Initial IBM OpenAFS 1.0 tree

[openafs.git] / src / WINNT / doc / install / Documentation / en_US / html / CmdRef / auarf181.htm

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 3//EN">
<HTML><HEAD>
<TITLE>Administration Reference</TITLE>
<!-- Begin Header Records  ========================================== -->
<!-- /tmp/idwt3190/auarf000.scr converted by idb2h R4.2 (359) ID      -->
<!-- Workbench Version (AIX) on 5 Nov 1999 at 13:58:29                -->
<META HTTP-EQUIV="updated" CONTENT="Fri, 05 Nov 1999 13:58:29">
<META HTTP-EQUIV="review" CONTENT="Sun, 05 Nov 2000 13:58:29">
<META HTTP-EQUIV="expires" CONTENT="Mon, 05 Nov 2001 13:58:29">
</HEAD><BODY>
<!-- (C) IBM Corporation 2000. All Rights Reserved    --> 
<BODY bgcolor="ffffff"> 
<!-- End Header Records  ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>Administration Reference</H1>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf180.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auarf182.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<P>
<H2><A NAME="HDRKAS_INTRO" HREF="auarf002.htm#ToC_195">kas</A></H2>
<A NAME="IDX5057"></A>
<A NAME="IDX5058"></A>
<A NAME="IDX5059"></A>
<A NAME="IDX5060"></A>
<A NAME="IDX5061"></A>
<P><STRONG>Purpose</STRONG>
<P>Introduction to the <B>kas</B> command suite
<P><STRONG>Description</STRONG>
<P>The commands in the <B>kas</B> command suite are the administrative
interface to the Authentication Server, which runs on each database server
machine in a cell, maintains the Authentication Database, and provides the
authentication tickets that client applications must present to AFS servers in
order to obtain access to AFS data and other services.
<P>There are several categories of commands in the <B>kas</B> command
suite&#58;
<UL>
<P><LI>Commands to create, modify, examine and delete entries in the
Authentication Database, including passwords&#58; <B>kas create</B>,
<B>kas delete</B>, <B>kas examine</B>, <B>kas list</B>, <B>kas
setfields</B>, <B>kas setkey</B>, <B>kas setpassword</B>, and
<B>kas unlock</B>
<P><LI>Commands to create, delete, and examine tokens and server tickets&#58;
<B>kas forgetticket</B>, <B>kas listtickets</B>, <B>kas
noauthentication</B>, and <B>kas stringtokey</B>
<P><LI>A command to enter interactive mode&#58; <B>kas interactive</B>
<P><LI>A command to trace Authentication Server operations&#58; <B>kas
statistics</B>
<P><LI>Commands to obtain help&#58; <B>kas apropos</B> and <B>kas
help</B>
</UL>
<P>Because of the sensitivity of information in the Authentication Database,
the Authentication Server authenticates issuers of <B>kas</B> commands
directly, rather than accepting the standard token generated by the Ticket
Granting Service. Any <B>kas</B> command that requires
administrative privilege prompts the issuer for a password. The
resulting ticket is valid for six hours unless the maximum ticket lifetime for
the issuer or the Authentication Server&#39;s Ticket Granting Service is
shorter.
<A NAME="IDX5062"></A>
<A NAME="IDX5063"></A>
<P>To avoid having to provide a password repeatedly when issuing a sequence of
<B>kas</B> commands, enter <I>interactive mode</I> by issuing the
<B>kas interactive</B> command, typing <B>kas</B> without any
operation code, or typing <B>kas</B> followed by a user and cell name,
separated by an at-sign (<B>@</B>; an example is <B>kas
smith.admin@abc.com</B>). After prompting once for a
password, the Authentication Server accepts the resulting token for every
command issued during the interactive session. See the reference page
for the <B>kas interactive</B> command for a discussion of when to use
each method for entering interactive mode and of the effects of entering a
session.
<P>The Authentication Server maintains two databases on the local disk of the
machine where it runs&#58;
<UL>
<P><LI>The Authentication Database (<B>/usr/afs/db/kaserver.DB0</B>)
stores the information used to provide AFS authentication services to users
and servers, including the password scrambled as an encryption key. The
reference page for the <B>kas examine</B> command describes the
information in a database entry.
<P><LI>An auxiliary file (<B>/usr/afs/local/kaauxdb</B> by default) that
tracks how often the user has provided an incorrect password to the local
Authentication Server. The reference page for the <B>kas
setfields</B> command describes how the Authentication Server uses this file
to enforce the limit on consecutive authentication failures. To
designate an alternate directory for the file, use the <B>kaserver</B>
command&#39;s <B>-localfiles</B> argument.
</UL>
<P><STRONG>Options</STRONG>
<P>The following arguments and flags are available on many commands in the
<B>kas</B> suite. (Some of them are unavailable on commands entered
in interactive mode, because the information they specify is established when
entering interactive mode and cannot be changed except by leaving interactive
mode.) The reference page for each command also lists them, but they
are described here in greater detail.
<DL>
<P><DT><B>
<A NAME="IDX5064"></A>
<B>-admin_username</B>
</B><DD>Specifies the user identity under which to authenticate with the
Authentication Server for execution of the command. If this argument is
omitted, the <B>kas</B> command interpreter requests authentication for
the identity under which the issuer is logged onto the local machine.
