From fc145e7162ef5b2280f25840c8bcb5649bdafa72 Mon Sep 17 00:00:00 2001 From: Booker Bense Date: Fri, 5 Mar 2010 10:11:41 -0500 Subject: [PATCH] Updating UserGuide with Kerberos v5 authentication This patchset contains updates to the OpenAFS UserGuide that explains how to authentication OpenAFS using kinit/aklog and uses language describing Kerberos outside the context of the kaserver. References to applications such as telnet have been replaced with more modern equivalents such as ssh. Change-Id: Ifae779b04a26beb9be9cf58b450958acdc477c06 Reviewed-on: http://gerrit.openafs.org/1521 Tested-by: Jeffrey Altman Reviewed-by: Jeffrey Altman --- doc/xml/UserGuide/auusg000.xml | 1 + doc/xml/UserGuide/auusg003.xml | 4 +- doc/xml/UserGuide/auusg004.xml | 74 +++--- doc/xml/UserGuide/auusg005.xml | 399 +++++++++++---------------------- doc/xml/UserGuide/auusg006.xml | 16 +- doc/xml/UserGuide/auusg007.xml | 12 +- doc/xml/UserGuide/auusg008.xml | 36 +-- doc/xml/UserGuide/auusg009.xml | 18 +- doc/xml/UserGuide/auusg010.xml | 26 +-- doc/xml/UserGuide/auusg011.xml | 76 +++---- doc/xml/UserGuide/auusg012.xml | 4 +- 11 files changed, 272 insertions(+), 394 deletions(-) diff --git a/doc/xml/UserGuide/auusg000.xml b/doc/xml/UserGuide/auusg000.xml index d1265d356..cbd0fd822 100644 --- a/doc/xml/UserGuide/auusg000.xml +++ b/doc/xml/UserGuide/auusg000.xml @@ -34,6 +34,7 @@ First IBM Edition, Document Number GC09-4561-00 + diff --git a/doc/xml/UserGuide/auusg003.xml b/doc/xml/UserGuide/auusg003.xml index 7204d8eca..71c717abc 100644 --- a/doc/xml/UserGuide/auusg003.xml +++ b/doc/xml/UserGuide/auusg003.xml @@ -28,8 +28,8 @@ An Introduction to OpenAFS introduces the basic concepts and functions of AFS. To use AFS successfully, it is important to be familiar with the terms and concepts described in this chapter. - Using OpenAFS describes how to use AFS's basic features: how to log in and authenticate, unlog, - log out, access AFS files and directories in AFS, and change your password. + Using OpenAFS describes how to use AFS's basic features: how to log in and authenticate, + and access AFS files and directories in AFS. Displaying Information about OpenAFS describes how to display information about AFS volume quota and location, file server machine status, and the foreign cells you can access. diff --git a/doc/xml/UserGuide/auusg004.xml b/doc/xml/UserGuide/auusg004.xml index c992482ed..ee62696c2 100644 --- a/doc/xml/UserGuide/auusg004.xml +++ b/doc/xml/UserGuide/auusg004.xml @@ -336,7 +336,7 @@ - On machines that do not use an AFS-modified login utility, you must perform two steps. + On machines that do not use an AFS-modified login utility, you must perform three steps. @@ -344,9 +344,16 @@ - Issue the klog command with the -setpag - argument to authenticate with AFS and get your token. + Issue the kinit command to obtain a kerberos Ticket Granting Ticket or + TGT. If the kinit is compiled with AFS support, it may automatically get a + token for you. However to ensure that you get an afs token, you will need to run a second command. + + OpenAFS provides the aklog command to allow you to obtain a token, + or AFS service ticket using your kerberos TGT. A kinit with AFS support will run this as part of it's execution, + but if you issue the aklog command that will ensure you have an AFS token. + + @@ -356,7 +363,7 @@ Your system administrator can tell you whether your machine uses an AFS-modified login utility or not. Then see the login instructions in Logging in and Authenticating with AFS. - AFS authentication passwords are stored in special AFS database, rather than in the local password file (AFS uses the kerberos authentication protocol, rather than storing passwords in the local password file (/etc/passwd or equivalent). If your machine uses an AFS-modified login utility, you can change your password with a single command. If your machine does not use an AFS-modified login utility, you must issue separate commands to change your AFS and local passwords. See Changing Your Password. UNIX, differences with AFSpasswords @@ -426,28 +433,43 @@ Remote Commands - UNIX, differences with AFScommands remote commands commandsftp ftp command commandsrcp - rcp command commandsrsh rsh command The UNIX remote commands enable you - to run programs on a remote machine without establishing a connection to it by using a program such as telnet. Many of the remote commands (such as ftp, rcp, and rsh) remain available in AFS, depending on how your - administrators have configured them. If the remote machine has a Cache Manager, your token is used there also and you are - authenticated while the remote command runs. If the remote machine does not run a Cache Manager, you receive the following - message: - + + SSH, differences with AFScommands + remote commands + commandsssh + ftp command + commandsscp + scp command + The ssh and scp commands enable you + to run programs on a remote machine or copy files to/from a remote machine. ssh commands can work seamlessly with AFS, depending + on how your administrators have configured them. For the recent versions of OpenSSH, you need to have a kerberos ticket on the machine you are + connecting from and support in the ssh client to forward that ticket to the remote machine. The remote machine needs to be configured + to use that ticket to obtain a token after it is forwarded. + + + Most current unix OS's come with a version of OpenSSH that understands the necessary GSSAPI protocol that can use kerberos to forward + TGT's, but this ability is generally not enabled by default. In order to configure your ssh client to use this you need to add the + following lines to your ~/.ssh/config file. - Warning: unable to authenticate. - - - In this case, you are logged into the remote machine's UNIX file system, but you are not authenticated to AFS. You can - access the local files on the remote machine and the AFS directories that grant access to the system:anyuser group, but you cannot access protected AFS directories. + GSSAPIAuthentication yes + GSSAPIDelegateCredentials yes + GSSAPITrustDNS