mirror of
https://git.openafs.org/openafs.git
synced 2025-01-22 08:50:17 +00:00
5f70221b2c
Change references to the documentation sets that we still ship to reference the OpenAFS manuals instead of the IBM AFS manuals. Remove references to the IBM AFS/DFS Migration documentation, since that doesn't appear to be available anywhere any more, replacing them where relevant to more generic references to the DFS documentation. Add links to docs.openafs.org for mentions of the manuals in SEE ALSO, and standardize on one link format. Replace a few references to the IBM AFS Release Notes with the actual information in those notes, or drop the reference if it doesn't seem particularly useful. Change-Id: Ie9666842f1315891c6a9c37c0424200f4b78bff7 Reviewed-on: http://gerrit.openafs.org/2031 Reviewed-by: Derrick Brashear <shadow@dementia.org> Tested-by: Derrick Brashear <shadow@dementia.org>
222 lines
7.4 KiB
Plaintext
=head1 NAME

pts - Introduction to the pts command suite

=head1 DESCRIPTION

The commands in the B<pts> command suite are the administrative interface
to the Protection Server, which runs on each database server machine in a
cell and maintains the Protection Database. The database stores the
information that AFS uses to augment and refine the standard UNIX scheme
for controlling access to files and directories.

Instead of relying only on the mode bits that define access rights for
individual files, AFS associates an access control list (ACL) with each
directory. The ACL lists users and groups and specifies which of seven
possible access permissions they have for the directory and the files it
contains. (It is still possible to set a directory or file's mode bits,
but AFS interprets them in its own way; see the chapter on protection in
the I<OpenAFS Administration Guide> for details.)

AFS enables users to define groups in the Protection Database and place
them on ACLs to extend a set of rights to multiple users simultaneously.
Groups simplify administration by making it possible to add someone to
many ACLs by adding them to a group that already exists on those
ACLs. Machines can also be members of a group, so that users logged into
the machine automatically inherit the permissions granted to the group.

There are several categories of commands in the B<pts> command suite:

=over 4

=item *

Commands to create and remove Protection Database entries:
L<B<pts creategroup>|pts_creategroup(1)>,
L<B<pts createuser>|pts_createuser(1)>,
and L<B<pts delete>|pts_delete(1)>.

=item *

Commands to administer and display group membership:
L<B<pts adduser>|pts_adduser(1)>,
L<B<pts listowned>|pts_listowned(1)>,
L<B<pts membership>|pts_membership(1)>,
and L<B<pts removeuser>|pts_removeuser(1)>.

=item *

Commands to administer and display properties of user and group entries
other than membership:
L<B<pts chown>|pts_chown(1)>,
L<B<pts examine>|pts_examine(1)>,
L<B<pts listentries>|pts_listentries(1)>,
L<B<pts rename>|pts_rename(1)>,
and L<B<pts setfields>|pts_setfields(1)>.

=item *

Commands to set and examine the counters used when assigning IDs to users
and groups:
L<B<pts listmax>|pts_listmax(1)>
and L<B<pts setmax>|pts_setmax(1)>.

=item *

Commands to run commands interactively:
L<B<pts interactive>|pts_interactive(1)>,
L<B<pts sleep>|pts_sleep(1)>,
and L<B<pts quit>|pts_quit(1)>.

=item *

A command to run commands from a file:
L<B<pts source>|pts_source(1)>.

=item *

Commands to obtain help:
L<B<pts apropos>|pts_apropos(1)>
and L<B<pts help>|pts_help(1)>.

=back

=head1 OPTIONS

The following arguments and flags are available on many commands in the
B<pts> suite. The reference page for each command also lists them, but
they are described here in greater detail.

=over 4

=item B<-cell> <I<cell name>>

Names the cell in which to run the command. It is acceptable to abbreviate
the cell name to the shortest form that distinguishes it from the other
entries in the F</usr/vice/etc/CellServDB> file on the local machine. If
the B<-cell> argument is omitted, the command interpreter determines the
name of the local cell by reading the following in order:

=over 4

=item *

The value of the AFSCELL environment variable.

=item *

The local F</usr/vice/etc/ThisCell> file.

=back

Do not combine the B<-cell> and B<-localauth> options. A command on which
the B<-localauth> flag is included always runs in the local cell (as
defined in the server machine's local F</usr/afs/etc/ThisCell> file),
whereas a command on which the B<-cell> argument is included runs in the
specified foreign cell.

=item B<-force>

Enables the command to continue executing as far as possible when errors
or other problems occur, rather than halting execution immediately.
Without it, the command halts as soon as the first error is
encountered. In either case, the B<pts> command interpreter reports errors
at the command shell. This flag is especially useful if the issuer
provides many values for a command line argument; if one of them is
invalid, the command interpreter continues on to process the remaining
arguments.

=item B<-help>

Prints a command's online help message on the standard output stream. Do
not combine this flag with any of the command's other options; when it is
provided, the command interpreter ignores all other options, and only
prints the help message.

=item B<-noauth>

Establishes an unauthenticated connection to the Protection Server, in
which the server treats the issuer as the unprivileged user
C<anonymous>. It is useful only when authorization checking is disabled on
the server machine (during the installation of a file server machine or
when the L<B<bos setauth>|bos_setauth(8)> command has been used during
other unusual circumstances). In normal circumstances, the Protection
Server allows only privileged users to issue commands that change the
Protection Database, and refuses to perform such an action even if the
B<-noauth> flag is provided.

=item B<-encrypt>

Establishes an authenticated, encrypted connection to the Protection Server.
It is useful when it is desired to obscure network traffic related to the
transactions being done.

=item B<-localauth>

Constructs a server ticket using the server encryption key with the
highest key version number in the local F</usr/afs/etc/KeyFile> file. The
B<pts> command interpreter presents the ticket, which never expires, to
the BOS Server during mutual authentication.

Use this flag only when issuing a command on a server machine; client
machines do not usually have a F</usr/afs/etc/KeyFile> file. The issuer
of a command that includes this flag must be logged on to the server
machine as the local superuser C<root>. The flag is useful for commands
invoked by an unattended application program, such as a process controlled
by the UNIX B<cron> utility. It is also useful if an administrator is
unable to authenticate to AFS but is logged in as the local superuser
C<root>.

Do not combine the B<-cell> and B<-localauth> options. A command on which
the B<-localauth> flag is included always runs in the local cell (as
defined in the server machine's local F</usr/afs/etc/ThisCell> file),
whereas a command on which the B<-cell> argument is included runs in the
specified foreign cell. Also, do not combine the B<-localauth> and
B<-noauth> flags.

=back

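The shell functions below are an added example, not part of the OpenAFS
documentation or sources. They apply the cell lookup order and the
B<-cell>, B<-localauth> and B<-noauth> restrictions described above as
pre-flight checks for a script that runs B<pts> unattended; the function
names and the C<CLIENT_THISCELL> and C<SERVER_KEYFILE> override variables
are hypothetical.

```shell
# Added example: pre-flight checks for an unattended pts call.
# Default paths are the ones named on this page; the two variables are
# hypothetical overrides so the functions can be exercised off a server.
CLIENT_THISCELL=${CLIENT_THISCELL:-/usr/vice/etc/ThisCell}
SERVER_KEYFILE=${SERVER_KEYFILE:-/usr/afs/etc/KeyFile}

# resolve_cell [cell]: print the cell a pts command without -localauth uses.
# Order: explicit -cell value, then AFSCELL, then the client ThisCell file.
# An abbreviated -cell value is returned as typed, not expanded via CellServDB.
resolve_cell() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    elif [ -n "${AFSCELL:-}" ]; then
        printf '%s\n' "$AFSCELL"
    elif [ -r "$CLIENT_THISCELL" ]; then
        head -n 1 "$CLIENT_THISCELL"
    else
        echo "cannot determine the local cell" >&2
        return 1
    fi
}

# check_pts_flags ARGS...: reject the flag combinations the page forbids.
# Only the full flag spellings shown on this page are recognised.
check_pts_flags() {
    _cell=0 _local=0 _noauth=0
    for _arg in "$@"; do
        case $_arg in
            -cell)      _cell=1 ;;
            -localauth) _local=1 ;;
            -noauth)    _noauth=1 ;;
        esac
    done
    if [ "$_local" -eq 1 ] && [ "$_cell" -eq 1 ]; then
        echo "-localauth always runs in the local cell; drop -cell" >&2
        return 2
    fi
    if [ "$_local" -eq 1 ] && [ "$_noauth" -eq 1 ]; then
        echo "-localauth and -noauth must not be combined" >&2
        return 3
    fi
    return 0
}

# localauth_ready: -localauth needs local root and a readable KeyFile.
localauth_ready() {
    [ "$(id -u)" -eq 0 ] || { echo "-localauth requires local root" >&2; return 1; }
    [ -r "$SERVER_KEYFILE" ] || { echo "no readable $SERVER_KEYFILE" >&2; return 1; }
}
```
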
=head1 PRIVILEGE REQUIRED

Members of the system:administrators group can issue all B<pts> commands
on any entry in the Protection Database.

Users who do not belong to the system:administrators group can list
information about their own entry and any group entries they own. The
privacy flags set with the L<B<pts setfields>|pts_setfields(1)> command
control access to entries owned by other users.

=head1 SEE ALSO

L<pts_adduser(1)>,
L<pts_apropos(1)>,
L<pts_chown(1)>,
L<pts_creategroup(1)>,
L<pts_createuser(1)>,
L<pts_delete(1)>,
L<pts_examine(1)>,
L<pts_help(1)>,
L<pts_interactive(1)>,
L<pts_listentries(1)>,
L<pts_listmax(1)>,
L<pts_listowned(1)>,
L<pts_membership(1)>,
L<pts_quit(1)>,
L<pts_removeuser(1)>,
L<pts_rename(1)>,
L<pts_setfields(1)>,
L<pts_setmax(1)>,
L<pts_sleep(1)>,
L<pts_source(1)>

The I<OpenAFS Administration Guide> at
L<http://docs.openafs.org/AdminGuide/>.

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.