3 aklog - Obtain tokens for authentication to AFS
10 B<aklog> [B<-d>] [B<-hosts>] [B<-zsubs>] [B<-noprdb>] [B<-noauth>] [B<-linked>]
11 [B<-force>] [B<-524>] [B<-setpag>]
12 S<<< [[B<-cell> | B<-c>] <I<cell>> [B<-k> <I<Kerberos realm>>]]+ >>>
14 B<aklog> [B<-d>] [B<-hosts>] [B<-zsubs>] [B<-noprdb>] [B<-noauth>] [B<-linked>]
15 [B<-force>] [B<-524>] [B<-setpag>] [B<-path> | B<-p>] <I<path>>+
22 The B<aklog> program authenticates to a cell in AFS by obtaining AFS
23 tokens. If B<aklog> is invoked with no command-line arguments, it will
24 obtain tokens for the workstation's local cell. It may be invoked with an
25 arbitrary number of cells and pathnames to obtain tokens for multiple
26 cells. B<aklog> knows how to expand cell name abbreviations, so cells can
27 be referred to by enough letters to make the cell name unique among the
28 cells the workstation knows about.
30 B<aklog> obtains tokens by obtaining a Kerberos service ticket for the AFS
31 service and then storing it as a token. By default, it obtains that
32 ticket from the realm corresponding to that cell (the upcase version of
33 the cell name), but a different realm for a particular cell can be
34 specified with B<-k>. B<-k> cannot be used in B<-path> mode (see below).
42 Normally, B<aklog> generates native K5 tokens. This flag tells B<aklog>
43 to instead use the krb524 translation service to generate K4 or rxkad2b
44 tokens, which may be necessary for AFS cells that don't support native K5
45 tokens. Support for native K5 tokens were added in OpenAFS 1.2.8.
47 =item B<-cell> <I<cell>>, B<-c> <I<cell>>
49 This flag tells B<aklog> that the next argument is the name of a cell to
50 authenticate to. It normally isn't necessary; B<aklog> normally
51 determines whether an argument is a cell or a path name based on whether
52 it contains C</> or is C<.> or C<..>. The cell may be followed by B<-k>
53 to specify the corresponding Kerberos realm.
57 Turns on printing of debugging information. This option is not intended
62 Normally, aklog will not replace tokens with new tokens that appear to be
63 identical. If this flag is given, it will skip that check.
67 Prints all the server addresses which may act as a single point of
68 failure in accessing the specified directory path. Each element of the
69 path is examined, and as new volumes are traversed, if they are not
70 replicated, the server's IP address containing the volume will be
71 displayed. The output is of the form:
75 This option is only useful in combination with paths as arguments rather
78 =item B<-k> <I<Kerberos realm>>
80 This flag is valid only immediately after the name of the cell. It tells
81 B<aklog> to use that Kerberos realm when authenticating to the preceding
82 cell. By default, B<aklog> will use the realm (per the local Kerberos
83 configuration) of the first database server in the cell, so this flag
84 normally won't be necessary.
88 If the AFS cell is linked to a DCE cell, get tokens for both.
92 Don't actually authenticate, just do everything else B<aklog> does up to
97 Ordinarily, B<aklog> looks up the AFS ID corresponding to the name of the
98 person invoking the command, and if the user doesn't exist and the cell is
99 a foreign one, attempts automatic registration of the user with the remote
100 cell. Specifying this flag turns off this functionality. This may be
101 desirable if the protection database is unavailable for some reason and
102 tokens are desired anyway, or if one wants to disable user registration.
104 =item B<-path> <I<pathname>>, B<-p> <I<pathname>>
106 This flag tells B<aklog> that the next argument is a path in AFS.
107 B<aklog> will walk that path and obtain tokens for every cell needed to
108 access all of the directories. Normally, this flag isn't necessary;
109 B<aklog> assumes an argument is a path if it contains C</> or is C<.> or
114 When setting tokens, attempt to put the parent process in a new PAG. This
115 is usually used as part of the login process but can be used any time to
116 create a new AFS authentication context.
120 Prints out the Zephyr subscription information to get alerts regarding all
121 of the file servers required to access a particular path. The output is
126 where <instance> is the instance of a class C<filsrv> Zephyr subscription.
136 If this file exists in the user's home directory, it should contain a list
137 of AFS cells to which to authenticate, one per line. If B<aklog> is
138 invoked without any options, it will attempt to obtain tokens in every
139 cell listed in this file if it exists, rather than only obtaining tokens
146 The exit status of B<aklog> will be one of the following:
152 Success -- No error occurred.
156 Usage -- Bad command syntax; accompanied by a usage message.
160 Something failed -- More than one cell or pathname was given on the
161 command line and at least one failure occurred. A more specific error
162 status is returned when only one directive is given.
166 AFS -- Unable to get AFS configuration or unable to get information about
171 Kerberos -- Unable to get tickets for authentication.
175 Token -- Unable to get tokens.
179 Bad pathname -- The path given was not a directory or lstat(2) failed on
180 some component of the pathname.
184 Miscellaneous -- An internal failure occurred. For example, B<aklog>
185 returns this if it runs out of memory.
191 To get tokens for the local cell:
195 To get tokens for the C<athena.mit.edu> cell:
197 % aklog athena.mit.edu
203 The latter will work if you local cache manager already knows about the
206 To get tokens adequate to read F</afs/athena.mit.edu/user/p/potato>:
208 % aklog /afs/athena.mit.edu/user/p/potato
210 To get tokens for C<testcell.mit.edu> that is in a test Kerberos realm:
212 % aklog testcell.mit.edu -k TESTREALM.MIT.EDU
216 kinit(1), tokens(1), unlog(1)
220 Manpage originally written by Emanuel Jay Berkenbilt (MIT-Project
221 Athena). Extensively modified by Russ Allbery <rra@stanford.edu>.
225 Original manpage is copyright 1990, 1991 Massachusetts Institute of
226 Technology. All rights reserved.
228 Copyright 2006 Russ Allbery <rra@stanford.edu>.
230 Export of this software from the United States of America may require
231 a specific license from the United States Government. It is the
232 responsibility of any person or organization contemplating export to
233 obtain such a license before exporting.
235 WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
236 this software and its documentation for any purpose and without fee is
237 hereby granted, provided that the above copyright notice appear in all
238 copies and that both that copyright notice and this permission notice
239 appear in supporting documentation, and that the name of M.I.T. not be
240 used in advertising or publicity pertaining to distribution of the
241 software without specific, written prior permission. Furthermore if you
242 modify this software you must label your software as modified software and
243 not distribute it in such a fashion that it might be confused with the
244 original MIT software. M.I.T. makes no representations about the
245 suitability of this software for any purpose. It is provided "as is"
246 without express or implied warranty.
248 THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
249 WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
250 MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.