yes + + See the ssh_config man page on your system for more details about these configuration options. In particular, you may + want to limit them to specific hosts or domains. + + + If you do not have an ssh client that can do TGT forwarding, when you login into a remote machine, you will have access to + native UNIX file system. However, since you are not authenticated to AFS, you can only + access the AFS directories that grant access to the system:anyuser group, but you cannot access protected AFS directories. You can enable this access by + following the kinit/aklog procedure listed above. Differences in the Semantics of Standard UNIX Commands - This section summarizes differences in the functionality of some commonly issued UNIX commands. + This section summarizes differences in the functionality of some commonly issued UNIX commands. @@ -488,20 +510,11 @@ - - inetd inetd command commandsinetd - - - The AFS version of this daemon authenticates remote issuers of the AFS-modified rcp and rsh commands with AFS. - - - login utilities login utility - AFS-modified login utilities both log you into the local UNIX file system and authenticate you with AFS. + In general, most systems will use a combination of PAM modules to provide both kerberos enabled logins and automatic AFS tokens on login. Often these PAM modules will also be used with screenlockers and graphic logins at the console. @@ -514,7 +527,6 @@ - diff --git a/doc/xml/UserGuide/auusg005.xml b/doc/xml/UserGuide/auusg005.xml index b9b3fd96f..c965ce843 100644 --- a/doc/xml/UserGuide/auusg005.xml +++ b/doc/xml/UserGuide/auusg005.xml @@ -23,14 +23,14 @@ commandslogin - On machines that use an AFS-modified login utility, you log in and authenticate in one step. On machines that do not use - an AFS-modified login utility, you log in and authenticate in separate steps. To determine which type of login utility your + On machines that use AFS enabled PAM modules with their login utility, you log in and authenticate in one step. On machines that do not use + an AFS enabled PAM modules, you log in and authenticate in separate steps. To determine which type of login configuration your machine uses, you can check for AFS tokens after logging in, or ask your system administrator, who can also tell you about any differences between your login procedure and the two methods described here. - To Log In Using an AFS-modified Login Utility + To Log In Using an AFS enabled PAM module Provide your username at the login: prompt that appears when you establish a new connection to a machine. Then provide your password at the Password: prompt as shown in the @@ -39,18 +39,18 @@ login: username Password: password - + If you are not sure which type of login utility is running on your machine, it is best to issue the tokens command to check if you are authenticated; for instructions, see To - Display Your Tokens. If you do not have tokens, issue the klog command as described in + Display Your Tokens. If you do not have tokens, issue the kinit/aklog command pair as described in To Authenticate with AFS. To Log In Using a Two-Step Login Procedure - If your machine does not use an AFS-modified login utility, you must perform a two-step procedure: + If your machine does not use AFS enabled PAM modules, you must perform a two-step procedure: @@ -59,21 +59,31 @@ - Issue the klog command to authenticate with AFS. Include the command's -setpag argument to associate your token with a special identification number called a - PAG (for process authentication group). For a description of PAGs, see Protecting Your Tokens with a PAG. - - % klog -setpag - Password: your_AFS_password - + Issue the kinit command to authenticate with kerberos and + obtain a ticket granting ticket ( or TGT). + + + % kinit + Password: your_Kerberos_password + - - + + Issue the aklog command to obtain an AFS token using your TGT. + + + % aklog + + + On systems with an AFS enabled kinit program, the kinit program can be configured to run the aklog + program for you by default, but running it again has no negative side effects. + + + + If your machine uses a two-step login procedure, you can choose to use different passwords for logging in and - authenticating. It is simplest to use the same one for both, though. Talk with your system administrator. + authenticating. @@ -86,17 +96,20 @@ role="bold">anonymous user and your access to AFS filespace is limited: you have only the ACL permissions granted to the system:anyuser group. authenticationtokens as proof tokensas proof of authentication Cache Managertokens, use of - You can obtain new tokens (reauthenticate) at any time, even after using an AFS-modified login utility, which logs you - in and authenticates you in one step. Issue the klog command as described in To Authenticate with AFS. + You can obtain new tokens (reauthenticate) at any time, even after using an AFS enabled login utility, which logs you + in and authenticates you in one step. Issue the aklog command as described in To Authenticate with AFS. If your kerberos TGT has expired, you will also need to use the kinit command. Protecting Your Tokens with a PAG To make your access to AFS as secure as possible, it is best to associate your tokens with a unique identification - number called a PAG (for process authentication group). PAG - process authentication group (PAG) setpag argument to klog command AFS-modified login utilities automatically create a PAG and associate the new - token with it. To create a PAG when you use the two-step login procedure, include the klog + number called a PAG (for process authentication group). + PAG + process authentication group (PAG) + setpag argument to klog command + AFS enabled login utilities automatically create a PAG and associate the new + token with it. To create a PAG when you use the two-step login procedure, include the aklog command's -setpag flag. If you do not use this flag, your tokens are associated with your UNIX UID number instead. This type of association has two potential drawbacks: @@ -125,8 +138,21 @@ any other cell consider you to be the anonymous user unless you have an account in the cell and authenticate with its AFS authentication service. - To obtain tokens in a foreign cell, use the -cell argument to the klog command. You can have tokens for your home cell and one or more foreign cells at the same + To obtain tokens in a foreign cell, you must first obtain a kerberos TGT for the realm used to authenticate for that cell. + Unfortunately, while AFS tokens have support for multi-realm credentials, most kerberos implementations don't handle this as + gracefully. You can control where kerberos stores it's credentials by using the ENV variable KRB5CCNAME. + If you want to get a token for a foreign cell, without destroying the kerberos credentials of your current session, you + need to follow this sequence of commands. + + + env KRB5CCNAME=/tmp/test.ticket kinit user@REMOTE.REALM + env KRB5CCNAME=/tmp/test.ticket aklog -c remote.realm -k REMOTE.REALM + + + It's probably a good idea to remove the TGT from the remote realm after doing this. For kerberos implementations that don't use + file based ticket caches ( Mac OS X, Windows), you will need to use the graphic kerberos ticket manager included in the OS to + switch kerberos identities. + You can have tokens for your home cell and one or more foreign cells at the same time. @@ -134,14 +160,13 @@ The One-Token-Per-Cell Rule You can have only one token per cell for each PAG you have obtained on a client machine. If you already have a token - for a particular cell and issue the klog command, the new token overwrites the existing + for a particular cell and issue the aklog command, the new token overwrites the existing one. Getting a new token is useful if your current token is almost expired but you want to continue accessing AFS files. For a discussion of token expiration, see Token Lifetime. - To obtain a second token for the same cell, you must either login on a different machine or establish another separate - connection to the machine where you already have a token (by using the telnet utility, for - example). You get a new PAG for each separate machine or connection, and can use the associated tokens only while working on - that machine or connection. + To obtain a second token for the same cell, you need to run a process in a different PAG. OpenAFS provides the pagsh command to start a new shell in with a different PAG. You will then need to authenticate as described in To Authenticate with AFS. + @@ -150,9 +175,11 @@ authenticationas another user You can authenticate as another username if you know the associated password. (It is, of course, unethical to use - someone else's tokens without permission.) If you use the klog command to authenticate as - another AFS username, you retain your own local (UNIX) identity, but the AFS server processes recognize you as the other - user. The new token replaces any token you already have for the relevant cell (for the reason described in kinit and + aklog commands to authenticate as + another Kerberos username and obtain an AFS token, you retain your own local (UNIX) identity, but the AFS + server processes recognize you as the other user. The new token replaces any token you already have for the + relevant cell (for the reason described in The One-Token-Per-Cell Rule). @@ -163,89 +190,96 @@ lifetime of tokens - Tokens have a limited lifetime. To determine when your tokens expire, issue the Tokens and Kerberos TGT's have a limited lifetime. To determine when your tokens expire, issue the tokens command as described in To Display Your Tokens. If you are ever unable to access AFS in a way that you normally can, issuing the tokens command tells you whether an expired token is a possible reason. - Your cell's administrators set the default lifetime of your token. The AFS authentication service never grants a token - lifetime longer than the default, but you can request a token with a shorter lifetime. See the klog reference page in the OpenAFS Administration Reference to learn how to use + Your cell's kerberos administrators set the default lifetime of your kerberos TGT. The AFS authentication service never grants a token + lifetime longer than the current TGT lifetime, but you can request a TGT with a shorter lifetime. See the kinit man page on your system to learn how to use its -lifetime argument for this purpose. - - Authenticating for DFS Access - - commandsdlog - - commandsdpass - - dlog command - - dpass command - - authenticationwith DCE for DFS access - - If your machine is configured to access a DCE cell's DFS filespace by means of the AFS/DFS Migration Toolkit, you can - use the dlog command to authenticate with DCE. The dlog - command has no effect on your ability to access AFS filespace. - - If your system administrator has converted your AFS account to a DCE account and you are not sure of your DCE - password, use the dpass command to display it. You must be authenticated as the AFS user - whose AFS account was converted to a DCE account, and be able to provide the correct AFS password. Like the dlog command, the dpass command has no functionality with respect to - AFS. - - For more information on using the dlog and dpass - commands, see your system administrator. - To Authenticate with AFS - klog command - - commandsklog - + aklog command + kinit command + commandsaklog + commandskinit tokensgetting - If your machine is not using an AFS-modified login utility, you must authenticate after login by issuing the klog command. You can also issue this command at any time to obtain a token with a later expiration + If your machine is not using an AFS enabled login utility, you must authenticate after login by issuing the kinit command and then use aklog to obtain a token. You can also + issue these commands at any time to obtain a token with a later expiration date than your current token. - % klog [-setpag] [-cell <cell name>] - Password: your_AFS_password + % kinit [userid@KRB5.REALM] + Password: your_kerberos_password where - -setpag + userid@KRB5.REALM - Associates the resulting tokens with a PAG (see Protecting Your Tokens with a PAG). - Include this flag the first time you obtain a token for a particular cell during a login session or connection. Do not - include it when refreshing the token for a cell during the same session. + is the kerberos userid and realm that you want to get a TGT from. If the machine is properly configured + for your local cell and realm, you should not need to specify the kerberos identity. + + + + Your password does not echo visibly appear on the screen. When the command shell prompt returns, + you have a kerberos TGT. You then need to use the aklog command to + obtain an AFS token. + + + % aklog [-cell afs.cell.name] [-k KRB5.REALM] + + + where + + - -cell + KRB5.REALM - Names the cell for which to obtain the token. You must have an account in the cell. + is the kerberos realm used to authenticate the AFS cell. + + + afs.cell.name + + + is the AFS cell for which you want a token. + + + - + - Your password does not echo visibly appear on the screen. When the command shell prompt returns, you are an - authenticated AFS user. You can use the tokens command to verify that you are authenticated, + You can use the tokens command to verify that you are authenticated, as described in the following section. + + + A Note on Kerberos Realms and AFS Cellnames + These are two things that are often the same, but each has it's own distinct rules. + By convention, kerberos realms are always in UPPER CASE and afs cellnames are in lower case. + Thus username@KRB5.REALM is the kerberos identity used for the AFS cell krb5.realm. There is + no restriction that the cell and realm names must match, but most sites are set up that way + to avoid confusion. In a well configured system you should never need worry about this until + you need to access remote realms/cells. + + @@ -281,7 +315,7 @@ Tokens held by the Cache Manager: User's (AFS ID 1022) tokens for afs@abc.com [Expires Aug 3 14:35] - User's (AFS ID 9554) tokens for afs@stateu.edu [Expires Aug 4 1:02] + User's (AFS ID 9554) tokens for afs@stateu.edu [Expires Aug 4 1:02] --End of list-- @@ -293,11 +327,13 @@ Suppose that user terry cannot save a file. He uses the tokens command and finds that his tokens have expired. He reauthenticates in his local cell under his - current identity by issuing the following command: + current identity by issuing the following commands: - % klog + % kinit Password: terry's_password + % aklog + The he issues the tokens command to make sure he is authenticated. @@ -320,8 +356,9 @@ Manager can store only one token per cell per login session on a machine. - % klog pat + % kinit pat Password: pat's_password + % aklog % tokens Tokens held by the Cache Manager: User's (AFS ID 4278) tokens for afs@abc.com [Expires Jun 23 9:46] @@ -338,73 +375,15 @@ his account is called ts09. - % klog ts09 -cell stateu.edu - Password: ts09's_password + % env KRB5CCNAME=/tmp/temp.tgt kinit ts09@STATEU.EDU + Password: ts09's_password + % env KRB5CCNAME=/tmp/temp.tgt aklog ts09 -cell stateu.edu + % tokens Tokens held by the Cache Manager: User's (AFS ID 4562) tokens for afs@abc.com [Expires Jun 22 14:35] User's (AFS ID 8346) tokens for afs@stateu.edu [Expires Jun 23 1:02] --End of list-- - - - - - Limits on Failed Authentication Attempts - - authenticationlimits on consecutive failed attempts - - Your system administrator can choose to limit the number of times that you fail to provide the correct password when - authenticating with AFS (using either an AFS-modified login utility or the klog command). If - you exceed the limit, the AFS authentication service refuses further authentication attempts for a period of time set by your - system administrator. The purpose of this limit is to prevent unauthorized users from breaking into your account by trying a - series of passwords. - - To determine if your user account is subject to this limit, ask your system administrator or issue the kas examine command as described in To Display Your Failed Authentication Limit - and Lockout Time. - - The following message indicates that you have exceeded the limit on failed authentication attempts. - - - Unable to authenticate to AFS because ID is locked - see your system admin - - - - - To Display Your Failed Authentication Limit and Lockout Time - - kas commandsexamine - - commandskas examine - - limits on authentication attempts - - usersaccount lockout time - - Issue the kas examine command to determine if there is a limit on the number of - unsuccessful authentication attempts for your user account and any associated lockout time. You can examine only your own - account. The fourth line of the output reports the maximum number of times you can provide an incorrect password before being - locked out of your account. The lock time field on the next line reports how long the AFS - authentication service refuses authentication attempts after the limit is exceeded. - - - % kas examine your_username - Password for your_username: your_AFS_password - - - The following example displays the output for the user pat, who is allowed nine failed - authentication attempts. The lockout time is 25.5 minutes. - - - User data for pat - key (15) cksum is 3414844392, last cpw: Thu Oct 21 16:05:44 1999 - password will expire: Fri Nov 26 20:44:36 1999 - 9 consecutive unsuccessful authentications are permitted. - The lock time for this user is 25.5 minutes. - User is not locked. - entry never expires. Max ticket lifetime 100.00 hours. - last mod on Wed Aug 18 08:22:29 1999 by admin - permit password reuse @@ -428,7 +407,7 @@ You can use the unlog command any time you want to unauthenticate, not just when logging out. For instance, it is a good practice to unauthenticate before leaving your machine unattended, to prevent other users from - using your tokens during your absence. When you return to your machine, issue the klog command + using your tokens during your absence. When you return to your machine, issue the aklog command to reauthenticate, as described in To Authenticate with AFS. Do not issue the unlog