pts - Introduction to the pts command suite
The commands in the pts command suite are the administrative interface to
the Protection Server, which runs on each database server machine in a cell
and maintains the Protection Database. The database stores the information
that AFS uses to augment and refine the standard UNIX scheme for controlling
access to files and directories.
Instead of relying only on the mode bits that define access rights for
individual files, AFS associates an access control list (ACL) with each
directory. The ACL lists users and groups and specifies which of seven
possible access permissions they have for the directory and the files it
contains. (It is still possible to set a directory or file's mode bits, but
AFS interprets them in its own way; see the chapter on protection in the
OpenAFS Administration Guide for details.)
AFS enables users to define groups in the Protection Database and place them on
ACLs to extend a set of rights to multiple users simultaneously. Groups
simplify administration by making it possible to add someone to many ACLs by
adding them to a group that already exists on those ACLs. Machines can also be
members of a group, so that users logged into the machine automatically
inherit the permissions granted to the group.
There are several categories of commands in the pts command suite:
- Commands to create and remove Protection Database entries:
  pts creategroup, pts createuser, and pts delete.
- Commands to administer and display group membership: pts adduser,
  pts listowned, pts membership, and pts removeuser.
- Commands to administer and display properties of user and group entries
  other than membership: pts chown, pts examine, pts listentries,
  pts rename, and pts setfields.
- Commands to set and examine the counters used when assigning IDs to users
  and groups: pts listmax and pts setmax.
- Commands to run commands interactively: pts interactive, pts sleep, and
  pts quit.
- A command to run commands from a file: pts source.
- Commands to obtain help: pts apropos and pts help.
- A command to display the OpenAFS command suite version: pts version.
The following arguments and flags are available on many commands in the
pts suite. The reference page for each command also lists them, but
they are described here in greater detail.
- -cell <cell name>
- Names the cell in which to run the command. It is acceptable to abbreviate
  the cell name to the shortest form that distinguishes it from the other
  entries in the /etc/openafs/CellServDB file on the local machine. If the
  -cell argument is omitted, the command interpreter determines the name of
  the local cell by reading the following in order:
  - The value of the AFSCELL environment variable.
  - The local /etc/openafs/ThisCell file.
Do not combine the -cell and -localauth options. A command on
which the -localauth flag is included always runs in the local cell
(as defined in the server machine's local
/etc/openafs/server/ThisCell file), whereas a command on which the
-cell argument is included runs in the specified foreign cell.
- -config <config directory>
- The location of the directory to use to obtain configuration information,
  including the CellServDB. This is primarily provided for testing purposes.
- -force
- Enables the command to continue executing as far as
possible when errors or other problems occur, rather than halting
execution immediately. Without it, the command halts as soon as the first
error is encountered. In either case, the pts command interpreter
reports errors at the command shell. This flag is especially useful if the
issuer provides many values for a command line argument; if one of them is
invalid, the command interpreter continues on to process the remaining
arguments.
- -help
- Prints a command's online help message on the standard
output stream. Do not combine this flag with any of the command's other
options; when it is provided, the command interpreter ignores all other
options, and only prints the help message.
- -noauth
- Establishes an unauthenticated connection to the Protection
Server, in which the server treats the issuer as the unprivileged user
"anonymous". It is useful only when authorization checking is
disabled on the server machine (during the installation of a file server
machine or when the bos setauth command has been used during other
unusual circumstances). In normal circumstances, the Protection Server
allows only privileged users to issue commands that change the Protection
Database, and refuses to perform such an action even if the -noauth
flag is provided.
- -encrypt
- Establishes an authenticated, encrypted connection to the Protection
  Server, so that the contents of the transactions are not visible to anyone
  observing the network traffic.
- -localauth
- Constructs a server ticket using the server encryption key with the
  highest key version number in the local /etc/openafs/server/KeyFile file.
  The pts command interpreter presents the ticket, which never expires, to
  the Protection Server during mutual authentication.
Use this flag only when issuing a command on a server machine; client
machines do not usually have a /etc/openafs/server/KeyFile file.
The issuer of a command that includes this flag must be logged on to the
server machine as the local superuser "root". The flag is useful
for commands invoked by an unattended application program, such as a
process controlled by the UNIX cron utility. It is also useful if
an administrator is unable to authenticate to AFS but is logged in as the
local superuser "root".
Do not combine the -cell and -localauth options. A command on
which the -localauth flag is included always runs in the local cell
(as defined in the server machine's local
/etc/openafs/server/ThisCell file), whereas a command on which the
-cell argument is included runs in the specified foreign cell.
Also, do not combine the -localauth and -noauth flags.
- -auth
- Use the calling user's tokens from the kernel to communicate with the
  ptserver (that is, the same tokens displayed by tokens(1)). This is the
  default if neither -localauth nor -noauth is given.
Since this option is the default, it is usually not useful for running
single command line operations. However, it can be useful when running
commands via pts_interactive(1), since otherwise it would be
impossible to switch from, for example, -localauth back to using
regular tokens during a bulk operation. See pts_interactive(1) for
more details.
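The -force, -localauth and -cell flags are easiest to see in a small unattended job. The following script is an added example, not code from the pts man page or from OpenAFS: it keeps a group's membership in sync with a desired list by parsing the output of pts membership, then adds every missing user in one pts adduser call with -force, so that a single bad name (a typo, a user that was deleted) does not stop the remaining additions. PTS_FLAGS is an assumed hook for appending -localauth (a root cron job on a server machine) or -cell to each command; the group ops:oncall, the user names and the sample pts membership output are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the pts man page or of OpenAFS: keep a group's
# membership in sync with a desired list. Reads "pts membership", works out
# which users are missing, and adds them in one "pts adduser" call with
# -force so that one bad name does not abort the rest.
# PTS_FLAGS is an assumed hook for the flags documented above, e.g.
# PTS_FLAGS=-localauth for a root cron job on a server machine, or
# PTS_FLAGS="-cell example.org". The group and user names are constructed.

PTS_FLAGS=${PTS_FLAGS:-}

# Constructed sample of "pts membership -nameorid ops:oncall" output: the
# header line is not indented, each member name is.
SAMPLE_MEMBERSHIP='Members of ops:oncall (id: -301) are:
  alice
  bob
'

# stdin: pts membership output -> stdout: one member name per line.
parse_members() {
    awk '/^ +[^ ]/ { print $1 }'
}

# $1: space-separated desired users; stdin: current members, one per line.
# Prints the desired users that are not yet members.
missing_members() {
    desired=$1
    current=$(cat)
    for u in $desired; do
        printf '%s\n' "$current" | grep -qFx -- "$u" || printf '%s\n' "$u"
    done
}

# $1: group; remaining args: users to add. Prints the single pts adduser
# command line that sync_group runs, or nothing when there is nothing to add.
adduser_cmd() {
    group=$1; shift
    [ $# -gt 0 ] || return 0
    printf 'pts adduser -user %s -group %s -force%s\n' \
        "$*" "$group" "${PTS_FLAGS:+ $PTS_FLAGS}"
}

# $1: group; $2: space-separated desired users. Talks to the Protection
# Server, so it is only run where pts and a cell are available.
sync_group() {
    group=$1; desired=$2
    # Capture first so that a failure of pts itself is not hidden by the
    # pipeline's exit status.
    current=$(pts membership -nameorid "$group" $PTS_FLAGS) || return 1
    missing=$(printf '%s\n' "$current" | parse_members | missing_members "$desired")
    if [ -z "$missing" ]; then
        echo "$group: all desired users are already members"
        return 0
    fi
    # shellcheck disable=SC2086  # word-splitting $missing is intended
    echo "running: $(adduser_cmd "$group" $missing)"
    # One invocation for all missing users; -force keeps going past a name
    # the Protection Server rejects instead of stopping at the first error.
    # shellcheck disable=SC2086
    pts adduser -user $missing -group "$group" -force $PTS_FLAGS
}

# Usage: PTS_FLAGS=-localauth sh sync_group.sh ops:oncall "alice bob carol"
if [ $# -eq 2 ] && command -v pts >/dev/null 2>&1; then
    sync_group "$1" "$2"
fi
```

Because pts adduser reports each failure individually when -force is given, the script's exit status is that of the whole pts command; a cron job should therefore capture its output rather than rely on the status alone to see which names were rejected.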
Members of the system:administrators group can issue all pts commands on any
entry in the Protection Database.
Users who do not belong to the system:administrators group can list
information about their own entry and any group entries they own. The privacy
flags set with the pts setfields command control access to entries owned by
other users.
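An added example, not from the pts man page or from OpenAFS, of auditing those privacy flags: it parses the output of pts examine for a set of entries and reports the ones whose fourth (add) or fifth (remove) flag is not "-". The reading that "-" restricts an operation to the entry's owner and system:administrators, so that any other character widens who may change membership, is taken from the pts setfields semantics rather than from this page and is an assumption of the example; the group and user names and the sample pts examine output are constructed.

```shell
#!/bin/sh
# Added example, not part of the pts man page or of OpenAFS: report groups
# whose privacy flags let someone other than the owner and
# system:administrators add or remove members.
# Assumption (from pts setfields semantics, not from this page): "-" in a
# flag position restricts that operation to the owner and administrators;
# any other character widens it. Names below are constructed.

# Constructed sample of "pts examine -nameorid ops:oncall ops:admins admin":
# each entry is printed as two lines, flags in the second.
SAMPLE_EXAMINE='Name: ops:oncall, id: -301, owner: alice, creator: alice,
  membership: 2, flags: SOMar, group quota: 0.
Name: ops:admins, id: -302, owner: system:administrators, creator: admin,
  membership: 3, flags: S-M--, group quota: 0.
Name: admin, id: 1, owner: system:administrators, creator: admin,
  membership: 2, flags: S----, group quota: 20.
'

# stdin: pts examine output -> stdout: "<name> <flags>" per entry.
examine_flags() {
    awk '
        /^Name: / { sub(/^Name: /, ""); sub(/,.*/, ""); name = $0 }
        /flags: / { f = $0; sub(/.*flags: /, "", f); sub(/,.*/, "", f)
                    print name, f }
    '
}

# stdin: pts examine output -> entries where the add (4th) or remove (5th)
# flag is not "-", i.e. membership can be changed by more than the owner
# and system:administrators.
open_membership() {
    examine_flags | awk 'substr($2, 4, 1) != "-" || substr($2, 5, 1) != "-"'
}

# $@: entry names or ids. Fetches all of them from the Protection Server in
# one pts examine call; only run where pts and a cell are available.
audit_entries() {
    pts examine -nameorid "$@" | open_membership
}

# Usage: sh audit_flags.sh ops:oncall ops:admins
if [ $# -gt 0 ] && command -v pts >/dev/null 2>&1; then
    audit_entries "$@"
fi
```

Feeding the output of pts listentries -groups (the first column) into audit_entries turns this into a cell-wide check; tightening a reported group is then a single pts setfields -access call by its owner or an administrator.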
pts_adduser(1),
pts_apropos(1),
pts_chown(1),
pts_creategroup(1),
pts_createuser(1),
pts_delete(1),
pts_examine(1),
pts_help(1),
pts_interactive(1),
pts_listentries(1),
pts_listmax(1),
pts_listowned(1),
pts_membership(1),
pts_quit(1),
pts_removeuser(1),
pts_rename(1),
pts_setfields(1),
pts_setmax(1),
pts_sleep(1),
pts_source(1)
The OpenAFS Administration Guide at <http://docs.openafs.org/AdminGuide/>.
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.