jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-19 15:30:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e61efde323
openafs/doc/xml/AdminGuide/c24913.html

9663 lines
195 KiB
HTML
Raw Normal View History

xml-docbook-documentation-first-pass-20060915 needs more massaging to make it fit the tree, but, get it here first
2006-09-16 02:13:22 +01:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Creating and Deleting User Accounts with the uss Command Suite</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="AFS Administration Guide"
HREF="book1.html"><LINK
REL="UP"
TITLE="Managing Users and Groups"
HREF="p24911.html"><LINK
REL="PREVIOUS"
TITLE="Managing Users and Groups"
HREF="p24911.html"><LINK
REL="NEXT"
TITLE="Administering User Accounts"
HREF="c27596.html"></HEAD
><BODY
CLASS="chapter"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>AFS Administration Guide: Version 3.6</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="p24911.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="c27596.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="chapter"
><H1
><A
NAME="HDRWQ449"
></A
>Chapter 12. Creating and Deleting User Accounts with the uss Command Suite</H1
><P
></P
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command suite helps you create and delete AFS user accounts quickly and easily. You
can create a single account with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command, delete a single account with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> command, or create and delete multiple accounts with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
bulk</B
></SPAN
> command.</P
><P
>A single <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command can create a complete
AFS user account because the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter refers to a template file in which you
predefine the configuration of many account components. The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> command deletes most of
the components of a user account, but does not use a template file.</P
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> suite also easily incorporates shell scripts or other programs that you write to
perform parts of account creation and deletion unique to your site. To invoke a script or program automatically as a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command runs, use the appropriate instructions in the template file or bulk input file. Various
sections of this chapter discuss possible uses for scripts.</P
><P
>Using the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> commands to create and delete accounts is the recommended method because it
automates and correctly orders most of the necessary steps. The alternative is to issue a series of separate commands to the
various AFS servers, which requires more careful record keeping. For instructions, see <A
HREF="c27596.html"
>Administering User
Accounts</A
>.</P
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="HDRWQ450"
>Summary of Instructions</A
></H1
><P
>This chapter explains how to perform the following tasks by using the indicated commands:</P
><DIV
CLASS="informaltable"
><A
NAME="AEN24938"
></A
><TABLE
BORDER="0"
FRAME="void"
CLASS="CALSTABLE"
><COL
WIDTH="80*"><COL
WIDTH="20*"><TBODY
><TR
><TD
>Add a single user account</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
></TD
></TR
><TR
><TD
>Delete a single user account</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
></TD
></TR
><TR
><TD
>Add and delete multiple accounts</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
></TD
></TR
></TBODY
></TABLE
></DIV
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="HDRWQ452"
>Overview of the uss Command Suite</A
></H1
><P
>The commands in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> suite help you to automate the creation and deletion of AFS user
accounts: <UL
><LI
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command creates all of the components of an account, one account at a
time. It consults a template file that defines account configuration.</P
></LI
><LI
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> command deletes the major components of an account, one account at a
time. It does not use a template file, so you possibly need to perform additional tasks manually.</P
></LI
><LI
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command can create and delete multiple accounts. It refers to a bulk
input file that can contain any number of account-creation and deletion instructions, along with other instructions for
further automating the process.</P
></LI
></UL
></P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="Header_538"
>The Components of an AFS User Account</A
></H2
><P
>An AFS user account can have many components. The only two required components are entries in the Protection Database
and Authentication Database, but the other components add functionality and usability. The following information also appears
in a corresponding section of <A
HREF="c27596.html"
>Administering User Accounts</A
>, but is repeated here for your
convenience. <UL
><LI
><P
>A <SPAN
CLASS="emphasis"
><I
CLASS="emphasis"
>Protection Database entry</I
></SPAN
> defines the username (the name provided when authenticating with
AFS), and maps it to an AFS user ID (AFS UID), a number that the AFS servers use internally when referencing users. The
Protection Database also tracks the groups to which the user belongs. For details, see <A
HREF="c29323.html"
>Administering the Protection Database</A
>.</P
></LI
><LI
><P
>An <SPAN
CLASS="emphasis"
><I
CLASS="emphasis"
>Authentication Database entry</I
></SPAN
> records the user's AFS password in a scrambled form suitable
for use as an encryption key.</P
></LI
><LI
><P
>A home <SPAN
CLASS="emphasis"
><I
CLASS="emphasis"
>volume</I
></SPAN
> stores all the files in the user's home directory together on a single
partition of a file server machine. The volume has an associated quota that limits its size. For a complete discussion
of volumes, see <A
HREF="c8420.html"
>Managing Volumes</A
>.</P
></LI
><LI
><P
>A <SPAN
CLASS="emphasis"
><I
CLASS="emphasis"
>mount point</I
></SPAN
> makes the contents of the user's volume visible and accessible in the AFS
filespace, and acts as the user's home directory. For more details about mount points, see <A
HREF="c8420.html#HDRWQ183"
>About Mounting Volumes</A
>.</P
></LI
><LI
><P
>Full access permissions on the home directory's <SPAN
CLASS="emphasis"
><I
CLASS="emphasis"
>access control list (ACL)</I
></SPAN
> and ownership of
the directory (as displayed by the UNIX <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ls -ld</B
></SPAN
> command) enable the user to manage his
or her files. For details on AFS file protection, see <A
HREF="c31274.html"
>Managing Access Control
Lists</A
>.</P
></LI
><LI
><P
>A <SPAN
CLASS="emphasis"
><I
CLASS="emphasis"
>local password file entry</I
></SPAN
> (in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/etc/passwd</B
></SPAN
> file or
equivalent) of each AFS client machine enables the user to log in and access AFS files through the Cache Manager. A
subsequent section in this chapter further discusses local password file entries.</P
></LI
><LI
><P
>Other optional <SPAN
CLASS="emphasis"
><I
CLASS="emphasis"
>configuration files</I
></SPAN
> make the account more convenient to use. Such files help
the user log in and log out more easily, receive electronic mail, print, and so on.</P
></LI
></UL
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ453"
>Privilege Requirements for the uss Commands</A
></H2
><P
>To issue <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> commands successfully, you usually need all of the standard AFS
administrative privileges: membership in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:administrators</B
></SPAN
> group, inclusion in the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/usr/afs/etc/UserList</B
></SPAN
> file on every relevant server machine, and the
<SAMP
CLASS="computeroutput"
>ADMIN</SAMP
> flag on your Authentication Database entry. For details on administrative privilege,
see <A
HREF="c32432.html"
>Managing Administrative Privilege</A
>. </P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ454"
>Avoiding and Recovering from Errors and Interrupted Operations</A
></H2
><P
>As for any complex operation, there are a number of possible reasons that an account-creation or deletion operation can
halt before it completes. You can easily avoid several of the common reasons by making the following checks before issuing a
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command: <UL
><LI
><P
>Verify that you have all of the administrative privileges you need to complete an operation, as described in <A
HREF="c24913.html#HDRWQ453"
>Privilege Requirements for the uss Commands</A
>. The instructions for using the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
>, and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
bulk</B
></SPAN
> commands include this check as a step.</P
></LI
><LI
><P
>Proofread the template and bulk input files for correct syntax and acceptable values. For discussion, see <A
HREF="c24913.html#HDRWQ463"
>Constructing a uss Template File</A
> and <A
HREF="c24913.html#HDRWQ489"
>Constructing a Bulk Input
File</A
>.</P
></LI
><LI
><P
>Do not issue <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> commands when you are aware of network, server machine, or
server process outages. Because <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> operations affect so many components of AFS, it is
unlikely that the command can succeed when there are outages.</P
></LI
></UL
></P
><P
>Another way to avoid errors that halt an operation is to preview the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command by
combining the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
> flag with the other arguments to be used on the actual command. The
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter generates a screen trace of the actions to be performed by the actual
command, without performing them.</P
><P
>Using the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
> flag reveals many basic errors that can halt an operation,
particularly the ones due to incorrect syntax in the command line, template file, or bulk input file. It does not catch all
possible errors, however, because the command interpreter is not actually attempting to perform the actions it is tracing. For
example, a Volume Server outage does not necessarily halt the volume creation step when the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
> flag is included, because the command interpreter is not actually contacting the server; such
an outage halts the actual creation operation. </P
><P
>When the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter encounters error conditions minor enough that they do
not require halting the operation, it usually generates a message that begins with the string <SAMP
CLASS="computeroutput"
>uss:
Warning:</SAMP
> and describes the action it is taking to avoid halting. For example, if a user's Protection Database
entry already exists, the following message appears on the standard output stream:</P
><PRE
CLASS="programlisting"
>&#13; uss: Warning: User 'user' already in the protection database
The uid for user 'user' is AFS UID
</PRE
><P
>If an error is more serious, the word <SAMP
CLASS="computeroutput"
>Warning</SAMP
> does not appear in the message, which
instead describes why the command interpreter cannot perform the requested action. Not all of these errors cause the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> operation to halt, but they still require you to take corrective action. For example, attempting to
create a mount point fails if you lack the necessary permissions on the parent directory's ACL, or if the mount point pathname
in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field is malformed. However, this error does not cause the
creation operation to halt until later instructions in the template attempt to install subdirectories or files under the
nonexistent mount point.</P
><P
>If the command shell prompts returns directly after an error message, then the error generally was serious enough to
halt the operation. When an error halts account creation or deletion, the best way to recover is to find and fix the cause,
and then reissue the same <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command. </P
><P
>The following list describes what happens when components of a user's account already exist when you reissue an
account-creation command (the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command, or the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
bulk</B
></SPAN
> command when the bulk input file contains <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instructions): <UL
><LI
><P
>If the Protection Database entry already exists, a message confirms its existence and specifies the associated AFS
UID.</P
></LI
><LI
><P
>If the Authentication Database entry already exists, a message confirms its existence.</P
></LI
><LI
><P
>If the volume and associated Volume Location Database (VLDB) entry already exist, a message confirms their
existence. However, the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter does alter the volume's quota, mount
point, or ACL if any of the relevant fields in the template <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction have changed
since the command last ran. If the value in the mount_point field has changed, the command interpreter creates the new
mount point but does not remove any existing mount points.</P
></LI
><LI
><P
>If any of the fields in the template <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>A</B
></SPAN
> instruction have changed, the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter makes the changes without comment.</P
></LI
><LI
><P
>If a directory, file, or link defined by a template file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
>, or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
> instruction already exists, the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter
replaces the existing element with one that conforms to the template definition. To control whether the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter prompts for confirmation that you wish to overwrite a given element, use
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-overwrite</B
></SPAN
> flag to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command: <UL
><LI
><P
>If you include the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-overwrite</B
></SPAN
> flag, the command interpreter automatically
overwrites all elements without asking for confirmation.</P
></LI
><LI
><P
>If you omit the flag, the command interpreter prompts once for each account to ask if you want to overwrite
all elements associated with it.</P
></LI
></UL
></P
></LI
><LI
><P
>The command interpreter always reexecutes <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>X</B
></SPAN
> instructions in the template file. If
a command's result already holds, reissuing it has the same effect as reissuing it outside the context of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> commands.</P
></LI
></UL
></P
><P
>The following describes what happens when a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> command references account
components that have already been deleted. <UL
><LI
><P
>If the volume and VLDB entry no longer exist, a message confirms their absence.</P
></LI
><LI
><P
>If the Authentication Database entry no longer exists, a message confirms its absence.</P
></LI
></UL
></P
></DIV
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="HDRWQ455"
>Creating Local Password File Entries with uss</A
></H1
><P
>To obtain authenticated access to a cell's AFS filespace, a user must not only have a valid AFS token, but also an entry
in the local password file (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/etc/passwd</B
></SPAN
> or equivalent) of the AFS client machine. This section
discusses why it is important for the user's AFS UID to match to the UNIX UID listed in the local password file, the appropriate
value to put in the file's password field, and outlines a method for creating a single source password file.</P
><P
>For instructions on using the template file's <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction to generate local password
file entries automatically as part of account creation, see <A
HREF="c24913.html#HDRWQ458"
>Creating a Common Source Password
File</A
>.</P
><P
>The following information also appears in a corresponding section of <A
HREF="c27596.html"
>Administering User
Accounts</A
>, but is repeated here for your convenience. </P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ456"
>Assigning AFS and UNIX UIDs that Match</A
></H2
><P
>A user account is easiest to administer and use if the AFS user ID number (AFS UID) and UNIX UID match. All instructions
in the AFS documentation assume that they do.</P
><P
>The most basic reason to make AFS and UNIX UIDs the same is so that the owner name reported by the UNIX <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ls -l</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ls -ld</B
></SPAN
> commands makes sense for AFS files and directories.
