AFS Home Directories
- What is AFS?
- What does it mean to have AFS file space / an H: drive?
- How can I access my AFS storage space from home?
- How do I check my AFS quota usage? What should I do if I am over my AFS quota?
- Can I get more AFS file storage space?
- What is the difference between AFS at ITCS (umich.edu) and CAEN (engin.umich.edu)?
- How can I mount/map my H: drive from my home computer to access my AFS space?
- How do I set file permissions and access control in AFS?
- How do I create and manage groups in AFS?
- Why can't I open/save a file directly from/to AFS in Windows?
- Where can I find more information about my AFS home directory?
What is AFS?
All of CAEN's workstations use AFS, which is derived from the Andrew File System developed at Carnegie-Mellon University. AFS allows many machines to share files over a network, and provides a simple, integrated working environment.
AFS consists of file servers and clients. A file server stores files that other computers (clients) need to access. AFS clients can access standard network file servers in addition to the AFS file system, providing better performance with minimum inconvenience. In general, the task of a distributed file system is to make a shared file system accessible to hosts via a network. The file system must control which individual hosts and users have rights to mount file systems and to access files. AFS defines a protocol for making file systems available to other machines. This protocol determines automatically where the client can find a desired file.
A number of server machines export the AFS file system over the network to any number of client machines. Each client machine has a cache manager which requests files from the servers, stores them in a cache on the local hard disk and returns them when they have been updated. The cache manager is an active client; that is, it controls the transfer of files to and from the server, and locates alternate copies of files if a server should fail. Retrieving and updating files only when necessary minimizes network use and delay. Not only does this make file access faster, it also increases the number of machines that can access a single server without a decline in performance.
Kerberos
AFS uses MIT's Kerberos authentication scheme to validate users' rights to access files, which improves network security significantly. By default, an ordinary user has very limited access rights. When you wish to access files, the AFS client connects to the server through a mutual authentication process. This authentication not only ensures the client has valid access to the server volumes, but that the server is a valid file server for the client. In order to access files in the AFS file space, you must provide an AFS password to receive authentication. When you enter your Kerberos password, it is encrypted before being sent to the server, which must be able to interpret and verify it. AFS establishes your access rights after authentication by granting you tokens. AFS uses Kerberos to perform the necessary authentication, and then examines your token to determine your rights to each file. Files are only exchanged between a client and a server if both machines are able to recognize the token as valid.
AFS allows you to access all AFS files around the world through a single entry point in the file system. In UNIX-based operating systems, including Linux and Mac OS, this is at /afs. On CAEN Windows computers, the AFS client mounts AFS to the R: network drive under the My Computer icon.
The /afs tree contains several AFS cells. These cells are distinct administrative domains that may comprise many different servers and volumes fused together under a single directory tree. For example, the main U-M AFS cell (administered by ITCS) is umich.edu. In addition to the local cell, many foreign cells from other AFS domains are accessible, whether they are located across campus or across the country. This allows you to access files across the nation as easily as a local disk on any workstation.
File Permissions
AFS allows seven distinct directory access rights that may be granted to specific users and user-definable groups. Though CAEN still supports standard Linux file permissions, they are used in conjunction with AFS access rights only minimally. An authorized user can add each specific access right to, or delete it from, any user or group. The seven AFS access rights are:
- read (r) - Allows you to open files within a directory for read access only and to copy the contents of any file in the directory.
- lookup (l) - Allows you to list the names of the files in the directory; without this right, you may access files only if you know their names beforehand.
- delete (d) - Allows you to delete files from the directory.
- write (w) - Allows you to append to, modify, and overwrite existing files in the directory; does not allow you to create new files.
- insert (i) - Permits you to create new files in a directory.
- lock (k) - Allows you to lock files for exclusive use.
- administer (a) - Allows you to change access rights on the directory.
AFS predefines three standard user groups for convenience. The system:administrators group contains all of the local AFS administrators; the system:authuser group consists of all users who have an authenticated, local AFS account; the system:anyuser group includes all those who have access to AFS. Since AFS is used across the entire country, this is a very broad implementation of the world rights.
AFS Commands
A few commands provide the user interface to AFS:
gettokens
The gettokens command allows you to authenticate to the AFS server through Kerberos, determining access rights to AFS files. After entering your UMICH.EDU Kerberos password at the prompt, the cache manager receives a token, which grants it specific access rights to files from the server. This token expires after a specific amount of time (typically 25 hours), after which you will have to authenticate again.
tokens
This command lists the AFS access tokens currently held by the cache manager, along with the expiration times. In most cases the tokens command will produce output similar to the following:
Tokens held by the Cache Manager:
User's (AFS ID #) tokens for afs@umich.edu [Expires Apr 11 11:05]
--End of list--
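Because tokens expire (typically after 25 hours), a long-running job that writes to AFS can lose access mid-run. The following added example (not CAEN's or OpenAFS's code) parses the output format shown above and reports which cells need a fresh gettokens; the sample output, the AFS ID numbers and the clock value are constructed, and the Expires field carries no year, so the caller supplies one.

```python
# Added example (not CAEN's or OpenAFS's code): parse the output of `tokens`
# and report cells whose token has expired or is about to expire.
import re
from datetime import datetime, timedelta

# Constructed sample output in the format shown above; the AFS IDs are placeholders.
SAMPLE_TOKENS = """\
Tokens held by the Cache Manager:
User's (AFS ID 12345) tokens for afs@umich.edu [Expires Apr 11 11:05]
User's (AFS ID 67890) tokens for afs@engin.umich.edu [Expires Apr 10 09:30]
--End of list--
"""

TOKEN_RE = re.compile(
    r"tokens for afs@(?P<cell>\S+) \[Expires (?P<when>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2})\]"
)


def parse_tokens(text, year):
    """Return {cell: expiry datetime}.

    The Expires field has no year, so the caller supplies it; a token listed
    in late December and checked in January would need the previous year.
    """
    expiries = {}
    for m in TOKEN_RE.finditer(text):
        expiries[m["cell"]] = datetime.strptime(f"{m['when']} {year}", "%b %d %H:%M %Y")
    return expiries


def cells_needing_reauth(text, now, within=timedelta(hours=1)):
    """Cells whose token is already expired or expires within `within` of `now`."""
    expiries = parse_tokens(text, now.year)
    return sorted(cell for cell, expiry in expiries.items() if expiry - now <= within)


if __name__ == "__main__":
    clock = datetime(2006, 4, 11, 10, 30)  # constructed clock for the sample
    print(parse_tokens(SAMPLE_TOKENS, clock.year))
    print("run gettokens for:", cells_needing_reauth(SAMPLE_TOKENS, clock))
```

In practice you would feed the function the real output of `tokens` (for example via subprocess) and call gettokens for each cell it returns before starting the job.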
unlog
The unlog command will remove any user tokens, disabling authenticated access to AFS files.
fs
The fs command, along with its many options, is the primary interface to many aspects of the AFS file system.
fs help
This built-in help facility lists the proper syntax for accessing the various fs options. To find help with a specific command name, type: fs help command
fs listquota
The listquota option lists the percentage of used disk space for the current or specified volume.
fs listacl
This option produces a listing of access privileges for the current or specified directory.
fs setacl
This command allows you to set the access rights for a specified directory. These access rights include the seven AFS privileges for specific users and groups. For example, to allow user bob full access to a directory named dropbox, you could use the following command:
fs setacl -dir dropbox -acl bob rlidwka
To remove all access from any user to the directory named Private, use the following command:
fs setacl -dir Private -acl system:anyuser none
pts
The pts command, an administrative interface to the protection server, allows you to create and modify groups to which you may give access to certain AFS directories. Specific options can be listed with its syntax by using the pts help option.
Logging In
Anyone with a standard CAEN computing account is provided a home directory by ITCS on a U-M AFS file server (in the umich.edu cell). Home directories are located at /afs/umich.edu/user/u1/u2/uniqname where u1 and u2 are the first two letters of your U-M uniqname. This directory is a single AFS volume, with a quota (or limit) which cannot be exceeded.
Further Help
See IBM's AFS FAQs for more information on AFS.
What does it mean to have AFS file space / an H: drive?
All University of Michigan (U-M) students, faculty, and staff receive AFS (a.k.a. IFS) file space through Information Technology Central Services (ITCS), the main computing organization at U-M. Online file storage space is the best place to store your work and important documents, because it is backed up regularly. Files are less likely to become corrupted than they would be on a CD-R, and they are easily accessible from any computer connected to the Internet. Please Note: Your CAEN NAS file space should not be confused with the AFS space given to all U-M students by ITCS.
You are automatically connected to your storage space when you log onto any CAEN machine:
- If you are logged into a CAEN Windows computer, the H: network drive is connected to your ITCS AFS space, and the N: drive is connected to your CAEN NAS space. To access them, double-click My Computer in the Start menu.
- On a CAEN Linux workstation, your home directory is your ITCS AFS space (you can return to it at any time by entering cd ~ at the command prompt). For instructions to access your NAS space from Linux, please click here.
- If you are on your personal computer, or otherwise off-campus, see this FAQ.
How can I access my AFS storage space from home?
In order to connect remotely and transfer files to/from your AFS space, you should use an SCP/SFTP client to securely connect to the ITCS SFTP server: sftp.itd.umich.edu. Log in with your U-M uniqname and ITCS Kerberos password as if you were connecting with SSH. For tips on how to mount your H: drive from a home computer (similar to a CAEN PC), see the FAQ on OpenAFS. More information on accessing your AFS space can be found at:
How do I check my AFS quota usage? What should I do if I am over my AFS quota?
It is always a good idea to keep at least 5% of your AFS home directory clear to prevent problems with logging into Linux machines and running software. If you believe you are at or over your AFS quota, you can check by logging into a CAEN Windows computer and using SSH to connect to a Linux host (e.g. login.engin.umich.edu). Once you are logged in, you can type the following command to see how much of your quota you are using:
fs lq ~
You can then use the following command to determine which directories are taking up the most space:
du -k ~ | more
This will list how much space, in KB, each directory is taking up. So, if it says ~/Public contains 1000, then your Public directory is taking up 1 MB of space. You can then descend into each directory and see which files are using the most space by simply typing:
ls -l
Here are a few common things that can consume your AFS space, and should be monitored closely:
- Core Files: If you see a file named core in your home directory you can usually delete it. For more info please visit this FAQ.
- Mozilla Cache: To delete all of the temporary internet files used by Mozilla type:
rm -rf ~/.mozilla/uniqname/*/Cache
- ~/.dt/Trash: To delete all of these trash files type:
rm -rf ~/.dt/Trash
To see how much space your Trash is using type this command:
du -k ~/.dt/Trash
- Request More Space: You can request more umich.edu AFS space for your ITCS account. For more information, please visit this FAQ.
If you have any further problems, please stop by the CAEN Hotline or Contact CAEN.
Can I get more AFS file storage space?
Yes. All students at the University of Michigan receive 10 GB of space in the umich.edu AFS cell through their Basic Computing Package (BCP), which is provided by ITCS. To increase your ITCS AFS quota, simply go to the following web site:
Log in with your uniqname and ITCS password, and click the modify button. Charges may be applied by ITCS to your student account.
What is the difference between AFS at ITCS (umich.edu) and CAEN (engin.umich.edu)?
Note: Beginning May 1, 2006, CAEN is no longer issuing AFS home directories in the engin.umich.edu cell. Instead, all new CAEN computing accounts will use ITCS IFS (umich.edu) home directories by default on CAEN computers, taking advantage of the larger quota. For more information, read the news article.
AFS is a distributed file system used by more than 100 organizations. It provides an easy medium in which files can be stored and shared. The University of Michigan has a few cells within AFS, but students in the College of Engineering will only be concerned with two: umich.edu & engin.umich.edu
In general, Engineering students have two computing accounts: one with ITCS and one with CAEN. ITCS provides personal AFS (a.k.a. IFS) space (also known as your home directory) to all students. This space can be accessed via the H: network drive on CAEN Windows machines, and in Linux via the following path:
/afs/umich.edu/user/l1/l2/uniqname
Note: l1
CAEN provides access to Engineering Linux software for all CAEN account holders in the following AFS path:
/afs/engin.umich.edu/caen
You can follow the same path on a Windows machine through the R: drive. This is the global AFS drive.
How can I mount/map my H: drive from my home computer to access my AFS space?
Note: Currently, it is not possible to mount AFS home directories via Windows built-in networking. While it is possible to mount your AFS home directory to a network drive from your home computer using a third-party AFS client (e.g. http://www.openafs.org/), it is important to note that CAEN will not support third-party AFS clients run on personal computers.
Any problems or questions you may have regarding the installation or configuration of AFS clients should be directed to the creators of the software.
How do I set file permissions and access control in AFS?
All CAEN workstations use AFS, which is derived from the Andrew File System developed at Carnegie-Mellon University. AFS allows many machines to share files over a network, and provides a simple, integrated working environment. Files stored in AFS are accessible from anywhere on the Internet. It is important for users of AFS to protect files that they do not want viewed or modified by others on the network.
AFS file permissions are significantly different from standard Linux permissions. In fact, no other current file system uses the same permissions system as AFS. This page explains AFS file permissions and how to set them for personal files and directories.
Are Your Files in AFS?
The first thing one should determine when thinking about protecting a set of files is whether the file is stored in AFS or a Linux file system (local disk or NFS). The easiest way to do this is using the fs whereis command. For example, to determine whether the file /tmp/mydir is in AFS or not, type fs whereis /tmp/mydir. A file named abc can be tested using fs whereis abc.
The fs whereis command will either return a host name on which the file is stored (if it is in AFS), or it will return an error stating that the file may not be in AFS (in which case it almost certainly is not).
You must know whether the file is in AFS or not because AFS file permissions are different from Linux permissions. Attempting to use AFS protection commands on a file that is not in AFS causes an error. Using Linux protection commands on a file in AFS does not cause an error, but the command will have little-to-no effect on the file's access permissions (or at least not the effects intended). It is easy to be misled into thinking that Linux files are protected, when in reality, the files are in AFS and are not being protected at all.
Access Control Lists
Files in AFS are protected using Access Control Lists (ACLs). Every directory in AFS has an associated ACL. Individual files do not have ACLs, so all files stored in the same directory have the same permissions. (Subdirectories within a directory have their own ACLs, of course, so files stored in a subdirectory do not have to have the same permissions as files in the directory above them.)
An AFS ACL is a list of identity/privilege pairs. There may be any number of these pairs in the ACL. There are two types of pairs: normal and negative. We will talk only about normal pairs for the moment.
Each pair has an identity and a privilege specification. The identity can be any AFS user or group name. The user or group must exist in the same administrative domain as the directory itself. For example, a file stored in the umich.edu domain can have users or groups in the umich.edu domain listed in its ACL entry pairs, but it cannot have users or groups from the andrew.cmu.edu domains.
The privilege specification is the list of privileges that the identity is given. For example, if an entry in an ACL contains the identity amber and the privilege specification rlid, it means that the user amber has the r, l, i and d privileges on the directory.
Available Privileges
AFS allows seven different privileges to be given to any identity. Note that some of these privileges affect what may be done to the directory (list, insert, delete, and administer) and some affect what may be done to the files in the directory (read, write, lock).
- r - Ability to read the contents of files in this directory
- l - Ability to list the names of files in this directory
- i - Ability to create new files in this directory
- d - Ability to delete files in this directory
- w - Ability to write to (modify) files in this directory
- k - Ability to lock files in this directory
- a - Ability to change the ACL on this directory
The privilege specification rlid means the combination of read, list, insert, and delete privileges. A privilege specification of lida would include list, insert, delete, and administer privileges. Any of the seven privileges may be given to an identity independently of the others. An example of listing an AFS ACL follows:
example% fs la mydir
Access control list for mydir
Normal rights:
system:administrators rlidwka
amber rlidwka
system:anyuser rl
amber:eecs498 rlidwk
This ACL contains four entries. The first entry gives all seven privileges to members of the system:administrators group. The second entry gives full privileges to the user amber. The third gives read and list privileges to system:anyuser (more on this group later). The last entry gives all privileges except administer to members of the group amber:eecs498.
Negative Entries
As mentioned earlier, there are two types of entries in Access Control Lists: normal and negative. Normal rights give privileges to specific identities. Negative rights take privileges away.
The default ACL (one with no entries) gives no privileges to anyone. Adding normal entries to an ACL gives privileges to the identities listed. Negative entries subtract privileges from the set given out by normal entries. The following gives an example of an ACL with negative entries:
Access control list for mydir
Normal rights:
system:administrators rlidwka
amber rlidwka
system:anyuser rl
amber:friends rlidwk
amber:eecs498 rlidwk
Negative rights:
joeuser idwk
amber:enemies idwk
When dealing with negative entries, the rule is to first add up all of the privileges given out by the normal entries, then subtract those listed in the negative entries. The normal entries give full privileges to system:administrators and amber, read and list privileges to system:anyuser, and all privileges except administer to members of amber:friends and amber:eecs498. The negative entries, however, take away insert, delete, write, and lock privileges from joeuser and members of amber:enemies. If jilluser is a member of amber:friends, he will have rlidwk privileges, unless he is also a member of amber:enemies, in which case he will only have read and list privileges. Regardless of the groups that joeuser is a member of, he only has read and list privileges because of the negative entry containing his uniqname.
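The add-up-then-subtract rule above, worked through in Python as an added example (not CAEN's or OpenAFS's code). The ACL is the one listed above; the model of which identities a request matches is an assumption beyond the page's example: an unauthenticated client matches only system:anyuser, while a client holding a token for the cell also matches its own name, its PTS groups and system:authuser.

```python
# Added example (not CAEN's or OpenAFS's code): compute the effective rights a
# user has on an AFS directory from its normal and negative ACL entries.

AFS_RIGHTS = "rlidwka"  # read, lookup, insert, delete, write, lock, administer

# The ACL listed above, as identity -> rights string.
EXAMPLE_ACL = {
    "normal": {
        "system:administrators": "rlidwka",
        "amber": "rlidwka",
        "system:anyuser": "rl",
        "amber:friends": "rlidwk",
        "amber:eecs498": "rlidwk",
    },
    "negative": {
        "joeuser": "idwk",
        "amber:enemies": "idwk",
    },
}


def matching_identities(user, groups=(), authenticated=True):
    """ACL identities that apply to this request (assumed matching model).

    An unauthenticated client has no identity beyond system:anyuser; a client
    holding a token for the cell also matches its own name, its PTS groups
    and system:authuser.
    """
    if not authenticated:
        return {"system:anyuser"}
    return {user, "system:anyuser", "system:authuser"} | set(groups)


def effective_rights(acl, user, groups=(), authenticated=True):
    """Union of the matching normal entries minus the union of the matching
    negative entries, returned in AFS's canonical rlidwka order."""
    ids = matching_identities(user, groups, authenticated)
    granted, denied = set(), set()
    for identity, rights in acl.get("normal", {}).items():
        if identity in ids:
            granted |= set(rights)
    for identity, rights in acl.get("negative", {}).items():
        if identity in ids:
            denied |= set(rights)
    return "".join(c for c in AFS_RIGHTS if c in granted - denied)


def can(acl, user, right, groups=(), authenticated=True):
    """True if the single right letter survives the negative entries."""
    return right in effective_rights(acl, user, groups, authenticated)


if __name__ == "__main__":
    cases = [
        ("jilluser", ["amber:friends"]),
        ("jilluser", ["amber:friends", "amber:enemies"]),
        ("joeuser", ["amber:friends", "amber:eecs498"]),
        ("amber", []),
    ]
    for who, grps in cases:
        print(f"{who:9} {grps}: {effective_rights(EXAMPLE_ACL, who, grps) or '(none)'}")
    print("anonymous client:", effective_rights(EXAMPLE_ACL, "-", authenticated=False))
```

The function reproduces the three outcomes described in the text: jilluser in amber:friends gets rlidwk, drops to rl once also in amber:enemies, and joeuser gets rl whatever groups he is in, because his negative entry matches his own name.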
PTS Groups
AFS allows every user to create and manage his or her own permissions groups, called PTS groups because they are an administrative interface to the protection server. These are used when setting ACLs and giving out privileges to directories in AFS. AFS also pre-defines three groups that are very useful when giving out privileges using ACLs. The system:anyuser group is effectively synonymous with 'everyone.' The system:authuser group is roughly 'everyone who has an account here.' For example, a user at U-M would be a member of system:authuser for files stored on umich.edu servers, but not for files stored on MIT's servers. In short:
- system:anyuser - Everyone who can access AFS anywhere.
- system:authuser - Anyone who has an AFS token in the domain that the file is stored in.
- system:administrators - The administrators of the domain that the file is stored in.
Refer to the Creating & Managing AFS/PTS Groups page for more information.
Listing & Setting ACLs
The commands for listing and setting AFS ACLs are relatively straightforward, and can be used at the terminal prompt of any CAEN Linux machine, or the DOS prompt on CAEN Windows computers. To view the ACL on a directory, use the fs listacl command (which can be shortened to fs la). For example, to view the ACL of a directory named mydir, type fs la mydir.
To change an ACL, use the fs setacl (or fs sa) command. The basic format for an fs sa command is fs sa file identity privileges. For example, to give read privileges to user joeuser for a directory named abc, you would type fs sa abc joeuser r. To remove an entry from an ACL, use the keyword none as the privilege specification. For example, type fs sa abc joeuser none.
Multiple entries may be given in an fs sa command.
fs sa abc joeuser rl jilluser rlidwk amber:eecs498 all
Multiple directories may be specified if the directory names and the ACL entries are clearly separated using the -dir and -acl switches.
fs sa -dir dir1 dir2 dir3 dir3/subdir -acl amber:friends rlidwk
To add or remove negative entries, use the -negative switch before the entries.
fs sa abc -negative amber:enemies idwk
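The fs sa argument forms shown above (positional, -dir/-acl, and -negative), applied to an in-memory ACL store as an added example in Python (not CAEN's or OpenAFS's code), so that a batch of ACL changes can be reviewed before it is run against real directories. The all and none keywords come from the examples above; read (rl) and write (rlidwk) are the other two shorthands fs setacl accepts. The store layout and the `apply_fs_sa` name are this example's own.

```python
# Added example (not CAEN's or OpenAFS's code): parse fs sa command lines of
# the forms shown above and apply them to an in-memory ACL store.
import shlex

AFS_RIGHTS = "rlidwka"
# all and none appear in the examples above; read and write are the other two
# shorthands fs setacl accepts.
SHORTHAND = {"all": "rlidwka", "none": "", "read": "rl", "write": "rlidwk"}


def normalize_rights(spec):
    """Expand a shorthand, or validate a letter string and put it in rlidwka
    order; unknown letters raise, as fs setacl would reject them."""
    if spec in SHORTHAND:
        return SHORTHAND[spec]
    bad = set(spec) - set(AFS_RIGHTS)
    if bad or not spec:
        raise ValueError(f"bad rights specification {spec!r}")
    return "".join(c for c in AFS_RIGHTS if c in spec)


def parse_fs_sa(command):
    """Split 'fs sa ...' into (directories, [(identity, rights), ...], negative).

    Accepts the positional form `fs sa dir identity rights ...`, the explicit
    form `fs sa -dir d1 d2 ... -acl identity rights ...`, and a -negative
    switch anywhere after `fs sa`.
    """
    args = shlex.split(command)
    if args[:2] not in (["fs", "sa"], ["fs", "setacl"]):
        raise ValueError("expected a command starting with 'fs sa'")
    args = args[2:]
    negative = "-negative" in args
    args = [a for a in args if a != "-negative"]
    if "-dir" in args:
        if "-acl" not in args or args.index("-acl") < args.index("-dir"):
            raise ValueError("-dir must be followed by -acl")
        i, j = args.index("-dir"), args.index("-acl")
        dirs, acl_args = args[i + 1:j], args[j + 1:]
    else:
        dirs, acl_args = args[:1], args[1:]
    if not dirs or not acl_args or len(acl_args) % 2:
        raise ValueError("need a directory and identity/rights pairs")
    entries = list(zip(acl_args[0::2], acl_args[1::2]))
    return dirs, entries, negative


def apply_fs_sa(acls, command):
    """Update acls (dir -> {'normal': {...}, 'negative': {...}}) in place.

    A rights value of none removes the entry rather than storing an empty one,
    matching how fs sa treats the none keyword.
    """
    dirs, entries, negative = parse_fs_sa(command)
    section = "negative" if negative else "normal"
    for d in dirs:
        acl = acls.setdefault(d, {"normal": {}, "negative": {}})
        for identity, spec in entries:
            rights = normalize_rights(spec)
            if rights:
                acl[section][identity] = rights
            else:
                acl[section].pop(identity, None)
    return acls


if __name__ == "__main__":
    store = {}
    apply_fs_sa(store, "fs sa abc joeuser rl jilluser rlidwk amber:eecs498 all")
    apply_fs_sa(store, "fs sa -dir dir1 dir2 dir3 dir3/subdir -acl amber:friends rlidwk")
    apply_fs_sa(store, "fs sa abc -negative amber:enemies idwk")
    apply_fs_sa(store, "fs sa abc joeuser none")
    for d, acl in store.items():
        print(d, acl)
```

Rejecting unknown right letters before anything is applied is the useful part: a typo such as rlidwx would otherwise be caught only when the real command fails partway through a list of directories.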
More Information
More information about the commands used to work with AFS permissions can be obtained through the online help for fs. The command fs help will display a list of help topics. Typing the command fs help topic will explain how to use a particular fs command. For example, fs help sa gives a detailed explanation of the fs sa command discussed above.
How do I create and manage groups in AFS?
All CAEN workstations use AFS, which is derived from the Andrew File System developed at Carnegie-Mellon University. AFS allows many machines to share files over a network, and provides a simple, integrated working environment. Files stored in AFS are accessible from anywhere on the Internet. AFS also uses a special system for assigning users and groups rights, or privileges, to files and directories on AFS servers. It is important to protect the files that you do not want viewed or modified by others on the network.
AFS allows every user to create and manage his or her own groups that he or she can use when setting Access Control Lists (ACLs) and giving out privileges. Refer to our Setting AFS File Permissions page for information on setting file permissions for existing groups and groups you've created. This technical note describes how to create and manage groups of your own.
Permissions groups, called PTS groups because they are an administrative interface to the protection server, are only used for setting file permissions. They cannot be used to set up email lists.
Note: When working with PTS groups, it is important to know which AFS cell you are working with: umich.edu or engin.umich.edu. For example, when you log into a CAEN Linux host (e.g. login.engin.umich.edu) you will be working with groups in the engin.umich.edu cell. To work with PTS groups in the umich.edu cell, log into an ITCS Linux host (login.itd.umich.edu).
Creating a PTS Group
In many situations, it is desirable to grant several people access to a directory in AFS. For example, class files may be permitted so that any student in a class may read the files, or a shared work space may be permitted so that members of a research group may modify files. In these cases, it is inefficient to provide each person with their own ACL entry. Doing so would require changing the ACL of every affected directory whenever someone joined or left the research group, or added or dropped the class.
Instead, create a PTS group and add one entry to each directory's ACL giving permissions to all the members of the group. In this way, group members can be easily added or removed from all directory ACLs using a single command without having to change the ACLs on any directory.
To create a PTS group, use the pts creategroup command (this can be shortened to pts cg). Group names should be formatted as uniqname:groupname, where uniqname is your U-M uniqname. For example, type pts cg uniqname:myfriends. This will create a new group called uniqname:myfriends. Note that members are not specified when creating a group. This is done later. Also note that the group name is prefixed by a uniqname. The group name must start with your uniqname and a colon. This prefix prevents two users from creating groups with the same name.
Adding and Removing Group Members
When you create a new group, it will not have any members. You add users using the pts adduser command. To add a single person, for example, you would type pts adduser uniqname groupname. To add more than one person, type pts adduser -user user1 user2... -group groupname.
Use the pts removeuser (or pts rem) command to remove people from a group. The format is the same as for the pts adduser command.
Listing Group Membership
There are three types of group membership listings that you can obtain. You can list all of the members of a given group, you can list all of the groups that a given person is a member of, and you can list all of the groups that a given person owns. You cannot easily obtain a listing of all groups at CAEN.
To list the members of a group use the pts membership (or pts mem) command. For example, typing pts mem uniqname:myfriends would list all of the members of your new group. pts mem uniqname would list all of the groups that you are a member of.
To list all of the groups that a user owns, type pts listowned uniqname.
Note that you may not be able to list all of this information depending on how the group's protection is configured. Groups may be protected so that only certain people may examine them, modify them, or find out who is in them. There are five group privileges that may be given out. The next section explains this.
Group Privileges
- Status (S) - Ability to examine the group (using pts examine).
- Owner (O) - Ability to list the owner of the group.
- Membership (M) - Ability to list the membership of the group.
- Add (A) - Ability to add users to the group.
- Remove (R) - Ability to remove users from the group.
Privileges may be given to no one except the owner, to members of the group, or to everyone. These are the only three possibilities. The pts examine command lists these privileges as part of its output. Typing pts exa groupname would show the state of each privilege. In this listing, you will see a five-character string labeled flags. Each character is either a lowercase letter, an uppercase letter, or a dash. A dash means that the corresponding privilege is available only to the owner of the group. A lowercase letter means that it is available to members of the group. An uppercase letter means that it is available to everyone.
For example, the string s-Mar means that everyone may list the membership of the group, members may list the status of the group and add and remove users, and only the group's owner may see who owns the group.
To change the privileges for any group, use the pts setfields command. Typing pts setfields groupname -access string would set the privileges (the string is of the same format given by the pts examine command).
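The flags string described above, decoded in Python as an added example (not CAEN's or OpenAFS's code). It also audits a constructed inventory of groups for two things a practitioner would want to catch: groups whose add or remove privilege is open to everyone, and names that do not carry the owner's uniqname prefix from the naming rule above. The `audit_groups` function and the sample flags are this example's own.

```python
# Added example (not CAEN's or OpenAFS's code): decode the five-character
# flags string reported by pts examine and audit a set of groups.

PTS_FLAG_ORDER = "SOMAR"  # status, owner, membership, add, remove
PRIVILEGE = {"S": "examine the group", "O": "list its owner", "M": "list its members",
             "A": "add members", "R": "remove members"}


def parse_pts_flags(flags):
    """Map each privilege letter to 'owner', 'members' or 'everyone'.

    A dash means owner only, a lowercase letter means group members, and an
    uppercase letter means everyone; anything else is not a valid flags string.
    """
    if len(flags) != 5:
        raise ValueError(f"flags must be 5 characters, got {flags!r}")
    who = {}
    for expected, ch in zip(PTS_FLAG_ORDER, flags):
        if ch == "-":
            who[expected] = "owner"
        elif ch == expected.lower():
            who[expected] = "members"
        elif ch == expected:
            who[expected] = "everyone"
        else:
            raise ValueError(f"{ch!r} is not valid in the {PRIVILEGE[expected]} position")
    return who


def open_to_everyone(flags):
    """Privilege letters that any AFS user gets, e.g. ['M'] for s-Mar."""
    return [p for p, who in parse_pts_flags(flags).items() if who == "everyone"]


def valid_group_name(name, owner):
    """Group names must be owner:groupname with a non-empty group part."""
    prefix = owner + ":"
    return name.startswith(prefix) and len(name) > len(prefix)


def audit_groups(groups, owner):
    """Findings for groups anyone can add to or remove from, or whose name
    is not prefixed with the owner's uniqname."""
    findings = []
    for name, flags in sorted(groups.items()):
        if not valid_group_name(name, owner):
            findings.append((name, "name not prefixed with owner uniqname"))
        exposed = set(open_to_everyone(flags)) & {"A", "R"}
        if exposed:
            what = " and ".join(PRIVILEGE[p] for p in sorted(exposed))
            findings.append((name, "everyone may " + what))
    return findings


# Constructed inventory of group -> flags, as pts examine would report them.
SAMPLE_GROUPS = {
    "amber:eecs498": "s-Mar",
    "amber:friends": "S-M--",
    "amber:dropbox": "SOMAR",
}

if __name__ == "__main__":
    for name, flags in SAMPLE_GROUPS.items():
        print(name, flags, parse_pts_flags(flags))
    for name, why in audit_groups(SAMPLE_GROUPS, "amber"):
        print("FINDING:", name, why)
```

A group whose A or R flag is uppercase lets any AFS user change who is in it, which in turn changes who holds the rights of every ACL entry naming that group; that is why the audit singles out those two letters.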
Deleting a Group
When a group is no longer needed, it should be deleted. The first step in removing a group is revoking all of its permissions. After removing a group's permissions, the group itself can be deleted with the pts delete groupname command.
More Information
More information about the commands used to work with PTS groups can be obtained through the online help for pts. The command pts help will display a list of help topics. Typing the command pts help topic will explain how to use a particular pts command. For example, pts help adduser gives a detailed explanation of the pts adduser command discussed above.
Once you've created your group and populated it, you can easily grant the group permissions to any directory in AFS. Refer to our Setting AFS File Permissions for more information.
Why can't I open/save a file directly from/to AFS in Windows?
There have been several reports of a conflict between certain Windows programs (e.g. Microsoft Office, ABAQUS, MATLAB...) and the OpenAFS client when saving directly to AFS (H: network drive). In most cases, opening a file directly from AFS and then attempting to save any changes will result in an error that the file is "locked" or otherwise cannot be saved. To avoid this:
- If you are working with a new file that you have just created, instead of saving directly to the H: drive from the software program, it is recommended that you instead save your file to a temporary location on the computer (e.g. Desktop or C:\Temp) and then manually copy (drag/drop) it over to AFS.
- Alternatively, if you need to modify a file that is already stored in AFS; copy it to your Desktop first and then open it in the program from there. When you are done editing the file, save it and manually copy it back to AFS. This should prevent any "locks" from being created on the file.
Note: If you have CAEN NAS space which can be accessed via the N: network drive, you may also try storing/saving your data and files there as an alternative to AFS.
Where can I find more information about my AFS home directory?
ITCS provides much information about AFS home directories and file storage on their web site at: