
For a user, access rights to directories or files are bound to his or her user identity. Batch jobs have to 'inherit' these rights from the user's identity so that they can access and use the same resources as the user.


Most permissions and access rights are handled locally, i.e., within the DESY domain, via the 'Kerberos' protocol.
A user has to request a Kerberos ticket for his or her username from the central Kerberos server, authenticating with a password. With a valid Kerberos ticket, the user is matched against resources, for example computer access or some file permissions.

To prevent misuse, Kerberos tickets have a limited lifetime, i.e., tickets have to be renewed to keep access to resources.

Kerberos domains are mostly 'local', i.e., you can authenticate against a Kerberos domain only from within that domain. Meaning: it is for authorizing resource access at one site, only within DESY for accessing DESY resources or only within CERN for accessing CERN resources (requesting a token for another domain might work, but don't expect it and fear remote server and firewall configurations).

Creating a ticket

To request a plain Kerberos ticket, ask the server in the DESY domain with your username


If you know what you are doing, you can ask for a ticket that is -f(orwardable) and/or -p(roxiable) and/or -A (non-restricted addresses). For example, to log on to a computer via ssh and let your ticket be carried over so that you can further 'ssh' to another machine.


Beware: if you lose your ticket to somebody else, this person will have all your permissions!
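Because a forwardable or proxiable ticket can be carried to other hosts, it helps to know which tickets in your cache carry those flags. The following is an added example, not part of the original page: it assumes MIT Kerberos `klist -f` output, and the sample principal, realm and times are constructed.

```shell
#!/bin/sh
# Added example: audit `klist -f` output for tickets that can be delegated.
# Flag letters as printed by MIT Kerberos klist: F = forwardable, P = proxiable
# (lowercase f/p mean "already forwarded"/"proxy" and are not reported here).

# Constructed sample of `klist -f` output (principal, realm and times are made up).
sample_klist() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@DESY.DE

Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/15/2024 19:00:00  krbtgt/DESY.DE@DESY.DE
    renew until 01/16/2024 09:00:00, Flags: FPRIA
01/15/2024 09:05:00  01/15/2024 19:00:00  afs/desy.de@DESY.DE
    Flags: RA
EOF
}

# Reads `klist -f` text on stdin and prints "<service principal> <kinds>"
# for every ticket that is forwardable and/or proxiable.
delegable_tickets() {
    awk '
        # Ticket line: start date, start time, end date, end time, principal.
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9]+ / && NF >= 5 { svc = $5; next }
        # The flags line belongs to the ticket line seen just before it.
        /Flags: / && svc != "" {
            flags = $0; sub(/.*Flags: /, "", flags)
            kinds = ""
            if (index(flags, "F")) kinds = "forwardable"
            if (index(flags, "P")) kinds = (kinds == "" ? "" : kinds ",") "proxiable"
            if (kinds != "") print svc, kinds
            svc = ""
        }
    '
}

# Demo on the constructed sample; on a real host use: klist -f | delegable_tickets
sample_klist | delegable_tickets
```

The date pattern assumes the default MM/DD/YYYY layout; other locales print dates differently and need an adjusted pattern.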

Checking tickets

To list all current tickets and their lifetimes, do


Destroying tickets

If you do not need to access resources anymore and don't want to wait for the tickets to expire, do



Permissions via tokens for the AFS network file system work similarly to Kerberos tickets, including lifetime limits etc. (both came into existence more or less in parallel).

Creating an AFS token

Luckily, you can get an AFS token for your user without entering a password if you already have a Kerberos ticket.

aklog -cell DESY.DE

Tokens for other sites can be requested accordingly, as access to different AFS sites (cells) in parallel is possible.
(As AFS is an old protocol with dwindling support, sites are dropping support for it, so don't expect to have AFS at other sites and prepare to lose the cells still around.)
Long story short: move to another protocol for remote access!

Checking AFS tokens

To list all current AFS tokens and their lifetimes, do


Destroying AFS tokens

To drop a still-valid token for an AFS site/cell, do

unlog -cell SITE.FOO


nasty X509 stuff