Following standard UNIX practice, the File Server records a number rather than a username in an AFS file or directory's owner
field: the owner's AFS UID. When you issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ls -l</B
></SPAN
> command, it translates the UID to a
username according to the mapping in the local password file, not the AFS Protection Database. If the AFS and UNIX UIDs do not
match, the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ls -l</B
></SPAN
> command reports an unexpected (and incorrect) owner. The output can even
vary on different client machines if their local password files map the same UNIX UID to different names.</P
><P
>Follow the recommendations in the indicated sections to make AFS and UNIX UIDs match when you are creating accounts for
various types of users: <UL
><LI
><P
>If creating an AFS account for a user who already has a UNIX UID, see <A
HREF="c24913.html#HDRWQ459"
>Converting Existing
UNIX Accounts with uss</A
>.</P
></LI
><LI
><P
>If some users in your cell have existing UNIX accounts but the user for whom you are creating an AFS account does
not, then it is best to allow the Protection Server to allocate an AFS UID automatically. To avoid overlap of AFS UIDs
with existing UNIX UIDs, set the Protection Database's <SAMP
CLASS="computeroutput"
>max user id</SAMP
> counter higher than
the largest UNIX UID, using the instructions in <A
HREF="c29323.html#HDRWQ560"
>Displaying and Setting the AFS UID and GID
Counters</A
>.</P
></LI
><LI
><P
>If none of your users have existing UNIX accounts, allow the Protection Server to allocate AFS UIDs automatically,
starting either at its default or at the value you have set for the <SAMP
CLASS="computeroutput"
>max user id</SAMP
>
counter.</P
></LI
></UL
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ457"
>Specifying Passwords in the Local Password File</A
></H2
><P
>Authenticating with AFS is easiest for your users if you install and configure an AFS-modified login utility, which logs
a user into the local file system and obtains an AFS token in one step. In this case, the local password file no longer
controls a user's ability to login in most circumstances, because the AFS-modified login utility does not consult the local
password file if the user provides the correct AFS password. You can nonetheless use a password file entry's password field
(usually, the second field) in the following ways to control login and authentication: <UL
><LI
><P
>To prevent both local login and AFS authentication, place an asterisk ( * ) in the field. This is useful mainly in
emergencies, when you want to prevent a certain user from logging into the machine.</P
></LI
><LI
><P
>To prevent login to the local file system if the user does not provide the correct AFS password, place a character
string of any length other than the standard thirteen characters in the field. This is appropriate if you want to allow
only people with local AFS accounts to log into to your machines. A single <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>X</B
></SPAN
> or other
character is the most easily recognizable way to do this.</P
></LI
><LI
><P
>To enable a user to log into the local file system even after providing an incorrect AFS password, record a
standard UNIX encrypted password in the field by issuing the standard UNIX password-setting command (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>passwd</B
></SPAN
> or equivalent).</P
></LI
></UL
></P
><P
>If you do not use an AFS-modified login utility, you must place a standard UNIX password in the local password file of
every client machine the user will use. The user logs into the local file system only, and then must issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>klog</B
></SPAN
> command to authenticate with AFS. It is simplest if the passwords in the local password file and
the Authentication Database are the same, but this is not required. </P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ458"
>Creating a Common Source Password File</A
></H2
><P
>This section explains how to create a common source version of the local password file when using <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> commands to create user accounts. The sequence of steps is as follows: <OL
TYPE="1"
><LI
><P
>Include an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction in the template file to create a one-line file that has
the format of a local password file entry.</P
></LI
><LI
><P
>Incorporate the one-line file into the common source version of the local password file. It makes sense to store
this file in AFS. See the following two example scripts for automating this step.</P
></LI
><LI
><P
>Distribute the common password file to each client machine, perhaps by using the AFS <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>package</B
></SPAN
> utility as described in <A
HREF="c23832.html"
>Configuring Client Machines with the
package Program</A
>.</P
></LI
></OL
></P
><P
>As an example, the template file used by the ABC Corporation includes the following <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
>
instruction to create a file called <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>passwd_</B
></SPAN
>username in the directory <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com/common/etc/newaccts</B
></SPAN
> (the entire contents of the template file appear in <A
HREF="c24913.html#HDRWQ471"
>Example uss Templates</A
> and a full description of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction
appears in <A
HREF="c24913.html#HDRWQ476"
>Creating One-Line Files with the E Instruction</A
>):</P
><PRE
CLASS="programlisting"
>&#13; E /afs/.abc.com/common/etc/newaccts/passwd_$USER 0644 root \
"$USER:X:$UID:11:$NAME:$MTPT:/bin/csh"
</PRE
><P
>For the user Joe L. Smith with username <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>smith</B
></SPAN
>, this instruction creates a file called
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>passwd_smith</B
></SPAN
> which contains the following line:</P
><PRE
CLASS="programlisting"
>&#13; smith:X:1205:11:Joe L. Smith:/afs/abc.com/usr/usr1/smith:/bin/csh
</PRE
><P
>A shell script is probably the easiest way to incorporate a set of files created in this manner into a common source
password file, and two sample shell scripts appear here. To automate the process even further, you can create a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>cron</B
></SPAN
> process in a file server machine's <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/usr/afs/local/BosConfig</B
></SPAN
>
directory to execute the shell script, perhaps each day at a given time; for details, see <A
HREF="c6449.html#HDRWQ162"
>To create
and start a new process</A
>.</P
><DIV
CLASS="note"
><BLOCKQUOTE
CLASS="note"
><P
><B
>Note: </B
>The following example scripts are suggestions only. If you choose to use them, or to model similar scripts on them,
you must test that your script has the desired result, preferably in a test environment.</P
></BLOCKQUOTE
></DIV
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Example C Shell Script</B
></SPAN
></P
><P
>The first example is a simple C shell script suitable for the ABC Corporation cell. It incorporates the individual files
found in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com/common/uss/newaccts</B
></SPAN
> directory into a new version of the global
password file found in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com/common/etc</B
></SPAN
> directory, sorting the files into
alphabetical order. It takes care to save the current version with a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>.old</B
></SPAN
> extension, then
removes the individual files when done.</P
><PRE
CLASS="programlisting"
>&#13; set dir = /afs/.abc.com/common
cat $dir/uss/newaccts/passwd_* $dir/etc/passwd &#62;! $dir/etc/passwd.new
mv $dir/etc/passwd $dir/etc/passwd.old
sort $dir/etc/passwd.new &#62; $dir/etc/passwd
rm $dir/etc/passwd.new $dir/uss/newaccts/passwd_*
</PRE
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Example Bourne Shell Script</B
></SPAN
></P
><P
>The second, more elaborate, example is a Bourne shell script that first verifies that there are new <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>passwd_</B
></SPAN
>username files to be incorporated into the global password file. While running, it checks that
each new entry does not already exist. Like the shorter C shell example, it incorporates the individual files found in the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com/common/uss/newaccts</B
></SPAN
> directory into a new version of the global <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>passwd</B
></SPAN
> file found in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com/common/etc</B
></SPAN
> directory.</P
><PRE
CLASS="programlisting"
>&#13; #!/bin/sh
DESTDIR=/afs/.abc.com/common/uss/newaccts
cd $DESTDIR
DEST=/afs/.abc.com/common/etc
cp /afs/.abc.com/common/etc/passwd /afs/.abc.com/common/uss/newaccts/passwd
echo "copied in passwd file."
PASSWD=/afs/.abc.com/common/uss/newaccts/passwd
ENTRIES=`ls passwd_*`
case $ENTRIES in
"")
echo No new entry found to be added to passwd file
;;
*)
echo "Adding new users to passwd file."
for i in $ENTRIES
do
cat $i | awk -F: '{print $1 &#62; "foo"}'
USER=`cat foo`
case `egrep -e \^$USER\: $PASSWD` in
"")
echo adding $USER
cat $i &#62;&#62; $PASSWD
;;
*)
echo $USER already in passwd file
;;
esac
mv $i ../old.passdir/done_${i}
done
cd /afs/.abc.com/common/uss/newaccts
echo "sorting password file"
sort ${PASSWD} &#62; ${PASSWD}.sorted
echo "installing files"
install ${PASSWD}.sorted ${DEST}/passwd
echo "Password file is built, sorted and installed."
;;
esac
</PRE
></DIV
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="HDRWQ459"
>Converting Existing UNIX Accounts with uss</A
></H1
><P
>This section discusses the three main issues you need to consider if there are existing UNIX accounts to be converted to
AFS accounts.</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ460"
>Making UNIX and AFS UIDs Match</A
></H2
><P
>As previously mentioned, AFS users must have an entry in the local password file on every client machine from which they
access the AFS filespace as an authenticated user. Both administration and use are much simpler if the UNIX UID and AFS UID
match. When converting existing UNIX accounts, you have two alternatives: <UL
><LI
><P
>Make the AFS UIDs match the existing UNIX UIDs. In this case, you need to assign the AFS UID yourself as you
create an AFS account: <UL
><LI
><P
>If using the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command, include the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-uid</B
></SPAN
> argument.</P
></LI
><LI
><P
>If using the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command, specify the desired UID in the uid field of
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction in the bulk input file.</P
></LI
></UL
></P
><P
>Because you are retaining the user's UNIX UID, you do not need to alter the UID in the local password file entry.
However, if you are using an AFS-modified login utility, you possibly need to change the password field in the entry.
For a discussion of how the value in the password field affects login with an AFS-modified login utility, see <A
HREF="c24913.html#HDRWQ455"
>Creating Local Password File Entries with uss</A
>.</P
><P
>If now or in the future you need to create AFS accounts for users who do not have an existing UNIX UID, then you
must guarantee that new AFS UIDs do not conflict with any existing UNIX UIDs. The simplest way is to set the
<SAMP
CLASS="computeroutput"
>max user id</SAMP
> counter in the Protection Database to a value higher than the largest
existing UNIX UID. See <A
HREF="c29323.html#HDRWQ560"
>Displaying and Setting the AFS UID and GID Counters</A
>.</P
></LI
><LI
><P
>Change the existing UNIX UIDs to match the new AFS UIDs that the Protection Server assigns automatically.</P
><P
>Allow the Protection Server to allocate the AFS UIDs automatically as you create AFS accounts. For instructions on
creating a new entry for the local password file during account creation, see <A
HREF="c24913.html#HDRWQ455"
>Creating Local
Password File Entries with uss</A
>.</P
><P
>There is one drawback to changing the UNIX UID: any files and directories that the user owned in the local file
system before becoming an AFS user still have the former UID in their owner field. If you want the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ls -l</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ls -ld</B
></SPAN
> commands to display the correct owner, you must
use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>chown</B
></SPAN
> command to change the value to the user's new UID, whether you are
leaving the file in the local file system or moving it to AFS. See <A
HREF="c24913.html#HDRWQ462"
>Moving Local Files into
AFS</A
>.</P
></LI
></UL
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ461"
>Setting the Password Field Appropriately</A
></H2
><P
>Existing UNIX accounts already have an entry in the local password file, probably with a (scrambled) password in the
password field. You possibly need to change the value in the field, depending on the type of login utility you use:
<UL
><LI
><P
>If the login utility is not modified for use with AFS, the actual password must appear (in scrambled form) in the
password field of the local password file entry.</P
></LI
><LI
><P
>If the login utility is modified for use with AFS, choose one of the acceptable values, each of which affects the
login utility's behavior differently. See <A
HREF="c24913.html#HDRWQ455"
>Creating Local Password File Entries with
uss</A
>.</P
></LI
></UL
></P
><P
>If you choose to place an actual password in a local password file entry, then you can define a dummy password when you
use a template file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction to create the entry, as described in <A
HREF="c24913.html#HDRWQ476"
>Creating One-Line Files with the E Instruction</A
>. Have the user issue the UNIX password-setting
command (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>passwd</B
></SPAN
> or equivalent) to replace the dummy with an actual secret password.</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ462"
>Moving Local Files into AFS</A
></H2
><P
>New AFS users with existing UNIX accounts probably already own files and directories stored in a machine's local file
system, and it usually makes sense to transfer them into the new home volume. The easiest method is to move them onto the
local disk of an AFS client machine, and then use the UNIX <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>mv</B
></SPAN
> command to transfer them into
the user's new AFS home directory.</P
><P
>As you move files and directories into AFS, keep in mind that the meaning of their mode bits changes. AFS ignores the
second and third sets of mode bits (group and other), and does not use the first set (the owner bits) directly, but only in
conjunction with entries on the ACL (for details, see <A
HREF="c31274.html#HDRWQ580"
>How AFS Interprets the UNIX Mode Bits</A
>).
Be sure that the ACL protects the file or directory at least as securely as the mode bits.</P
><P
>If you have chosen to change a user's UNIX UID to match a new AFS UID, you must change the ownership of UNIX files and
directories as well. Only members of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:administrators</B
></SPAN
> group can issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>chown</B
></SPAN
> command on files and directories once they reside in AFS. </P
></DIV
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="HDRWQ463"
>Constructing a uss Template File</A
></H1
><P
>Creating user accounts with <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> commands is generally more convenient than using
individual commands. You control the account creation process just as closely, but the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
>
template file enables you to predefine many aspects of account configuration. Because you construct the template before issuing
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> commands, you have time to consider configuration details carefully and correct syntax
errors. The following list summarizes some further advantages of using a template: <UL
><LI
><P
>You do not have to remember the correct order in which to create or delete account components, or the order of each
command's arguments, which reduces the likelihood of errors.</P
></LI
><LI
><P
>You do not have to type the same information multiple times. Instead, you can place constants and variables in the
template file that enable you to type as little on the command line as possible. See <A
HREF="c24913.html#HDRWQ465"
>Using
Constants and Variables in the Template File</A
>.</P
></LI
><LI
><P
>You can create different templates for different types of users. Instead of having to remember which components
differ for a given user, specify the appropriate template when issuing the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> or
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command.</P
></LI
><LI
><P
>You can create any of the three types of AFS account (authentication-only, basic, or full) by including or omitting
certain information in the template, as described in <A
HREF="c24913.html#HDRWQ464"
>Creating the Three Types of User
Accounts</A
>.</P
></LI
></UL
></P
><P
>The following list briefly describes the instructions that can appear in a template file and points you to a later section
for more details. It lists them in the order that is usually optimal for correct handling of dependencies between the different
types of instruction. <DIV
CLASS="variablelist"
><DL
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G</B
></SPAN
></DT
><DD
><P
>Defines a directory that is one of a set of parent directories into which the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
>
command interpreter evenly distributes newly created home directories. Place the corresponding template file variable,
$AUTO, in the mount_point field of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction. See <A
HREF="c24913.html#HDRWQ472"
>Evenly Distributing User Home Directories with the G Instruction</A
> and <A
HREF="c24913.html#HDRWQ473"
>Creating a Volume with the V Instruction</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
></DT
><DD
><P
>Creates a volume, mounts it as the user's home directory at a specified location in the AFS filespace, sets the
volume's quota, and defines the owner and ACL for the directory. This instruction must appear in any template that is
not empty (zero-length). See <A
HREF="c24913.html#HDRWQ473"
>Creating a Volume with the V Instruction</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
></DT
><DD
><P
>Creates a directory, generally a subdirectory of the new home directory, and sets its mode bits, owner, and ACL.
See <A
HREF="c24913.html#HDRWQ474"
>Creating a Directory with the D Instruction</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
></DT
><DD
><P
>Creates a file by copying a prototype and sets its mode bits and owner. See <A
HREF="c24913.html#HDRWQ475"
>Creating a
File from a Prototype with the F Instruction</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
></DT
><DD
><P
>Creates a single-line file by copying in the contents of the instruction itself, then sets the file's mode bits
and owner. See <A
HREF="c24913.html#HDRWQ476"
>Creating One-Line Files with the E Instruction</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
></DT
><DD
><P
>Creates a hard link. See <A
HREF="c24913.html#HDRWQ477"
>Creating Links with the L and S Instructions</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
></DT
><DD
><P
>Creates a symbolic link. See <A
HREF="c24913.html#HDRWQ477"
>Creating Links with the L and S Instructions</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>A</B
></SPAN
></DT
><DD
><P
>Improves account security by imposing restrictions on passwords and authentication attempts. See <A
HREF="c24913.html#HDRWQ478"
>Increasing Account Security with the A Instruction</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>X</B
></SPAN
></DT
><DD
><P
>Executes a command. See <A
HREF="c24913.html#HDRWQ479"
>Executing Commands with the X Instruction</A
>.</P
></DD
></DL
></DIV
></P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ464"
>Creating the Three Types of User Accounts</A
></H2
><P
>Using the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> commands, you can
create three types of accounts that differ in their levels of functionality. For a description of the types, see <A
HREF="c667.html#HDRWQ57"
>Configuring AFS User Accounts</A
>. The following list explains how to construct a template for each type:
<UL
><LI
><P
>To create an authentication-only account, create an empty (zero-length) template file. Such an account has only
two components: entries in the Authentication Database and Protection Database.</P
></LI
><LI
><P
>To create a basic account, include a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction, and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G</B
></SPAN
> instructions if you want to distribute home directories evenly as described in <A
HREF="c24913.html#HDRWQ472"
>Evenly Distributing User Home Directories with the G Instruction</A
>. In addition to
Authentication Database and Protection Database entries, this type of account includes a volume mounted at the home
directory with owner and ACL set appropriately.</P
></LI
><LI
><P
>To create a full account, include <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
>,
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
>, and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
>
instructions as appropriate, in addition to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G</B
></SPAN
> instructions. This type of account includes configuration files for basic functions such as
logging in, printing, and mail delivery. For a discussion of some useful types of configuration files, see <A
HREF="c667.html#HDRWQ60"
>Creating Standard Files in New AFS Accounts</A
>.</P
></LI
></UL
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ465"
>Using Constants and Variables in the Template File</A
></H2
><P
>Each instruction in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> template file has several fields that define the
characteristics of the element that it creates. The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
> instruction's fields, for instance,
define a directory's pathname, owner, mode bits, and ACL.</P
><P
>You can place three types of values in a field: a variable, a constant, or a combination of the two. The appropriate
value depends on the desired configuration, and determines which arguments you provide to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
add</B
></SPAN
> command or which fields you include in a bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
>
instruction.</P
><P
>If an aspect of account configuration is the same for every user, define a constant value in the appropriate field by
inserting a character string. For example, to assign a space quota of 10,000 KB to every user volume, place the string
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>10000</B
></SPAN
> in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's quota field.</P
><P
>If, on the other hand, an aspect of account configuration varies for each user, put a variable in the appropriate field.
