1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Administering User Accounts</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
10 TITLE="AFS Administration Guide"
11 HREF="book1.html"><LINK
13 TITLE="Managing Users and Groups"
14 HREF="p24911.html"><LINK
16 TITLE="Creating and Deleting User Accounts with the uss Command Suite"
17 HREF="c24913.html"><LINK
19 TITLE="Administering the Protection Database"
20 HREF="c29323.html"></HEAD
31 SUMMARY="Header navigation table"
40 >AFS Administration Guide: Version 3.6</TH
77 >Chapter 13. Administering User Accounts</H1
81 >This chapter explains how to create and maintain user accounts in your cell.</P
83 >The preferred method for creating user accounts is the <SPAN
89 > program, which enables you to
90 create multiple accounts with a single command. See <A
92 >Creating and Deleting User Accounts with the uss
94 >. If you prefer to create each account component individually, follow the instructions in <A
95 HREF="c27596.html#HDRWQ502"
96 >Creating AFS User Accounts</A
104 >Summary of Instructions</A
107 >This chapter explains how to perform the following tasks by using the indicated commands:</P
109 CLASS="informaltable"
122 >Create Protection Database entry</TD
134 >Create Authentication Database entry</TD
170 >Create entry on ACL</TD
182 >Examine Protection Database entry</TD
194 >Change directory ownership</TD
206 >Limit failed authentication attempts</TD
230 >Unlock Authentication Database entry</TD
242 >Set password lifetime</TD
260 >Prohibit password reuse</TD
278 >Change AFS password</TD
290 >List groups owned by user</TD
302 >Rename Protection Database entry</TD
314 >Delete Authentication Database entry</TD
338 >Remove mount point</TD
350 >Delete Protection Database entry</TD
362 >List volume location</TD
394 >The Components of an AFS User Account</A
397 >The differences between AFS and the UNIX file system imply that a complete AFS user account is not the same as a UNIX user
398 account. The following list describes the components of an AFS account. The same information appears in a corresponding section
401 >Creating and Deleting User Accounts with the uss Command Suite</A
402 >, but is repeated here for your
410 >Protection Database entry</I
412 > defines the username (the name provided when authenticating with
413 AFS), and maps it to an AFS user ID (AFS UID), a number that the AFS servers use internally when referencing users. The
414 Protection Database also tracks the groups to which the user belongs. For details, see <A
416 >Administering the Protection Database</A
425 >Authentication Database entry</I
427 > records the user's AFS password in a scrambled form suitable
428 for use as an encryption key.</P
438 > stores all the files in the user's home directory together on a single partition
439 of a file server machine. The volume has an associated quota that limits its size. For a complete discussion of volumes,
453 > makes the contents of the user's volume visible and accessible in the AFS
454 filespace, and acts as the user's home directory. For more details about mount points, see <A
455 HREF="c8420.html#HDRWQ183"
462 >Full access permissions on the home directory's <SPAN
466 >access control list (ACL)</I
468 > and ownership of the
469 directory (as displayed by the UNIX <SPAN
475 > command) enable the user to manage his or her
476 files. For details on AFS file protection, see <A
478 >Managing Access Control Lists</A
487 >local password file entry</I
496 equivalent) of each AFS client machine enables the user to log in and access AFS files through the Cache Manager. A
497 subsequent section in this chapter further discusses local password file entries.</P
501 >Other optional <SPAN
505 >configuration files</I
507 > make the account more convenient to use. Such files help the
508 user log in and log out more easily, receive electronic mail, print, and so on.</P
519 >Creating Local Password File Entries</A
522 >To obtain authenticated access to a cell's AFS filespace, a user must not only have a valid AFS token, but also an entry
523 in the local password file (<SPAN
529 > or equivalent) of the machine whose Cache Manager is
530 representing the user. This section discusses why it is important for the user's AFS UID to match to the UNIX UID listed in the
531 local password file, and describes the appropriate value to put in the file's password field.</P
533 >One reason to use <SPAN
539 > commands is that they enable you to generate local password file
540 entries automatically as part of account creation. See <A
541 HREF="c24913.html#HDRWQ458"
542 >Creating a Common Source Password
546 >Information similar to the information in this section appears in a corresponding section of <A
548 >Creating and Deleting User Accounts with the uss Command Suite</A
549 >, but is repeated here for your
557 >Assigning AFS and UNIX UIDs that Match</A
560 >A user account is easiest to administer and use if the AFS user ID number (AFS UID) and UNIX UID match. All instructions
561 in the AFS documentation assume that they do.</P
563 >The most basic reason to make AFS and UNIX UIDs the same is so that the owner name reported by the UNIX <SPAN
575 > commands makes sense for AFS files and directories.
576 Following standard UNIX practice, the File Server records a number rather than a username in an AFS file or directory's owner
577 field: the owner's AFS UID. When you issue the <SPAN
583 > command, it translates the UID to a
584 username according to the mapping in the local password file, not the AFS Protection Database. If the AFS and UNIX UIDs do not
591 > command reports an unexpected (and incorrect) owner. The output can even
592 vary on different client machines if their local password files map the same UNIX UID to different names.</P
594 >Follow the recommendations in the indicated sections to make AFS and UNIX UIDs match when creating accounts for various
598 >If creating an AFS account for a user who already has a UNIX UID, see <A
599 HREF="c27596.html#HDRWQ499"
606 >If some users in your cell have existing UNIX accounts but the user for whom you are creating an AFS account does
607 not, then it is best to allow the Protection Server to allocate an AFS UID automatically. To avoid overlap of AFS UIDs
608 with existing UNIX UIDs, set the Protection Database's <SAMP
609 CLASS="computeroutput"
611 > counter higher than
612 the largest UNIX UID, using the instructions in <A
613 HREF="c29323.html#HDRWQ560"
614 >Displaying and Setting the AFS UID and GID
620 >If none of your users have existing UNIX accounts, allow the Protection Server to allocate AFS UIDs automatically,
621 starting either at its default or at the value you have set for the <SAMP
622 CLASS="computeroutput"
636 >Specifying Passwords in the Local Password File</A
639 >Authenticating with AFS is easiest for your users if you install and configure an AFS-modified login utility, which logs
640 a user into the local file system and obtains an AFS token in one step. In most circumstances the local password file then
641 no longer controls whether a user can log in, because the AFS-modified login utility does not consult the local
642 password file if the user provides the correct AFS password. You can nonetheless use a password file entry's password field
643 (usually, the second field) in the following ways to control login and authentication: <UL
646 >To prevent both local login and AFS authentication, place an asterisk ( * ) in the field. This is useful mainly in
647 emergencies, when you want to prevent a certain user from logging into the machine.</P
651 >To prevent login to the local file system if the user does not provide the correct AFS password, place a character
652 string of any length other than the standard thirteen characters in the field. This is appropriate if you want to allow
653 only people with accounts in your AFS cell to log in to your machines. A single <SPAN
660 character is the most easily recognizable way to do this.</P
664 >To enable a user to log into the local file system even after providing an incorrect AFS password, record a
665 standard UNIX encrypted password in the field by issuing the standard UNIX password-setting command (<SPAN
676 >If you do not use an AFS-modified login utility, you must place a standard UNIX password in the local password file of
677 every client machine the user will use. The user logs into the local file system only, and then must issue the <SPAN
683 > command to authenticate with AFS. It is simplest if the passwords in the local password file and
684 the Authentication Database are the same, but this is not required. </P
693 >Converting Existing UNIX Accounts</A
696 >This section discusses the three main issues you need to consider if your cell has existing UNIX accounts that you wish to
697 convert to AFS accounts.</P
704 >Making UNIX and AFS UIDs Match</A
707 >As previously mentioned, AFS users must have an entry in the local password file on every client machine from which they
708 access the AFS filespace as an authenticated user. Both administration and use are much simpler if the UNIX UID and AFS UID
709 match. When converting existing UNIX accounts, you have two alternatives: <UL
712 >Make the AFS UIDs match the existing UNIX UIDs. In this case, you need to assign the AFS UID yourself by including
719 > argument to the <SPAN
726 create the AFS account.</P
728 >Because you are retaining the user's UNIX UID, you do not need to alter the UID in the local password file entry.
729 However, if you are using an AFS-modified login utility, you possibly need to change the password field in the entry.
730 For a discussion of how the value in the password field affects login with an AFS-modified login utility, see <A
731 HREF="c27596.html#HDRWQ497"
732 >Specifying Passwords in the Local Password File</A
735 >If now or in the future you need to create AFS accounts for users who do not have an existing UNIX UID, then you
736 must guarantee that new AFS UIDs do not conflict with any existing UNIX UIDs. The simplest way is to set the
738 CLASS="computeroutput"
740 > counter in the Protection Database to a value higher than the largest
741 existing UNIX UID. See <A
742 HREF="c29323.html#HDRWQ560"
743 >Displaying and Setting the AFS UID and GID Counters</A
748 >Change the existing UNIX UIDs to match the new AFS UIDs that the Protection Server assigns automatically.</P
750 >Allow the Protection Server to allocate the AFS UIDs automatically as you create AFS accounts. You must then alter
751 the user's entry in the local password file on every client machine to include the new UID.</P
753 >There is one drawback to changing the UNIX UID: any files and directories that the user owned in the local file
754 system before becoming an AFS user still have the former UID in their owner field. If you want the <SPAN
766 > commands to display the correct owner, you must
773 > command to change the value to the user's new UID, whether you are
774 leaving the file in the local file system or moving it to AFS. See <A
775 HREF="c27596.html#HDRWQ501"
776 >Moving Local Files into
789 >Setting the Password Field Appropriately</A
792 >Existing UNIX accounts already have an entry in the local password file, probably with a (scrambled) password in the
793 password field. You possibly need to change the value in the field, depending on the type of login utility you use:
797 >If the login utility is not modified for use with AFS, the actual password must appear (in scrambled form) in the
798 local password file entry.</P
802 >If the login utility is modified for use with AFS, choose one of the values discussed in <A
803 HREF="c27596.html#HDRWQ497"
804 >Specifying Passwords in the Local Password File</A
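The checks that Making UNIX and AFS UIDs Match, Setting the Password Field Appropriately and the earlier Specifying Passwords in the Local Password File call for, as an added example that is not part of the AFS Administration Guide: a POSIX shell audit that classifies the password field of each entry in a client's local password file into the three cases the guide describes for an AFS-modified login utility, and compares the UNIX UID in the entry with the AFS UID on the first line of pts examine output. The passwd lines and the pts examine lines in the script are constructed sample data, and the script assumes that first line has the form "Name: smith, id: 1234, owner: ..., creator: ...,"; on a real client you would feed it /etc/passwd and the output of pts examine -nameorid for each user. The thirteen-character test reflects the traditional crypt(3) format the guide means by "standard thirteen characters"; any other hash format in the field is treated as the non-standard case.

```shell
#!/bin/sh
# Added example (not from the AFS Administration Guide): audit a client's local
# password file against the Protection Database. The sample lines below are
# constructed; on a real client feed it /etc/passwd and `pts examine` output.

# Classify the password field of one passwd(5) line, following the three cases
# the guide gives for an AFS-modified login utility:
#   "*"                      -> locked: neither local login nor AFS authentication
#   13-character value       -> local-crypt: traditional crypt(3) hash, so local
#                               login works even if the AFS password is wrong
#   anything else (e.g. "X") -> afs-only: login only with the correct AFS password
passwd_field_class() {   # passwd_field_class <passwd line>
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '*')            echo locked ;;
        ?????????????)  echo local-crypt ;;   # exactly thirteen characters
        *)              echo afs-only ;;
    esac
}

# Extract "<name> <afs-uid>" from the first line of `pts examine` output, assumed
# to read "Name: smith, id: 1234, owner: system:administrators, creator: admin,".
pts_uid() {   # pts_uid <first line of pts examine output>
    printf '%s\n' "$1" | sed -n 's/^Name: \([^,]*\), id: \([0-9][0-9]*\),.*/\1 \2/p'
}

# Compare the UNIX UID in a passwd line with the user's AFS UID. A mismatch means
# `ls -l` on this client reports the wrong owner for the user's AFS files, and
# that chown by username would record the wrong UID in the owner field.
uid_check() {   # uid_check <passwd line> <first line of pts examine output>
    pw_user=$(printf '%s\n' "$1" | cut -d: -f1)
    pw_uid=$(printf '%s\n' "$1" | cut -d: -f3)
    pts_line=$2
    set -- $(pts_uid "$pts_line")
    afs_user=$1 afs_uid=$2
    if [ "$pw_user" != "$afs_user" ]; then
        echo "name-mismatch unix=$pw_user afs=$afs_user"; return 1
    elif [ "$pw_uid" = "$afs_uid" ]; then
        echo "ok $pw_uid"
    else
        echo "uid-mismatch unix=$pw_uid afs=$afs_uid"; return 1
    fi
}

# Constructed sample data: three local entries and the matching pts examine lines.
SAMPLE_PASSWD='smith:X:1234:100:Pat Smith:/afs/example.com/usr/smith:/bin/sh
jones:abJnggxhB/yWI:2000:100:Lee Jones:/afs/example.com/usr/jones:/bin/sh
pat:*:1050:100:Pat Lee:/afs/example.com/usr/pat:/bin/sh'
SAMPLE_PTS_SMITH='Name: smith, id: 1234, owner: system:administrators, creator: admin,'
SAMPLE_PTS_JONES='Name: jones, id: 2001, owner: system:administrators, creator: admin,'

# Audit the sample data: one classification line per entry, then the UID check
# result for each user whose pts examine line we have.
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r line; do
        printf '%s: %s\n' "${line%%:*}" "$(passwd_field_class "$line")"
    done
    uid_check "$(printf '%s\n' "$SAMPLE_PASSWD" | grep '^smith:')" "$SAMPLE_PTS_SMITH" || true
    uid_check "$(printf '%s\n' "$SAMPLE_PASSWD" | grep '^jones:')" "$SAMPLE_PTS_JONES" || true
}

audit_sample
```

On the sample data the audit reports smith as afs-only with matching UIDs, jones as local-crypt with a UID mismatch (UNIX 2000 against AFS 2001, the case that produces wrong ls -l owners), and pat as locked. To run it against a live cell, replace the sample pts lines with `pts examine -nameorid "$user" | sed -n 1p` for each user.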
816 >Moving Local Files into AFS</A
819 >New AFS users with existing UNIX accounts probably already own files and directories stored in a machine's local file
820 system, and it usually makes sense to transfer them into the new home volume. The easiest method is to move them onto the
821 local disk of an AFS client machine, and then use the UNIX <SPAN
827 > command to transfer them into
828 the user's new AFS home directory.</P
830 >As you move files and directories into AFS, keep in mind that the meaning of their mode bits changes. AFS ignores the
831 second and third sets of mode bits (group and other), and does not use the first set (the owner bits) directly, but only in
832 conjunction with entries on the ACL (for details, see <A
833 HREF="c31274.html#HDRWQ580"
834 >How AFS Interprets the UNIX Mode Bits</A
836 Be sure that the ACL protects the file or directory at least as restrictively as the mode bits did in the local file system; anything the group and other bits denied there must now be denied by the ACL.</P
838 >If you have chosen to change a user's UNIX UID to match a new AFS UID, you must change the ownership of UNIX files and
839 directories as well. Only members of the <SPAN
843 >system:administrators</B
845 > group can issue the <SPAN
851 > command on files and directories once they reside in AFS.</P
860 >Creating AFS User Accounts</A
863 >There are two methods for creating user accounts. The preferred method--using the <SPAN
870 commands--enables you to create multiple accounts with a single command. It uses a template to define standard values for the
871 account components that are the same for each user (such as quota), but provide differing values for more variable components
872 (such as username). See <A
874 >Creating and Deleting User Accounts with the uss Command Suite</A
877 >The second method involves issuing a separate command to create each component of the account. It is best suited to
878 creation of one account at a time, since some of the commands can create only one instance of the relevant component. To review
879 the function of each component, see <A
880 HREF="c27596.html#HDRWQ494"
881 >The Components of an AFS User Account</A
884 >Use the following instructions to create any of the three types of user account, which differ in their levels of
885 functionality. For a description of the types, see <A
886 HREF="c667.html#HDRWQ57"
887 >Configuring AFS User Accounts</A
891 >To create an authentication-only account, perform Step <A
892 HREF="c27596.html#LIWQ504"
895 HREF="c27596.html#LIWQ507"
898 HREF="c27596.html#LIWQ514"
900 >. This type of account consists only of entries
901 in the Authentication Database and Protection Database.</P
905 >To create a basic account, perform Step <A
906 HREF="c27596.html#LIWQ504"
909 HREF="c27596.html#LIWQ510"
912 HREF="c27596.html#LIWQ512"
915 HREF="c27596.html#LIWQ514"
918 addition to Authentication Database and Protection Database entries, this type of account includes a volume mounted at the
919 home directory with owner and ACL set appropriately.</P
923 >To create a full account, perform all steps in the following instructions. This type of account includes
924 configuration files for basic functions such as logging in, printing, and mail delivery, making it more convenient and
925 useful. For a discussion of some useful types of configuration files, see <A
926 HREF="c667.html#HDRWQ60"
927 >Creating Standard Files
928 in New AFS Accounts</A
939 >To create one user account with individual commands</A
948 >Decide on the value to assign to each of the following account components. If you are
949 creating an authentication-only account, you need to pick only a username, AFS UID, and initial password. <UL
952 >The username. By convention, the names of many components of the user account incorporate this name. For a
953 discussion of restrictions and suggested naming schemes, see <A
954 HREF="c667.html#HDRWQ58"
955 >Choosing Usernames and Naming
956 Other Account Components</A
961 >The AFS UID, if you want to assign a specific one. It is generally best to have the Protection Server allocate
962 one instead, except when you are creating an AFS account for a user who already has an existing UNIX account. In
963 that case, migrating the user's files into AFS is simplest if you set the AFS UID to match the existing UNIX UID.
965 HREF="c27596.html#HDRWQ498"
966 >Converting Existing UNIX Accounts</A
971 >The initial password. Advise the user to change this at the first login, using the password changing
972 instructions in the <SPAN
976 >IBM AFS User Guide</I
982 >The name of the user's home volume. The conventional name is <SPAN
999 >The volume's site (disk partition on a file server machine). Some cells designate certain machines or
1000 partitions for user volumes only, or it possibly makes sense to place the volume on the emptiest partition that
1001 meets your other criteria. To display the size and available space on a partition, use the <SPAN
1008 > command, which is fully described in <A
1009 HREF="c8420.html#HDRWQ185"
1010 >Creating Read/write
1016 >The name of the user's home directory (the mount point for the home volume). The conventional location is a
1017 directory (or one of a set of directories) directly under the cell directory, such as <SPAN
1029 >. For suggestions on how to avoid the
1030 slowed directory lookup that can result from having large numbers of user home directories in a single <SPAN
1037 HREF="c24913.html#HDRWQ472"
1038 >Evenly Distributing User Home Directories with
1039 the G Instruction</A
1044 >The volume's space quota. Include the <SPAN
1050 > argument to the <SPAN
1056 > command, or accept the default quota of 5000 KB.</P
1060 >The ACL on the home directory. By default, the ACL on every new volume grants all seven permissions to the
1065 >system:administrators</B
1067 > group. After volume creation, use the <SPAN
1073 > command to remove the entry if desired, and to grant all seven permissions to the
1084 >Authenticate as an AFS identity with all of the following privileges. In the conventional
1085 configuration, the <SPAN
1091 > user account has them, or you possibly have a personal
1092 administrative account. (To increase cell security, it is best to create special privileged accounts for use only while
1093 performing administrative procedures; for further discussion, see <A
1094 HREF="c32432.html#HDRWQ584"
1095 >An Overview of Administrative
1097 >.) If necessary, issue the <SPAN
1103 > command to authenticate. <PRE
1104 CLASS="programlisting"
1114 >admin_password</VAR
1119 >The following list specifies the necessary privileges and indicates how to check that you have them.</P
1123 >Membership in the <SPAN
1127 >system:administrators</B
1129 > group. If necessary, issue the
1136 > command, which is fully described in <A
1137 HREF="c32432.html#HDRWQ587"
1139 display the members of the system:administrators group</A
1141 CLASS="programlisting"
1146 >pts membership system:administrators</B
1154 >Inclusion in the <SPAN
1158 >/usr/afs/etc/UserList</B
1160 > file. If necessary, issue the <SPAN
1166 > command, which is fully described in <A
1167 HREF="c32432.html#HDRWQ593"
1169 users in the UserList file</A
1171 CLASS="programlisting"
1188 CLASS="computeroutput"
1190 > flag on your Authentication Database entry. However, the
1191 Authentication Server performs its own authentication, so in Step <A
1192 HREF="c27596.html#LIWQ507"
1195 administrative identity on the <SPAN
1201 > command line itself.</P
1229 >) permissions on the ACL of the directory where
1230 you are mounting the user's volume. If necessary, issue the <SPAN
1237 is fully described in <A
1238 HREF="c31274.html#HDRWQ572"
1241 CLASS="programlisting"
1255 >Members of the <SPAN
1259 >system:administrators</B
1261 > group always implicitly have the <SPAN
1273 >) and by default also the <SPAN
1285 >) permission on every ACL and can use the <SPAN
1291 > command to grant other rights as necessary.</P
1295 >Knowledge of the password for the local superuser <SPAN
1316 > command to create an entry in the
1317 Protection Database. For a discussion of setting AFS UIDs, see <A
1318 HREF="c27596.html#HDRWQ496"
1319 >Assigning AFS and UNIX UIDs that
1321 >. If you are converting an existing UNIX account into an AFS account, also see <A
1322 HREF="c27596.html#HDRWQ498"
1323 >Converting Existing UNIX Accounts</A
1325 CLASS="programlisting"
1344 CLASS="variablelist"
1356 >Is an acceptable alias for <SPAN
1368 > is the shortest acceptable abbreviation).</P
1380 >Specifies the user's username (the character string typed at login). It is best to limit the name to eight or
1381 fewer lowercase letters, because many application programs impose that limit. The AFS servers themselves accept
1382 names of up to 63 lowercase letters. Also avoid the following characters: colon (<SPAN
1388 >), semicolon (<SPAN
1406 >), space, newline, and the period (<SPAN
1412 >), which is conventionally used only in special administrative names.</P
1424 >Is optional and appropriate only if the user already has a UNIX UID that the AFS UID must match. If you do not
1425 provide this argument, the Protection Server assigns one automatically based on the counter described in <A
1426 HREF="c29323.html#HDRWQ560"
1427 >Displaying and Setting the AFS UID and GID Counters</A
1428 >. If the ID you specify is less than
1435 > (one) or is already in use, an error results.</P
1451 > command to create an entry in the
1452 Authentication Database. To avoid having the user's temporary initial password echo visibly on the screen, omit the
1457 >-initial_password</B
1459 > argument; instead enter the password at the prompts that appear when
1460 you omit the argument, as shown in the following syntax specification.</P
1462 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
1463 it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator.
1470 > argument to name an identity that has the
1472 CLASS="computeroutput"
1474 > flag on its Authentication Database entry. To verify that an entry has the flag,
1481 > command as described in <A
1482 HREF="c32432.html#HDRWQ590"
1484 ADMIN flag is set</A
1487 CLASS="programlisting"
1506 >admin principal to use for authentication</VAR
1508 Administrator's (admin_user) password: <<VAR
1510 >admin_password</VAR
1512 initial_password: <<VAR
1514 >initial_password</VAR
1516 Verifying, please re-enter initial_password: <<VAR
1518 >initial_password</VAR
1523 CLASS="variablelist"
1535 >Is the shortest acceptable abbreviation for <SPAN
1553 >Specifies the same username as in Step <A
1554 HREF="c27596.html#LIWQ506"
1568 >Names an administrative account that has the <SAMP
1569 CLASS="computeroutput"
1572 Authentication Database entry, such as <SPAN
1578 >. The password prompt echoes it as
1579 admin_user. Enter the appropriate password as admin_password.</P
1586 >initial_password</B
1591 >Specifies the initial password as a string of eight characters or less, to comply with the length
1592 restriction that some applications impose. Because the initial password must be communicated to the user, it is usually
1593 guessable; treat the account as exposed until the user has changed it. Conventional choices include the username, a string
1593 of digits from a personal identification number such as the Social Security number, or a standard string such as
1600 >. Instruct the user to change the string to a truly secret password as
1601 soon as possible by using the <SPAN
1607 > command as described in the <SPAN
1631 > command to create the user's volume.
1633 CLASS="programlisting"
1645 >partition name</VAR
1658 >initial quota (KB)</VAR
1665 CLASS="variablelist"
1677 >Is the shortest acceptable abbreviation of <SPAN
1695 >Names the file server machine on which to place the new volume.</P
1707 >Names the partition on which to place the new volume.</P
1719 >Names the new volume. The name can include up to 22 characters. By convention, user volume names have the form
1726 >username, where username is the name assigned in Step <A
1727 HREF="c27596.html#LIWQ506"
1741 >Sets the volume's quota, as a number of kilobyte blocks. If you omit this argument, the default is 5000
1758 > command to mount the volume in the
1759 filespace and create the user's home directory. <PRE
1760 CLASS="programlisting"
1779 CLASS="variablelist"
1791 >Is the shortest acceptable abbreviation for <SPAN
1809 >Names the mount point to create. A directory of the same name must not already exist. Partial pathnames are
1810 interpreted relative to the current working directory. By convention, user home directories are mounted in a
1811 directory called something like <SPAN
1823 >, and the home directory name matches the username assigned in Step <A
1824 HREF="c27596.html#LIWQ506"
1828 >Specify the read/write path to the mount point, to avoid the failure that results when you attempt to create
1829 the new mount point in a read-only volume. By convention, you indicate the read/write path by placing a period
1830 before the cell name at the pathname's second level (for example, <SPAN
1837 For further discussion of the concept of read/write and read-only paths through the filespace, see <A
1838 HREF="c8420.html#HDRWQ209"
1839 >The Rules of Mount Point Traversal</A
1852 >Is the name of the volume created in Step <A
1853 HREF="c27596.html#LIWQ508"
1881 > argument to record auxiliary information about the volume in its volume
1882 header. For example, you can record who owns the volume or where you have mounted it in the filespace. To display the
1883 information, use the <SPAN
1890 CLASS="programlisting"
1908 >offline message</VAR
1915 CLASS="variablelist"
1927 >Is an acceptable alias for <SPAN
1940 the shortest acceptable abbreviation).</P
1952 >Names the mount point of the volume with which to associate the message. Partial pathnames are interpreted
1953 relative to the current working directory.</P
1955 >Specify the read/write path to the mount point, to avoid the failure that results when you attempt to change a
1956 read-only volume. By convention, you indicate the read/write path by placing a period before the cell name at the
1957 pathname's second level (for example, <SPAN
1963 >). For further discussion of the
1964 concept of read/write and read-only paths through the filespace, see <A
1965 HREF="c8420.html#HDRWQ209"
1980 >Specifies up to 128 characters of auxiliary information to record in the volume header.</P
1996 > command to set the ACL on the new home
1997 directory. At the least, create an entry that grants all permissions to the user, as shown.</P
1999 >You can also use the command to edit or remove the entry that the <SPAN
2006 command automatically places on the ACL for a new volume's root directory, which grants all permissions to the <SPAN
2010 >system:administrators</B
2012 > group. Keep in mind that even if you remove the entry, the members of the
2013 group by default have implicit <SPAN
2038 >) permissions on every ACL, and can
2039 grant themselves other permissions as required.</P
2041 >For detailed instructions for the <SPAN
2048 HREF="c31274.html#HDRWQ573"
2049 >Setting ACL Entries</A
2052 CLASS="programlisting"
2082 >system:administrators</B
2084 > desired_permissions]
2098 > Create configuration files and subdirectories in
2099 the new home directory. Possibilities include <SPAN
2111 > files, a shell-initialization file such as <SPAN
2118 to help with printing and mail delivery, and so on.</P
2120 >If you are converting an existing UNIX account into an AFS account, you possibly wish to move some files and
2121 directories into the user's new AFS home directory. See <A
2122 HREF="c27596.html#HDRWQ498"
2123 >Converting Existing UNIX
2142 initialization file, define the user's $PATH environment variable to include the directories where AFS binaries are kept
2143 (for example, the <SPAN
2164 HREF="c27596.html#LIWQ513"
2167 HREF="c27596.html#LIWQ514"
2170 must know the user's AFS UID. If you had the Protection Server assign it in Step <A
2171 HREF="c27596.html#LIWQ506"
2174 probably do not know it. If necessary, issue the <SPAN
2180 > command to display it.
2182 CLASS="programlisting"
2191 >user or group name or id</VAR
2198 CLASS="variablelist"
2210 >Is the shortest acceptable abbreviation of <SPAN
2223 >user or group name or id</B
2228 >Is the username that you assigned in Step <A
2229 HREF="c27596.html#LIWQ506"
2236 >The first line of the output displays the username and AFS UID. For further discussion and an example of the output,
2238 HREF="c29323.html#HDRWQ536"
2239 >Displaying Information from the Protection Database</A
2247 >Designate the user as the owner of the home directory and any files and subdirectories
2248 created or moved in Step <A
2249 HREF="c27596.html#LIWQ511"
2251 >. Specify the owner by the AFS UID you learned in Step <A
2252 HREF="c27596.html#LIWQ512"
2254 > rather than by username. This is necessary for new accounts because the user does not yet have
2255 an entry in your local machine's password file (<SPAN
2261 > or equivalent). If you are
2262 converting an existing UNIX account, an entry possibly already exists, but the UID is possibly incorrect. In that case,
2263 specifying a username means that the corresponding (possibly incorrect) UID is recorded as the owner.</P
2265 >Some operating systems allow only the local superuser <SPAN
2271 > to issue the <SPAN
2277 > command. If necessary, issuing the <SPAN
2283 > command before the
2292 CLASS="programlisting"
2299 > new_owner_ID directory
2303 CLASS="variablelist"
2315 >Is the user's AFS UID, which you learned in Step <A
2316 HREF="c27596.html#LIWQ512"
2330 >Names the home directory you created in Step <A
2331 HREF="c27596.html#LIWQ509"
2333 >, plus each subdirectory or
2334 file you created in Step <A
2335 HREF="c27596.html#LIWQ511"
2345 >If the new user home directory resides in a replicated volume, use the <SPAN
2352 command to release the volume, as described in <A
2353 HREF="c8420.html#HDRWQ194"
2354 >To replicate a read/write volume (create a
2355 read-only volume)</A
2357 CLASS="programlisting"
2366 >volume name or ID</VAR
2377 >This step can be necessary even if the home directory's parent directory is not itself a mount point for a
2378 replicated volume (and is easier to overlook in that case). Suppose, for example, that the ABC Corporation puts the
2379 mount points for user volumes in the <SPAN
2383 >/afs/abc.com/usr</B
2385 > directory. Because that is a
2386 regular directory rather than a mount point, it resides in the <SPAN
2399 > directory. That volume is replicated, so after changing it by
2400 creating a new mount point the administrator must issue the <SPAN
2415 >Create or modify an entry for the new user in the local password file (<SPAN
2421 > or equivalent) of each machine the user can log onto. Remember to make the UNIX UID the
2422 same as the AFS UID you learned in Step <A
2423 HREF="c27596.html#LIWQ512"
2425 >, and to fill the password field appropriately
2426 (for instructions, see <A
2427 HREF="c27596.html#HDRWQ497"
2428 >Specifying Passwords in the Local Password File</A
2431 >If you use the <SPAN
2437 > utility to distribute a common version of the password file
2438 to all client machines, then you need to make the change only in the common version. See <A
2440 >Configuring Client Machines with the package Program</A
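The whole procedure above, as an added example that is not part of the AFS Administration Guide: a POSIX shell script that issues the commands of the steps in order for one user, preceded by the privilege checks of the second step. The cell name example.com, the file server fs1.example.com, the partition /vicepa, the administrative identity admin, the volume root.cell as the home of the parent directory /afs/example.com/usr, and the group ID 100 in the password file entry are assumptions. By default the script prints the commands instead of running them (DRYRUN=1), so the sequence can be reviewed before running it for real on a client where pts, kas, vos and fs are on the path; the initial password is deliberately not passed on the command line, so kas create prompts for it.

```shell
#!/bin/sh
# Added example, not from the AFS Administration Guide or the AFS tools themselves.
# Assumptions: cell example.com, file server fs1.example.com, partition /vicepa,
# admin identity "admin", user volumes mounted under /afs/<cell>/usr inside the
# replicated root.cell volume, local group ID 100. DRYRUN=1 prints the commands;
# set DRYRUN=0 on a client with pts/kas/vos/fs on the PATH to execute them.

DRYRUN=${DRYRUN:-1}
ADMIN=${ADMIN:-admin}
RELEASE_VOL=${RELEASE_VOL-root.cell}   # volume holding the parent dir; empty = skip release

run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read/write path: a period before the cell name at the second level, so that
# fs mkmount and fs setacl act on the read/write volume rather than a read-only copy.
rw_path() {   # rw_path <cell> <path under cell>
    printf '/afs/.%s/%s\n' "$1" "$2"
}

# Local password file entry: UNIX UID equal to the AFS UID (so ls -l names the
# right owner) and "X" in the password field (login only with the correct AFS
# password under an AFS-modified login utility). The home uses the regular path.
passwd_entry() {   # passwd_entry <cell> <user> <afs-uid> <gid>
    printf '%s:X:%s:%s:%s:/afs/%s/usr/%s:/bin/sh\n' "$2" "$3" "$4" "$2" "$1" "$2"
}

# Privilege checks the guide lists: membership in system:administrators, inclusion
# in the UserList, the ADMIN flag on the admin's Authentication Database entry, and
# a and i rights on the directory where the home volume will be mounted.
preflight() {   # preflight <cell> <db-server>
    run pts membership system:administrators
    run bos listusers -server "$2"
    run kas examine -name "$ADMIN" -admin_user "$ADMIN"
    run fs listacl -path "$(rw_path "$1" usr)"
}

create_afs_account() {   # create_afs_account <cell> <user> <server> <partition> [quota-kb] [afs-uid]
    cell=$1 user=$2 server=$3 part=$4 quota=${5:-5000} uid=$6
    home=$(rw_path "$cell" "usr/$user")

    # 1. Protection Database entry; -id only when matching an existing UNIX UID,
    #    otherwise the Protection Server allocates the AFS UID from its counter.
    if [ -n "$uid" ]; then
        run pts createuser -name "$user" -id "$uid"
    else
        run pts createuser -name "$user"
    fi

    # 2. Authentication Database entry. kas authenticates on its own, so name an
    #    ADMIN-flagged identity; without -initial_password the password is prompted for.
    run kas create -name "$user" -admin_user "$ADMIN"

    # 3-5. Home volume, mount point on the read/write path, ACL granting the user all
    #      seven rights (system:administrators keeps its implicit a and l rights), and
    #      an owner note in the volume header.
    run vos create -server "$server" -partition "$part" -name "user.$user" -maxquota "$quota"
    run fs mkmount -dir "$home" -vol "user.$user"
    run fs setacl -dir "$home" -acl "$user" all
    run fs setvol -path "$home" -offlinemsg "owner: $user"

    # 6. Owner by AFS UID, not username: the user has no local passwd entry yet.
    if [ -z "$uid" ] && [ "$DRYRUN" != 1 ]; then
        uid=$(pts examine -nameorid "$user" | sed -n '1s/^Name: [^,]*, id: \([0-9]*\),.*/\1/p')
    fi
    run chown "${uid:-AFS_UID_FROM_pts_examine}" "$home"

    # 7. The new mount point changed the parent directory's volume; release it if replicated.
    if [ -n "$RELEASE_VOL" ]; then run vos release -id "$RELEASE_VOL"; fi

    # 8. Entry for the local password file of every client the user logs in to.
    echo "# add to /etc/passwd on each client: $(passwd_entry "$cell" "$user" "${uid:-AFS_UID}" 100)"
}

# Example: a user who already has UNIX UID 1234, so the AFS UID is forced to match.
preflight example.com db1.example.com
create_afs_account example.com smith fs1.example.com /vicepa 10000 1234
```

Run it once with DRYRUN=1 and read the printed sequence; the lines to check are the fs mkmount and fs setacl paths (they must start with /afs/.example.com, the read/write path) and the chown line, which must carry the AFS UID rather than the username. Omitting the last argument lets the Protection Server assign the UID, in which case the real run reads it back with pts examine before the chown.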
2452 >Improving Password and Authentication Security</A
2455 >AFS provides several optional features that can help to protect your cell's filespace against unauthorized access. The
2456 following list summarizes them, and instructions follow. <UL
2459 >Limit the number of consecutive failed login attempts.</P
2461 >One of the most common ways for an unauthorized user to access your filespace is to guess an authorized user's
2462 password. This method of attack is most dangerous if the attacker can use many login processes in parallel or use the RPC
2463 interfaces directly, because nothing then limits the rate at which passwords can be tried.</P
2465 >To protect against this type of attack, use the <SPAN
2471 > argument to the <SPAN
2477 > command to limit the number of times that a user can consecutively fail to enter the
2478 correct password when using either an AFS-modified login utility or the <SPAN
2485 When the limit is exceeded, the Authentication Server locks the user's Authentication Database entry (disallows
2486 authentication attempts) for a period of time that you define with the <SPAN
2499 > command. If desired, system administrators can use the <SPAN
2505 > command to unlock the entry before the complete lockout time passes.</P
2507 >In certain circumstances, the mechanism used to enforce the number of failed authentication attempts can cause a
2508 lockout even though the number of failed attempts is less than the limit set by the <SPAN
2514 > argument. Client-side authentication programs such as <SPAN
2520 > and an AFS-modified login utility normally choose an Authentication Server at random for each
2521 authentication attempt, and in case of a failure are likely to choose a different Authentication Server for the next
2522 attempt. The Authentication Servers running on the various database server machines do not communicate with each other
2523 about how many times a user has failed to provide the correct password to them. Instead, each Authentication Server
2524 maintains its own separate copy of the auxiliary database file <SPAN
2537 > directory by default), which records the number of consecutive
2538 authentication failures for each user account and the time of the most recent failure. This implementation means that on
2539 average each Authentication Server knows about only a fraction of the total number of failed attempts. The only way to
2540 avoid allowing more than the number of attempts set by the <SPAN
2546 > argument is to have
2547 each Authentication Server allow only some fraction of the total. More specifically, if the limit on failed attempts is
2554 >, and the number of Authentication Servers is <SPAN
2560 >, then each Authentication
2561 Server can only permit a number of attempts equal to <SPAN
2574 synchronization site for the Authentication Server tracks any remainder, <SPAN
2582 >Normally, this implementation does not reduce the number of allowed attempts to less than the configured limit
2589 >). If one Authentication Server refuses an attempt, the client contacts another instance of the
2590 server, continuing until either it successfully authenticates or has contacted all of the servers. However, if one or more
2591 of the Authentication Server processes is unavailable, the limit is effectively reduced by a percentage equal to the
2611 unavailable servers and <SPAN
2617 > is the number normally available.</P
2619 >To avoid the undesirable consequences of setting a limit on failed authentication attempts, note the following
2620 recommendations: <UL
2623 >Do not set the <SPAN
2629 > argument (the limit on failed authentication
2630 attempts) too low. A limit of nine failed attempts is recommended for regular user accounts, to allow three failed
2631 attempts per Authentication Server in a cell with three database server machines.</P
2635 >Set fairly short lockout times when including the <SPAN
2642 Although guessing passwords is a common method of attack, it is not a very sophisticated one. Setting a lockout time
2643 can help discourage attackers, but excessively long times are likely to be more of a burden to authorized users than
2644 to potential attackers. A lockout time of 25 minutes is recommended for regular user accounts.</P
2648 >Do not assign an infinite lockout time on an account (by setting the <SPAN
2660 > [zero]) unless there is a highly
2661 compelling reason. Such accounts almost inevitably become locked at some point, because each Authentication Server
2662 never resets the account's failure counter in its copy of the <SPAN
2669 contrast, when the lockout time is not infinite, the counter resets after the specified amount of time has passed
2670 since the last failed attempt to that Authentication Server). Furthermore, the only way to unlock an account with an
2671 infinite lockout time is for an administrator to issue the <SPAN
2678 is especially dangerous to set an infinite lockout time on an administrative account; if all administrative accounts
2679 become locked, the only way to unlock them is to shut down all instances of the Authentication Server and remove the
2691 >In summary, the recommended limit on authentication attempts is nine and lockout time 25 minutes.</P
2695 >Limit password lifetime.</P
2697 >The longer a password is in use, the more time an attacker has to try to learn it. To protect against this type of
2698 attack, use the <SPAN
2704 > argument to the <SPAN
2711 command to limit how many days a user's password is valid. The user becomes unable to authenticate with AFS after the
2712 password expires, but has up to 30 days to use the <SPAN
2718 > command to set a new password.
2719 After the 30 days pass, only an administrator who has the <SAMP
2720 CLASS="computeroutput"
2723 Authentication Database entry can change the password.</P
2725 >If you set a password lifetime, many AFS-modified login utilities (but not the <SPAN
2732 command) set the PASSWORD_EXPIRES environment variable to the number of days remaining until the password expires. A
2733 setting of zero means that the password expires today. If desired, you can customize your users' login scripts to display
2734 the number of days remaining before expiration and even prompt for a password change when a small number of days remain
2735 before expiration.</P
2739 >Prohibit reuse of passwords.</P
2741 >Forcing users to select new passwords periodically is not effective if they simply set the new password to the
2742 current value. To prevent a user from setting a new password to a string similar to any of the last 20 passwords, use the
2749 > argument to the <SPAN
2757 >If you prohibit password reuse and the user specifies an excessively similar password, the Authentication Server
2758 generates the following message to reject it:</P
2760 CLASS="programlisting"
2761 > Password was not changed because it seems like a reused password
2764 >A persistent user can try to bypass this restriction by changing the password 20 times in quick succession (or
2765 running a script to do so). If you believe this is likely to be a problem, you can include the <SPAN
2771 > argument to the <SPAN
2777 > initialization command (for
2778 details, see the command's reference page in the <SPAN
2782 >IBM AFS Administration Reference</I
2785 attempts to change passwords too frequently, the following message appears.</P
2787 CLASS="programlisting"
2788 > Password was not changed because you changed it too recently; see
2789 your systems administrator
2794 >Check the quality of new passwords.</P
2796 >You can impose a minimum quality standard on passwords by writing a script or program called <SPAN
2808 > file exists, the <SPAN
2820 > command interpreters invoke it to
2821 check a new password. If the password does not comply with the quality standard, the <SPAN
2827 > program returns an appropriate code and the command interpreter rejects the
2836 > file must be executable, must reside in the same AFS directory as the
2849 > binaries, and its directory's ACL must
2862 >) permission only to the <SPAN
2866 >system:administrators</B
2870 >If you choose to write a <SPAN
2876 > program, consider imposing standards such as the
2880 >A minimum length</P
2884 >Words found in the dictionary are prohibited</P
2888 >Numbers, punctuation, or both must appear along with letters</P
2893 >The AFS distribution includes an example <SPAN
2899 > program. See the <SPAN
2905 > reference page in the <SPAN
2909 >IBM AFS Administration Reference</I
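The following is an added example of a kpwvalid-style quality filter enforcing the three standards listed above; it is not the example program shipped in the AFS distribution. It assumes the kpwvalid calling convention (old password on the first line of standard input, new password on the second, exit status 0 to accept), which comes from the kpwvalid reference page rather than from this section, and it uses a constructed word list in place of a real dictionary file.

```python
#!/usr/bin/env python3
"""Example kpwvalid-style password filter (added example, not AFS's own kpwvalid).

Assumed interface (from the kpwvalid convention, not from this page):
the old password arrives on line 1 of standard input, the new password on
line 2; exit status 0 accepts the new password, any other status rejects it.
"""
import string
import sys

MIN_LENGTH = 8  # "a minimum length": the value itself is our choice

# Constructed sample word list standing in for a real dictionary
# (for example, one word per line read from a file under /usr/share/dict).
SAMPLE_DICTIONARY = frozenset({
    "password", "welcome", "letmein", "dragon", "monkey", "qwerty", "afs",
})


def _dictionary_hits(candidate: str, dictionary: frozenset) -> list:
    """Return the dictionary words found inside the candidate (case-insensitive).

    A plain membership test is too weak: "Password1!" would pass it, so words
    of four or more letters are also rejected when they appear as a substring.
    Shorter words are only matched against the whole candidate.
    """
    lowered = candidate.lower()
    hits = []
    for word in dictionary:
        if len(word) >= 4 and word in lowered:
            hits.append(word)
        elif word == lowered:
            hits.append(word)
    return sorted(hits)


def check_password(new: str, old: str = "",
                   dictionary: frozenset = SAMPLE_DICTIONARY) -> list:
    """Return the reasons `new` fails the policy; an empty list means accept."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # "Numbers, punctuation, or both must appear along with letters"
    has_letter = any(c.isalpha() for c in new)
    has_other = any(c.isdigit() or c in string.punctuation for c in new)
    if not (has_letter and has_other):
        reasons.append("must mix letters with digits or punctuation")
    # "Words found in the dictionary are prohibited"
    hits = _dictionary_hits(new, dictionary)
    if hits:
        reasons.append("contains dictionary word(s): " + ", ".join(hits))
    # Trivial reuse of the old password; the server-side -reuse policy covers
    # similarity to the last 20 passwords, this only catches the exact case.
    if old and new.lower() == old.lower():
        reasons.append("identical to the old password (ignoring case)")
    return reasons


def validate_stdin_text(text: str, err=sys.stderr) -> int:
    """Apply the policy to raw kpwvalid input and return the exit status."""
    lines = text.split("\n")
    old = lines[0] if len(lines) > 0 else ""
    new = lines[1] if len(lines) > 1 else ""
    reasons = check_password(new, old)
    for reason in reasons:
        print(f"kpwvalid: rejected: {reason}", file=err)
    return 1 if reasons else 0


if __name__ == "__main__":
    sys.exit(validate_stdin_text(sys.stdin.read()))
```

Because kpasswd and kas invoke the file found beside their binaries, the directory ACL restriction described above is what keeps a non-administrator from replacing this filter.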
2921 >To limit the number of consecutive failed authentication attempts</A
2933 > command with the <SPAN
2948 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
2949 it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator.
2956 > argument to name an identity that has the
2958 CLASS="computeroutput"
2960 > flag on its Authentication Database entry. To verify that an entry has the flag,
2967 > command as described in <A
2968 HREF="c32432.html#HDRWQ590"
2970 ADMIN flag is set</A
2973 CLASS="programlisting"
2992 >admin principal to use for authentication</VAR
3002 >maximum successive failed login tries ([0..254])</VAR
3012 >failure penalty [hh:mm or minutes]</VAR
3014 Administrator's (admin_user) password: <<VAR
3016 >admin_password</VAR
3021 CLASS="variablelist"
3033 >Names the Authentication Database entry to edit.</P
3045 >Names an administrative account that has the <SAMP
3046 CLASS="computeroutput"
3049 Authentication Database entry, such as the <SPAN
3055 > account. The password prompt
3056 echoes it as admin_user. Enter the appropriate password as admin_password.</P
3068 >Specifies the maximum consecutive number of times that a user can fail to provide the correct password
3069 during authentication (via the <SPAN
3075 > command or an AFS-modified login utility)
3076 before the Authentication Server refuses further attempts for the amount of time specified by the <SPAN
3082 > argument. The range of valid values is <SPAN
3095 >. If you omit this argument or specify <SPAN
3101 >, the Authentication Server allows an unlimited number of failures.</P
3113 >Specifies how long the Authentication Server refuses authentication attempts after the user exceeds the
3114 failure limit specified by the <SPAN
3122 >Specify a time in either hours and minutes (hh:mm) or minutes only (mm), from the range <SPAN
3128 > (one minute) through <SPAN
3134 > (36 hours). The <SPAN
3140 > command interpreter automatically reduces any larger value to 36:00 and also rounds up
3141 each nonzero value to the next-higher multiple of 8.5 minutes.</P
3143 >It is best not to provide a value of <SPAN
3149 > (zero), especially on administrative
3150 accounts, because it sets an infinite lockout time. An administrator must always issue the <SPAN
3156 > command to unlock such an account.</P
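As an added example covering both the per-server split of the failed-attempt limit described under "Limit the number of consecutive failed login attempts" and the capping and 8.5-minute rounding of the locktime value described just above: this is not code from the AFS guide or from kas; the helper names are my own, and the ordering of the cap and the rounding at the 36:00 boundary, as well as the treatment of the remainder when a server is down, are assumptions noted in the comments.

```python
"""Added worked example for kas setfields -attempts and -locktime (not AFS code)."""
from dataclasses import dataclass
import math

LOCKTIME_MAX_MINUTES = 36 * 60     # guide: larger values are reduced to 36:00
LOCKTIME_GRANULE_MINUTES = 8.5     # guide: nonzero values round up to a multiple of 8.5


@dataclass(frozen=True)
class AttemptBudget:
    per_server: int       # failures each Authentication Server tolerates on its own
    remainder: int        # extra failures tracked only by the synchronization site
    effective_limit: int  # failures a client is actually allowed, given available servers


def attempt_budget(limit: int, servers: int, unavailable: int = 0) -> AttemptBudget:
    """Split a -attempts limit across the cell's Authentication Servers.

    limit: the -attempts value, 0 (unlimited) or 1..254.
    servers: number of Authentication Server instances (database machines).
    unavailable: how many of those instances are currently down.
    """
    if not 0 <= limit <= 254:
        raise ValueError("-attempts must be in 0..254")
    if servers < 1 or not 0 <= unavailable < servers:
        raise ValueError("need at least one server, and at least one must be up")
    if limit == 0:
        return AttemptBudget(per_server=0, remainder=0, effective_limit=0)
    per_server, remainder = divmod(limit, servers)
    if unavailable == 0:
        effective = limit
    else:
        # Guide: the limit drops by the fraction of servers that are unavailable.
        # Assumption: the remainder held by the sync site is not counted when
        # any server is down (the pessimistic reading), so only whole per-server
        # shares of the reachable servers remain.
        effective = per_server * (servers - unavailable)
    return AttemptBudget(per_server, remainder, effective)


def parse_locktime(value: str) -> int:
    """Parse a -locktime argument given as hh:mm or as minutes only."""
    if ":" in value:
        hours, minutes = value.split(":", 1)
        total = int(hours) * 60 + int(minutes)
    else:
        total = int(value)
    if total < 0:
        raise ValueError("-locktime cannot be negative")
    return total


def effective_locktime_minutes(value: str) -> float:
    """Return the lockout the Authentication Server will actually apply.

    0 is returned unchanged: the guide warns that it means an infinite lockout.
    Assumption: the cap to 36:00 is applied before rounding up, in the order
    the guide lists the two adjustments.
    """
    minutes = parse_locktime(value)
    if minutes == 0:
        return 0.0
    minutes = min(minutes, LOCKTIME_MAX_MINUTES)
    granules = math.ceil(minutes / LOCKTIME_GRANULE_MINUTES)
    return granules * LOCKTIME_GRANULE_MINUTES


def policy_warnings(limit: int, servers: int, locktime: str) -> list:
    """Check a proposed policy against the guide's recommendations.

    The guide recommends three failures per server (nine in a three-server
    cell), a lockout of about 25 minutes, and never an infinite lockout. The
    60-minute threshold for "excessively long" is our own assumption.
    """
    warnings = []
    budget = attempt_budget(limit, servers)
    if limit > 0 and budget.per_server < 3:
        warnings.append(f"-attempts {limit} leaves each of {servers} servers only "
                        f"{budget.per_server} tries; 3 per server is recommended")
    lock = effective_locktime_minutes(locktime)
    if limit > 0 and lock == 0.0:
        warnings.append("-locktime 0 is an infinite lockout; only kas unlock clears it")
    elif lock > 60:
        warnings.append(f"-locktime rounds to {lock:g} minutes; long lockouts "
                        "burden users more than attackers")
    return warnings


if __name__ == "__main__":
    print(attempt_budget(9, 3), attempt_budget(9, 3, unavailable=1))
    print(effective_locktime_minutes("25"), effective_locktime_minutes("1:00"))
    print(policy_warnings(4, 3, "0"))
```

Note that the recommended 25-minute value is itself rounded up to 25.5 minutes by the kas command interpreter.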
3170 >To unlock a locked user account</A
3182 > command to enter interactive mode.</P
3184 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
3185 it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator.
3192 > argument to name an identity that has the
3194 CLASS="computeroutput"
3196 > flag on its Authentication Database entry. To verify that an entry has the flag,
3203 > command as described in <A
3204 HREF="c32432.html#HDRWQ590"
3206 ADMIN flag is set</A
3209 CLASS="programlisting"
3218 >admin principal to use for authentication</VAR
3220 Administrator's (admin_user) password: <<VAR
3222 >admin_password</VAR
3233 > names an administrative account that has the
3235 CLASS="computeroutput"
3237 > flag on its Authentication Database entry, such as <SPAN
3243 >. The password prompt echoes it as admin_user. Enter the appropriate password as
3254 > command to verify that the user's account is in fact
3255 locked, as indicated by the message shown: <PRE
3256 CLASS="programlisting"
3257 > ka> <SPAN
3267 User is locked until time
3279 > command to unlock the account. <PRE
3280 CLASS="programlisting"
3281 > ka> <SPAN
3289 >authentication ID</VAR
3296 CLASS="variablelist"
3308 >Is the shortest acceptable abbreviation of <SPAN
3321 >authentication ID</B
3326 >Names the Authentication Database entry to unlock.</P
3339 >To set password lifetime</A
3351 > command with the <SPAN
3359 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
3360 it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator.
3367 > argument to name an identity that has the
3369 CLASS="computeroutput"
3371 > flag on its Authentication Database entry. To verify that an entry has the flag,
3378 > command as described in <A
3379 HREF="c32432.html#HDRWQ590"
3381 ADMIN flag is set</A
3384 CLASS="programlisting"
3403 >number days password is valid [0..254])</VAR
3413 >admin principal to use for authentication</VAR
3415 Administrator's (admin_user) password: <<VAR
3417 >admin_password</VAR
3422 CLASS="variablelist"
3434 >Specifies the Authentication Database entry on which to impose a password expiration.</P
3446 >Sets the number of days after the user's password was last changed that it remains valid. Provide an integer
3447 from the range <SPAN
3460 number of days until expiration.</P
3462 >When the password becomes invalid (expires), the user is unable to authenticate, but has 30 more days in
3463 which to issue the <SPAN
3476 command to change the password (after that, only an administrator can change it). Note that the clock starts at
3477 the time the password was last changed, not when the <SPAN
3484 issued. To avoid retroactive expiration, have the user change the password just before issuing the command.</P
3496 >Names an administrative account that has the <SAMP
3497 CLASS="computeroutput"
3500 Authentication Database entry, such as <SPAN
3506 >. The password prompt echoes it as
3507 admin_user. Enter the appropriate password as admin_password.</P
3521 >To prohibit reuse of passwords</A
3533 > command with the <SPAN
3542 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
3543 it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator.
3550 > argument to name an identity that has the
3552 CLASS="computeroutput"
3554 > flag on its Authentication Database entry. To verify that an entry has the flag,
3561 > command as described in <A
3562 HREF="c32432.html#HDRWQ590"
3564 ADMIN flag is set</A
3567 CLASS="programlisting"
3585 > permit password reuse (yes/no)</VAR
3595 >admin principal to use for authentication</VAR
3597 Administrator's (admin_user) password: <<VAR
3599 >admin_password</VAR
3604 CLASS="variablelist"
3616 >Names the Authentication Database entry for which to set the password reuse policy.</P
3628 >Specifies whether the Authentication Server allows reuse of passwords similar to any of the user's last 20
3629 passwords. Specify the value <SPAN
3635 > to prohibit reuse, or the value <SPAN
3641 > to reinstate the default of allowing password reuse.</P
3653 >Names an administrative account that has the <SAMP
3654 CLASS="computeroutput"
3657 Authentication Database entry, such as <SPAN
3663 >. The password prompt echoes it as
3664 admin_user. Enter the appropriate password as admin_password.</P
3679 >Changing AFS Passwords</A
3682 >After setting an initial password during account creation, you normally do not need to change user passwords, since they
3689 > command themselves by following the instructions in the <SPAN
3696 >. In the rare event that a user forgets the password or otherwise cannot log in, you can use the <SPAN
3702 > command to set a new password.</P
3704 >If entries in the local password file (<SPAN
3710 > or equivalent) have actual scrambled
3711 passwords in their password field, remember to change the password there also. For further discussion, see <A
3712 HREF="c27596.html#HDRWQ497"
3713 >Specifying Passwords in the Local Password File</A
3721 >To change an AFS password</A
3733 > command to change the password. To avoid having the new
3734 password echo visibly on the screen, omit the <SPAN
3740 > argument; instead enter the
3741 password at the prompts that appear when you omit the argument, as shown.</P
3743 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
3744 it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator.
3751 > argument to name an identity that has the
3753 CLASS="computeroutput"
3755 > flag on its Authentication Database entry. To verify that an entry has the flag,
3762 > command as described in <A
3763 HREF="c32432.html#HDRWQ590"
3765 ADMIN flag is set</A
3768 CLASS="programlisting"
3787 >admin principal to use for authentication</VAR
3789 Administrator's (admin_user) password: <<VAR
3791 >admin_password</VAR
3793 new_password: <<VAR
3797 Verifying, please re-enter new_password: <<VAR
3804 CLASS="variablelist"
3816 >Is an acceptable alias for <SPAN
3828 > is the shortest acceptable abbreviation).</P
3840 >Names the Authentication Database entry for which to set the password.</P
3852 >Names an administrative account that has the <SAMP
3853 CLASS="computeroutput"
3856 Authentication Database entry, such as <SPAN
3862 >. The password prompt echoes it as
3863 admin_user. Enter the appropriate password as admin_password.</P
3875 >Specifies the user's new password. It is subject to the restrictions imposed by the <SPAN
3881 > program, if you use it.</P
3896 >Displaying and Setting the Quota on User Volumes</A
3899 >User volumes are like all other volumes with respect to quota. Each new AFS volume has a default quota of 5000 KB, unless
3906 > argument to the <SPAN
3913 set a different quota. You can also use either of the following commands to change quota at any time: <UL
3937 >You can use any of the three following commands to display a volume's quota: <UL
3971 >For instructions, see <A
3972 HREF="c8420.html#HDRWQ234"
3973 >Setting and Displaying Volume Quota and Current Size</A
3982 >Changing Usernames</A
3985 >By convention, many components of a user account incorporate the username, including the Protection and Authentication
3986 Database entries, the volume name and the home directory name. When changing a username, it is best to maintain consistency by
3987 changing the names of all components, so the procedure for changing a username has almost as many steps as the procedure for
3988 creating a new user account.</P
3995 >To change a username</A
4001 >Authenticate as an AFS identity with all of the following privileges. In the conventional configuration, the
4008 > user account has them, or you possibly have a personal administrative account. (To
4009 increase cell security, it is best to create special privileged accounts for use only while performing administrative
4010 procedures; for further discussion, see <A
4011 HREF="c32432.html#HDRWQ584"
4012 >An Overview of Administrative Privilege</A
4014 necessary, issue the <SPAN
4020 > command to authenticate. <PRE
4021 CLASS="programlisting"
4031 >admin_password</VAR
4036 >The following list specifies the necessary privileges and indicates how to check that you have them.</P
4040 >Membership in the <SPAN
4044 >system:administrators</B
4046 > group. If necessary, issue the
4053 > command, which is fully described in <A
4054 HREF="c32432.html#HDRWQ587"
4056 display the members of the system:administrators group</A
4058 CLASS="programlisting"
4063 >pts membership system:administrators</B
4071 >Inclusion in the <SPAN
4075 >/usr/afs/etc/UserList</B
4077 > file. If necessary, issue the <SPAN
4083 > command, which is fully described in <A
4084 HREF="c32432.html#HDRWQ593"
4086 users in the UserList file</A
4088 CLASS="programlisting"
4105 CLASS="computeroutput"
4107 > flag on the Authentication Database entry. However, the
4108 Authentication Server performs its own authentication, so the following instructions direct you to specify an
4109 administrative identity on the <SPAN
4115 > command line itself.</P
4155 >) permissions on the ACL of the directory where you are removing the current mount point
4156 and creating a new one. If necessary, issue the <SPAN
4162 > command, which is fully
4164 HREF="c31274.html#HDRWQ572"
4167 CLASS="programlisting"
4181 >Members of the <SPAN
4185 >system:administrators</B
4187 > group always implicitly have the <SPAN
4199 >) and by default also the <SPAN
4211 >) permission on every ACL and can use the <SPAN
4217 > command to grant other rights as necessary.</P
4232 > command to display the names of the
4233 groups the user owns. After you change the username in the Protection Database in Step <A
4234 HREF="c27596.html#LIWQ520"
4237 you must issue the <SPAN
4243 > command to change each group's owner prefix to match the
4244 new name, because the Protection Server does not automatically make this change. For a complete description of the
4252 HREF="c29323.html#HDRWQ536"
4253 >Displaying Information from the
4254 Protection Database</A
4256 CLASS="programlisting"
4265 >user or group name or id</VAR
4281 > command to change the user's name in
4282 the Protection Database. <PRE
4283 CLASS="programlisting"
4308 > command to change the group names you noted in Step <A
4309 HREF="c27596.html#LIWQ519"
4311 >, so that their owner prefix (the part of the group name before the colon) accurately reflects
4312 the owner's new name.</P
4314 >Repeat the command for each group. Step <A
4315 HREF="c27596.html#LIWQ520"
4317 > details its syntax.</P
4319 CLASS="programlisting"
4343 > command to enter interactive mode.</P
4345 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
4346 it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator.
4353 > argument to name an identity that has the
4355 CLASS="computeroutput"
4357 > flag on its Authentication Database entry. To verify that an entry has the flag,
4364 > command as described in <A
4365 HREF="c32432.html#HDRWQ590"
4367 ADMIN flag is set</A
4370 CLASS="programlisting"
4379 >admin principal to use for authentication</VAR
4381 Administrator's (admin_user) password: <<VAR
4383 >admin_password</VAR
4394 > names an administrative account that has the
4396 CLASS="computeroutput"
4398 > flag on its Authentication Database entry, such as <SPAN
4404 >. The password prompt echoes it as admin_user. Enter the appropriate password as
4415 > command to delete the user's existing Authentication
4416 Database entry. <PRE
4417 CLASS="programlisting"
4418 > ka> <SPAN
4433 CLASS="variablelist"
4445 >Is the shortest acceptable abbreviation for <SPAN
4451 >, or you can use the alias
4470 >Names the Authentication Database entry to delete.</P
4483 > command to create an Authentication Database entry for the
4484 new username. To avoid having the user's password echo visibly on the screen, do not include the <SPAN
4488 >-initial_password</B
4490 > argument; instead enter the password at the prompts that appear in that case, as
4491 shown in the following syntax specification. <PRE
4492 CLASS="programlisting"
4493 > ka> <SPAN
4503 initial_password: <<VAR
4507 Verifying, please re-enter initial_password: <<VAR
4516 CLASS="variablelist"
4528 >Is the shortest acceptable abbreviation for <SPAN
4546 >Specifies the new username.</P
4558 >Specifies the password for the new user account. If the user is willing to tell you his or her current
4559 password, you can retain it. Otherwise, provide a string of eight characters or less to comply with the length
4560 restriction that some applications impose. Possible choices for an initial password include the username, a string
4561 of digits from a personal identification number such as the Social Security number, or a standard string such as
4568 >. Instruct the user to change the string to a truly secret password as soon
4569 as possible by using the <SPAN
4575 > command as instructed in the <SPAN
4595 > command to leave interactive mode. <PRE
4596 CLASS="programlisting"
4597 > ka> <SPAN
4618 > command to change the name of the
4619 user's volume. For complete syntax, see <A
4620 HREF="c8420.html#HDRWQ246"
4621 >To rename a volume</A
4623 CLASS="programlisting"
4632 >old volume name</VAR
4635 >new volume name</VAR
4651 > command to remove the existing mount
4652 point. For the directory argument, specify the read/write path to the mount point, to avoid the failure that results when
4653 you attempt to delete a mount point from a read-only volume. <PRE
4654 CLASS="programlisting"
4679 > command to create a mount point for the
4680 volume's new name. Specify the read/write path to the mount point for the directory argument, as in the previous step. For
4681 complete syntax, see Step <A
4682 HREF="c27596.html#LIWQ509"
4685 HREF="c27596.html#HDRWQ503"
4686 >To create one user account with
4687 individual commands</A
4689 CLASS="programlisting"
4708 >If the changes you made in Step <A
4709 HREF="c27596.html#LIWQ522"
4712 HREF="c27596.html#LIWQ523"
4715 a mount point that resides in a replicated volume, use the <SPAN
4721 > command to release
4722 the volume, as described in <A
4723 HREF="c8420.html#HDRWQ194"
4724 >To replicate a read/write volume (create a read-only volume)</A
4727 CLASS="programlisting"
4736 >volume name or ID</VAR
4747 >This step can be necessary even if the home directory's parent directory is not itself a mount point for a
4748 replicated volume (and is easier to overlook in that case). For example, the ABC Corporation template puts the mount
4749 points for user volumes in the <SPAN
4753 >/afs/abc.com/usr</B
4755 > directory. Because that is a regular
4756 directory rather than a mount point, it resides in the <SPAN
4762 > volume mounted at the
4769 > directory. That volume is replicated, so after changing it the
4770 administrator must issue the <SPAN
4789 >Removing a User Account</A
4792 >Before removing an account, it is best to make a backup copy of the user's home volume on a permanent storage medium such
4793 as tape. If you need to remove several accounts, it is probably more efficient to use the <SPAN
4800 > command instead; see <A
4801 HREF="c24913.html#HDRWQ486"
4802 >Deleting Individual Accounts with the uss delete
4811 >To remove a user account</A
4817 >Authenticate as an AFS identity with all of the following privileges. In the conventional configuration, the
4824 > user account has them, or you possibly have a personal administrative account. (To
4825 increase cell security, it is best to create special privileged accounts for use only while performing administrative
4826 procedures; for further discussion, see <A
4827 HREF="c32432.html#HDRWQ584"
4828 >An Overview of Administrative Privilege</A
4830 necessary, issue the <SPAN
4836 > command to authenticate. <PRE
4837 CLASS="programlisting"
4847 >admin_password</VAR
4852 >The following list specifies the necessary privileges and indicates how to check that you have them.</P
4856 >Membership in the <SPAN
4860 >system:administrators</B
4862 > group. If necessary, issue the
4869 > command, which is fully described in <A
4870 HREF="c32432.html#HDRWQ587"
4872 display the members of the system:administrators group</A
4874 CLASS="programlisting"
4879 >pts membership system:administrators</B
4887 >Inclusion in the <SPAN
4891 >/usr/afs/etc/UserList</B
4893 > file. If necessary, issue the <SPAN
4899 > command, which is fully described in <A
4900 HREF="c32432.html#HDRWQ593"
4902 users in the UserList file</A
4904 CLASS="programlisting"
4921 CLASS="computeroutput"
4923 > flag on the Authentication Database entry. However, the
4924 Authentication Server performs its own authentication, so the following instructions direct you to specify an
4925 administrative identity on the <SPAN
4931 > command line itself.</P
4947 >) permission on the ACL of the
4948 directory where you are removing the user volume's mount point. If necessary, issue the <SPAN
4955 > command, which is fully described in <A
4956 HREF="c31274.html#HDRWQ572"
4960 CLASS="programlisting"
4974 >Members of the <SPAN
4978 >system:administrators</B
4980 > group always implicitly have the <SPAN
4992 >) and by default also the <SPAN
5004 >) permission on every ACL and can use the <SPAN
5010 > command to grant other rights as necessary.</P
5022 > If it is possible you need to restore the user's account someday, note
5023 the username and AFS UID, possibly in a file designated for that purpose. You can later restore the account with its
5024 original AFS UID.</P
5034 > Copy the contents of the user's volume to tape. You can use the
5041 > command as described in <A
5042 HREF="c8420.html#HDRWQ240"
5043 >Dumping and Restoring
5045 > or the AFS Backup System as described in <A
5046 HREF="c15383.html#HDRWQ296"
5061 > If you intend to remove groups that the user owns
5062 from the Protection Database after removing the user's entry, issue the <SPAN
5069 command to display them. For complete instructions, see <A
5070 HREF="c29323.html#HDRWQ536"
5071 >Displaying Information from the
5072 Protection Database</A
5074 CLASS="programlisting"
5083 >user or group name or id</VAR
5106 > command to remove the groups the user owns. However, if it is likely that other users have placed the
5107 groups on the ACLs of directories they own, it is best not to remove them. <PRE
5108 CLASS="programlisting"
5117 >user or group name or id</VAR
5124 CLASS="variablelist"
5136 >Is the shortest acceptable abbreviation for <SPAN
5149 >user or group name or id</B
5154 >Specifies the name or AFS UID of each group displayed in the output from Step <A
5155 HREF="c27596.html#LIWQ525"
5170 > command to remove the user's Authentication Database
5173 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
5174 it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator.
5181 > argument to name an identity that has the
5183 CLASS="computeroutput"
5185 > flag on its Authentication Database entry. To verify that an entry has the flag,
5192 > command as described in <A
5193 HREF="c32432.html#HDRWQ590"
5195 ADMIN flag is set</A
5198 CLASS="programlisting"
5217 >admin principal to use for authentication</VAR
5219 Administrator's (admin_user) password: <<VAR
5221 >admin_password</VAR
5226 CLASS="variablelist"
5238 >Is the shortest acceptable abbreviation for <SPAN
5256 >Names the Authentication Database entry to delete.</P
5268 >Names an administrative account that has the <SAMP
5269 CLASS="computeroutput"
5272 Authentication Database entry, such as <SPAN
5278 >. The password prompt echoes it as
5279 admin_user. Enter the appropriate password as admin_password.</P
5296 > command to display the site of the
5297 user's home volume in preparation for removing it. By convention, user volumes are named <SPAN
5304 CLASS="programlisting"
5313 >volume name or ID</VAR
5320 CLASS="variablelist"
5332 >Is the shortest acceptable abbreviation of <SPAN
5345 >volume name or ID</B
5350 >Specifies the volume's name or volume ID number.</P
5366 > command to remove the user's volume. It
5367 automatically removes the backup version of the volume, if it exists. It is not conventional to replicate user volumes, so
5368 the command usually also completely removes the volume's entry from the Volume Location Database (VLDB). If there are
5369 ReadOnly replicas of the volume, you must repeat the <SPAN
5375 > command to remove each
5376 one individually. <PRE
5377 CLASS="programlisting"
5389 >partition name</VAR
5392 >volume name or ID</VAR
5399 CLASS="variablelist"
5411 >Is the shortest acceptable abbreviation of <SPAN
5429 >Names the file server machine that houses the volume, as specified in the output from Step <A
5430 HREF="c27596.html#LIWQ527"
5444 >Names the partition that houses the volume, as specified in the output from Step <A
5445 HREF="c27596.html#LIWQ527"
5454 >volume name or ID</B
5459 >Specifies the volume's name or ID number.</P
5475 > command to remove the volume's mount
5478 >If you mounted the user's backup volume as a subdirectory of the home directory, then this command is sufficient to
5479 unmount the backup version as well. If you mounted the backup version at an unrelated location in the filespace, repeat
5486 > command for it.</P
5488 CLASS="programlisting"
5502 CLASS="variablelist"
5514 >Is the shortest acceptable abbreviation of <SPAN
5532 >Names the mount point for the volume's previous name (the former home directory). Partial pathnames are
5533 interpreted relative to the current working directory.</P
5535 >Specify the read/write path to the mount point, to avoid the failure that results when you attempt to delete
5536 a mount point from a read-only volume. By convention, you indicate the read/write path by placing a period before
5537 the cell name at the pathname's second level (for example, <SPAN
5544 further discussion of the concept of read/write and read-only paths through the filespace, see <A
5545 HREF="c8420.html#HDRWQ208"
5546 >Mounting Volumes</A
5564 > command to remove the user's Protection
5565 Database entry. A complete description of this command appears in Step <A
5566 HREF="c27596.html#LIWQ526"
5569 CLASS="programlisting"
5578 >user or group name or id</VAR
5585 >If the deleted user home directory resided in a replicated volume, use the <SPAN
5592 > command to release the volume, as described in <A
5593 HREF="c8420.html#HDRWQ194"
5594 >To replicate a read/write
5595 volume (create a read-only volume)</A
5597 CLASS="programlisting"
5606 >volume name or ID</VAR
5617 >This step can be necessary even if the home directory's parent directory is not itself a mount point for a
5618 replicated volume (and is easier to overlook in that case). For example, the ABC Corporation template puts the mount
5619 points for user volumes in the <SPAN
5623 >/afs/abc.com/usr</B
5625 > directory. Because that is a regular
5626 directory rather than a mount point, it resides in the <SPAN
5632 > volume mounted at the
5639 > directory. That volume is replicated, so after changing it by deleting a
5640 mount point the administrator must issue the <SPAN
5659 SUMMARY="Footer navigation table"
5698 >Creating and Deleting User Accounts with the uss Command Suite</TD
5712 >Administering the Protection Database</TD