Carnegie Mellon University School of Computer Science

AFS Cache Manager and Authentication

Files on AFS are stored on servers (such as the SCS AFS servers located in our machine rooms). Access to these files is controlled by a cache manager, which runs on your local host. The cache manager keeps an on-disk cache of files that have been previously accessed. When you attempt to access data on AFS, it checks whether the data is in this cache and, if not, fetches a copy from a file server that has it. Consistency between the data in the local cache and the data on the file server is maintained through a callback mechanism, in which the server notifies the cache manager of any changes to the data.

The tokens that one gets when authenticating to AFS are used by the cache manager to authenticate to AFS servers when it requests data. To distinguish one user's tokens from another's, the cache manager keeps track of tokens by either the user's Unix ID or a process authentication group (PAG).

AFS IDs & Unix IDs

A Unix ID is a number that corresponds to a particular user on a Unix host. An AFS ID is a number that corresponds to a particular AFS username or instance name (e.g. "example" or "example.ftp"). AFS uses the AFS ID, instead of the name, internally. There is no necessary relation between AFS IDs and Unix IDs, but we keep them synchronized when creating AFS and Unix user IDs. A given Unix user ID may be authenticated to any AFS ID for which a token can be obtained.

Process Authentication Groups

Since AFS authentication tokens are associated with a Unix user, the AFS client uses the concept of a PAG to allow multiple sessions for the same Unix user to have different AFS tokens. Without a PAG, all Unix sessions for a given Unix user would share the same AFS tokens. In addition, a PAG is inherited by subprocesses, so a setuid program can use the AFS authentication token associated with the PAG.

By using a PAG, different sessions for the same Unix user can have a different set of AFS tokens. Obtaining and destroying such tokens does not interfere with the tokens of another Unix session for the same Unix user.

If a Unix user does not have a PAG, then the AFS tokens are associated with the (numeric) Unix user ID. In this case, all sessions for the same Unix ID without a PAG will share the same set of tokens.
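As an added illustration (not CMU's or OpenAFS's code), a small Python model of the lookup rule described above: the cache manager keys tokens by PAG when the process has one and by numeric Unix UID otherwise, a PAG survives fork and setuid, and tokens obtained or destroyed in one PAG do not touch another session's. The cell name `cell.example`, the PAG counter and the AFS IDs are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Process:
    uid: int
    pag: Optional[int] = None            # None: no PAG, so tokens are keyed by uid

    def fork(self) -> "Process":
        return Process(self.uid, self.pag)    # children inherit the parent's PAG

    def setuid(self, new_uid: int) -> "Process":
        return Process(new_uid, self.pag)     # changing uid does not change the PAG

class CacheManager:
    """One token set per PAG, or per Unix UID for processes that have no PAG."""
    def __init__(self) -> None:
        self._next_pag = 1                             # constructed counter, not real PAG numbering
        self._tokens: Dict[Tuple[str, int], Dict[str, int]] = {}   # key -> {cell: afs_id}

    @staticmethod
    def key_for(proc: Process) -> Tuple[str, int]:
        return ("pag", proc.pag) if proc.pag is not None else ("uid", proc.uid)

    def setpag(self, proc: Process) -> Process:
        pag, self._next_pag = self._next_pag, self._next_pag + 1
        return Process(proc.uid, pag)                  # fresh PAG, empty token set

    def set_token(self, proc: Process, cell: str, afs_id: int) -> None:
        self._tokens.setdefault(self.key_for(proc), {})[cell] = afs_id

    def token(self, proc: Process, cell: str) -> Optional[int]:
        return self._tokens.get(self.key_for(proc), {}).get(cell)   # None = unauthenticated

    def unlog(self, proc: Process) -> None:
        self._tokens.pop(self.key_for(proc), None)     # drops the whole PAG/UID token set

def demo(cell: str = "cell.example") -> Dict[str, Optional[int]]:
    cm = CacheManager()
    login1, login2 = Process(uid=1000), Process(uid=1000)   # same user, neither in a PAG
    cm.set_token(login1, cell, afs_id=1000)
    pagged = cm.setpag(Process(uid=1000))                  # a third login, inside its own PAG
    cm.set_token(pagged, cell, afs_id=1001)                # e.g. the user's ".root" instance
    out = {"shared_without_pag": cm.token(login2, cell),
           "pag_isolated": cm.token(pagged, cell),
           "setuid_inherits_pag": cm.token(pagged.fork().setuid(0), cell),
           "setuid_without_pag": cm.token(login1.fork().setuid(0), cell)}
    cm.unlog(pagged)
    out["unlog_pag_leaves_uid_tokens"] = cm.token(login1, cell)
    return out
```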

AFS & Kerberos

AFS uses Kerberos as the basis for its authentication tokens. Kerberos provides a mechanism whereby a given Kerberos name, such as "example", can have separate instances, such as "example.root". AFS also supports the use of such instances. Each instance has its own password, and AFS uses a unique AFS ID for the corresponding instance.