man8-editing-pass-20051213

[openafs.git] / doc / man-pages / pod8 / kaserver.pod

=head1 NAME

kaserver - Initializes the Authentication Server

=head1 DESCRIPTION

B<kaserver> [B<-noAuth>] [B<-fastKeys>] [B<-database> <I<dbpath>>] 
    [B<-localfiles> <I<lclpath>>] [B<-minhours> <I<n>>] 
    [B<-servers> <I<serverlist>>] [B<-enable_peer_stats>]
    [B<-enable_process_stats>] [B<-help>]

=head1 DESCRIPTION

The B<kaserver> command initializes the Authentication Server, which runs
on every database server machine. In the conventional configuration, its
binary file is located in the F</usr/afs/bin> directory on a file server
machine.

The B<kaserver> command is not normally issued at the command shell prompt
but rather placed into a file server machine's F</usr/afs/local/BosConfig>
file with the B<bos create> command. If it is ever issued at the command
shell prompt, the issuer must be logged onto a database server machine as
the local superuser C<root>.

As it initializes, the Authentication Server process creates the two files
that constitute the Authentication Database, F<kaserver.DB0> and
F<kaserver.DBSYS1>, in the F</usr/afs/db> directory if they do not already
exist. Use the commands in the B<kas> suite to administer the database.

The Authentication Server is responsible for several aspects of AFS
security, including:

=over 4

=item *

Maintenance of all AFS server encryption keys and user passwords in the
Authentication Database.

=item *

Creation of the tickets and tokens that users and servers use to establish
secure connections. Its Ticket Granting Service (TGS) component performs
this function.

=back

The Authentication Server records a trace of its activity in the
F</usr/afs/logs/AuthLog> file. Use the B<bos getlog> command to display
the contents of the file. Use the B<kdb> command to read the protected
files associated with the F<AuthLog> file, F<AuthLog.dir> and
F<AuthLog.pag>.

This command does not use the syntax conventions of the AFS command
suites. Provide the command name and all option names in full.

=head1 OPTIONS

=over 4

=item B<-noAuth>

Assigns the unprivileged identity C<anonymous> to the issuer. Thus, it
establishes an unauthenticated connection between the issuer and the
Authentication Server. It is useful only when authorization checking is
disabled on the database server machine. In normal circumstances, the
Authentication Server allows only authorized (privileged) users to issue
commands that affect or contact the Authentication Database and will
refuse to perform such an action even if the B<-noAuth> flag is used.

=item B<-fastKeys>

Is a test flag for use by the AFS Development staff; it serves no
functional purpose.

=item B<-database> <I<dbpath>>

Specifies the pathname of an alternate directory in which the
Authentication Database files reside. Provide the complete pathname,
ending in the base filename to which the C<.DB0> and C<.DBSYS1> extensions
are appended. For example, the appropriate value for the default database
files is F</usr/afs/db/kaserver>.

Provide the B<-localfiles> argument along with this one; otherwise, the
B<-localfiles> argument is also set to the value of this argument, which
is probably inappropriate.

=item B<-localfiles> <I<lclpath>>

Specifies the pathname of an alternate directory in which the auxiliary
Authentication Database file resides. Provide the complete pathname,
ending in the base filename to which the C<auxdb> suffix is appended. For
example, the appropriate value for the default auxiliary database file is
F</usr/afs/local/kaserver>.

=item B<-minhours> <I<n>>

Specifies the minimum number of hours that must pass between password
changes made by any regular user. System administrators (with the C<ADMIN>
flag in their Authentication Database entry) can change passwords as often
as desired. Setting a minimum time between password changes is not
recommended.

=item B<-servers> <I<authentication servers>>+

Names each database server machine running an Authentication Server with
which the local Authentication Server is to synchronize its copy of the
Authentication Database, rather than with the machines listed in the local
F</usr/afs/etc/CellServDB> file.

=item B<-enable_peer_stats>

Activates the collection of Rx statistics and allocates memory for their
storage. For each connection with a specific UDP port on another machine,
a separate record is kept for each type of RPC (FetchFile, GetStatus, and
so on) sent or received. To display or otherwise access the records, use
the Rx Monitoring API.

=item B<-enable_process_stats>

Activates the collection of Rx statistics and allocates memory for their
storage. A separate record is kept for each type of RPC (FetchFile,
GetStatus, and so on) sent or received, aggregated over all connections to
other machines. To display or otherwise access the records, use the Rx
Monitoring API.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back

=head1 EXAMPLES

The following B<bos create> command creates a C<kaserver> process on
C<fs3.abc.com> (the command appears on two lines here only for
legibility):

   % bos create -server fs3.abc.com -instance kaserver \
                -type simple -cmd /usr/afs/bin/kaserver

=head1 PRIVILEGE REQUIRED

The issuer must be logged in as the superuser C<root> on a file server
machine to issue the command at a command shell prompt. It is conventional
instead to create and start the process by issuing the B<bos create>
command.

=head1 SEE ALSO

L<AuthLog(5)>,
L<BosConfig(5)>,
L<CellServDB(5)>,
L<kaserver.DB0(5)>,
L<kaserverauxdb(5)>,
L<bos(8)>,
L<bos_create(8)>,
L<bos_getlog(8)>,
L<kas(8)>,
L<kdb(8)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0.  It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.