openafs/doc/man-pages/pod1/knfs.pod

193 lines
6.9 KiB
Plaintext
Raw Normal View History

=head1 NAME
knfs - Establishes authenticated access via the NFS/AFS Translator
=head1 SYNOPSIS
=for html
<div class="synopsis">
B<knfs> S<<< B<-host> <I<host name>> >>> S<<< [B<-id> <I<user ID (decimal)>>] >>>
S<<< [B<-sysname> <I<host's '@sys' value>>] >>> [B<-unlog>] [B<-tokens>]
[B<-help>]
B<knfs> S<<< B<-ho> <I<host name>> >>> S<<< [B<-i> <I<user ID (decimal)>>] >>>
S<<< [B<-s> <I<host's '@sys' value>>] >>> [B<-u>] [B<-t>] [B<-he>]
=for html
</div>
=head1 DESCRIPTION
The B<knfs> command creates an AFS credential structure on the local
machine, identifying it by a process authentication group (PAG) number
associated with the NFS client machine named by the B<-hostname> argument
and by default with a local UID on the NFS client machine that matches the
issuer's local UID on the local machine. It places in the credential
structure the AFS tokens that the issuer has previously obtained (by
logging onto the local machine if an AFS-modified login utility is
installed, by issuing the B<klog> command, or both). To associate the
credential structure with an NFS UID that does not match the issuer's
local UID, use the B<-id> argument.
Issue this command only on the NFS(R)/AFS translator machine that is
serving the NFS client machine, after obtaining AFS tokens on the
translator machine for every cell to which authenticated access is
required. The Cache Manager on the translator machine uses the tokens to
obtain authenticated AFS access for the designated user working on the NFS
client machine. This command is not effective if issued on an NFS client
machine.
To enable the user on the NFS client machine to issue AFS commands, use
the B<-sysname> argument to specify the NFS client machine's system type,
which can differ from the translator machine's. The NFS client machine
must be a system type for which AFS is supported.
The B<-unlog> flag discards the tokens in the credential structure, but
does not destroy the credential structure itself. The Cache Manager on the
translator machine retains the credential structure until the next reboot,
and uses it each time the issuer accesses AFS through the translator
machine. The credential structure only has tokens in it if the user
reissues the B<knfs> command on the translator machine each time the user
logs into the NFS client machine.
To display the tokens associated with the designated user on the NFS
client machine, include the B<-tokens> flag.
Users working on NFS client machines of system types for which AFS
binaries are available can use the B<klog> command rather than the B<knfs>
command.
=head1 CAUTIONS
If the translator machine's administrator has enabled UID checking by
issuing the B<fs exportafs> command with the B<-uidcheck on> argument, it
is not possible to use the B<-id> argument to assign the tokens to an NFS
UID that differs from the issuer's local UID. In this case, there is no
point in including the B<-id> argument, because the only acceptable value
(the issuer's local UID) is the value used when the B<-id> argument is
omitted. Requiring matching UIDs is effective only when users have the
same local UID on the translator machine as on NFS client machines. In
that case, it guarantees that users assign their tokens only to their own
NFS sessions.
This command does not make it possible for users working on non-supported
system types to issue AFS commands. This is possible only on NFS clients
of a system type for which AFS is available.
=head1 OPTIONS
=over 4
=item B<-host> <I<host name>>
Names the NFS client machine on which the issuer is to work. Providing a
fully-qualified hostname is best, but abbreviated forms are possibly
acceptable depending on the state of the cell's name server at the time
the command is issued.
=item B<-id> <I<user ID (decimal)>>
Specifies the local UID on the NFS client to which to assign the
tokens. The NFS client identifies file requests by the NFS UID, so
creating the association enables the Cache Manager on the translator
machine to use the appropriate tokens when filling the requests. If this
argument is omitted, the command interpreter uses an NFS UID that matches
the issuer's local UID on the translator machine (as returned by the
getuid() function).
=item B<-sysname> <I<host's '@sys' value>>
Specifies the value that the local (translator) machine's remote executor
daemon substitutes for the I<@sys> variable in pathnames when executing
AFS commands issued on the NFS client machine (which must be a supported
system type). If the NFS user's PATH environment variable uses the I<@sys>
variable in the pathnames for directories that house AFS binaries (as
recommended), then setting this argument enables NFS users to issue AFS
commands by leading the remote executor daemon to access the AFS binaries
appropriate to the NFS client machine even if its system type differs from
the translator machine's.
=item B<-unlog>
Discards the tokens stored in the credential structure identified by the
PAG associated with the B<-host> argument and, optionally, the B<-id>
argument.
=item B<-tokens>
Displays the AFS tokens assigned to the designated user on the indicated
NFS client machine.
=item B<-help>
Prints the online help for this command. All other valid options are
ignored.
=back
=head1 OUTPUT
The following error message indicates that UID checking is enabled on the
translator machine and that the value provided for the B<-id> argument
differs from the issuer's local UID.
knfs: Translator in 'passwd sync' mode; remote uid must be the same as
local uid
=head1 EXAMPLES
The following example illustrates a typical use of this command. The
issuer C<smith> is working on the machine C<nfscli1.abc.com> and has user
ID C<1020> on that machine. The translator machine C<tx4.abc.com> uses an
AFS-modified login utility, so C<smith> obtains tokens for the ABC
Corporation cell automatically upon login via the B<telnet> program. She
then issues the B<klog> command to obtain tokens as C<admin> in the ABC
Corporation's test cell, C<test.abc.com>, and the B<knfs> command to
associate both tokens with the credential structure identified by machine
name C<nfs-cli1> and user ID C<1020>. She breaks the connection to C<tx4>
and works on C<nfscli1>.
% telnet tx4.abc.com
. . .
login: smith
Password:
AFS(R) login
% klog admin -cell test.abc.com
Password:
% knfs nfscli1.abc.com 1020
% exit
The following example shows user smith again connecting to the machine
C<tx4> via the B<telnet> program and discarding the tokens.
% telnet translator4.abc.com
. . .
login: smith
Password:
AFS(R) login
% knfs nfscli1.abc.com 1020 -unlog
% exit
=head1 PRIVILEGE REQUIRED
None
=head1 SEE ALSO
L<klog(1)>,
L<pagsh(1)>
=head1 COPYRIGHT
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.