mirror of
https://git.openafs.org/openafs.git
synced 2025-01-22 08:50:17 +00:00
6ba44802ea
LICENSE IPL10 FIXES 124681 add -encrypt flag to pts generic options, allowing the wire to be encrypted if desired and the user's authenticated. document same.
203 lines
6.9 KiB
Plaintext
=head1 NAME

pts - Introduction to the pts command suite

=head1 DESCRIPTION

The commands in the B<pts> command suite are the administrative interface
to the Protection Server, which runs on each database server machine in a
cell and maintains the Protection Database. The database stores the
information that AFS uses to augment and refine the standard UNIX scheme
for controlling access to files and directories.

Instead of relying only on the mode bits that define access rights for
individual files, AFS associates an access control list (ACL) with each
directory. The ACL lists users and groups and specifies which of seven
possible access permissions they have for the directory and the files it
contains. (It is still possible to set a directory or file's mode bits,
but AFS interprets them in its own way; see the chapter on protection in
the I<IBM AFS Administration Guide> for details.)

AFS enables users to define groups in the Protection Database and place
them on ACLs to extend a set of rights to multiple users simultaneously.
Groups simplify administration by making it possible to add someone to
many ACLs by adding them to a group that already exists on those
ACLs. Machines can also be members of a group, so that users logged into
the machine automatically inherit the permissions granted to the group.

There are several categories of commands in the pts command suite:


=over 4

=item *

Commands to create and remove Protection Database entries: B<pts
creategroup>, B<pts createuser>, and B<pts delete>.

=item *

Commands to administer and display group membership: B<pts adduser>, B<pts
listowned>, B<pts membership>, and B<pts removeuser>.

=item *

Commands to administer and display properties of user and group entries
other than membership: B<pts chown>, B<pts examine>, B<pts listentries>,
B<pts rename>, and B<pts setfields>.

=item *

Commands to set and examine the counters used when assigning IDs to users
and groups: B<pts listmax> and B<pts setmax>.

=item *

Commands to run commands interactively: B<pts interactive>, B<pts
sleep>, and B<pts quit>.

=item *

A command to run commands from a file: B<pts source>.

=item *

Commands to obtain help: B<pts apropos> and B<pts help>.

=back


=head1 OPTIONS

The following arguments and flags are available on many commands in the
B<pts> suite. The reference page for each command also lists them, but
they are described here in greater detail.

=over 4

=item B<-cell> <I<cell name>>

Names the cell in which to run the command. It is acceptable to abbreviate
the cell name to the shortest form that distinguishes it from the other
entries in the F</usr/vice/etc/CellServDB> file on the local machine. If
the B<-cell> argument is omitted, the command interpreter determines the
name of the local cell by reading the following in order:

=over 4

=item *

The value of the AFSCELL environment variable.

=item *

The local F</usr/vice/etc/ThisCell> file.

=back

Do not combine the B<-cell> and B<-localauth> options. A command on which
the B<-localauth> flag is included always runs in the local cell (as
defined in the server machine's local F</usr/afs/etc/ThisCell> file),
whereas a command on which the B<-cell> argument is included runs in the
specified foreign cell.

=item B<-force>

Enables the command to continue executing as far as possible when errors
or other problems occur, rather than halting execution immediately.
Without it, the command halts as soon as the first error is
encountered. In either case, the B<pts> command interpreter reports errors
at the command shell. This flag is especially useful if the issuer
provides many values for a command line argument; if one of them is
invalid, the command interpreter continues on to process the remaining
arguments.

=item B<-help>

Prints a command's online help message on the standard output stream. Do
not combine this flag with any of the command's other options; when it is
provided, the command interpreter ignores all other options, and only
prints the help message.

=item B<-noauth>

Establishes an unauthenticated connection to the Protection Server, in
which the server treats the issuer as the unprivileged user
C<anonymous>. It is useful only when authorization checking is disabled on
the server machine (during the installation of a file server machine or
when the B<bos setauth> command has been used during other unusual
circumstances). In normal circumstances, the Protection Server allows only
privileged users to issue commands that change the Protection Database,
and refuses to perform such an action even if the B<-noauth> flag is
provided.


=item B<-encrypt>

Establishes an authenticated, encrypted connection to the Protection
Server, so that the network traffic for the transaction is not readable on
the wire. Use it when the contents of the transaction should not be
exposed to the network; it requires that the issuer be authenticated.


=item B<-localauth>

Constructs a server ticket using the server encryption key with the
highest key version number in the local F</usr/afs/etc/KeyFile> file. The
B<pts> command interpreter presents the ticket, which never expires, to
the BOS Server during mutual authentication.

Use this flag only when issuing a command on a server machine; client
machines do not usually have a F</usr/afs/etc/KeyFile> file. The issuer
of a command that includes this flag must be logged on to the server
machine as the local superuser C<root>. The flag is useful for commands
invoked by an unattended application program, such as a process controlled
by the UNIX B<cron> utility. It is also useful if an administrator is
unable to authenticate to AFS but is logged in as the local superuser
C<root>.

Do not combine the B<-cell> and B<-localauth> options. A command on which
the B<-localauth> flag is included always runs in the local cell (as
defined in the server machine's local F</usr/afs/etc/ThisCell> file),
whereas a command on which the B<-cell> argument is included runs in the
specified foreign cell. Also, do not combine the B<-localauth> and
B<-noauth> flags.

=back

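The following POSIX shell snippet is an added example; it is not part of this manual page or of OpenAFS. It models the option rules described above so that an administrator's wrapper script can check a B<pts> command line before running it: the cell is resolved in the documented order (AFSCELL, then the ThisCell file), the pairs the page says not to combine (B<-cell> with B<-localauth>, B<-localauth> with B<-noauth>) are rejected, and B<-encrypt> is added to changes made from a client machine. AFSCELL, the ThisCell path and the flag names come from the page; the function names, the PTS_THISCELL variable and the ThisCell file the script builds are assumptions made for this example, and nothing here executes B<pts>.

```shell
#!/bin/sh
# Added example, not part of the OpenAFS pts manual page or of OpenAFS.
# Models the option rules the page documents; AFSCELL, /usr/vice/etc/ThisCell
# and the flag names are from the page, the function names, PTS_THISCELL and
# the ThisCell file built below are assumptions.  Nothing here executes pts.

# Resolve the cell name the way the page says the command interpreter does
# when -cell is omitted: the AFSCELL environment variable first, then the
# first line of the ThisCell file.  $1 is the ThisCell path to consult.
pts_resolve_cell() {
    thiscell="${1:-/usr/vice/etc/ThisCell}"
    if [ -n "${AFSCELL:-}" ]; then
        printf '%s\n' "$AFSCELL"
        return 0
    fi
    if [ -r "$thiscell" ]; then
        head -n 1 "$thiscell"
        return 0
    fi
    return 1    # neither source available: the cell cannot be determined
}

# Reject the option pairs the page says not to combine:
# -cell with -localauth, and -localauth with -noauth.
pts_check_options() {
    has_cell=0; has_localauth=0; has_noauth=0
    for arg in "$@"; do
        case "$arg" in
            -cell)      has_cell=1 ;;
            -localauth) has_localauth=1 ;;
            -noauth)    has_noauth=1 ;;
        esac
    done
    if [ "$has_cell" -eq 1 ] && [ "$has_localauth" -eq 1 ]; then
        echo "pts: -localauth always runs in the local cell; do not add -cell" >&2
        return 1
    fi
    if [ "$has_localauth" -eq 1 ] && [ "$has_noauth" -eq 1 ]; then
        echo "pts: -localauth and -noauth cannot be combined" >&2
        return 1
    fi
    return 0
}

# Build the argument list for a change to the Protection Database made from
# a client machine: the cell is resolved as above and -encrypt is appended so
# the transaction is not readable on the wire.  Prints one argument per line.
pts_admin_argv() {
    subcmd="$1"; shift
    cell=$(pts_resolve_cell "${PTS_THISCELL:-}") || return 1
    pts_check_options "$@" -cell -encrypt || return 1
    printf '%s\n' pts "$subcmd" "$@" -cell "$cell" -encrypt
}

# --- constructed demonstration data (not a real cell) ---
tmpdir=$(mktemp -d)
printf 'example.com\n' > "$tmpdir/ThisCell"
PTS_THISCELL="$tmpdir/ThisCell"

unset AFSCELL
pts_resolve_cell "$PTS_THISCELL"                               # example.com
(AFSCELL=other.example.org; pts_resolve_cell "$PTS_THISCELL")  # other.example.org
pts_admin_argv createuser jdoe      # one per line: pts createuser jdoe -cell example.com -encrypt
pts_check_options -localauth -noauth || echo "rejected as documented"
```

The wrapper only validates and prints the argument list; an administrator would pass that list to the real B<pts> binary, and the checks make the forbidden flag combinations fail before any connection is attempted rather than after the server has already been contacted.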

=head1 PRIVILEGE REQUIRED

Members of the system:administrators group can issue all B<pts> commands
on any entry in the Protection Database.

Users who do not belong to the system:administrators group can list
information about their own entry and any group entries they own. The
privacy flags set with the B<pts setfields> command control access to
entries owned by other users.

=head1 SEE ALSO

L<pts_adduser(1)>,
L<pts_apropos(1)>,
L<pts_chown(1)>,
L<pts_creategroup(1)>,
L<pts_createuser(1)>,
L<pts_delete(1)>,
L<pts_examine(1)>,
L<pts_help(1)>,
L<pts_interactive(1)>,
L<pts_listentries(1)>,
L<pts_listmax(1)>,
L<pts_listowned(1)>,
L<pts_membership(1)>,
L<pts_quit(1)>,
L<pts_removeuser(1)>,
L<pts_rename(1)>,
L<pts_setfields(1)>,
L<pts_setmax(1)>,
L<pts_sleep(1)>,
L<pts_source(1)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.