When creating each account, provide a value for the variable by providing either the corresponding argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or a value in the corresponding field of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
>
instruction in the bulk input file.</P
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command suite defines a set of template variables, each of which has a
corresponding source for its value, as summarized in <A
HREF="c24913.html#TBLWQ466"
>Table 3</A
>. For a discussion of their
intended uses, see the following sections about each template instruction (<A
HREF="c24913.html#HDRWQ473"
>Creating a Volume with the
V Instruction</A
> through <A
HREF="c24913.html#HDRWQ479"
>Executing Commands with the X Instruction</A
>).</P
><DIV
CLASS="table"
><A
NAME="TBLWQ466"
></A
><TABLE
BORDER="1"
CLASS="CALSTABLE"
><COL
WIDTH="20*"><COL
WIDTH="80*"><THEAD
><TR
><TH
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Variable</B
></SPAN
></TH
><TH
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Source for value</B
></SPAN
></TH
></TR
></THEAD
><TBODY
><TR
><TD
>$AUTO</TD
><TD
>Previous <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G</B
></SPAN
> instructions in template</TD
></TR
><TR
><TD
>$MTPT</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-mount</B
></SPAN
> argument to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or
mount_point field of bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction, when in <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction; <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field when in
subsequent instructions</TD
></TR
><TR
><TD
>$NAME</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-realname</B
></SPAN
> argument to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or
mount_point field of bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction, if provided; otherwise,
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
> argument to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or username field
of in bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction</TD
></TR
><TR
><TD
>$PART</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-partition</B
></SPAN
> argument to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or
partition field of bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction</TD
></TR
><TR
><TD
>$PWEXPIRES</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-pwexpires</B
></SPAN
> argument to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or
password_expires field of bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction</TD
></TR
><TR
><TD
>$SERVER</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-server</B
></SPAN
> argument to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or
file_server field of bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction</TD
></TR
><TR
><TD
>$UID</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-uid</B
></SPAN
> argument to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or uid field
of bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction, if provided; otherwise, allocated automatically
by Protection Server</TD
></TR
><TR
><TD
>$USER</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
> argument to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or username
field of bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction</TD
></TR
><TR
><TD
>$1 through $9</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-var</B
></SPAN
> argument to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or var1
through var9 fields of bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction</TD
></TR
></TBODY
></TABLE
><P
><B
>Table 3. Source for values of uss template variables</B
></P
></DIV
><P
>A common use of variables is to define the file server machine and partition that house the user's volume, which often
vary from user to user. Place the $SERVER variable in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's server field, and
the $PART variable in its partition field. If using the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command, provide the desired
value with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-server</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-partition</B
></SPAN
> arguments. If using
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command, provide the desired values in the file_server and partition fields of
each user's <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction in the bulk input file. </P
><P
>The variables $1 through $9 can be used to customize other aspects of the account. Provide a value for these variables
with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-var</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or in the
appropriate field of the bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction. The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-var</B
></SPAN
> argument is unusual in that each instance for it has two parts: the number index and the value,
separated by a space. For examples of the use of a number variable, see the discussions of the mount_point and quota fields in
<A
HREF="c24913.html#HDRWQ473"
>Creating a Volume with the V Instruction</A
>.</P
><P
>If some aspect of account configuration is partly constant and partly variable, you can combine variables and constants
in an instruction field. For example, suppose that the ABC Corporation mounts user volumes in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/abc.com/usr</B
></SPAN
> directory. That part of the pathname is constant, but the name of the mount point and
home directory is the user's username, which corresponds to the $USER variable. To configure accounts in this way, combine a
constant string and a variable in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field as follows:</P
><PRE
CLASS="programlisting"
>&#13; /afs/abc.com/usr/$USER
</PRE
><P
>Then provide the value for the $USER variable with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command, or in the username field of each user's <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
>
instruction in the bulk input file. </P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ468"
>Where to Place Template Files</A
></H2
><P
>A template must be available to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter as it executes a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command, even if it is the zero-length file
appropriate for creating an authentication-only account.</P
><P
>If you do not provide the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-template</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
add</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command, then the command interpreter searches for a template file
called <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss.template</B
></SPAN
> in each of the following directories in turn: <OL
TYPE="1"
><LI
><P
>The current working directory</P
></LI
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/cellname/common/uss</B
></SPAN
>, where cellname is the local cell</P
></LI
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/etc</B
></SPAN
></P
></LI
></OL
></P
><P
>To use a template file with a different name or stored in a different directory, include the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-template</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
bulk</B
></SPAN
> command. If you provide a filename only, the command interpreter looks for it in the directories listed just
previously. If you provide a pathname and filename, it looks only in the specified directory, interpreting a partial pathname
relative to the current working directory. </P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ469"
>Some General Rules for Constructing a Template</A
></H2
><P
>This section summarizes some general rules to follow when constructing a template file. For each instruction's syntax
definition, see the following sections (<A
HREF="c24913.html#HDRWQ472"
>Evenly Distributing User Home Directories with the G
Instruction</A
> through <A
HREF="c24913.html#HDRWQ479"
>Executing Commands with the X Instruction</A
>). <UL
><LI
><P
>If a variable takes its value from an element elsewhere within the template, the definition must precede the
reference. Putting the instruction lines in the following order usually results in correct resolution of
variables:</P
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G V D F E L S A X</B
></SPAN
></P
></LI
><LI
><P
>The fields in each instruction must appear in the order specified by the instruction's syntax definition, which
appear in the following sections about each instruction. You cannot omit a field. Separate each field from its neighbors
with one or more spaces.</P
></LI
><LI
><P
>When specifying a pathname, provide a full one. Partial pathnames are interpreted relative to the current working
directory (the one in which the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command is issued), with possibly unintended
results.</P
></LI
><LI
><P
>Each instruction must appear on a single line in the template file, with a newline character (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>&#60;Return&#62;</B
></SPAN
>) only at the end of the instruction. Some example instructions appear in this
document on more than one line, but that is only for legibility.</P
></LI
><LI
><P
>Provide a value for every variable that appears in the template by including the corresponding argument to the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or placing a value in the corresponding field of the bulk input file
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction. A missing value halts the entire creation operation. If a variable
does not appear in the template file, the command interpreter ignores the corresponding command-line argument or field
in the bulk input file, even if you provide it.</P
></LI
><LI
><P
>You can use blank lines in the template file to increase its legibility. If you place comments in the file, begin
each comment line with the number sign (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>#</B
></SPAN
>).</P
></LI
></UL
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ470"
>About Creating Local Disk Directories and Files</A
></H2
><P
>It is possible to use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
>, and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> instructions to create directories or files in the local file system of the machine on which you are
issuing the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command, but that usage is not recommended. It introduces two potential
complications: <UL
><LI
><P
>The local file system automatically assigns ownership of a new local disk directory or file to its creator.
Because you are the issuer of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command that is creating the object, it records
your current UNIX UID. If that is not appropriate and you want to designate another owner as the object is created, then
you must be logged in as the local superuser <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>root</B
></SPAN
> (the local file system allows only
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>root</B
></SPAN
> user to issue the UNIX <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>chown</B
></SPAN
> command, which
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter invokes to change the owner from the default value). You
must also use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-admin</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> or
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command to authenticate as a privileged AFS administrator. Only an
administrator can create Authentication Database and Protection Database entries, which the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter always creates as part of a new account.</P
><P
>The alternative is to become the local superuser <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>root</B
></SPAN
> after the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> operation completes, and issue the necessary <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>chown</B
></SPAN
> command
then. However, that makes the account creation process that much less automated.</P
></LI
><LI
><P
>Creating a local disk directory always generates an error message because the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
>
command interpreter cannot successfully set a local directory's ACL. The directory is created nevertheless, and a value
still must appear in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
> instruction's ACL field.</P
></LI
></UL
></P
><P
>The recommended method for configuring a machine's local disk is to use the AFS <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>package</B
></SPAN
>
utility instead; see <A
HREF="c23832.html"
>Configuring Client Machines with the package Program</A
>. </P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ471"
>Example uss Templates</A
></H2
><P
>This section describes example templates for the basic and full account types (the template for an authentication-only
account is empty).</P
><P
>The first example creates a basic account. It contains two <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G</B
></SPAN
> instructions and a
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction that defines the volume name, file server machine, partition, quota in
kilobytes, mount point, home directory owner, and home directory access control list. In the ABC Corporation cell, a suitable
template is:</P
><PRE
CLASS="programlisting"
>&#13; G /afs/.abc.com/usr1
G /afs/.abc.com/usr2
V user.$USER $SERVER.abc.com /vicep$PART 5000 $AUTO/$USER $UID \
$USER all staff rl
</PRE
><P
>When issuing the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command with this type of template, provide the following
arguments: <UL
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
> to specify the username for the $USER variable</P
></LI
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-server</B
></SPAN
> to specify the unique part of the file server machine name for the
$SERVER variable</P
></LI
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-partition</B
></SPAN
> to specify the unique part of the partition name for the $PART
variable</P
></LI
></UL
></P
><P
>The Protection Server automatically assigns an AFS UID for the $UID variable, and the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G</B
></SPAN
>
instructions provide a value for the $AUTO variable.</P
><P
>The following example template file creates a full account in the ABC Corporation cell. The following sections about
each type of instruction describe the effect of the examples. Note that the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instructions appear on two lines each only for the sake of legibility.</P
><PRE
CLASS="programlisting"
>&#13; #
# Specify the available grouping directories
#
G /afs/.abc.com/usr1
G /afs/.abc.com/usr2
#
# Create the user's home volume
#
V user.$USER $SERVER.abc.com /vicep$PART 5000 /afs/.abc.com/$AUTO/$USER \
$UID $USER all abc:staff rl
#
# Create directories and files for mail
#
D $MTPT/.MESSAGES 0700 $UID $USER all abc:staff none
D $MTPT/.Outgoing 0700 $UID $USER rlidwk postman rlidwk
D $MTPT/Mailbox 0700 $UID $USER all abc:staff none system:anyuser lik
#
# Here are some useful scripts for login etc.
#
F $MTPT/.Xbiff 0755 $UID /afs/abc.com/admin/user/proto
F $MTPT/.Xresources 0644 $UID /afs/abc.com/admin/user/proto
F $MTPT/.Xsession 0755 $UID /afs/abc.com/admin/user/proto
F $MTPT/.cshrc 0755 $UID /afs/abc.com/admin/user/proto
F $MTPT/.login 0755 $UID /afs/abc.com/admin/user/proto
F $MTPT/.logout 0755 $UID /afs/abc.com/admin/user/proto
F $MTPT/.twmrc 0644 $UID /afs/abc.com/admin/user/proto
F $MTPT/preferences 0644 $UID /afs/abc.com/admin/user/proto
#
# Make a passwd entry
#
E /afs/.abc.com/common/etc/newaccts/passwd_$USER 0644 root \
"$USER:X:$UID:11:$NAME:$MTPT:/bin/csh"
#
# Put in the standard password/authentication checks
#
A $USER 250 noreuse 9 25
#
# Create and mount a public volume for the user
#
X "create_public_vol $USER $1 $2"
#
# Here we set up the symbolic link to public directory
#
S /afs/abc.com/public/$USER $MTPT/public
</PRE
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ472"
>Evenly Distributing User Home Directories with the G Instruction</A
></H2
><P
>In cells with thousands of user accounts, it often makes sense to distribute the mount points for user volumes into
multiple parent directories, because placing them all in one directory noticeably slows down directory lookup when a user home
directory is accessed. A possible solution is to create parent directories that group user home directories alphabetically, or
that reflect divisions like academic or corporate departments. However, in a really large cell, some such groups can still be
large enough to slow directory lookup, and users who belong to those groups are unfairly penalized every time they access
their home directory. Another drawback to groupings that reflect workplace divisions is that you must move mount points when
users change departmental affiliation.</P
><P
>An alternative is an even distribution of user home directories into multiple parent directories that do not represent
workplace divisions. The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command suite enables you to define a list of directories by
placing a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G</B
></SPAN
> instruction for each one at the top of the template file, and then using the
$AUTO variable in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field. When the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter encounters the $AUTO variable, it substitutes the directory named by a
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G</B
></SPAN
> instruction that currently has the fewest entries. (Actually, the $AUTO variable can appear
in any field that includes a pathname, in any type of instruction. In all cases, the command interpreter substitutes the
directory that currently has the fewest entries.)</P
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G</B
></SPAN
> instruction's syntax is as follows:</P
><PRE
CLASS="programlisting"
>&#13; G directory
</PRE
><P
>where directory specifies either a complete directory pathname or only the final element (the directory itself). The
choice determines the appropriate value to place in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point
field.</P
><P
>Specify the read/write path to each directory, to avoid the failure that results when you attempt to create a new mount
point in a read-only volume. By convention, you indicate the read/write path by placing a period before the cell name at the
pathname's second level (for example, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com</B
></SPAN
>). For further discussion of the concept
of read/write and read-only paths through the filespace, see <A
HREF="c8420.html#HDRWQ208"
>Mounting Volumes</A
>.</P
><P
>For example, the ABC Corporation example template for a full account in <A
HREF="c24913.html#HDRWQ471"
>Example uss
Templates</A
> defines two directories:</P
><PRE
CLASS="programlisting"
>&#13; G /afs/.abc.com/usr1
G /afs/.abc.com/usr2
</PRE
><P
>and puts the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>$AUTO/$USER</B
></SPAN
> in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's
mount_point field. An alternative with the same result is to define the directories as follows:</P
><PRE
CLASS="programlisting"
>&#13; G usr1
G usr2
</PRE
><P
>and specify a more complete pathname in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field:
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com/$AUTO/$USER</B
></SPAN
>. </P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ473"
>Creating a Volume with the V Instruction</A
></H2
><P
>Unless the template file is empty (zero-length), one and only one <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction must
appear in it. (To create other volumes for a user as part of a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> account-creation
operation, use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>X</B
></SPAN
> instruction to invoke the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>vos create</B
></SPAN
>
command or a script that invokes that command along with others, such as the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs mkmount</B
></SPAN
>
command. For an example, see <A
HREF="c24913.html#HDRWQ479"
>Executing Commands with the X Instruction</A
>.)</P
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction defines the following AFS entities:</P
><UL
><LI
><P
>A volume and associated VLDB entry</P
></LI
><LI
><P
>The volume's site (file server machine and partition)</P
></LI
><LI
><P
>The volume's mount point in the AFS filespace, which becomes the user's home directory</P
></LI
><LI
><P
>The volume's space quota</P
></LI
><LI
><P
>The home directory's owner, usually the new user</P
></LI
><LI
><P
>The home directory's ACL, which normally at least grants all permissions to the user</P
></LI
></UL
><P
>The following discussion of the fields in a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction refers to the example in the
full account template from <A
HREF="c24913.html#HDRWQ471"
>Example uss Templates</A
> (the instruction appears here on two lines
only for legibility):</P
><PRE
CLASS="programlisting"
>&#13; V user.$USER $SERVER.abc.com /vicep$PART 5000 \
/afs/.abc.com/$AUTO/$USER $UID $USER all abc:staff rl
</PRE
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's syntax is as follows:</P
><PRE
CLASS="programlisting"
>&#13; V volume_name server partition quota mount_point owner ACL
</PRE
><P
>where <DIV
CLASS="variablelist"
><DL
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
></DT
><DD
><P
>Indicates a volume creation instruction.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>volume_name</B
></SPAN
></DT
><DD
><P
>Specifies the volume's name as recorded in the VLDB.</P
><P
>To follow the convention of including the user's name as part of the volume name, include the $USER variable in
this field. The variable takes its value from the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or from the bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction's
username field.</P
><P
>The ABC Corporation example uses the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>user.$USER</B
></SPAN
> to assign the
conventional volume name, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>user.</B
></SPAN
>username. When creating an account for user <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>smith</B
></SPAN
>, for example, you then include <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user smith</B
></SPAN
> as an
argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command, or place the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>smith</B
></SPAN
> in the bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction's username
field.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>server</B
></SPAN
></DT
><DD
><P
>Names the file server machine on which to create the new volume. It is best to provide a fully qualified host
name (for example, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs1.abc.com</B
></SPAN
>), but an abbreviated form is acceptable if the cell's
naming service is available to resolve it at the time the volume is created.</P
><P
>To place different users' volumes on different file server machines, use the $SERVER variable in this field, and
provide a value for it either with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-server</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or in the server field of the bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction. One easy way to specify a fully qualified hostname without having to type it
completely on the command line is to combine a constant and the $SERVER variable. Specifically, the constant specifies
the domain-name suffix common to all the file server machines.</P
><P
>In the ABC Corporation example, all of the file server machines in the cell share the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>abc.com</B
></SPAN
> domain name suffix, so the server field combines a variable and constant: <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>$SERVER.abc.com</B
></SPAN
>. To place the new volume on the machine <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs1.abc.com</B
></SPAN
>, you then include <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-server fs1</B
></SPAN
> as an argument to
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command, or place the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs1</B
></SPAN
> in the
bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction's server field.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>partition</B
></SPAN
></DT
><DD
><P
>Specifies the partition on which to create the user's volume; it must be on the file server machine named in the
server field. Identify the partition by its complete name (for example, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/vicepa</B
></SPAN
>) or
use one of the abbreviations listed in <A
HREF="a33826.html#HDRWQ615"
>Rules for Using Abbreviations and
Aliases</A
>.</P
><P
>To place different users' volumes on different partitions, use the $PART variable in this field, and provide a
value for it either with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-partition</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
add</B
></SPAN
> command or in the partition field of the bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
>
instruction. Because all full partition names start with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/vicep</B
></SPAN
> string, it is
convenient to combine that string as a constant with the $PART variable.</P
><P
>The ABC Corporation example template combines the constant string <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/vicep</B
></SPAN
> and
the $PART variable in this way, as <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/vicep$PART</B
></SPAN
>. </P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>quota</B
></SPAN
></DT
><DD
><P
>Sets the maximum number of kilobyte blocks the volume can occupy on the file server machine's disk. It must be
an integer. If you assign the same quota to all user volumes, specify a constant value. To assign different quotas to
different volumes, place one of the number variables ($1 through $9) in this field, and provide a value for it either
with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-var</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or in
the appropriate field of the bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction.</P
><P
>The ABC Corporation example grants a 5000 KB initial quota to every new user. </P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>mount_point</B
></SPAN
></DT
><DD
><P
>Creates a mount point for the volume, which serves as the volume's root directory and the user's home directory.
