3 dlog - Authenticates to the DCE Security Service
7 B<dlog> [B<-principal> <I<user name>>] [-cell <I<cell name>>]
8 [B<-password> <I<user's password>>] [B<-servers> <I<explicit list of servers>>+]
9 [-lifetime <I<ticket lifetime in hh[:mm[:ss]]>>]
10 [B<-setpag>] [B<-pipe>] [-help]
12 B<dlog> [B<-pr> <I<user name>>] [B<-c> <I<cell name>>] [-pw <I<user's password>>]
13 [B<-ser> <I<explicit list of servers>>+]
14 [B<-l> <I<ticket lifetime in hh[:mm[:ss]]>>] [B<-set>] [B<-pi>] [-h]
18 The dlog command obtains DCE credentials for the issuer from the
19 DCE Security Service in the cell named by the B<-cell> argument, and
20 stores them on the AFS client machine on which the user issues the
21 command. The AFS/DFS Migration Toolkit Protocol Translator processes
22 running on machines in the DCE cell accept the credentials, which enables the
23 user to access the DCE cell's filespace from the AFS client. The
24 user's identity in the local file system is unchanged.
26 If the issuer does not provide the -principal argument, the
27 B<dlog> command interpreter uses the user name under which the issuer
28 is logged into the local file system. Provide the DCE password for the
29 appropriate user name. As with the B<klog> command, the
30 password does not cross the network in clear text (unless the issuer is logged
31 into the AFS client from a remote machine).
33 The credentials are valid for a lifetime equivalent to the smallest of the
34 following, all but the last of which is defined by the DCE cell's
41 The maximum certificate lifetime for the issuer's DCE account
46 The maximum certificate lifetime for the afs principal's
52 The registry-wide maximum certificate lifetime
57 The registry-wide default certificate lifetime
62 The lifetime requested using the -lifetime argument
67 If the previous maximum certificate lifetime values are set to
68 B<default-policy>, the maximum possible ticket lifetime is defined by
69 the default certificate lifetime. Refer to the DCE vendor's
70 administration guide for more information before setting any of these
73 The AFS Cache Manager stores the ticket in a credential structure
74 associated with the name of the issuer (or the user named by the
75 B<-principal> argument. If the user already has a ticket for
76 the DCE cell, the ticket resulting from this command replaces it in the
79 The AFS tokens command displays the ticket obtained by the
80 B<dlog> command for the server principal B<afs>, regardless of
81 the principal to which it is actually granted. Note that the
82 B<tokens> command does not distinguish tickets for a DFSTM
83 File Server from tickets for an AFS File Server.
91 Specifies the DCE user name for which to obtain DCE credentials. If
92 this option is omitted, the B<dlog> command interpreter uses the name
93 under which the issuer is logged into the local file system.
97 Specifies the DCE cell in which to authenticate. During a single
98 login session on a given machine, a user can authenticate in multiple cells
99 simultaneously, but can have only one ticket at a time for each cell (that is,
100 it is possible to authenticate under only one identity per cell per
101 machine). It is legal to abbreviate the cell name to the shortest form
102 that distinguishes it from the other cells listed in the
103 B</usr/vice/etc/CellServDB> file on the local client machine.
105 If the issuer does not provide the -cell argument, the
106 B<dlog> command attempts to authenticate with the DCE Security Server
107 for the cell defined by
111 The value of the environment variable AFSCELL on the local AFS client
112 machine, if defined. The issuer can set the AFSCELL environment
113 variable to name the desired DCE cell.
118 The cell name in the /usr/vice/etc/ThisCell file on the local
119 AFS client machine. The machine's administrator can place the
120 desired DCE cell's name in the file.
125 Specifies the password for the issuer (or for the user named by the
126 B<-principal> argument). Using this argument is not
127 recommended, because it makes the password visible on the command line.
128 If this argument is omitted, the command prompts for the password and does not
133 Specifies a list of DFS database server machines running the Translator
134 Server through which the AFS client machine can attempt to
135 authenticate. Specify each server by hostname, shortened machine name,
136 or IP address. If this argument is omitted, the B<dlog> command
137 interpreter randomly selects a machine from the list of DFS Fileset Location
138 (FL) Servers in the B</usr/vice/etc/CellServDB> file for the DCE cell
139 specified by the B<-cell> argument. This argument is useful for
140 testing when authentication seems to be failing on certain server
145 Requests a ticket lifetime using the format
146 I<hh>B<:>I<mm>[B<:>I<ss>]
147 (hours, minutes, and optionally a number seconds between 00 and 59).
148 For example, the value B<168:30> requests a ticket lifetime of 7
149 days and 30 minutes, and B<96:00> requests a lifetime of 4
150 days. Acceptable values range from B<00:05> (5 minutes)
151 to B<720:00> (30 days). If this argument is not provided
152 and no other determinants of ticket lifetime have been changed from their
153 defaults, ticket lifetime is 10 hours.
155 The requested lifetime must be smaller than any of the DCE cell's
156 determinants for ticket lifetime; see the discussion in the preceding
157 B<Description> section.
161 Creates a process authentication group (PAG) in which the newly created
162 ticket is placed. If this flag is omitted, the ticket is instead
163 associated with the issuers' local user ID (UID).
167 Suppresses any prompts that the command interpreter otherwise produces,
168 including the prompt for the issuer's password. Instead, the
169 command interpreter accepts the password via the standard input stream.
173 Prints the online help for this command. All other valid options
180 If the dlog command interpreter cannot contact a Translator
181 Server, it produces a message similar to the following:
183 dlog: server or network not responding -- failed to contact
184 authentication service
188 The following command authenticates the issuer as cell_admin in
189 the B<dce.abc.com> cell.
191 % dlog -principal cell_admin -cell dce.abc.com
192 Password: I<cell_admin's password>
194 In the following example, the issuer authenticates as cell_admin
195 to the B<dce.abc.com> cell and request a ticket lifetime
196 of 100 hours. The B<tokens> command confirms that the user
197 obtained DCE credentials as the user B<cell_admin>: the AFS ID
198 is equivalent to the UNIX ID of B<1> assigned to B<cell_admin>
199 in B<dce.abc.com> cell's DCE registry.
201 % dlog -principal cell_admin -cell dce.abc.com -lifetime 100
202 Password: I<cell_admin's password>
205 Tokens held by the Cache Manager:
207 User's (AFS ID 1) tokens for afs@dce.abc.com [Expires Jul 6 14:12]
208 User's (AFS ID 4758) tokens for afs@abc.com [Expires Jul 2 13:14]
213 =head1 PRIVILEGE REQUIRED
226 IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
228 This documentation is covered by the IBM Public License Version 1.0. It was
229 converted from HTML to POD by software written by Chas Williams and Russ
230 Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.