AFS is complex, so when you experience problems with it, this page might help you and us track down the problem.


  • How can I get tokens from another cell when logged in to a UNIX machine at MPCDF ?
    There are two things to consider here:
    the Kerberos REALM and the AFS-Cell.
    If the Kerberos REALM is version 5 only (like e.g. MPA), then you first need to get a
    Kerberos ticket and then use it to create an AFS-token.
    So, in order to get a token from another Cell, you can do the following:

    aklog -c AFSCell

    NOTE: This will overwrite your present KRB5 ticket unless you specify another ticket cache (environment variable KRB5CCNAME) for this shell.

  • As an example, use the following for the MPA:

    aklog -c
  • What are these .__afsNNN files ?
    Sometimes you see files whose names start with .__afsNNN and wonder where they come from.
    The client creates such a file when an application has a file open and that same file is deleted
    on the same client. When the (original) file is closed, the .__afsNNN file is deleted. Because of
    some error condition, the client may fail to remove it. In that case it will be removed by the next file-system
    check (“salvage”), or you can simply delete it yourself.

  • What does “Connection timed out” mean ?
    When a client cannot reach a server for a certain period of time, it stops trying to talk to it and simply returns “Connection timed out”. You can make the client re-establish the server connection by issuing “fs checkservers &” on the
    command line. It will give you a list of the servers this client cannot reach. Once your server is reachable again, access should
    work normally again.

  • What does “Unable to authenticate to AFS because Authentication Server was unavailable.” mean ?
    Very likely you are issuing the command “klog”, which uses Kerberos4, on a UNIX-based machine.
    Kerberos4 is deprecated and will soon be shut down completely. For some parts of the institutes it is already disabled.
    Thus, use the following commands:

    kinit # to get a Kerberos5 Ticket
    aklog -noprdb # to turn this ticket into an AFS-Token
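
The NOTE in the first entry, about keeping your present KRB5 ticket by pointing KRB5CCNAME at another ticket cache, as an added shell example (not part of the original FAQ). The principal and cell are placeholder arguments, and deleting the temporary cache afterwards is this example's own choice.

```sh
#!/bin/sh
# Added example, not from the original FAQ.
# Get an AFS token for another cell while leaving the default Kerberos 5
# ticket cache (and the ticket in it) untouched.

foreign_cell_token() {
    fct_principal=$1    # placeholder, e.g. user@OTHER.REALM
    fct_cell=$2         # placeholder, e.g. other.cell
    if [ -z "$fct_principal" ] || [ -z "$fct_cell" ]; then
        echo "usage: foreign_cell_token principal@REALM afs-cell" >&2
        return 2
    fi

    # mktemp creates the file with mode 0600, so other local users cannot
    # read the tickets that kinit writes into it.
    fct_cache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_foreign.XXXXXX") || return 1

    # The subshell confines the KRB5CCNAME override: kinit and aklog see the
    # separate cache, the calling shell keeps its own setting.
    (
        KRB5CCNAME="FILE:$fct_cache"
        export KRB5CCNAME
        kinit "$fct_principal" && aklog -c "$fct_cell"
    )
    fct_rc=$?

    # Assumption of this example: the temporary tickets are no longer needed
    # once aklog has handed the token to the AFS client, so remove them.
    rm -f "$fct_cache"
    return "$fct_rc"
}

# Usage (placeholders): foreign_cell_token user@OTHER.REALM other.cell && tokens
```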

General problems known to cause errors

  • Are you coming from outside the campus network ?
    Then a simple “aklog” will take a long time to log in. You should use

    kinit # get a Kerberos ticket
    aklog -noprdb # turn it into an AFS-token, do not query the PT-Server

    to avoid this timeout.

  • Do you use Kerberos 5 ?
    Make sure not to use “klog” anymore on UNIX-Systems. See FAQ above.

  • Computer time correct ?
    Please check that the time on your client is correct.

  • Do I have a token ?
    Check that you have a valid token. Tokens expire after some amount of time, thus a sudden loss of access rights can occur.

  • Which version do I have ?
    Please use the recommended version 1.6 for UNIX and 1.7 for Windows (or any later version) when accessing AFS.


  • If even a reboot does not help: remove the cache file

  • When using a client prior to version 1.7, make sure you are using the AFS-Loopback-Adapter,
    or even better: upgrade to 1.7.x


  • X-connection does not work:
    When logging into a remote machine via ssh, something like :

    xauth: timeout in locking authority file

    appears and then no X-application can be started.
    The problem here is that you do not get an AFS-token when logging in remotely. The solution is either to use an authority file which is local on the remote machine or to make sure that you get a token when logging in.