command when you are running jobs that take a long time to @@ -589,11 +568,11 @@ The alternative is for the foreign cell's administrator to create an account for you, essentially making you a local user in the cell. The directory's owner creates an ACL entry for you as for any other local user. To authenticate in the - foreign cell, issue the klog command with the -cell + foreign cell, issue the aklog command with the -cell argument. - + For further discussion of directory and file protection, see Protecting Your Directories and Files. @@ -603,127 +582,13 @@ Changing Your Password - In cells that use an AFS-modified login utility, the password is the same for both logging in and authenticating with AFS. - In this case, you use a single command, kpasswd, to change the password. + In cells that use an AFS and kerberos enabled login utility, the password is the same for both logging in and authenticating with AFS. + In this case, generally you use a single command, kpasswd, to change the password. But this may vary from system to system, if in doubt contact your local system administrator. - If your machine does not use an AFS-modified login utility, there are separate passwords for logging into the local file + If your machine does not use an AFS and kerberos enabled login utility, there are separate passwords for logging into the local file system and authenticating with AFS. (The two passwords can be the same or different, at your discretion.) In this case, use the - kpasswd command to change your AFS password and the UNIX kpasswd command to change your Kerberos password and the UNIX passwd command to change your UNIX password. - Your system administrator can improve cell security by configuring several features that guide your choice of password. - Keep them in mind when you issue the kpasswd command: - - - - Limiting the amount of time your password is valid. This improves your cell's security by limiting the amount of time - an unauthorized user has to try to guess your password. Your system administrator needs to tell you when your password is - due to expire so that you can change it in time. The administrator can configure the AFS-modified login utility to report - this information automatically each time you log in. You can also use the kas examine - command to display the password expiration date, as instructed in To Display Password Expiration - Date and Reuse Policy. - - You can change your password prior to the expiration date, but your system administrator can choose to set a minimum - time between password changes. The following message indicates that the minimum time has not yet passed. - - - kpasswd: password was not changed because you changed it too - recently; see your system administrator - - - - - Enforcing password quality standards, such as a minimum length or inclusion of nonalphabetic characters. The - administrator needs to tell you about such requirements so that you do not waste time picking unacceptable passwords. - - - - Rejecting a password that is too similar to the last 20 passwords you used. You can use the kas - examine command to check whether this policy applies to you, as instructed in To Display - Password Expiration Date and Reuse Policy. The following message indicates that the password you have chosen is too - similar to a previous password. - kpasswd: Password was not changed because it seems like a reused password - - - - - - - To Display Password Expiration Date and Reuse Policy - - kas commandsexamine - - commandskas examine - - passwordexpiration date, displaying - - passwordreuse policy, displaying - - displayingpassword expiration date - - displayingpassword reuse policy - - Issue the kas examine command to display your password expiration date and reuse - policy. You can examine only your own account. The third line of the output reports your password's expiration date. The last - line reports the password reuse policy that applies to you. - - - % kas examine your_username - Password for your_username: your_AFS_password - - - The following example displays the output for the user pat. - - - User data for pat - key (15) cksum is 3414844392, last cpw: Thu Oct 21 16:05:44 1999 - password will expire: Fri Nov 26 20:44:36 1999 - 9 consecutive unsuccessful authentications are permitted. - The lock time for this user is 25.5 minutes. - User is not locked. - entry never expires. Max ticket lifetime 100.00 hours. - last mod on Wed Aug 18 08:22:29 1999 by admin - don't permit password reuse - - - - - To Change Your AFS Password - - passwordchanging AFS - - changingAFS password - - commandskpasswd - - kpasswd command - - Issue the kpasswd command, which prompts you to provide your old and new passwords and - to confirm the new password. The passwords do not echo visibly on the screen. - - - % kpasswd - Old password: current_password - New password (RETURN to abort): new_password - Retype new password: new_password - - - - - To Change Your UNIX Password - - commandspasswd passwdcommand passwordchanging UNIX changingUNIX password Issue the UNIX passwd command, which prompts you to provide your old and new passwords and to confirm the new - password. The passwords do not echo visibly on the screen. On many machines, the passwd - resides in the /bin directory, and you possibly need to type the complete pathname. - - - % passwd - Changing password for username. - Old password: current_password - New password: new_password - Retype new passwd: new_password - - diff --git a/doc/xml/UserGuide/auusg006.xml b/doc/xml/UserGuide/auusg006.xml index 6d0db933a..14bb25bad 100644 --- a/doc/xml/UserGuide/auusg006.xml +++ b/doc/xml/UserGuide/auusg006.xml @@ -159,8 +159,8 @@ % fs listquota ~terry - Volume Name Quota Used % Used Partition - user.terry 10000 3400 34% 86% + Volume Name Quota Used % Used Partition + user.terry 10000 3400 34% 86% @@ -401,7 +401,7 @@ % fs checkservers -all & - These servers unavailable due to network or server problems: + These servers unavailable due to network or server problems: fs1.abc.com server7.stateu.edu. @@ -432,18 +432,18 @@ % fs listcells & - Cell abc.com on hosts + Cell abc.com on hosts db1.abc.com db2.abc.com db3.abc.com - Cell test.abc.com on hosts + Cell test.abc.com on hosts test4.abc.com. - Cell stateu.edu on hosts + Cell stateu.edu on hosts sv5.stateu.edu. sv2.stateu.edu. sv11.stateu.edu. - Cell def.com on hosts - serverA.def.com + Cell def.com on hosts + serverA.def.com diff --git a/doc/xml/UserGuide/auusg007.xml b/doc/xml/UserGuide/auusg007.xml index ace0543f0..82a4ffafa 100644 --- a/doc/xml/UserGuide/auusg007.xml +++ b/doc/xml/UserGuide/auusg007.xml @@ -745,7 +745,7 @@ Normal rights: system:anyuser rl pat rlidwka - terry rliw + terry rliw Access list for ../plans is Normal rights: terry rlidwka @@ -1050,7 +1050,7 @@ % fs setacl -dir <directory>+ -acl <access list entries>+ -negative + role="bold">-negative where @@ -1449,10 +1449,10 @@ Normal rights: terry rlidwka pat rl - smith rl - + smith rl + % fs copyacl -from . -to plans - + % fs listacl . plans Access list for . is Normal rights: @@ -1464,7 +1464,7 @@ terry rlidwka pat rlidwk jones rl - smith rl + smith rl diff --git a/doc/xml/UserGuide/auusg008.xml b/doc/xml/UserGuide/auusg008.xml index 746e7aad6..a1980d798 100644 --- a/doc/xml/UserGuide/auusg008.xml +++ b/doc/xml/UserGuide/auusg008.xml @@ -243,7 +243,7 @@ % pts membership terry:team Members of terry:team (id: -286) are: terry - smith + smith pat johnson @@ -347,7 +347,7 @@ Groups owned by pat (id: 1845) are: pat:accounting pat:plans - + @@ -536,7 +536,7 @@ % pts examine pat - Name: pat, id: 1045, owner: system:administrators, creator: admin, + Name: pat, id: 1045, owner: system:administrators, creator: admin, membership: 12, flags: S-M--, group quota: 17 @@ -693,7 +693,7 @@ % pts creategroup terry:team group terry:team has id -286 % pts examine terry:team - Name: terry:team, id: -286, owner: terry, creator: terry, + Name: terry:team, id: -286, owner: terry, creator: terry, membership: 0, flags: S----, group quota: 0. @@ -739,7 +739,7 @@ own the group. - If you already have a token when you are added to a group, you must issue the klog + If you already have a token when you are added to a group, you must issue the aklog command to reauthenticate before you can exercise the permissions granted to the group on ACLs. @@ -1131,8 +1131,8 @@ % pts chown pat:staff terry - % pts examine terry:staff - Name: terry:staff, id: -534, owner: terry, creator: pat, + % pts examine terry:staff + Name: terry:staff, id: -534, owner: terry, creator: pat, membership: 15, flags: SOm--, group quota: 0. @@ -1153,7 +1153,7 @@ % pts chown terry:team terry:team % pts examine terry:team - Name: terry:team, id: -286, owner: terry:team, creator: terry, + Name: terry:team, id: -286, owner: terry:team, creator: terry, membership: 6, flags: SOm--, group quota: 0. @@ -1169,11 +1169,11 @@ % pts examine sam:project - Name: sam:project, id: -522, owner: sam, creator: sam, + Name: sam:project, id: -522, owner: sam, creator: sam, membership: 33, flags: SOm--, group quota: 0. % pts chown sam:project smith:cpa % pts examine smith:project - Name: smith:project, id: -522, owner: smith:cpa, creator: sam, + Name: smith:project, id: -522, owner: smith:cpa, creator: sam, membership: 33, flags: SOm--, group quota: 0. @@ -1236,11 +1236,11 @@ % pts examine smith:project - Name: smith:project, id: -522, owner: smith:cpa, creator: sam, + Name: smith:project, id: -522, owner: smith:cpa, creator: sam, membership: 33, flags: SOm--, group quota: 0. % pts rename smith:project smith:fiscal-closing % pts examine smith:fiscal-closing - Name: smith:fiscal-closing, id: -522, owner: smith:cpa, creator: sam, + Name: smith:fiscal-closing, id: -522, owner: smith:cpa, creator: sam, membership: 33, flags: SOm--, group quota: 0. @@ -1257,12 +1257,12 @@ the name to terry:plans to reflect its actual ownership. - % pts examine pat:plans - Name: pat:plans, id: -535, owner: terry:staff, creator: pat, + % pts examine pat:plans + Name: pat:plans, id: -535, owner: terry:staff, creator: pat, membership: 8, flags: SOm--, group quota: 0. % pts rename pat:plans terry:plans - % pts examine terry:plans - Name: terry:plans, id: -535, owner: terry:staff, creator: pat, + % pts examine terry:plans + Name: terry:plans, id: -535, owner: terry:staff, creator: pat, membership: 8, flags: SOm--, group quota: 0. @@ -1482,7 +1482,7 @@ % pts setfields terry:team -access SOm-- - + @@ -1513,4 +1513,4 @@ - \ No newline at end of file + diff --git a/doc/xml/UserGuide/auusg009.xml b/doc/xml/UserGuide/auusg009.xml index 0693be7cb..ac0c15a0b 100644 --- a/doc/xml/UserGuide/auusg009.xml +++ b/doc/xml/UserGuide/auusg009.xml @@ -48,10 +48,10 @@ If your do not have tokens for the relevant cell, or they are expired, issue the klog command to authenticate. For complete instructions, see To + role="bold">aklog command to authenticate. You may also need to first obtain a kerberos ticket usingkinit since tokens often expire at the same time as TGT's. For complete instructions, see To Authenticate with AFS. Then try accessing or saving the file again. If you are not successful, proceed to Step 2. - % klog + % aklog @@ -74,7 +74,7 @@ Output like the following indicates that your Cache Manager cannot reach the indicated file server machines. - These servers unavailable due to network or server problem: + These servers unavailable due to network or server problem: list of machines. @@ -134,7 +134,7 @@ If you do not have the necessary permissions and do not own the directory, ask the owner or a system administrator to grant them to you. If they add you to a group that has the required permissions, you must issue the klog command to reauthenticate before you can exercise them. + role="bold">aklog command to reauthenticate before you can exercise them. If you still cannot access the file even though you have the necessary permissions, contact your system administrator for help in investigating further possible causes of your problem. If you still cannot copy or save the file even though you @@ -153,8 +153,8 @@ % fs listquota /afs/abc.com/usr/terry - Volume Name Quota Used % Used Partition - user.terry 10000 3400 34% 86% + Volume Name Quota Used % Used Partition + user.terry 10000 3400 34% 86% @@ -241,7 +241,7 @@ Ask the directory's owner or your system administrator to grant you the permissions you need. If they add you to a - group that has the required permissions, you must issue the klog command to + group that has the required permissions, you must issue the aklog command to reauthenticate before you can exercise them. @@ -284,7 +284,7 @@ Output like the following indicates that your Cache Manager cannot reach the indicated file server machines. You must wait until they are again accessible before continuing to work with the files that are stored on them. - These servers unavailable due to network or server problem: + These servers unavailable due to network or server problem: list_of_machines. @@ -322,4 +322,4 @@ Follow the instructions in Problem: Cannot Access, Copy, or Save File. - \ No newline at end of file + diff --git a/doc/xml/UserGuide/auusg010.xml b/doc/xml/UserGuide/auusg010.xml index a4d5f232b..7480a5e33 100644 --- a/doc/xml/UserGuide/auusg010.xml +++ b/doc/xml/UserGuide/auusg010.xml @@ -2,11 +2,11 @@ Using the NFS/AFS Translator NFSaccessing AFS from client - + NFS/AFS Translator - + AFSaccessing from NFS client machine - + access to AFS filespacefrom NFS client machines Some cells use the Network File System (NFS) in addition to AFS. If you work on an NFS client machine, your system @@ -20,7 +20,7 @@ Requirements for Using the NFS/AFS Translator NFSissuing AFS commands on NFS client machine - + commandsAFS, issuing on NFS client machine For you to use the NFS/AFS Translator, your system administrator must configure the following types of machines as indicated: @@ -42,9 +42,9 @@ configure it to enable you to issue many AFS commands on the machine. Ask him or her about the configuration and which commands you can issue. Accessing AFS via the Translator - + authenticationto AFS on NFS client machines - + If you do not have an AFS account or choose not to access AFS as an authenticated user, then all you do to access AFS is provide the pathname of the relevant file. Its ACL must grant the necessary permissions to the system:anyuser group. @@ -57,7 +57,7 @@ Log into the NFS client machine using your NFS username. Issue the klog command. For complete instructions, see - To Authenticate with AFS. + To Authenticate with AFS. % klog -setpag @@ -72,12 +72,12 @@ If the NFS/AFS translator machine uses an AFS-modified login utility, then you obtained AFS tokens in Step 2. To check, issue the tokens command, - which is described fully in To Display Your Tokens. + which is described fully in To Display Your Tokens. % tokens If you do not have tokens, issue the klog command, which is described fully in - To Authenticate with AFS. + To Authenticate with AFS. % klog -setpag @@ -85,14 +85,14 @@ Issue the knfs command to associate your AFS tokens with your UNIX UID on the NFS client machine where you are working. This enables the Cache Manager on the - translator machine to use the tokens properly when you access AFS from the NFS client machine. + translator machine to use the tokens properly when you access AFS from the NFS client machine. If your NFS client machine is a system type for which AFS defines a system name, it can make sense to add the -sysname argument. This argument helps the Cache Manager access binaries specific to your NFS client machine, if your system administrator has used the @sys variable in pathnames. Ask your system administrator if this argument is useful for - you. + you. knfs command - + commandsknfs @@ -123,7 +123,7 @@ arguments as in Step 4, and add the -unlog flag to destroy your tokens. If you logged out from the translator machine in Step 5, then you must first reestablish a connection to the translator machine - as in Step 2. + as in Step 2. % knfs <host name> [<user ID (decimal)>] -unlog diff --git a/doc/xml/UserGuide/auusg011.xml b/doc/xml/UserGuide/auusg011.xml index 334c56fce..d29b2cf4e 100644 --- a/doc/xml/UserGuide/auusg011.xml +++ b/doc/xml/UserGuide/auusg011.xml @@ -1,8 +1,8 @@ OpenAFS Command Syntax and Online Help - + syntax of AFS commands described - + The AFS commands available to you are used to authenticate, list AFS information, protect directories, create and manage groups, and create and manage ACLs. There are three general types of commands available to all AFS users: file server commands, protection server commands, and miscellaneous commands. This chapter discusses the @@ -17,9 +17,9 @@ The command suite indicates the general type of command and the server process that performs the command. Regular AFS users have access to two main command suites and a miscellaneous set of commands: - + commandssuite organization for AFS - + suite, defined for AFS command @@ -30,26 +30,26 @@ The miscellaneous commands are not associated with any command suite. The operation code indicates the action that the command performs. Miscellaneous - commands have operation codes only. + commands have operation codes only. operation codes in AFS commandsdefined A command can have multiple options, which can be arguments or flags: Arguments are used to supply additional information for use by the command. - + arguments to AFS commands They consist of a paired switch and instance. - + switches on AFS commandsdefined - + instances to AFS commands A switch defines the type of argument and is always preceded by a hyphen; arguments can take multiple instances if a plus sign (+) appears after the instance. An instance represents some variable piece of information that is used by the command. Arguments can be optional or required. Flags are used to direct a command to perform in a specific way (for example, to generate a - specific type of output). + specific type of output). flags on AFS commands Flags are always preceded by a hyphen and are always optional. @@ -65,7 +65,7 @@ the File Server process to set an access control list. -dir $HOME and -acl pat all terry none are - arguments. + arguments. -dir and -acl are switches; -dir