mirror of
https://git.openafs.org/openafs.git
synced 2025-01-19 07:20:11 +00:00
5f70d9bb3c
SYNOPSIS was mislabelled DESCRIPTION and the man page was therefore missing the HTML formatting fixes.
=head1 NAME

kaserver - Initializes the Authentication Server

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<kaserver> [B<-noAuth>] [B<-fastKeys>] [B<-database> <I<dbpath>>]
S<<< [B<-localfiles> <I<lclpath>>] >>> S<<< [B<-minhours> <I<n>>] >>>
S<<< [B<-servers> <I<serverlist>>] >>> [B<-enable_peer_stats>]
[B<-enable_process_stats>] [B<-help>]

=for html
</div>

=head1 DESCRIPTION

The B<kaserver> command initializes the Authentication Server, which runs
on every database server machine. In the conventional configuration, its
binary file is located in the F</usr/afs/bin> directory on a file server
machine.

The B<kaserver> command is not normally issued at the command shell prompt
but rather placed into a file server machine's F</usr/afs/local/BosConfig>
file with the B<bos create> command. If it is ever issued at the command
shell prompt, the issuer must be logged onto a database server machine as
the local superuser C<root>.

As it initializes, the Authentication Server process creates the two files
that constitute the Authentication Database, F<kaserver.DB0> and
F<kaserver.DBSYS1>, in the F</usr/afs/db> directory if they do not already
exist. Use the commands in the B<kas> suite to administer the database.

The Authentication Server is responsible for several aspects of AFS
security, including:

=over 4

=item *

Maintenance of all AFS server encryption keys and user passwords in the
Authentication Database.

=item *

Creation of the tickets and tokens that users and servers use to establish
secure connections. Its Ticket Granting Service (TGS) component performs
this function.

=back

The Authentication Server records a trace of its activity in the
F</usr/afs/logs/AuthLog> file. Use the B<bos getlog> command to display
the contents of the file. Use the B<kdb> command to read the protected
files associated with the F<AuthLog> file, F<AuthLog.dir> and
F<AuthLog.pag>.

This command does not use the syntax conventions of the AFS command
suites. Provide the command name and all option names in full.

=head1 OPTIONS

=over 4

=item B<-noAuth>

Assigns the unprivileged identity C<anonymous> to the issuer. Thus, it
establishes an unauthenticated connection between the issuer and the
Authentication Server. It is useful only when authorization checking is
disabled on the database server machine. In normal circumstances, the
Authentication Server allows only authorized (privileged) users to issue
commands that affect or contact the Authentication Database and will
refuse to perform such an action even if the B<-noAuth> flag is used.

=item B<-fastKeys>

Is a test flag for use by the AFS Development staff; it serves no
functional purpose.

=item B<-database> <I<dbpath>>

Specifies the pathname of an alternate directory in which the
Authentication Database files reside. Provide the complete pathname,
ending in the base filename to which the C<.DB0> and C<.DBSYS1> extensions
are appended. For example, the appropriate value for the default database
files is F</usr/afs/db/kaserver>.

Provide the B<-localfiles> argument along with this one; otherwise, the
B<-localfiles> argument is also set to the value of this argument, which
is probably inappropriate.

=item B<-localfiles> <I<lclpath>>

Specifies the pathname of an alternate directory in which the auxiliary
Authentication Database file resides. Provide the complete pathname,
ending in the base filename to which the C<auxdb> suffix is appended. For
example, the appropriate value for the default auxiliary database file is
F</usr/afs/local/kaserver>.

=item B<-minhours> <I<n>>

Specifies the minimum number of hours that must pass between password
changes made by any regular user. System administrators (with the C<ADMIN>
flag in their Authentication Database entry) can change passwords as often
as desired. Setting a minimum time between password changes is not
recommended.

=item B<-servers> <I<authentication servers>>+

Names each database server machine running an Authentication Server with
which the local Authentication Server is to synchronize its copy of the
Authentication Database, rather than with the machines listed in the local
F</usr/afs/etc/CellServDB> file.

=item B<-enable_peer_stats>

Activates the collection of Rx statistics and allocates memory for their
storage. For each connection with a specific UDP port on another machine,
a separate record is kept for each type of RPC (FetchFile, GetStatus, and
so on) sent or received. To display or otherwise access the records, use
the Rx Monitoring API.

=item B<-enable_process_stats>

Activates the collection of Rx statistics and allocates memory for their
storage. A separate record is kept for each type of RPC (FetchFile,
GetStatus, and so on) sent or received, aggregated over all connections to
other machines. To display or otherwise access the records, use the Rx
Monitoring API.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back

=head1 EXAMPLES

The following B<bos create> command creates a C<kaserver> process on
C<fs3.abc.com> (the command appears on two lines here only for
legibility):

   % bos create -server fs3.abc.com -instance kaserver \
                -type simple -cmd /usr/afs/bin/kaserver

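The following check is an added example, not part of the original man page or of OpenAFS: it reads a BosConfig-style file and flags the kaserver options that the OPTIONS section cautions about, including -database given without -localfiles. The bnode/parm/end record layout, the function names audit_kaserver and sample_bosconfig, and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag kaserver options that this page cautions about.
# Assumption: BosConfig records each process as
#   bnode <type> <instance> <status> / parm <command line> / end
# kaserver takes option names in full only, so exact matches suffice.

audit_kaserver() {            # reads a BosConfig-style file on stdin
    awk '
        function flag(msg) { print msg; n++ }
        $1 == "bnode" { in_ka = ($3 == "kaserver"); next }
        $1 == "end"   { in_ka = 0; next }
        in_ka && $1 == "parm" {
            found = 1; db = 0; lf = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "-noAuth")
                    flag("WARN -noAuth: anonymous, unauthenticated connection requested")
                if ($i == "-fastKeys")
                    flag("WARN -fastKeys: development test flag with no functional purpose")
                if ($i == "-minhours")
                    flag("WARN -minhours: minimum time between password changes is not recommended")
                if ($i == "-servers")
                    flag("NOTE -servers: sync peers overridden, CellServDB list not used")
                if ($i == "-database")   db = 1
                if ($i == "-localfiles") lf = 1
            }
            if (db && !lf)
                flag("WARN -database without -localfiles: auxiliary database path defaults to the -database value")
        }
        END {
            if (!found)  print "INFO no kaserver instance found"
            else if (!n) print "OK kaserver command line has no flagged options"
        }
    '
}

sample_bosconfig() {          # constructed sample, not from a real cell
    cat <<'EOF'
restarttime 11 0 4 0 0
checkbintime 3 0 5 0 0
bnode simple kaserver 1
parm /usr/afs/bin/kaserver -noAuth -database /srv/kadb/kaserver -minhours 24
end
bnode simple ptserver 1
parm /usr/afs/bin/ptserver
end
EOF
}

sample_bosconfig | audit_kaserver
# On a server: audit_kaserver < /usr/afs/local/BosConfig
```
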
=head1 PRIVILEGE REQUIRED

The issuer must be logged in as the superuser C<root> on a file server
machine to issue the command at a command shell prompt. It is conventional
instead to create and start the process by issuing the B<bos create>
command.

=head1 SEE ALSO

L<AuthLog(5)>,
L<BosConfig(5)>,
L<CellServDB(5)>,
L<kaserver.DB0(5)>,
L<kaserverauxdb(5)>,
L<bos(8)>,
L<bos_create(8)>,
L<bos_getlog(8)>,
L<kas(8)>,
L<kdb(8)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.