By convention, user home directory names include the username, which you can read in by including the $USER variable
in this field.</P
><P
>Specify the read/write path to the mount point, to avoid the failure that results when you attempt to create the
new mount point in a read-only volume. By convention, you indicate the read/write path by placing a period before the
cell name at the pathname's second level (for example, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com</B
></SPAN
>). If you use the
$AUTO variable in this field, the directories named by each <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G</B
></SPAN
> instruction possibly
already indicate the read/write path. For further discussion of the concept of read/write and read-only paths through
the filespace, see <A
HREF="c8420.html#HDRWQ208"
>Mounting Volumes</A
>.</P
><P
>If other parts of the mount point name also vary from user to user, you can use the $MTPT variable in this
field, and provide a value with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command's <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-mount</B
></SPAN
> argument or in the mount_point field of a bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction. Note, however, that when the $MTPT variable appears in subsequent instructions
in the template (usually, in <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
>, or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> instructions), it instead takes as its value the complete contents of this field.</P
><P
>Combine constants and variables based on how you have decided to group home directories together in one or more
parent directories. Note that the parent directories must already exist before you run a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
add</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command that references the template. Possibilities for
grouping home directories include the following: <UL
><LI
><P
>Placing all user home directories in a single parent directory; the name <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/</B
></SPAN
>cellname<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/usr</B
></SPAN
> is an AFS-appropriate variation on the
UNIX <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/usr</B
></SPAN
> convention. This choice is most appropriate for a cell with a small
number of user accounts. The simplest way to implement this choice is to combine a constant string and the $USER
variable, as in <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com/usr/$USER</B
></SPAN
>.</P
></LI
><LI
><P
>Distributing home directories evenly into a set of parent directories that do not correspond to workplace
divisions. This choice is appropriate in cells with tens of thousands of accounts, where the number of home
directories is large enough to slow directory lookup significantly if they all reside together in one parent
directory, but distribution according to workplace divisions is not feasible.</P
><P
>The $AUTO variable is designed to distribute home directories evenly in this manner. As explained in <A
HREF="c24913.html#HDRWQ472"
>Evenly Distributing User Home Directories with the G Instruction</A
>, the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter substitutes the directory that is defined by a preceding
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>G</B
></SPAN
> template instruction and that currently has the fewest entries. The example
ABC Corporation template illustrates this choice by using the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com/$AUTO/$USER</B
></SPAN
>.</P
></LI
><LI
><P
>Distributing home directories into multiple directories that reflect divisions like academic or corporate
departments. Perhaps the simplest way to implement this scheme is to use the $MTPT variable to represent the
department, as in <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.ghi.com/usr/$MTPT/$USER</B
></SPAN
>. You then provide <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user smith</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-mount acctg</B
></SPAN
> arguments to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command to create the mount point <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.ghi.com/usr/acctg/smith</B
></SPAN
>.</P
></LI
><LI
><P
>Distributing home directories into alphabetic subdirectories of <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>usr</B
></SPAN
>
(<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>usr/a</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>usr/b</B
></SPAN
> and so on), based on the first
letter or letters in the username. The advantage is that knowing the username enables you easily to locate a
home directory. A potential drawback is that the distribution is not likely to be even, and if there are a large
number of accounts, then slowed directory lookup unfairly affects users whose names begins with popular
letters.</P
><P
>Perhaps the simplest way to implement this scheme is to use the $MTPT variable to represent the letter or
letters, as in <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.jkl.com/usr/$MTPT/$USER</B
></SPAN
>. Then provide the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user smith</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-mount s/m</B
></SPAN
> arguments to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command to create the mount point <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.jkl.com/usr/s/m/smith</B
></SPAN
>.</P
></LI
></UL
></P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>owner</B
></SPAN
></DT
><DD
><P
>Specifies the username or UID of the user to be designated the mount point's owner in the output from the UNIX
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ls -ld</B
></SPAN
> command. To follow the standard convention for home directory ownership, use
the $UID variable in this field, as in the ABC Corporation example template. The Protection Server then automatically
assigns an AFS UID unless you provide the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-uid</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or fill in the uid field in the bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction. (If you are converting existing UNIX accounts, see the discussion of
additional considerations in <A
HREF="c24913.html#HDRWQ459"
>Converting Existing UNIX Accounts with uss</A
>.) </P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ACL</B
></SPAN
></DT
><DD
><P
>Sets the ACL on the new home directory. Provide one or more paired values, each pair consisting of an AFS
username or group name and the desired permissions, in that order (a group name must already exist in the Protection
Database to be used). Separate the two parts of the pair, and each pair, with a space. For a discussion of the
available permissions, see <A
HREF="c31274.html#HDRWQ567"
>The AFS ACL Permissions</A
>.</P
><P
>At minimum, grant all permissions to the new user by including the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>$USER
all</B
></SPAN
> in this field. The File Server automatically grants all permissions to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:administrators</B
></SPAN
> group as well. You cannot grant permissions to the issuer of the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command, because as the last step in account creation the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter automatically deletes that user from any ACLs set during the creation
process.</P
><P
>The ABC Corporation example uses the following value to grant all permissions to the new user and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>r</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>read</B
></SPAN
>) and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>l</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>lookup</B
></SPAN
>) permissions to the members of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>abc:staff</B
></SPAN
>
group:</P
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>$USER all abc:staff rl</B
></SPAN
></P
></DD
></DL
></DIV
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ474"
>Creating a Directory with the D Instruction</A
></H2
><P
>Each <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
> instruction in the template file creates a directory; there is no limit on the
number of them in the template. If a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
> instruction creates a subdirectory in a new user's
home directory (its intended use), then it must follow the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction. Creating a
directory on the local disk of the machine where the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command runs is not recommended for
the reasons outlined in <A
HREF="c24913.html#HDRWQ470"
>About Creating Local Disk Directories and Files</A
>.</P
><P
>The following discussion of the fields in a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
> instruction refers to one of the examples
in the full account template in <A
HREF="c24913.html#HDRWQ471"
>Example uss Templates</A
>:</P
><PRE
CLASS="programlisting"
>&#13; D $MTPT/Mailbox 0700 $UID $USER all abc:staff none system:anyuser lik
</PRE
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
> instruction's syntax is as follows:</P
><PRE
CLASS="programlisting"
>&#13; D pathname mode_bits owner ACL
</PRE
><P
>where <DIV
CLASS="variablelist"
><DL
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
></DT
><DD
><P
>Indicates a directory creation instruction.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pathname</B
></SPAN
></DT
><DD
><P
>Specifies the directory's full pathname. If it is a subdirectory of the user's home directory, it is simplest to
use the $MTPT variable to specify the home directory pathname. When the $MTPT variable appears in a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
> instruction, it takes its value from the preceding <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
>
instruction's mount_point field (this dependency is why a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
> instruction must follow
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction).</P
><P
>Specify the read/write pathname to the directory, to avoid the failure that results when you attempt to create a
new directory in a read-only volume. By convention, you indicate the read/write path by placing a period before the
cell name at the pathname's second level (for example, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com</B
></SPAN
>). If you use the
$MTPT variable in this field, the value in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field
possibly already indicates the read/write path. For further discussion of the concept of read/write and read-only
paths through the filespace, see <A
HREF="c8420.html#HDRWQ208"
>Mounting Volumes</A
>.</P
><P
>The ABC Corporation example uses the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>$MTPT/Mailbox</B
></SPAN
> to place the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Mailbox</B
></SPAN
> subdirectory in the user's home directory.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>mode_bits</B
></SPAN
></DT
><DD
><P
>Defines the directory's UNIX mode bits. Acceptable values are the standard three- or four-digit numbers
corresponding to a combination of permissions. Examples: <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0755</B
></SPAN
> corresponds to
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>rwxr-xr-x</B
></SPAN
>, and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0644</B
></SPAN
> to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>rw-r--r--</B
></SPAN
>. The first (owner) <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>x</B
></SPAN
> bit must be turned on to enable
access to a directory.</P
><P
>The ABC Corporation example uses the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0700</B
></SPAN
> to set the mode bits on the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Mailbox</B
></SPAN
> subdirectory to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>rwxr-----</B
></SPAN
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>owner</B
></SPAN
></DT
><DD
><P
>Specifies the username or UID of the user to be designated the directory's owner in the output from the UNIX
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ls -ld</B
></SPAN
> command.</P
><P
>If the directory resides in AFS, place the $UID variable in this field, as in the ABC Corporation example
template. The Protection Server then automatically assigns an AFS UID unless you provide the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-uid</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or fill in the uid field
in the bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction. (If you are converting existing UNIX
accounts, see the discussion of additional considerations in <A
HREF="c24913.html#HDRWQ459"
>Converting Existing UNIX
Accounts with uss</A
>.)</P
><P
>If the directory resides on the local disk, it is simplest to specify the username or UNIX UID under which you
are issuing the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command. For a discussion of the complications that arise from
designating another user, see <A
HREF="c24913.html#HDRWQ470"
>About Creating Local Disk Directories and Files</A
>.
</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ACL</B
></SPAN
></DT
><DD
><P
>Sets the ACL on the new directory. Provide one or more paired values, each pair consisting of an AFS username or
group name and the desired permissions, in that order (a group name must already exist in the Protection Database to
be used). Separate the two parts of the pair, and each pair, with a space. For a description of the available
permissions, see <A
HREF="c31274.html#HDRWQ567"
>The AFS ACL Permissions</A
>.</P
><P
>At minimum, grant all permissions to the new user by including the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>$USER
all</B
></SPAN
>. You cannot grant permissions to the issuer of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command,
because as the last step in account creation the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter
automatically deletes that user from any ACLs set during the creation process. An error message always appears if the
directory is on the local disk, as detailed in <A
HREF="c24913.html#HDRWQ470"
>About Creating Local Disk Directories and
Files</A
>.</P
><P
>The ABC Corporation example uses the following value to grant all permissions to the new user, no permissions to
the members of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>abc:staff</B
></SPAN
> group, and the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>l</B
></SPAN
>
(<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>lookup</B
></SPAN
>), <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>i</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>insert</B
></SPAN
>), and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>k</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>lock</B
></SPAN
>)
permissions to the members of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:anyuser</B
></SPAN
> group:</P
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>$USER all abc:staff none system:anyuser lik</B
></SPAN
></P
><P
>It grants such extensive permissions to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:anyuser</B
></SPAN
> group to enable any
system user (including a mail-delivery daemon) to insert mail into the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Mailbox</B
></SPAN
>
directory. The absence of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>r</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>read</B
></SPAN
>) permission
prevents members of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:anyuser</B
></SPAN
> group from reading the mail files.</P
></DD
></DL
></DIV
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ475"
>Creating a File from a Prototype with the F Instruction</A
></H2
><P
>Each <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> instruction in the template file creates a file by copying the contents of an
existing prototype file; there is no limit on the number of them in the template, and each can refer to a different prototype.
If an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> instruction creates a file in a new user's home directory or a subdirectory of it
(the intended use), then it must follow the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
>
instruction that creates the parent directory. Creating a file on the local disk of the machine where the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command runs is not recommended for the reasons detailed in <A
HREF="c24913.html#HDRWQ470"
>About Creating
Local Disk Directories and Files</A
>.</P
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction also creates a file, but the two types of instruction have
complementary advantages. Files created with an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction can be customized for each
user, because variables can appear in the field that specifies the contents of the file. In contrast, the contents of a file
created using the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> instruction are the same for every user. An <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> file can be only a single line, however, whereas an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> file can be
any length.</P
><P
>The following discussion of the fields in a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> instruction refers to one of the examples
in the full account template in <A
HREF="c24913.html#HDRWQ471"
>Example uss Templates</A
>:</P
><PRE
CLASS="programlisting"
>&#13; F $MTPT/.login 0755 $UID /afs/abc.com/admin/user/proto
</PRE
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> instruction's syntax is as follows:</P
><PRE
CLASS="programlisting"
>&#13; F pathname mode_bits owner prototype_file
</PRE
><P
>where <DIV
CLASS="variablelist"
><DL
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
></DT
><DD
><P
>Indicates a file creation instruction.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pathname</B
></SPAN
></DT
><DD
><P
>Specifies the full pathname of the file to create, including the filename. If it resides in the user's home
directory or a subdirectory of it, it is simplest to use the $MTPT variable to specify the home directory pathname.
When the $MTPT variable appears in an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> instruction, it takes its value from the
preceding <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field (this dependency is why an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> instruction must follow the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction).</P
><P
>Specify the read/write path to the file, to avoid the failure that results when you attempt to create a new file
in a read-only volume. By convention, you indicate the read/write path by placing a period before the cell name at the
pathname's second level (for example, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com</B
></SPAN
>). If you use the $MTPT variable
in this field, the value in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field possibly already
indicates the read/write path. For further discussion of the concept of read/write and read-only paths through the
filespace, see <A
HREF="c8420.html#HDRWQ208"
>Mounting Volumes</A
>.</P
><P
>The ABC Corporation example uses the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>$MTPT/.login</B
></SPAN
> to place a file called
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>.login</B
></SPAN
> in the user's home directory.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>mode_bits</B
></SPAN
></DT
><DD
><P
>Defines the file's UNIX mode bits. Acceptable values are the standard three- or four-digit numbers corresponding
to a combination of permissions. Examples: <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0755</B
></SPAN
> corresponds to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>rwxr-xr-x</B
></SPAN
>, and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0644</B
></SPAN
> to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>rw-r--r--</B
></SPAN
>.</P
><P
>The ABC Corporation example uses the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0755</B
></SPAN
> to set the mode bits on the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>.login</B
></SPAN
> file to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>rwxr-xr-x</B
></SPAN
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>owner</B
></SPAN
></DT
><DD
><P
>Specifies the username or UID of the user to be designated the file's owner in the output from the UNIX
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ls -l</B
></SPAN
> command.</P
><P
>If the file resides in AFS, place the $UID variable in this field, as in the ABC Corporation example template.
