--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
+<HTML><HEAD>
+<TITLE>Administration Reference</TITLE>
+<!-- Begin Header Records ========================================== -->
+<!-- /tmp/idwt3672/auarf000.scr converted by idb2h R4.2 (359) ID -->
+<!-- Workbench Version (AIX) on 3 Oct 2000 at 16:18:30 -->
+<META HTTP-EQUIV="updated" CONTENT="Tue, 03 Oct 2000 16:18:29">
+<META HTTP-EQUIV="review" CONTENT="Wed, 03 Oct 2001 16:18:29">
+<META HTTP-EQUIV="expires" CONTENT="Thu, 03 Oct 2002 16:18:29">
+</HEAD><BODY>
+<!-- (C) IBM Corporation 2000. All Rights Reserved -->
+<BODY bgcolor="ffffff">
+<!-- End Header Records ============================================ -->
+<A NAME="Top_Of_Page"></A>
+<H1>Administration Reference</H1>
+<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf180.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auarf182.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
+<P>
+<H2><A NAME="HDRKAS_INTRO" HREF="auarf002.htm#ToC_195">kas</A></H2>
+<A NAME="IDX5057"></A>
+<A NAME="IDX5058"></A>
+<A NAME="IDX5059"></A>
+<A NAME="IDX5060"></A>
+<A NAME="IDX5061"></A>
+<P><STRONG>Purpose</STRONG>
+<P>Introduction to the <B>kas</B> command suite
+<P><STRONG>Description</STRONG>
+<P>The commands in the <B>kas</B> command suite are the administrative
+interface to the Authentication Server, which runs on each database server
+machine in a cell, maintains the Authentication Database, and provides the
+authentication tickets that client applications must present to AFS servers in
+order to obtain access to AFS data and other services.
+<P>There are several categories of commands in the <B>kas</B> command
+suite:
+<UL>
+<P><LI>Commands to create, modify, examine and delete entries in the
+Authentication Database, including passwords: <B>kas create</B>,
+<B>kas delete</B>, <B>kas examine</B>, <B>kas list</B>, <B>kas
+setfields</B>, <B>kas setkey</B>, <B>kas setpassword</B>, and
+<B>kas unlock</B>
+<P><LI>Commands to create, delete, and examine tokens and server tickets:
+<B>kas forgetticket</B>, <B>kas listtickets</B>, <B>kas
+noauthentication</B>, and <B>kas stringtokey</B>
+<P><LI>A command to enter interactive mode: <B>kas interactive</B>
+<P><LI>A command to trace Authentication Server operations: <B>kas
+statistics</B>
+<P><LI>Commands to obtain help: <B>kas apropos</B> and <B>kas
+help</B>
+</UL>
+<P>Because of the sensitivity of information in the Authentication Database,
+the Authentication Server authenticates issuers of <B>kas</B> commands
+directly, rather than accepting the standard token generated by the Ticket
+Granting Service. Any <B>kas</B> command that requires
+administrative privilege prompts the issuer for a password. The
+resulting ticket is valid for six hours unless the maximum ticket lifetime for
+the issuer or the Authentication Server's Ticket Granting Service is
+shorter.
+<A NAME="IDX5062"></A>
+<A NAME="IDX5063"></A>
+<P>To avoid having to provide a password repeatedly when issuing a sequence of
+<B>kas</B> commands, enter <I>interactive mode</I> by issuing the
+<B>kas interactive</B> command, typing <B>kas</B> without any
+operation code, or typing <B>kas</B> followed by a user and cell name,
+separated by an at-sign (<B>@</B>; an example is <B>kas
+smith.admin@abc.com</B>). After prompting once for a
+password, the Authentication Server accepts the resulting token for every
+command issued during the interactive session. See the reference page
+for the <B>kas interactive</B> command for a discussion of when to use
+each method for entering interactive mode and of the effects of entering a
+session.
+<P>The Authentication Server maintains two databases on the local disk of the
+machine where it runs:
+<UL>
+<P><LI>The Authentication Database (<B>/usr/afs/db/kaserver.DB0</B>)
+stores the information used to provide AFS authentication services to users
+and servers, including the password scrambled as an encryption key. The
+reference page for the <B>kas examine</B> command describes the
+information in a database entry.
+<P><LI>An auxiliary file (<B>/usr/afs/local/kaauxdb</B> by default) that
+tracks how often the user has provided an incorrect password to the local
+Authentication Server. The reference page for the <B>kas
+setfields</B> command describes how the Authentication Server uses this file
+to enforce the limit on consecutive authentication failures. To
+designate an alternate directory for the file, use the <B>kaserver</B>
+command's <B>-localfiles</B> argument.
+</UL>
+<P><STRONG>Options</STRONG>
+<P>The following arguments and flags are available on many commands in the
+<B>kas</B> suite. (Some of them are unavailable on commands entered
+in interactive mode, because the information they specify is established when
+entering interactive mode and cannot be changed except by leaving interactive
+mode.) The reference page for each command also lists them, but they
+are described here in greater detail.
+<DL>
+<P><DT><B>
+<A NAME="IDX5064"></A>
+<B>-admin_username</B>
+</B><DD>Specifies the user identity under which to authenticate with the
+Authentication Server for execution of the command. If this argument is
+omitted, the <B>kas</B> command interpreter requests authentication for
+the identity under which the issuer is logged onto the local machine.