indicates the name of the directory on which to set the ACL, and @@ -88,9 +88,9 @@ Type all AFS commands on one line, followed by a carriage return. Some commands in this document appear on more than one line, but that is for legibility only. Abbreviations and Aliases for Operation Codes - + operation codes in AFS commandsabbreviating - + You can type operation codes in one of three ways: You can type the operation code in full. @@ -107,9 +107,9 @@ The OpenAFS Administration Reference provides information on the full and abbreviated command syntax as well as any aliases for all of the commands discussed in this guide. Omitting Argument Switches - + switches on AFS commandsomitting - + You can omit an argument's switch if the command takes only one argument, or if the following conditions are met. @@ -165,7 +165,7 @@ If the current working directory is terry's home directory, he can issue the following command. - % fs setacl -dir . -acl pat rl + % fs setacl -dir . -acl pat rl Both of the previous examples are acceptable short forms for the following command: @@ -176,21 +176,21 @@ pts commands. For more detailed information, see the OpenAFS Administration Reference. About the fs Commands - + fs commandsintroduction - + Some fs commands extend UNIX file system semantics by invoking file-related functions that UNIX does not provide (setting access control lists, for example). Other fs commands help you control the performance of the Cache Manager running on your - local client machine. + local client machine. fs commandshelp flag - + fs commandsgetting help All fs commands accept the optional -help flag. It has the same function as the fs help command: it prints a command's online help message on the screen. Do not provide other options at the same time as this flag. It overrides them, - and the only effect of issuing the command is to display the help message. + and the only effect of issuing the command is to display the help message. fs commandsprivileges required The privilege required for issuing fs commands varies. The necessary @@ -208,11 +208,11 @@ not require any special privilege. About the pts Commands - + pts commandsprivilege required - + Protection Database - + The pts command suite is the interface through which you can create protection groups and add members to them. System administrators who belong to a special system group called system:administrators group can manipulate any group, and also create the user and @@ -224,7 +224,7 @@ command descriptions in the OpenAFS Administration Reference and are described here in detail: - + pts commandscell argument [-cell <cell name>] @@ -232,7 +232,7 @@ This argument indicates that the command runs in the indicated cell. The issuer can abbreviate the cell name value to the shortest form that distinguishes it from the other cells listed in the /usr/vice/etc/CellServDB file on the client machine on which the - command is issued. By default, commands are executed in the local cell as defined + command is issued. By default, commands are executed in the local cell as defined First, by the value of the environment variable AFSCELL. (This variable is normally not defined by default. If you are working in another, nonlocal cell for an extended period of time, you can set @@ -246,7 +246,7 @@ [-force] This flag directs the pts command interpreter to continue executing the command, if possible, even if it encounters problems during the command's execution. - + pts commandsforce flag The command interpreter performs as much of the requested operation as possible, rather than halting if it encounters a problem. The command interpreter reports any errors it encounters during the @@ -255,10 +255,10 @@ arguments. - [-help] + [-help] pts commandshelp flag - + pts commandsgetting help This flag has the same function as the pts help command: it @@ -267,27 +267,27 @@ message. Getting Help in AFS - + helponline for AFS commands - + online help - + AFS online help consists of basic syntax messages. The AFS distribution also includes help in HTML format which your system administrator can make available to you. Displaying Command Syntax and Aliases - + apropos operation code - + helpoperation code in AFS command suites - + helpexamples - + To display a brief description of a command, its syntax statement, and alias if any, use the help operation code. For example, to display the online help entry for the fs listacl command, enter the following command: % fs help listacl - fs listacl: list access control list + fs listacl: list access control list aliases: la Usage: fs listacl [-path <dir/file path>+] [-id] [-if] [-help] @@ -296,14 +296,14 @@ setacl command, enter the following command: % fs setacl -help - Usage: fs setacl -dir <directory>+ -acl <access list entries>+ [-clear] [-negative] + Usage: fs setacl -dir <directory>+ -acl <access list entries>+ [-clear] [-negative] [-id] [-if] [-help] Displaying Operation Code Descriptions To display a short description of all of a command suite's operation codes, issue the help operation code without any other arguments. For example, the fs help command displays a short description of every operation code in the - fs command suite. + fs command suite. keyword for apropos command To display a list of the commands in a command suite that concern a certain type of object, provide a diff --git a/doc/xml/UserGuide/auusg012.xml b/doc/xml/UserGuide/auusg012.xml index 3fc6780bd..d5bd02858 100644 --- a/doc/xml/UserGuide/auusg012.xml +++ b/doc/xml/UserGuide/auusg012.xml @@ -82,8 +82,8 @@ Authenticate - To become recognized as a valid AFS user by providing the correct password. Authenticate by logging onto a machine - that uses an AFS-modified login utility or by issuing the klog command. Only authenticated + To become recognized as a valid AFS user by getting an AFS token using your kerberos TGT. Authenticate by logging onto a machine + that uses an AFS enabled login utility or by issuing the aklog command after using kinit to obtain a kerberos TGT. Only authenticated users can perform most AFS actions. -- 2.39.5