The Protection Server then automatically assigns an AFS UID unless you provide the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-uid</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or fill in the uid field
in the bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction. (If you are converting existing UNIX
accounts, see the discussion of additional considerations in <A
HREF="c24913.html#HDRWQ459"
>Converting Existing UNIX
Accounts with uss</A
>.)</P
><P
>If the file resides on the local disk, it is simplest to specify the username or UNIX UID under which you are
issuing the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command. For a discussion of the complications that arise from
designating another user, see <A
HREF="c24913.html#HDRWQ470"
>About Creating Local Disk Directories and Files</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>prototype_file</B
></SPAN
></DT
><DD
><P
>Names the AFS or local directory that houses the prototype file to copy. The prototype file's name must match
the final element in the pathname field.</P
><P
>The ABC Corporation example references a prototype file called <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>.login</B
></SPAN
> in the
directory <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/abc.com/admin/user/proto</B
></SPAN
>.</P
></DD
></DL
></DIV
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ476"
>Creating One-Line Files with the E Instruction</A
></H2
><P
>Each <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction in the template file creates a file by echoing a specified single
line into it; there is no limit on the number of them in the template. If an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction
creates a file in a new user's home directory or a subdirectory of it (the intended use), then it must follow the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
> instruction that creates the parent directory. Creating a file
on the local disk of the machine where the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command runs is not recommended for the
reasons detailed in <A
HREF="c24913.html#HDRWQ470"
>About Creating Local Disk Directories and Files</A
>.</P
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> instruction also creates a file, but the two types of instruction have
complementary advantages. Files created with an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction can be customized for each
user, because variables can appear in the field that specifies the contents of the file. The command interpreter replaces the
variables with appropriate values before creating the file. In contrast, the contents of a file created using the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> instruction are the same for every user. An <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> file can be only a
single line, however, whereas an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
> file can be any length.</P
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction is particularly suited to creating an entry for the new user in the
cell's common source password file, which is then copied to client machines to serve as the local password file (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/etc/passwd</B
></SPAN
> or equivalent). The following discussion of the fields refers to an example of this type of
use, from the ABC Corporation's full account template shown in <A
HREF="c24913.html#HDRWQ471"
>Example uss Templates</A
>. For
further discussion of how to incorporate the files created in this way into a common source password file, see <A
HREF="c24913.html#HDRWQ458"
>Creating a Common Source Password File</A
>.</P
><PRE
CLASS="programlisting"
>&#13; E /afs/.abc.com/common/etc/newaccts/passwd_$USER 0644 root \
"$USER:X:$UID:11:$NAME:$MTPT:/bin/csh"
</PRE
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction's syntax is as follows:</P
><PRE
CLASS="programlisting"
>&#13; E pathname mode_bits owner "contents"
</PRE
><P
>where <DIV
CLASS="variablelist"
><DL
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
></DT
><DD
><P
>Indicates a file creation instruction.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pathname</B
></SPAN
></DT
><DD
><P
>Specifies the full pathname of the file to create, including the filename. It can include variables. If it
resides in the user's home directory or a subdirectory of it, it is simplest to use the $MTPT variable to specify the
home directory pathname. When the $MTPT variable appears in an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction, it
takes its value from the preceding <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field (this dependency
is why an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction must follow the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
>
instruction.)</P
><P
>Specify the read/write path to the file, to avoid the failure that results when you attempt to create a new file
in a read-only volume. By convention, you indicate the read/write path by placing a period before the cell name at the
pathname's second level (for example, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com</B
></SPAN
>). If you use the $MTPT variable
in this field, the value in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field possibly already
indicates the read/write path. For further discussion of the concept of read/write and read-only paths through the
filespace, see <A
HREF="c8420.html#HDRWQ208"
>Mounting Volumes</A
>.</P
><P
>The ABC Corporation example writes the file created by the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
> instruction to
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com/common/etc/newaccts</B
></SPAN
> directory, naming it after the new user:</P
><PRE
CLASS="programlisting"
>&#13; /afs/.abc.com/common/etc/newaccts/passwd_$USER
</PRE
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>mode_bits</B
></SPAN
></DT
><DD
><P
>Defines the file's UNIX mode bits. Acceptable values are the standard three- or four-digit numbers corresponding
to a combination of permissions. Examples: <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0755</B
></SPAN
> corresponds to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>rwxr-xr-x</B
></SPAN
>, and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0644</B
></SPAN
> to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>rw-r--r--</B
></SPAN
>.</P
><P
>The ABC Corporation example uses the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0644</B
></SPAN
> to set the mode bits on the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>passwd_</B
></SPAN
>user file to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>r-xr--r--</B
></SPAN
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>owner</B
></SPAN
></DT
><DD
><P
>Specifies the username or UID of the user to be designated the file's owner in the output from the UNIX
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ls -l</B
></SPAN
> command.</P
><P
>If the file resides in AFS and is to be owned by the user, place the $UID variable in this field. The Protection
Server then automatically assigns an AFS UID unless you provide the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-uid</B
></SPAN
> argument to
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command or fill in the uid field in the bulk input file <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction. (If you are converting existing UNIX accounts, see the discussion of
additional considerations in <A
HREF="c24913.html#HDRWQ459"
>Converting Existing UNIX Accounts with uss</A
>.)</P
><P
>If the file resides on the local disk, specify the username or UNIX UID under which you are issuing the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command. For a discussion of the complications that arise from designating
another user, see <A
HREF="c24913.html#HDRWQ470"
>About Creating Local Disk Directories and Files</A
>.</P
><P
>The ABC Corporation example is creating an AFS file intended for incorporation into the common password file,
rather than for direct use by the new user. It therefore designates the local superuser <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>root</B
></SPAN
> as the owner of the new file. Designating an alternate owner on an AFS file does not
introduce complications: issuing the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>chown</B
></SPAN
> command on AFS files requires membership
in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:administrators</B
></SPAN
> group, but the issuer of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command is necessarily authenticated as a member of that group.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>contents</B
></SPAN
></DT
><DD
><P
>Specifies the one-line character string to write into the new file. Surround it with double quotes if it
contains one or more spaces. It cannot contain the newline character, but can contain any of the standard variables,
which the command interpreter resolves as it creates the file.</P
><P
>The ABC Corporation example has the following value in the contents field, to create a password file
entry:</P
><PRE
CLASS="programlisting"
>&#13; $USER:X:$UID:10:$NAME:$MTPT:/bin/csh
</PRE
></DD
></DL
></DIV
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ477"
>Creating Links with the L and S Instructions</A
></H2
><P
>Each <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
> instruction in the template file creates a hard link between two files, as
achieved by the standard UNIX <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ln</B
></SPAN
> command. The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
> instruction
creates a symbolic link between two files, as achieved by the standard UNIX <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ln -s</B
></SPAN
> command. An
explanation of links is beyond the scope of this document, but the basic effect in both cases is to create a second name for
an existing file, so that it can be accessed via either name. Creating a link does not create a second copy of the
file.</P
><P
>There is no limit on the number of <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
> instructions
in a template file. If the link is in a new user's home directory or a subdirectory of it (the intended use), then it must
follow the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
> instruction that creates the parent
directory, and the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
>, or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>X</B
></SPAN
> instruction that creates the file being linked to. Creating a file on the local disk of the machine
where the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command runs is not recommended, for the reasons detailed in <A
HREF="c24913.html#HDRWQ470"
>About Creating Local Disk Directories and Files</A
>.</P
><P
>Note that AFS allows hard links only between files that reside in the same directory. This restriction is necessary to
eliminate the confusion that results from associating two potentially different ACLs (those of the two directories) with the
same file. Symbolic links are legal between two files that reside in different directories and even in different volumes. The
ACL on the actual file applies to the link as well.</P
><P
>You do not set the owner or mode bits on a link created with an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
> instruction, as you do for directories or files. The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command
interpreter automatically records the UNIX UID of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command's issuer as the owner, and
sets the mode bits to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>lrwxrwxrwx</B
></SPAN
> (777).</P
><P
>The following discussion of the fields in an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
>
instruction refers to an example in the full account template from <A
HREF="c24913.html#HDRWQ471"
>Example uss Templates</A
>,
namely</P
><PRE
CLASS="programlisting"
>&#13; S /afs/abc.com/public/$USER $MTPT/public
</PRE
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
> instructions' syntax is as follows:</P
><PRE
CLASS="programlisting"
>&#13; L existing_file link
S existing_file link
</PRE
><P
>where <DIV
CLASS="variablelist"
><DL
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
></DT
><DD
><P
>Indicates a hard link creation instruction.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
></DT
><DD
><P
>Indicates a symbolic link creation instruction.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>existing_file</B
></SPAN
></DT
><DD
><P
>Specifies the complete pathname of the existing file. If it resides in the user's home directory or a
subdirectory of it, it is simplest to use the $MTPT variable to specify the home directory pathname. When the $MTPT
variable appears in an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
> instruction, it takes
its value from the preceding <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field (this dependency is
why the instruction must follow the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction).</P
><P
>Do not create a symbolic link to a file whose name begins with the number sign (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>#</B
></SPAN
>) or percent sign (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>%</B
></SPAN
>). When the Cache Manager reads a
symbolic link whose contents begin with one of those characters, it interprets it as a regular or read/write mount
point, respectively.</P
><P
>The ABC Corporation example creates a link to the publicly readable volume created and mounted by a preceding
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>X</B
></SPAN
> instruction, by specifying the path to its mount point:</P
><PRE
CLASS="programlisting"
>&#13; /afs/abc.com/public/$USER
</PRE
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>link</B
></SPAN
></DT
><DD
><P
>Specifies the complete pathname of the second name for the file. If it resides in the user's home directory or a
subdirectory of it, it is simplest to use the $MTPT variable to specify the home directory pathname.</P
><P
>Specify the read/write path to the link, to avoid the failure that results when you attempt to create a new link
in a read-only volume. By convention, you indicate the read/write path by placing a period before the cell name at the
pathname's second level (for example, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com</B
></SPAN
>). If you use the $MTPT variable
in this field, the value in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field possibly already
indicates the read/write path. For further discussion of the concept of read/write and read-only paths through the
filespace, see <A
HREF="c8420.html#HDRWQ208"
>Mounting Volumes</A
>.</P
><P
>The ABC Corporation example creates a link called <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>public</B
></SPAN
> in the user's home
directory:</P
><PRE
CLASS="programlisting"
>&#13; $MTPT/public
</PRE
></DD
></DL
></DIV
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ478"
>Increasing Account Security with the A Instruction</A
></H2
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>A</B
></SPAN
> instruction in the template file enhances cell security by imposing the following
restrictions on users' password choice and authentication attempts. <UL
><LI
><P
>Limiting the user's password lifetime. When the lifetime expires, the user can no longer use the password to
authenticate and must change it.</P
></LI
><LI
><P
>Prohibiting the reuse of the user's 20 most-recently used passwords.</P
></LI
><LI
><P
>Limiting the number of consecutive times that a user can provide an incorrect password during authentication, and
for how long the Authentication Server refuses further authentication attempts after the limit is exceeded (referred to
as an <SPAN
CLASS="emphasis"
><I
CLASS="emphasis"
>account lockout</I
></SPAN
>). For regular user accounts in most cells, the recommended limit is nine and
lockout time is 25 minutes.</P
></LI
></UL
></P
><P
>The following discussion of the fields in an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>A</B
></SPAN
> instruction refers to the example in the
full account template from <A
HREF="c24913.html#HDRWQ471"
>Example uss Templates</A
>, which sets a password lifetime of 250 days,
prohibits reuse of passwords, limits the number of failed authentication attempts to nine, and creates a lockout time of 25
minutes if the authentication limit is exceeded:</P
><PRE
CLASS="programlisting"
>&#13; A $USER 250 noreuse 9 25
</PRE
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>A</B
></SPAN
> instruction's syntax is as follows:</P
><PRE
CLASS="programlisting"
>&#13; A username password_lifetime password_reuse failures locktime
</PRE
><P
>where <DIV
CLASS="variablelist"
><DL
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>A</B
></SPAN
></DT
><DD
><P
>Indicates a security enhancing instruction.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>username</B
></SPAN
></DT
><DD
><P
>Names the Authentication Database entry on which to impose security restrictions. Use the $USER variable to read
in the username from the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command's <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
>
argument, or from the username field of an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction in the bulk input file.