+Do not combine this argument with the <B>-noauth</B> flag.
+<A NAME="IDX5065"></A>
+<P><DT><B>-cell <<VAR>cell name</VAR>>
+</B><DD>Names the cell in which to run the command. It is acceptable to
+abbreviate the cell name to the shortest form that distinguishes it from the
+other entries in the <B>/usr/vice/etc/CellServDB</B> file on the local
+machine. If the <B>-cell</B> argument is omitted, the command
+interpreter determines the name of the local cell by reading the following in
+order:
+<OL TYPE=1>
+<P><LI>The value of the AFSCELL environment variable
+<P><LI>The local <B>/usr/vice/etc/ThisCell</B> file
+</OL>
+<P>
+<P>The <B>-cell</B> argument is not available on commands issued in
+interactive mode. The cell defined when the <B>kas</B> command
+interpreter enters interactive mode applies to all commands issued during the
+interactive session.
+<A NAME="IDX5066"></A>
+<P><DT><B>-help
+</B><DD>Prints a command's online help message on the standard output
+stream. Do not combine this flag with any of the command's other
+options; when it is provided, the command interpreter ignores all other
+options, and only prints the help message.
+<P><DT><B>
+<A NAME="IDX5067"></A>
+<B>-noauth</B>
+</B><DD>Establishes an unauthenticated connection to the Authentication Server, in
+which the Authentication Server treats the issuer as the unprivileged user
+<B>anonymous</B>. It is useful only when authorization checking is
+disabled on the server machine (during the installation of a server machine or
+when the <B>bos setauth</B> command has been used during other unusual
+circumstances). In normal circumstances, the Authentication Server
+allows only privileged users to issue most <B>kas</B> commands, and
+refuses to perform such an action even if the <B>-noauth</B> flag is
+provided. Do not combine this flag with the <B>-admin_username</B>
+and <B>-password_for_admin</B> arguments.
+<P><DT><B>
+<A NAME="IDX5068"></A>
+<B>-password_for_admin</B>
+</B><DD>Specifies the password of the command's issuer. It is best to
+omit this argument, which echoes the password visibly in the command shell,
+instead enter the password at the prompt. Do not combine this argument
+with the <B>-noauth</B> flag.
+<P><DT><B>
+<A NAME="IDX5069"></A>
+<B>-servers</B>
+</B><DD>Establishes a connection with the Authentication Server running on each
+specified database server machine, instead of on each machine listed in the
+local <B>/usr/vice/etc/CellServDB</B> file. In either case, the
+<B>kas</B> command interpreter then chooses one of the machines at random
+to contact for execution of each subsequent command. The issuer can
+abbreviate the machine name to the shortest form that allows the local name
+service to identify it uniquely.
+</DL>
+<P><STRONG>Privilege Required</STRONG>
+<P>To issue most <B>kas</B> commands, the issuer must have the
+<TT>ADMIN</TT> flag set in his or her Authentication Database entry (use the
+<B>kas setfields</B> command to turn the flag on).
+<P><STRONG>Related Information</STRONG>
+<P><A HREF="auarf019.htm#HDRCLI_CSDB">CellServDB (client version)</A>
+<P><A HREF="auarf045.htm#HDRKASERVERDB">kaserver.DB0 and kaserver.DBSYS1</A>
+<P><A HREF="auarf046.htm#HDRKASERVERAUXDB">kaserverauxdb</A>
+<P><A HREF="auarf182.htm#HDRKAS_APROPOS">kas apropos</A>
+<P><A HREF="auarf183.htm#HDRKAS_CREATE">kas create</A>
+<P><A HREF="auarf184.htm#HDRKAS_DELETE">kas delete</A>
+<P><A HREF="auarf185.htm#HDRKAS_EXAMINE">kas examine</A>
+<P><A HREF="auarf186.htm#HDRKAS_FORGETTICKET">kas forgetticket</A>
+<P><A HREF="auarf187.htm#HDRKAS_HELP">kas help</A>
+<P><A HREF="auarf188.htm#HDRKAS_INTERACTIVE">kas interactive</A>
+<P><A HREF="auarf189.htm#HDRKAS_LIST">kas list</A>
+<P><A HREF="auarf190.htm#HDRKAS_LISTTICKETS">kas listtickets</A>
+<P><A HREF="auarf191.htm#HDRKAS_NOAUTH">kas noauthentication</A>
+<P><A HREF="auarf192.htm#HDRKAS_QUIT">kas quit</A>
+<P><A HREF="auarf193.htm#HDRKAS_SETFIELDS">kas setfields</A>
+<P><A HREF="auarf194.htm#HDRKAS_SETPASSWORD">kas setpassword</A>
+<P><A HREF="auarf195.htm#HDRKAS_STATISTICS">kas statistics</A>
+<P><A HREF="auarf196.htm#HDRKAS_STRINGTOKEY">kas stringtokey</A>
+<P><A HREF="auarf197.htm#HDRKAS_UNLOCK">kas unlock</A>
+<P><A HREF="auarf198.htm#HDRKASERVER">kaserver</A>
+<P>
+<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf180.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auarf182.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
+<!-- Begin Footer Records ========================================== -->
+<P><HR><B>
+<br>© <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
+</B>
+<!-- End Footer Records ============================================ -->
+<A NAME="Bot_Of_Page"></A>
+</BODY></HTML>
git://git.openafs.org / openafs.git / blobdiff