Do not combine this argument with the <B>-noauth</B> flag.
<A NAME="IDX5065"></A>
<P><DT><B>-cell &lt;<VAR>cell name</VAR>>
</B><DD>Names the cell in which to run the command. It is acceptable to
abbreviate the cell name to the shortest form that distinguishes it from the
other entries in the <B>/usr/vice/etc/CellServDB</B> file on the local
machine. If the <B>-cell</B> argument is omitted, the command
interpreter determines the name of the local cell by reading the following in
order&#58; 
<OL TYPE=1>
<P><LI>The value of the AFSCELL environment variable
<P><LI>The local <B>/usr/vice/etc/ThisCell</B> file
</OL>
<P>
<P>The <B>-cell</B> argument is not available on commands issued in
interactive mode. The cell defined when the <B>kas</B> command
interpreter enters interactive mode applies to all commands issued during the
interactive session.
<A NAME="IDX5066"></A>
<P><DT><B>-help
</B><DD>Prints a command&#39;s online help message on the standard output
stream. Do not combine this flag with any of the command&#39;s other
options; when it is provided, the command interpreter ignores all other
options, and only prints the help message.
<P><DT><B>
<A NAME="IDX5067"></A>
<B>-noauth</B>
</B><DD>Establishes an unauthenticated connection to the Authentication Server, in
which the Authentication Server treats the issuer as the unprivileged user
<B>anonymous</B>. It is useful only when authorization checking is
disabled on the server machine (during the installation of a server machine or
when the <B>bos setauth</B> command has been used during other unusual
circumstances). In normal circumstances, the Authentication Server
allows only privileged users to issue most <B>kas</B> commands, and
refuses to perform such an action even if the <B>-noauth</B> flag is
provided. Do not combine this flag with the <B>-admin_username</B>
and <B>-password_for_admin</B> arguments.
<P><DT><B>
<A NAME="IDX5068"></A>
<B>-password_for_admin</B>
</B><DD>Specifies the password of the command&#39;s issuer. It is best to
omit this argument, which echoes the password visibly in the command shell,
instead enter the password at the prompt. Do not combine this argument
with the <B>-noauth</B> flag.
<P><DT><B>
<A NAME="IDX5069"></A>
<B>-servers</B>
</B><DD>Establishes a connection with the Authentication Server running on each
specified database server machine, instead of on each machine listed in the
local <B>/usr/vice/etc/CellServDB</B> file. In either case, the
<B>kas</B> command interpreter then chooses one of the machines at random
to contact for execution of each subsequent command. The issuer can
abbreviate the machine name to the shortest form that allows the local name
service to identify it uniquely.
</DL>
<P><STRONG>Privilege Required</STRONG>
<P>To issue most <B>kas</B> commands, the issuer must have the
<TT>ADMIN</TT> flag set in his or her Authentication Database entry (use the
<B>kas setfields</B> command to turn the flag on).
<P><STRONG>Related Information</STRONG>
<P><A HREF="auarf019.htm#HDRCLI_CSDB">CellServDB (client version)</A>
<P><A HREF="auarf045.htm#HDRKASERVERDB">kaserver.DB0 and kaserver.DBSYS1</A>
<P><A HREF="auarf046.htm#HDRKASERVERAUXDB">kaserverauxdb</A>
<P><A HREF="auarf182.htm#HDRKAS_APROPOS">kas apropos</A>
<P><A HREF="auarf183.htm#HDRKAS_CREATE">kas create</A>
<P><A HREF="auarf184.htm#HDRKAS_DELETE">kas delete</A>
<P><A HREF="auarf185.htm#HDRKAS_EXAMINE">kas examine</A>
<P><A HREF="auarf186.htm#HDRKAS_FORGETTICKET">kas forgetticket</A>
<P><A HREF="auarf187.htm#HDRKAS_HELP">kas help</A>
<P><A HREF="auarf188.htm#HDRKAS_INTERACTIVE">kas interactive</A>
<P><A HREF="auarf189.htm#HDRKAS_LIST">kas list</A>
<P><A HREF="auarf190.htm#HDRKAS_LISTTICKETS">kas listtickets</A>
<P><A HREF="auarf191.htm#HDRKAS_NOAUTH">kas noauthentication</A>
<P><A HREF="auarf192.htm#HDRKAS_QUIT">kas quit</A>
<P><A HREF="auarf193.htm#HDRKAS_SETFIELDS">kas setfields</A>
<P><A HREF="auarf194.htm#HDRKAS_SETPASSWORD">kas setpassword</A>
<P><A HREF="auarf195.htm#HDRKAS_STATISTICS">kas statistics</A>
<P><A HREF="auarf196.htm#HDRKAS_STRINGTOKEY">kas stringtokey</A>
<P><A HREF="auarf197.htm#HDRKAS_UNLOCK">kas unlock</A>
<P><A HREF="auarf198.htm#HDRKASERVER">kaserver</A>
<P>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf180.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auarf182.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<!-- Begin Footer Records  ========================================== -->
<P><HR><B> 
<br>&#169; <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A>  All Rights Reserved 
</B> 
<!-- End Footer Records  ============================================ -->
<A NAME="Bot_Of_Page"></A>
</BODY></HTML>