The ABC Corporation example uses this value.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>password_lifetime</B
></SPAN
></DT
><DD
><P
>Sets the number of days after the user's password is changed that it remains valid. When the password becomes
invalid (expires), the user is unable to authenticate, but has 30 more days in which to issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>kpasswd</B
></SPAN
> command to change the password (after that, only an administrator can change
it).</P
><P
>Specify an integer from the range <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>1</B
></SPAN
> through <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>254</B
></SPAN
> to specify the number of days until expiration, the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0</B
></SPAN
> to indicate that the password never expires, or the value $PWEXPIRES to read in the number of
days from the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command's
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-pwexpires</B
></SPAN
> argument. If the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>A</B
></SPAN
> instruction does not
appear in the template file, by default the user's password never expires.</P
><P
>The ABC Corporation example sets a password lifetime of 250 days.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>password_reuse</B
></SPAN
></DT
><DD
><P
>Determines whether or not the user can change his or her password (using the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>kpasswd</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>kas setpassword</B
></SPAN
> command) to one that is similar to
any of his or her last 20 passwords. The acceptable values are <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>reuse</B
></SPAN
> to allow reuse
and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>noreuse</B
></SPAN
> to prohibit it. If the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>A</B
></SPAN
> instruction
does not appear in the template file, the default is to allow password reuse.</P
><P
>The ABC Corporation example prohibits password reuse.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>failures</B
></SPAN
></DT
><DD
><P
>Sets the number of consecutive times the user can provide an incorrect password during authentication (using the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>klog</B
></SPAN
> command or a login utility that grants AFS tokens). When the user exceeds the
limit, the Authentication Server rejects further authentication attempts for the amount of time specified in the
locktime field.</P
><P
>Specify an integer from the range <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>1</B
></SPAN
> through <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>254</B
></SPAN
> to specify the number of failures permitted, or the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0</B
></SPAN
> to indicate that there is no limit to the number of unsuccessful attempts. If the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>A</B
></SPAN
> instruction does not appear in the template file, the default is to allow an unlimited number
of failures.</P
><P
>The ABC Corporation example sets the limit to nine failed attempts.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>locktime</B
></SPAN
></DT
><DD
><P
>Specifies how long the Authentication Server refuses authentication attempts from a user who has exceeded the
failure limit set in the failures field.</P
><P
>Specify a number of hours and minutes (hh:mm) or minutes only (mm), from the range <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>01</B
></SPAN
> (one minute) through <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>36:00</B
></SPAN
> (36 hours). The Authentication
Server automatically reduces any larger value to <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>36:00</B
></SPAN
> and also rounds up any nonzero
value to the next highest multiple of 8.5 minutes. A value of <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0</B
></SPAN
> (zero) sets an
infinite lockout time, in which case an administrator must always issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>kas
unlock</B
></SPAN
> command to unlock the account.</P
><P
>The ABC Corporation example sets the lockout time to 25 minutes, which is rounded up to 25 minutes 30 seconds
(the next highest multiple of 8.5 minutes).</P
></DD
></DL
></DIV
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ479"
>Executing Commands with the X Instruction</A
></H2
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>X</B
></SPAN
> instruction in the template file executes a command, which can be a standard UNIX
command, a shell script or program, or an AFS command. The command string can include standard template variables, and any
number of <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>X</B
></SPAN
> instructions can appear in a template file. If an instruction manipulates an
element created by another instruction, it must appear after that instruction.</P
><P
>The following discussion of the field in an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>X</B
></SPAN
> instruction refers to the example in the
full account template from <A
HREF="c24913.html#HDRWQ471"
>Example uss Templates</A
>:</P
><PRE
CLASS="programlisting"
>&#13; X "create_public_vol $USER $1 $2"
</PRE
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>X</B
></SPAN
> instruction's syntax is as follows:</P
><PRE
CLASS="programlisting"
>&#13; X "command"
</PRE
><P
>where command specifies the command to execute. Surround it with double quotes if it contains spaces. The command string
can contain any of the standard variables, which the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter resolves before
passing the command on to the appropriate other command interpreter, but it cannot contain newline characters.</P
><P
>The ABC Corporation example invokes a script called <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>create_public_vol</B
></SPAN
>, which creates
another volume associated with the new user and mounts it in a publicly readable part of the ABC Corporation's
filespace:</P
><PRE
CLASS="programlisting"
>&#13; "create_public_vol $USER $1 $2"
</PRE
><P
>It uses the $USER variable to read in the username and make it part of both the volume name and mount point name. The
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command issuer supplies a file server machine name for the $1 variable and a partition
name for the $2 variable, to specify the site for the new volume. </P
></DIV
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="HDRWQ480"
>Creating Individual Accounts with the uss add Command</A
></H1
><P
>After you have created a template file, you can create an individual account by issuing the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
add</B
></SPAN
> command (for template creation instructions see <A
HREF="c24913.html#HDRWQ463"
>Constructing a uss Template
File</A
>). When you issue the command, the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter contacts various AFS
servers to perform the following actions: <UL
><LI
><P
>Create a Protection Database entry. By default, the Protection Server assigns an AFS UID which becomes the value of
the $UID variable used in the template.</P
></LI
><LI
><P
>Create an Authentication Database entry, recording an encrypted version of the initial password.</P
></LI
><LI
><P
>Create the account components defined in the indicated template file, contacting the File Server, Volume Server, and
Volume Location (VL) Server as necessary.</P
></LI
></UL
></P
><P
>To review which types of instructions to include in a template to create different file system objects, see <A
HREF="c24913.html#HDRWQ463"
>Constructing a uss Template File</A
>. If the template is empty, the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
add</B
></SPAN
> command creates an authentication-only account consisting of Protection Database and Authentication Database
entries.</P
><P
>When you issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command, provide a value for each variable in the template
file by including the corresponding command-line argument. If you fail to supply a value for a variable, the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter substitutes a null string, which usually causes the account creation to fail. If
you include a command line argument for which the corresponding variable does not appear in the template, it is ignored.</P
><P
><A
HREF="c24913.html#TBLWQ481"
>Table 4</A
> summarizes the mappings between variables and the arguments to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command. It is adapted from <A
HREF="c24913.html#TBLWQ466"
>Table 3</A
>, but includes only those
variables that take their value from command line arguments.</P
><DIV
CLASS="table"
><A
NAME="TBLWQ481"
></A
><TABLE
BORDER="1"
CLASS="CALSTABLE"
><COL
WIDTH="20*"><COL
WIDTH="80*"><THEAD
><TR
><TH
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Variable</B
></SPAN
></TH
><TH
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Command-line Argument</B
></SPAN
></TH
></TR
></THEAD
><TBODY
><TR
><TD
>$MTPT</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-mount</B
></SPAN
> (for occurrence in <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
>
instruction)</TD
></TR
><TR
><TD
>$NAME</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-realname</B
></SPAN
> if provided; otherwise <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
></TD
></TR
><TR
><TD
>$PART</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-partition</B
></SPAN
></TD
></TR
><TR
><TD
>$PWEXPIRES</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-pwexpires</B
></SPAN
></TD
></TR
><TR
><TD
>$SERVER</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-server</B
></SPAN
></TD
></TR
><TR
><TD
>$UID</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-uid</B
></SPAN
> if provided; otherwise allocated by Protection Server</TD
></TR
><TR
><TD
>$USER</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
></TD
></TR
><TR
><TD
>$1 through $9</TD
><TD
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-var</B
></SPAN
></TD
></TR
></TBODY
></TABLE
><P
><B
>Table 4. Command-line argument sources for uss template variables</B
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ483"
>To create an AFS account with the uss add command</A
></H2
><OL
TYPE="1"
><LI
><P
>Authenticate as an AFS identity with all of the following privileges. In the conventional configuration, the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>admin</B
></SPAN
> user account has them, or you possibly have a personal administrative account. (To
increase cell security, it is best to create special privileged accounts for use only while performing administrative
procedures; for further discussion, see <A
HREF="c32432.html#HDRWQ584"
>An Overview of Administrative Privilege</A
>.) If
necessary, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>klog</B
></SPAN
> command to authenticate. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>klog</B
></SPAN
> admin_user
Password: &#60;<VAR
CLASS="replaceable"
>admin_password</VAR
>&#62;
</PRE
></P
><P
>The following list specifies the necessary privileges and indicates how to check that you have them.</P
><UL
><LI
><P
>Membership in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:administrators</B
></SPAN
> group. If necessary, issue the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts membership</B
></SPAN
> command, which is fully described in <A
HREF="c32432.html#HDRWQ587"
>To
display the members of the system:administrators group</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts membership system:administrators</B
></SPAN
>
</PRE
></P
></LI
><LI
><P
>Inclusion in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/usr/afs/etc/UserList</B
></SPAN
> file. If necessary, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>bos listusers</B
></SPAN
> command, which is fully described in <A
HREF="c32432.html#HDRWQ593"
>To display the
users in the UserList file</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>bos listusers</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>machine name</VAR
>&#62;
</PRE
></P
></LI
><LI
><P
>The <SAMP
CLASS="computeroutput"
>ADMIN</SAMP
> flag on the Authentication Database entry. However, the
Authentication Server always prompts you for a password in order to perform its own authentication. The following
instructions direct you to specify the administrative identity on the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command
line itself.</P
></LI
><LI
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>i</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>insert</B
></SPAN
>) and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>l</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>lookup</B
></SPAN
>) permissions on the ACL of the directory in which
you are mounting the user's volume. If necessary, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs listacl</B
></SPAN
> command, which
is fully described in <A
HREF="c31274.html#HDRWQ572"
>Displaying ACLs</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs listacl</B
></SPAN
> [&#60;<VAR
CLASS="replaceable"
>dir/file path</VAR
>&#62;]
</PRE
></P
><P
>Members of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:administrators</B
></SPAN
> group always implicitly have the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>a</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>administer</B
></SPAN
>) and by default also the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>l</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>lookup</B
></SPAN
>) permission on every ACL and can use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs setacl</B
></SPAN
> command to grant other rights as necessary.</P
></LI
></UL
></LI
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>(Optional)</B
></SPAN
> Log in as the local superuser <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>root</B
></SPAN
>.
This is necessary only if you are creating new files or directories in the local file system and want to designate an
alternate owner as the object is created. For a discussion of the issues involved, see <A
HREF="c24913.html#HDRWQ470"
>About
Creating Local Disk Directories and Files</A
>.</P
></LI
><LI
><P
>Verify the location and functionality of the template file you are using. For a description of where the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter expects to find the template, see <A
HREF="c24913.html#HDRWQ468"
>Where to Place
Template Files</A
>. You can always provide an alternate pathname if you wish. Also note the variables used in the
template, to be sure that you provide the corresponding arguments on the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command
line.</P
></LI
><LI
><P
><A
NAME="LIWQ484"
></A
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>(Optional)</B
></SPAN
> Change to the directory where the template
resides. This affects the type of pathname you must type in Step <A
HREF="c24913.html#LIWQ485"
>6</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>cd</B
></SPAN
> template_directory
</PRE
></P
></LI
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>(Optional)</B
></SPAN
> Run the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command with the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
> flag to preview the creation of the account. Note any error messages and correct
the cause before reissuing the command without the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
> flag. The next step describes
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command's syntax. For more information on the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
> flag, see <A
HREF="c24913.html#HDRWQ454"
>Avoiding and Recovering from Errors and Interrupted
Operations</A
>. </P
></LI
><LI
><P
><A
NAME="LIWQ485"
></A
>Issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command to create the account. Enter the
command on a single line; it appears here on multiple lines only for legibility.</P
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> operation creates an Authentication Database entry. The Authentication
Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your
local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. Include the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-admin</B
></SPAN
> argument to name an identity that has the <SAMP
CLASS="computeroutput"
>ADMIN</SAMP
> flag on its
Authentication Database entry. To verify that an entry has the flag, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>kas
examine</B
></SPAN
> command as described in <A
HREF="c32432.html#HDRWQ590"
>To check if the ADMIN flag is set</A
>.</P
><PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>login name</VAR
>&#62; <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-admin</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>administrator to authenticate</VAR
>&#62; \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-realname</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>full name in quotes</VAR
>&#62;] [<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-pass</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>initial passwd</VAR
>&#62;] \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-pwexpires</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>password expires in [0..254] days (0 =</VAR
>&#62; never)&#62;] \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-server</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>FileServer for home volume</VAR
>&#62;] \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-partition</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>FileServer's disk partition for home volume</VAR
>&#62;] \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-mount</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>home directory mount point</VAR
>&#62;] \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-uid</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>uid to assign the user</VAR
>&#62;] \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-template</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>pathname of template file</VAR
>&#62;] \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-var</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>auxiliary argument pairs (Numval)</VAR
>&#62;+] [<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
>] \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-overwrite</B
></SPAN
>]
Administrator's (admin_user) password: &#60;<VAR
CLASS="replaceable"
>admin_password</VAR
>&#62;
</PRE
><P
>where <DIV
CLASS="variablelist"
><DL
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>ad</B
></SPAN
></DT
><DD
><P
>Is the shortest acceptable abbreviation of <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
></DT
><DD
><P
>Names the user's Authentication Database and Protection Database entries. Because it becomes the username
(the name under which a user logs in), it must obey the restrictions that many operating systems impose on
usernames (usually, to contain no more than eight lowercase letters). Also avoid the following characters: colon
(<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>), semicolon (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>;</B
></SPAN
>), comma (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>,</B
></SPAN
>), at sign (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>@</B
></SPAN
>), space, newline, and the period (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>.</B
></SPAN
>), which is conventionally used only in special administrative names.</P
><P
>This argument provides the value for the $USER variable in the template file. For suggestions on
standardizing usernames, see <A
HREF="c667.html#HDRWQ58"
>Choosing Usernames and Naming Other Account
Components</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-admin</B
></SPAN
></DT
><DD
><P
>Names an administrative account that has the <SAMP
CLASS="computeroutput"
>ADMIN</SAMP
> flag on its
Authentication Database entry, such as <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>admin</B
></SPAN
>. The password prompt echoes it as
admin_user. Enter the appropriate password as admin_password.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-realname</B
></SPAN
></DT
><DD
><P
>Specifies the user's actual full name. If it contains spaces or punctuation, surround it with double quotes.
If you do not provide it, it defaults to the username provided with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
>
argument.</P
><P
>This argument provides the value for the $NAME variable in the template file. For information about using
this argument and variable as part of an automated process for creating entries in a local password file such as
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/etc/passwd</B
></SPAN
>, see <A
HREF="c24913.html#HDRWQ458"
>Creating a Common Source Password
File</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-pass</B
></SPAN
></DT
><DD
><P
>Specifies the user's initial password. Although the AFS commands that handle passwords accept strings of
virtually unlimited length, it is best to use a password of eight characters or less, which is the maximum length
that many applications and utilities accept.</P
><P
>Possible choices for initial passwords include the username, a string of digits such as those from a Social
Security number, or a standard string such as <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>changeme</B
></SPAN
>, which is the default if
you do not provide this argument. There is no corresponding variable in the template file.</P
><P
>Instruct users to change their passwords to a truly secret string as soon as they authenticate with AFS for
the first time. The <SPAN
CLASS="emphasis"
><I
CLASS="emphasis"
>IBM AFS User Guide</I
></SPAN
> explains how to use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>kpasswd</B
></SPAN
> command to change an AFS password.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-pwexpires</B
></SPAN
></DT
><DD
><P
>Sets the number of days after a user's password is changed that it remains valid. Provide an integer from
the range <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>1</B
></SPAN
> through <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>254</B
></SPAN
> to specify the number of
days until expiration, or the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0</B
></SPAN
> to indicate that the password never expires
(the default if you do not provide this argument). When the password becomes invalid (expires), the user is unable
to authenticate, but has 30 more days in which to issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>kpasswd</B
></SPAN
> command to
change the password; after that, only an administrator can change it.</P
><P
>This argument provides the value for the $PWEXPIRES variable in the template file.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-server</B
></SPAN
></DT
><DD
><P
>Names the file server machine on which to create the new user's home volume. It is best to provide a fully
qualified hostname (for example, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs1.abc.com</B
></SPAN
>), but an abbreviated form is
acceptable provided that the cell's naming service is available to resolve it when you issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command.</P
><P
>This argument provides the value for the $SERVER variable in the template file. To avoid having to type a
fully qualified hostname on the command line, combine the $SERVER variable with a constant (for example, the
cell's domain name) in the server field of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction in the template
file. For an example, see <A
HREF="c24913.html#HDRWQ473"
>Creating a Volume with the V Instruction</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-partition</B
></SPAN
></DT
><DD
><P
>Specifies the partition on which to create the user's home volume; it must be on the file server machine
named by the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-server</B
></SPAN
> argument. Identify the partition by its complete name (for
example, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/vicepa</B
></SPAN
>), or use one of the abbreviations listed in <A
HREF="a33826.html#HDRWQ615"
>Rules for Using Abbreviations and Aliases</A
>.</P
><P
>This argument provides the value for the $PART variable in the template file.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-mount</B
></SPAN
></DT
><DD
><P
>Specifies the pathname for the user's home directory in the cell's read/write filespace. Partial pathnames
are interpreted relative to the current working directory.</P
><P
>This argument provides the value for the $MTPT variable in the template file, but only when it appears in
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point field. When the $MTPT variable appears in any
subsequent instructions, it takes its value from the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's mount_point
field, rather than directly from this argument. For more details, and for suggestions about how to use this
argument and the $MTPT variable, see <A
HREF="c24913.html#HDRWQ473"
>Creating a Volume with the V
Instruction</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-uid</B
></SPAN
></DT
><DD
><P
>Specifies a positive integer other than <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0</B
></SPAN
> (zero) to assign as the user's
AFS UID. It is best to omit this argument and allow the Protection Server to assign an AFS UID that is one greater
than the current value of the <SAMP
CLASS="computeroutput"
>max user id</SAMP
> counter. (To display the counter, use
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts listmax</B
></SPAN
> command as described in <A
HREF="c29323.html#HDRWQ561"
>To display the
AFS ID counters</A
>.)</P
><P
>If you have a reason to use this argument (perhaps because the user already has a UNIX UID), first use the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts examine</B
></SPAN
> command to verify that there is no existing account with the desired
AFS UID; if there is, the account creation process terminates with an error.</P
><P
>This argument provides the value for the $UID variable in the template file.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-template</B
></SPAN
></DT
><DD
><P
>Specifies the pathname of the template file. If you omit this argument, the command interpreter searches for
a template file called <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss.template</B
></SPAN
> in each of the following directories in turn:
<OL
TYPE="a"
><LI
><P
>The current working directory</P
></LI
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/</B
></SPAN
>cellname<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/common/uss</B
></SPAN
>, where
cellname names the local cell</P
></LI
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/etc</B
></SPAN
></P
></LI
></OL
></P
><P
>If you specify a filename other than <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss.template</B
></SPAN
> but without a pathname,
the command interpreter searches for it in the indicated directories. If you provide a full or partial pathname,
the command interpreter consults the specified file only; it interprets partial pathnames relative to the current
working directory.</P
><P
>If the specified template file is empty (zero-length), the command creates Protection and Authentication
Database entries only.</P
><P
>To learn how to construct a template file, see <A
HREF="c24913.html#HDRWQ463"
>Constructing a uss Template
File</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-var</B
></SPAN
></DT
><DD
><P
>Specifies values for each of the number variables $1 through $9 that can appear in the template file. You
can use the number variables to assign values to variables in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> template
file that are not part of the standard set.</P
><P
>For each instance of this argument, provide two parts in the indicated order, separated by a space:
<UL
><LI
><P
>The integer from the range <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>1</B
></SPAN
> through <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>9</B
></SPAN
> that matches the variable in the template file. Do not precede it with a dollar
sign.</P
></LI
><LI
><P
>A string of alphanumeric characters to assign as the value of the variable.</P
></LI
></UL
></P
><P
>To learn about suggested uses for the number variables, see the description of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction's quota field in <A
HREF="c24913.html#HDRWQ473"
>Creating a Volume with the V
Instruction</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
></DT
><DD
><P
>Reports actions that the command interpreter needs to perform to run the command, without actually
performing them.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-overwrite</B
></SPAN
></DT
><DD
><P
>Overwrites any directories, files, and links that exist in the file system and for which there are
definitions in <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
>, or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
> instructions
in the template file named by the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-template</B
></SPAN
> argument. If you omit this flag, the
command interpreter prompts you once for confirmation that you want to overwrite all such elements.</P
></DD
></DL
></DIV
></P
></LI
><LI
><P
>If the new user home directory resides in a replicated volume, use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>vos release</B
></SPAN
>
command to release the volume, as described in <A
HREF="c8420.html#HDRWQ194"
>To replicate a read/write volume (create a
read-only volume)</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>vos release</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>volume name or ID</VAR
>&#62;
</PRE
></P
><DIV
CLASS="note"
><BLOCKQUOTE
CLASS="note"
><P
><B
>Note: </B
>This step can be necessary even if the home directory's parent directory is not itself a mount point for a
replicated volume (and is easier to overlook in that case). For example, the ABC Corporation template puts the mount
points for user volumes in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/abc.com/usr</B
></SPAN
> directory. Because that is a regular
directory rather than a mount point, it resides in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>root.cell</B
></SPAN
> volume mounted at the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/abc.com</B
></SPAN
> directory. That volume is replicated, so after changing it by creating a
new mount point the administrator must issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>vos release</B
></SPAN
> command.</P
></BLOCKQUOTE
></DIV
></LI
><LI
><P
>Create an entry for the new user in the local password file (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/etc/passwd</B
></SPAN
> or
equivalent) on each AFS client machine that he or she can log into. For suggestions on automating this step, see <A
HREF="c24913.html#HDRWQ458"
>Creating a Common Source Password File</A
>.</P
><P
>Even if you do not use the automated method, set the user's UNIX UID to match the AFS UID assigned automatically by
the Protection Server or assigned with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-uid</B
></SPAN
> argument. The new user's AFS UID appears
in the trace produced by the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> output, or you can use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts
examine</B
></SPAN
> command to display it, as described in <A
HREF="c29323.html#HDRWQ537"
>To display a Protection Database
entry</A
>.</P
></LI
></OL
></DIV
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="HDRWQ486"
>Deleting Individual Accounts with the uss delete Command</A
></H1
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> command deletes an AFS user account according to the arguments you provide
on the command line; unlike the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command, it does not use a template file. When you
issue the command, the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command interpreter contacts various AFS servers to perform the
following actions: <UL
><LI
><P
>Remove the mount point for the user's home volume</P
></LI
><LI
><P
>Remove the user's home volume and delete the associated VLDB entry, unless you include the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-savevolume</B
></SPAN
> flag</P
></LI
><LI
><P
>Delete the user's Authentication Database entry</P
></LI
><LI
><P
>Delete the user's Protection Database entry</P
></LI
></UL
></P
><P
>Before issuing the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> command, you can also perform the following optional tasks:
<UL
><LI
><P
>Copy the user's home volume to tape or another permanent medium and record the username and UID on a reserved list.
This information enables you to restore the user's account easily if he or she returns to your cell. For information about
using the AFS Backup System to back up volumes, see <A
HREF="c12776.html"
>Configuring the AFS Backup System</A
> and
<A
HREF="c15383.html"
>Backing Up and Restoring AFS Data</A
>.</P
></LI
><LI
><P
>If the user has exclusive use of any other volumes (such as a volume for storing project-related data), make a
backup copy of each one and then remove it and its mount point as instructed in <A
HREF="c8420.html#HDRWQ235"
>Removing Volumes
and their Mount Points</A
>.</P
></LI
><LI
><P
>Use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts listowned</B
></SPAN
> command to display any groups that the user owns;
instructions appear in <A
HREF="c29323.html#HDRWQ540"
>To list the groups that a user or group owns</A
>. Decide whether to use
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts delete</B
></SPAN
> command to remove the groups or the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts
chown</B
></SPAN
> command to transfer ownership to another user or group. Instructions appear in <A
HREF="c29323.html#HDRWQ553"
>To delete Protection Database entries</A
> and <A
HREF="c29323.html#HDRWQ555"
>To change a group's
owner</A
>. Alternatively, you can have the user remove or transfer ownership of the groups before leaving. A group that
remains in the Protection Database after its owner is removed is considered orphaned, and only members of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:administrators</B
></SPAN
> group can administer it.</P
></LI
></UL
></P
><P
>You can automate some of these tasks by including <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>exec</B
></SPAN
> instructions in the bulk input
file and using the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command to delete the account. See <A
HREF="c24913.html#HDRWQ488"
>Creating and Deleting Multiple Accounts with the uss bulk Command</A
>.</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ487"
>To delete an AFS account</A
></H2
><OL
TYPE="1"
><LI
><P
>Authenticate as an AFS identity with all of the following privileges. In the conventional configuration, the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>admin</B
></SPAN
> user account has them, or you possibly have a personal administrative account. (To
increase cell security, it is best to create special privileged accounts for use only while performing administrative
procedures; for further discussion, see <A
HREF="c32432.html#HDRWQ584"
>An Overview of Administrative Privilege</A
>.) If
necessary, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>klog</B
></SPAN
> command to authenticate. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>klog</B
></SPAN
> admin_user
Password: &#60;<VAR
CLASS="replaceable"
>admin_password</VAR
>&#62;
</PRE
></P
><P
>The following list specifies the necessary privileges and indicates how to check that you have them.</P
><UL
><LI
><P
>Membership in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:administrators</B
></SPAN
> group. If necessary, issue the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts membership</B
></SPAN
> command, which is fully described in <A
HREF="c32432.html#HDRWQ587"
>To
display the members of the system:administrators group</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts membership system:administrators</B
></SPAN
>
</PRE
></P
></LI
><LI
><P
>Inclusion in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/usr/afs/etc/UserList</B
></SPAN
> file. If necessary, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>bos listusers</B
></SPAN
> command, which is fully described in <A
HREF="c32432.html#HDRWQ593"
>To display the
users in the UserList file</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>bos listusers</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>machine name</VAR
>&#62;
</PRE
></P
></LI
><LI
><P
>The <SAMP
CLASS="computeroutput"
>ADMIN</SAMP
> flag on the Authentication Database entry. However, the
Authentication Server always prompts you for a password in order to perform its own authentication. The following
instructions direct you to specify the administrative identity on the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command
line itself.</P
></LI
><LI
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>d</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
>) permission on the ACL of the
directory that houses the user's home directory. If necessary, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs listacl</B
></SPAN
>
command, which is fully described in <A
HREF="c31274.html#HDRWQ572"
>Displaying ACLs</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs listacl</B
></SPAN
> [&#60;<VAR
CLASS="replaceable"
>dir/file path</VAR
>&#62;]
</PRE
></P
><P
>Members of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:administrators</B
></SPAN
> group always implicitly have the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>a</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>administer</B
></SPAN
>) and by default also the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>l</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>lookup</B
></SPAN
>) permission on every ACL and can use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs setacl</B
></SPAN
> command to grant other rights as necessary.</P
></LI
></UL
></LI
><LI
><P
>Consider and resolve the issues discussed in the introduction to this section concerning the continued maintenance
of a deleted user's account information, owned groups, and volumes.</P
></LI
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>(Optional)</B
></SPAN
> Run the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> command with the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
> flag to preview the deletion of the account. Note any error messages and correct
the cause before reissuing the command without the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
> flag. The next step describes
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> command's syntax. </P
></LI
><LI
><P
>Issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> command to delete the account. Enter the command on a single
line; it appears here on multiple lines only for legibility.</P
><P
>The delete operation always removes the user's entry from the Authentication Database. The Authentication Server
performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local
(UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. Include the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-admin</B
></SPAN
> argument to name an identity that has the <SAMP
CLASS="computeroutput"
>ADMIN</SAMP
> flag on its
Authentication Database entry. To verify that an entry has the flag, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>kas
examine</B
></SPAN
> command as described in <A
HREF="c32432.html#HDRWQ590"
>To check if the ADMIN flag is set</A
>.</P
><PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>login name</VAR
>&#62; \
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-mountpoint</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>mountpoint for user's volume</VAR
>&#62; \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-savevolume</B
></SPAN
>] <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-admin</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>administrator to authenticate</VAR
>&#62; \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
>]
Administrator's (admin_user) password: &#60;<VAR
CLASS="replaceable"
>admin_password</VAR
>&#62;
</PRE
><P
>where <DIV
CLASS="variablelist"
><DL
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>d</B
></SPAN
></DT
><DD
><P
>Is the shortest acceptable abbreviation of <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
></DT
><DD
><P
>Names the entry to delete from the Protection and Authentication Databases.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-mountpoint</B
></SPAN
></DT
><DD
><P
>Specifies the pathname of the mount point to delete (the user's home directory). Unless the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-savevolume</B
></SPAN
> argument is included, the volume mounted there is also deleted from the file
server machine where it resides, as is its record from the VLDB. Partial pathnames are interpreted relative to the
current working directory.</P
><P
>Specify the read/write path to the mount point, to avoid the failure that results when you attempt to delete
a mount point from a read-only volume. By convention, you indicate the read/write path by placing a period before
the cell name at the pathname's second level (for example, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com</B
></SPAN
>). For
further discussion of the concept of read/write and read-only paths through the filespace, see <A
HREF="c8420.html#HDRWQ208"
>Mounting Volumes</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-savevolume</B
></SPAN
></DT
><DD
><P
>Retains the user's volume and VLDB entry.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-admin</B
></SPAN
></DT
><DD
><P
>Names an administrative account that has the <SAMP
CLASS="computeroutput"
>ADMIN</SAMP
> flag on its
Authentication Database entry, such as <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>admin</B
></SPAN
>. The password prompt echoes it as
admin_user. Enter the appropriate password as admin_password.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
></DT
><DD
><P
>Reports actions that the command interpreter needs to perform to run the command, without actually
performing them.</P
></DD
></DL
></DIV
></P
></LI
><LI
><P
>If the deleted user home directory resided in a replicated volume, use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>vos
release</B
></SPAN
> command to release the volume, as described in <A
HREF="c8420.html#HDRWQ194"
>To replicate a read/write
volume (create a read-only volume)</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>vos release</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>volume name or ID</VAR
>&#62;
</PRE
></P
><DIV
CLASS="note"
><BLOCKQUOTE
CLASS="note"
><P
><B
>Note: </B
>This step can be necessary even if the home directory's parent directory is not itself a mount point for a
replicated volume (and is easier to overlook in that case). For example, the ABC Corporation template puts the mount
points for user volumes in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/abc.com/usr</B
></SPAN
> directory. Because that is a regular
directory rather than a mount point, it resides in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>root.cell</B
></SPAN
> volume mounted at the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/abc.com</B
></SPAN
> directory. That volume is replicated, so after changing it by deleting a
mount point the administrator must issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>vos release</B
></SPAN
> command.</P
></BLOCKQUOTE
></DIV
></LI
><LI
><P
>Delete the user's entry from the local password file (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/etc/passwd</B
></SPAN
> or equivalent) of
each client machine. If you use the AFS <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>package</B
></SPAN
> utility, it is sufficient to remove the
entry from the common source version of the file. If you intend to reactivate the user's account in the future, it is
simpler to comment out the entry or place an asterisk (*) in the password field.</P
></LI
></OL
></DIV
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="HDRWQ488"
>Creating and Deleting Multiple Accounts with the uss bulk Command</A
></H1
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command allows you to create and delete many accounts at once. Before
executing the command, you must <UL
><LI
><P
>Construct a template if you plan to create any accounts, just as you must do before running the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command. The same template applies to all accounts created by a single <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command.</P
></LI
><LI
><P
>Construct a bulk input file of instructions that create and delete accounts and execute any related commands, as
described in <A
HREF="c24913.html#HDRWQ489"
>Constructing a Bulk Input File</A
>.</P
></LI
></UL
></P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="HDRWQ489"
>Constructing a Bulk Input File</A
></H2
><P
>You can include five types of instructions in a bulk input file: <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>exec</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
>, and
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delvolume</B
></SPAN
>. The following sections discuss their uses.</P
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Creating a User Account with the add Instruction</B
></SPAN
></P
><P
>Each <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction creates a single user account, and so is basically the equivalent
of issuing one <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command. There is no limit to the number of <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instructions in the bulk input file.</P
><P
>As indicated by the following syntax statement, the order of the instruction's fields matches the order of arguments to
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command (though some of the command's arguments do not have a corresponding
field). Like the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command's arguments, many of the fields provide a value for a
variable in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> template file. Each instruction must be a single line in the file (have a
newline character only at its end); it appears on multiple lines here only for legibility.</P
><PRE
CLASS="programlisting"
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> username[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>full_name][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>initial_password][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>password_expires]
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>file_server][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>partition][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>mount_point][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>uid]
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>var1][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>var2][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>var3][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>var4][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>var5][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>var6][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>var7][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>var8][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>var9][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>]
</PRE
><P
>For a complete description of the acceptable values in each field, see the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss Bulk Input
File</B
></SPAN
> reference page in the <SPAN
CLASS="emphasis"
><I
CLASS="emphasis"
>IBM AFS Administration Reference</I
></SPAN
>, or the description of the
corresponding arguments to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command, in <A
HREF="c24913.html#HDRWQ483"
>To create an AFS
account with the uss add command</A
>. Following are some basic notes: <UL
><LI
><P
>Begin the line with the string <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> only, not <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
add</B
></SPAN
>.</P
></LI
><LI
><P
>Only the first argument, username, is required. It corresponds to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
>
argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command.</P
></LI
><LI
><P
>Do not surround the full_name value with double quotes, even though you must use them around the value for the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-realname</B
></SPAN
> argument to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> command.</P
></LI
><LI
><P
>If you want to omit a value for an argument, indicate an empty field by using two colons with nothing between
them. Leaving a field empty is acceptable if the corresponding command line argument is optional or if the corresponding
variable does not appear in the template file. For every field that precedes the last one to which you assign an actual
value, you must either provide a value or indicate an empty field. It is acceptable, but not necessary, to indicate
empty fields after the last one in which you assign a value.</P
></LI
><LI
><P
>After the last field, end the line with either a colon and newline character (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>&#60;Return&#62;</B
></SPAN
>), or a newline alone.</P
></LI
><LI
><P
>The final nine fields are for assigning values to the number variables ($1 through $9), with the fields listed in
increasing numerical order. Specify the value only, not the variable number.</P
></LI
></UL
></P
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Deleting a User Account with the delete Instruction</B
></SPAN
></P
><P
>Each <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> instruction deletes a single user account, and so is basically the
equivalent of issuing one <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> command. There is no limit to the number of <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> instructions in the bulk input file.</P
><P
>Like all instructions in the bulk input file, each <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> instruction must be a single
line in the file (have a newline character only at its end), even though it can cover multiple lines on a display screen. The
curly braces (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>{ }</B
></SPAN
>) indicate two mutually exclusive choices.</P
><PRE
CLASS="programlisting"
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> username<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>mount_point_path[:{ <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
> | <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delvolume</B
></SPAN
> }][<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>:</B
></SPAN
>]
</PRE
><P
>For a complete description of the acceptable values in each field, see the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss Bulk Input
File</B
></SPAN
> reference page in the <SPAN
CLASS="emphasis"
><I
CLASS="emphasis"
>IBM AFS Administration Reference</I
></SPAN
> or the description of the
corresponding arguments to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss delete</B
></SPAN
> command, in <A
HREF="c24913.html#HDRWQ487"
>To delete an
AFS account</A
>. Following are some basic notes: <UL
><LI
><P
>Begin the line with the string <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> only, not <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
delete</B
></SPAN
>.</P
></LI
><LI
><P
>The first two arguments, username and mount_point_path, are required. They correspond to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-user</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-mountpoint</B
></SPAN
> arguments to the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
delete</B
></SPAN
> command.</P
></LI
><LI
><P
>The third field, which is optional, controls whether the user's home volume is removed from the file server where
it resides, along with the corresponding VLDB entry. There are three possible values: <UL
><LI
><P
>No value treats the volume and VLDB entry according to the prevailing default, which is established by a
preceding <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delvolume</B
></SPAN
> instruction in
the template file. See the following discussion of those instructions to learn how the default is set.</P
></LI
><LI
><P
>The string <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
> preserves the volume and VLDB entry, overriding the
default.</P
></LI
><LI
><P
>The string <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delvolume</B
></SPAN
> removes the volume and VLDB entry, overriding the
default.</P
></LI
></UL
></P
></LI
><LI
><P
>After the last field, end the line with either a colon and newline character (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>&#60;Return&#62;</B
></SPAN
>), or a newline alone.</P
></LI
></UL
></P
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Running a Command or Script with the exec Instruction</B
></SPAN
></P
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>exec</B
></SPAN
> instruction runs the indicated AFS command, compiled program, or UNIX shell
script or command. The command processor assumes the AFS and local identities of the issuer of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
bulk</B
></SPAN
> command, who must have the privileges required to run the command.</P
><P
>The instruction's syntax is as follows:</P
><PRE
CLASS="programlisting"
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>exec</B
></SPAN
> command
</PRE
><P
>It is not necessary to surround the command string with double quotes (" ") or other delimiters.</P
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>Setting the Default Treatment of Volumes with the delvolume and savevolume
Instructions</B
></SPAN
></P
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delvolume</B
></SPAN
> instructions set the
default treatment of volumes referenced by the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> instructions that follow them in the
bulk input file. Their syntax is as follows:</P
><PRE
CLASS="programlisting"
>&#13; <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
>
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delvolume</B
></SPAN
>
</PRE
><P
>Both instructions are optional and take no arguments. If neither appears in the bulk input file, then by default all
volumes and VLDB entries referenced by <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> instructions are removed. If the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
> instruction appears in the file, it prevents the removal of the volume and VLDB entry
referenced by all subsequent <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> instructions in the file. The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delvolume</B
></SPAN
> instruction explicitly establishes the default (which is deletion) for subsequent <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> instructions.</P
><P
>The effect of either instruction lasts until the end of the bulk input file, or until its opposite appears. To override
the prevailing default for a particular <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> instruction, put the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
> or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delvolume</B
></SPAN
> string in the instruction's third field. (You
can also use multiple instances of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
> and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delvolume</B
></SPAN
> instructions to toggle back and forth between default preservation and deletion of
volumes.)</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="Header_570"
>Example Bulk Input File Instructions</A
></H2
><P
>To create an authentication-only account, use an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction like the following
example, which includes only the first (username) argument. The user's real name is set to match the username (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>anderson</B
></SPAN
>) and her initial password is set to the string <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>changeme</B
></SPAN
>.</P
><PRE
CLASS="programlisting"
>&#13; add anderson
</PRE
><P
>The following example also creates an authentication-only account, but sets nondefault values for the real name and
initial password.</P
><PRE
CLASS="programlisting"
>&#13; add smith:John Smith:js_pswd
</PRE
><P
>The next two example <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instructions require that the administrator of the ABC
Corporation cell (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>abc.com</B
></SPAN
>) has written a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> template file
with the following <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction in it:</P
><PRE
CLASS="programlisting"
>&#13; V user.$USER $SERVER.abc.com /vicep$PART 10000 /afs/.abc.com/usr/$3/$USER \
$UID $USER all
</PRE
><P
>To create accounts for users named John Smith from the Marketing Department and Pat Jones from the Finance Department,
the appropriate <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instructions in the bulk input file are as follows:</P
><PRE
CLASS="programlisting"
>&#13; add smith:John Smith:::fs1:a:::::marketing
add jones:Pat Jones:::fs3:c:::::finance
</PRE
><P
>The new account for Smith consists of Protection and Authentication Database entries called <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>smith</B
></SPAN
>. His initial password is the default string <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>changeme</B
></SPAN
>, and the
Protection Server generates his AFS UID. His home volume, called <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>user.smith</B
></SPAN
>, has a 10,000 KB
quota, resides on partition <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/vicepa</B
></SPAN
> of file server machine <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs1.abc.com</B
></SPAN
>, and is mounted at <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com/usr/marketing/smith</B
></SPAN
>. The
final <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>$UID $USER all</B
></SPAN
> part of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction gives him
ownership of his home directory and all permissions on its ACL. The account for <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>jones</B
></SPAN
> is
similar, except that it resides on partition <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/vicepc</B
></SPAN
> of file server machine <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs3.abc.com</B
></SPAN
> and is mounted at <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/.abc.com/usr/finance/jones</B
></SPAN
>.</P
><P
>Notice that the fields corresponding to mount_point, uid, var1, and var2 are empty (between the values
<SAMP
CLASS="computeroutput"
>a</SAMP
> and <SAMP
CLASS="computeroutput"
>marketing</SAMP
> on the first example line) because the
corresponding variables do not appear in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>V</B
></SPAN
> instruction in the template file. The
initial_passwd and password_expires fields are also empty.</P
><P
>If you wish, you can specify values or empty fields for all nine number variables in an <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction. In that case, the bulk input file instructions are as follows:</P
><PRE
CLASS="programlisting"
>&#13; add smith:John Smith:::fs1:a:::::marketing::::::
add jones:Pat Jones:::fs3:c:::::finance::::::
</PRE
><P
>The following example is a section of a bulk input file with a number of <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
>
instructions and a <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
> instruction. Because the first three instructions appear before
the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
> instruction and their third field is blank, the corresponding volumes and VLDB
entries are removed. The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> instruction for user <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>terry</B
></SPAN
>
follows the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>savevolume</B
></SPAN
> instruction, so her volume is not removed, but the volume for user
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>johnson</B
></SPAN
> is, because the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delvolume</B
></SPAN
> string in the third field
of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> instruction overrides the current default.</P
><PRE
CLASS="programlisting"
>&#13; delete smith:/afs/abc.com/usr/smith
delete pat:/afs/abc.com/usr/pat
delete rogers:/afs/abc.com/usr/rogers
savevolume
delete terry:/afs/abc.com/usr/terry
delete johnson:/afs/abc.com/usr/johnson:delvolume
</PRE
><P
>The following example <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>exec</B
></SPAN
> instruction is useful as a separator between a set of
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instructions and a set of <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
> instructions. It
generates a message on the standard output stream that informs you of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command's
progress.</P
><PRE
CLASS="programlisting"
>&#13; exec echo "Additions completed; beginning deletions..."
</PRE
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="Header_571"
>To create and delete multiple AFS user accounts</A
></H2
><OL
TYPE="1"
><LI
><P
>Authenticate as an AFS identity with all of the following privileges. In the conventional configuration, the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>admin</B
></SPAN
> user account has them, or you possibly have a personal administrative account. (To
increase cell security, it is best to create special privileged accounts for use only while performing administrative
procedures; for further discussion, see <A
HREF="c32432.html#HDRWQ584"
>An Overview of Administrative Privilege</A
>.) If
necessary, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>klog</B
></SPAN
> command to authenticate. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>klog</B
></SPAN
> admin_user
Password: &#60;<VAR
CLASS="replaceable"
>admin_password</VAR
>&#62;
</PRE
></P
><P
>The following list specifies the necessary privileges and indicates how to check that you have them.</P
><UL
><LI
><P
>Membership in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:administrators</B
></SPAN
> group. If necessary, issue the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts membership</B
></SPAN
> command, which is fully described in <A
HREF="c32432.html#HDRWQ587"
>To
display the members of the system:administrators group</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts membership system:administrators</B
></SPAN
>
</PRE
></P
></LI
><LI
><P
>Inclusion in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/usr/afs/etc/UserList</B
></SPAN
> file. If necessary, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>bos listusers</B
></SPAN
> command, which is fully described in <A
HREF="c32432.html#HDRWQ593"
>To display the
users in the UserList file</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>bos listusers</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>machine name</VAR
>&#62;
</PRE
></P
></LI
><LI
><P
>The <SAMP
CLASS="computeroutput"
>ADMIN</SAMP
> flag on the Authentication Database entry. However, the
Authentication Server always prompts you for a password in order to perform its own authentication. The following
instructions direct you to specify the administrative identity on the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command
line itself.</P
></LI
><LI
><P
>The <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>d</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>delete</B
></SPAN
>), <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>i</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>insert</B
></SPAN
>) and <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>l</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>lookup</B
></SPAN
>) permissions on the ACL of the parent directory for each volume mount point. If
necessary, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs listacl</B
></SPAN
> command, which is fully described in <A
HREF="c31274.html#HDRWQ572"
>Displaying ACLs</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs listacl</B
></SPAN
> [&#60;<VAR
CLASS="replaceable"
>dir/file path</VAR
>&#62;]
</PRE
></P
><P
>Members of the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>system:administrators</B
></SPAN
> group always implicitly have the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>a</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>administer</B
></SPAN
>) and by default also the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>l</B
></SPAN
> (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>lookup</B
></SPAN
>) permission on every ACL and can use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>fs setacl</B
></SPAN
> command to grant other rights as necessary.</P
></LI
></UL
></LI
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>(Optional.)</B
></SPAN
> Log in as the local superuser <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>root</B
></SPAN
>.
This is necessary only if you are creating new files or directories in the local file system and want to designate an
alternate owner as the object is created. For a discussion of the issues involved, see <A
HREF="c24913.html#HDRWQ470"
>About
Creating Local Disk Directories and Files</A
>.</P
></LI
><LI
><P
>If the bulk input file includes <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instructions, verify the location and
functionality of the template you are using. For a description of where the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss</B
></SPAN
> command
interpreter expects to find the template, see <A
HREF="c24913.html#HDRWQ468"
>Where to Place Template Files</A
>. You can
always provide an alternate pathname if you wish. Also note which variables appear in the template, to be sure that you
provide the corresponding arguments in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction or on the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command line.</P
></LI
><LI
><P
>Create a bulk input file that complies with the rules listed in <A
HREF="c24913.html#HDRWQ489"
>Constructing a Bulk Input
File</A
>. It is simplest to put the file in the same directory as the template file you are using.</P
></LI
><LI
><P
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>(Optional.)</B
></SPAN
> Change to the directory where the bulk input file and template file
reside. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>cd</B
></SPAN
> template_directory
</PRE
></P
></LI
><LI
><P
><A
NAME="LIWQ490"
></A
>Issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> command to create or delete accounts, or
both. Enter the command on a single line; it appears here on multiple lines only for legibility.</P
><P
>The bulk operation always manipulates user entries in the Authentication Database. The Authentication Server
performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local
(UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. Include the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-admin</B
></SPAN
> argument to name an identity that has the <SAMP
CLASS="computeroutput"
>ADMIN</SAMP
> flag on its
Authentication Database entry. To verify that an entry has the flag, issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>kas
examine</B
></SPAN
> command as described in <A
HREF="c32432.html#HDRWQ590"
>To check if the ADMIN flag is set</A
>.</P
><PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss bulk</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>bulk input file</VAR
>&#62; \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-template</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>pathname of template file</VAR
>&#62;] \
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-admin</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>administrator to authenticate</VAR
>&#62; \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
>] [<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-overwrite</B
></SPAN
>] \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-pwexpires</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>password expires in [0..254] days (0 =</VAR
>&#62; never)&#62;] \
[<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-pipe</B
></SPAN
>]
Administrator's (admin_user) password: &#60;<VAR
CLASS="replaceable"
>admin_password</VAR
>&#62;
</PRE
><P
>where <DIV
CLASS="variablelist"
><DL
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>b</B
></SPAN
></DT
><DD
><P
>Is the shortest acceptable abbreviation of <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>bulk</B
></SPAN
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>bulk input file</B
></SPAN
></DT
><DD
><P
>Specifies the pathname of the bulk input file. Partial pathnames are interpreted relative to the current
working directory. For a discussion of the required file format, see <A
HREF="c24913.html#HDRWQ489"
>Constructing a Bulk
Input File</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-template</B
></SPAN
></DT
><DD
><P
>Specifies the pathname of the template file for any <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> commands that
appear in the bulk input file. Partial pathnames are interpreted relative to the current working directory. For a
discussion of the required file format, see <A
HREF="c24913.html#HDRWQ463"
>Constructing a uss Template
File</A
>.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-admin</B
></SPAN
></DT
><DD
><P
>Names an administrative account that has the <SAMP
CLASS="computeroutput"
>ADMIN</SAMP
> flag on its
Authentication Database entry, such as the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>admin</B
></SPAN
> account. The password prompt
echoes it as admin_user. Enter the appropriate password as admin_password.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-dryrun</B
></SPAN
></DT
><DD
><P
>Reports actions that the command interpreter needs to perform to run the command, without actually
performing them.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-overwrite</B
></SPAN
></DT
><DD
><P
>Overwrites any directories, files and links that exist in the file system and for which there are also
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>D</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>E</B
></SPAN
>, <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>F</B
></SPAN
>,
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>L</B
></SPAN
>, or <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>S</B
></SPAN
> instructions in the template file named
by the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-template</B
></SPAN
> argument. If this flag is omitted, the command interpreter
prompts, once for each <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction in the bulk input file, for confirmation
that it is to overwrite such elements. Do not include this flag if there are no <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instructions in the bulk input file.</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-pwexpires</B
></SPAN
></DT
><DD
><P
>Sets the number of days after a user's password is changed that it remains valid, for each user named by an
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>add</B
></SPAN
> instruction in the bulk input file. Provide an integer from the range
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>1</B
></SPAN
> through <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>254</B
></SPAN
> to specify the number of days
until expiration, or the value <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>0</B
></SPAN
> to indicate that the password never expires (the
default).</P
><P
>When the password becomes invalid (expires), the user is unable to authenticate, but has 30 more days in
which to issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>kpasswd</B
></SPAN
> command to change the password (after that, only an
administrator can change it).</P
></DD
><DT
><SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-pipe</B
></SPAN
></DT
><DD
><P
>Suppresses the Authentication Server's prompt for the password of the issuer or the user named by the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-admin</B
></SPAN
> argument (the Authentication Server always separately authenticates the
user who is creating or deleting an entry in the Authentication Database). Instead, the command interpreter
accepts the password as piped input from another program, enabling you to run the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss
bulk</B
></SPAN
> command in unattended batch jobs.</P
></DD
></DL
></DIV
></P
></LI
><LI
><P
>If a newly created or deleted user home directory resides in a replicated volume, use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>vos
release</B
></SPAN
> command to release the volume, as described in <A
HREF="c8420.html#HDRWQ194"
>To replicate a read/write
volume (create a read-only volume)</A
>. <PRE
CLASS="programlisting"
>&#13; % <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>vos release</B
></SPAN
> &#60;<VAR
CLASS="replaceable"
>volume name or ID</VAR
>&#62;
</PRE
></P
><DIV
CLASS="note"
><BLOCKQUOTE
CLASS="note"
><P
><B
>Note: </B
>This step can be necessary even if the home directory's parent directory is not itself a mount point for a
replicated volume (and is easier to overlook in that case). For example, the ABC Corporation template puts the mount
points for user volumes in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/abc.com/usr</B
></SPAN
> directory. Because that is a regular
directory rather than a mount point, it resides in the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>root.cell</B
></SPAN
> volume mounted at the
<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/afs/abc.com</B
></SPAN
> directory. That volume is replicated, so after changing it by creating or
deleting a mount point, the administrator must issue the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>vos release</B
></SPAN
> command.</P
></BLOCKQUOTE
></DIV
></LI
><LI
><P
>If you are creating accounts, create an entry for the new user in the local password file (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/etc/passwd</B
></SPAN
> or equivalent) on each AFS client machine that he or she can log into. For suggestions
on automating this step, see <A
HREF="c24913.html#HDRWQ458"
>Creating a Common Source Password File</A
>.</P
><P
>Even if you do not use the automated method, set the user's UNIX UID to match the AFS UID assigned automatically by
the Protection Server or assigned with the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>-uid</B
></SPAN
> argument. The new user's AFS UID appears
in the trace produced by the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>uss add</B
></SPAN
> output or you can use the <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>pts
examine</B
></SPAN
> command to display it, as described in <A
HREF="c29323.html#HDRWQ537"
>To display a Protection Database
entry</A
>.</P
></LI
><LI
><P
>If you are deleting accounts, delete the user's entry from the local password file (<SPAN
CLASS="bold"
><B
CLASS="emphasis"
>/etc/passwd</B
></SPAN
> or equivalent) of each client machine. If you use the AFS <SPAN
CLASS="bold"
><B
CLASS="emphasis"
>package</B
></SPAN
> utility, it is sufficient to remove the entry from the common source version of the file.
If you intend to reactivate the user's account in the future, it is simpler to comment out the entry or place an asterisk
(*) in the password field.</P
></LI
></OL
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="p24911.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="book1.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="c27596.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Managing Users and Groups</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="p24911.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Administering User Accounts</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue Copy Permalink