1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Administering the Protection Database</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
10 TITLE="AFS Administration Guide"
11 HREF="book1.html"><LINK
13 TITLE="Managing Users and Groups"
14 HREF="p24911.html"><LINK
16 TITLE="Administering User Accounts"
17 HREF="c27596.html"><LINK
19 TITLE="Managing Access Control Lists"
20 HREF="c31274.html"></HEAD
31 SUMMARY="Header navigation table"
40 >AFS Administration Guide: Version 3.6</TH
77 >Chapter 14. Administering the Protection Database</H1
79 >This chapter explains how to create and maintain user, machine, and group entries in the Protection Database.</P
86 >Summary of Instructions</A
89 >This chapter explains how to perform the following tasks by using the indicated commands:</P
104 >Display Protection Database entry</TD
116 >Map user, machine or group name to AFS ID</TD
128 >Display entry's owner or creator</TD
140 >Display number of users or machines belonging to group</TD
152 >Display number of groups user or machine belongs to</TD
164 >Display group-creation quota</TD
176 >Display entry's privacy flags</TD
188 >Display members of group, or groups that user or machine belongs to</TD
200 >Display groups that user or group owns</TD
212 >Display all entries in Protection Database</TD
224 >Create machine entry</TD
236 >Create group entry</TD
248 >Add users and machines to groups</TD
260 >Remove users and machines from groups</TD
272 >Delete machine or group entry</TD
284 >Change a group's owner</TD
296 >Change an entry's name</TD
308 >Set group creation quota</TD
320 >Set entry's privacy flags</TD
332 >Display AFS ID counters</TD
344 >Set AFS ID counters</TD
364 >About the Protection Database</A
367 >The Protection Database stores information about AFS users, client machines, and groups which the File Server process uses
368 to determine whether clients are authorized to access AFS data.</P
370 >To obtain authenticated access to an AFS cell, a user must have an entry in the cell's Protection Database. The first time
371 that a user requests access to the data stored on a file server machine, the File Server on that machine contacts the Protection
372 Server to request the user's <SPAN
376 >current protection subgroup</I
384 >), which lists all the
385 groups to which the user belongs. The File Server scans the access control list (ACL) of the directory that houses the data,
386 looking for groups on the CPS. It grants access in accordance with the permissions that the ACL extends to those groups or to
387 the user individually. (The File Server stores the CPS and uses it as long as the user has the same tokens. When a user's group
388 membership changes, he or she must reauthenticate for the File Server to recognize the change.)</P
390 >Only administrators who belong to the cell's <SPAN
394 >system:administrators</B
396 > group can create user
397 entries (the group is itself defined in the Protection Database, as discussed in <A
398 HREF="c29323.html#HDRWQ535"
401 >). Members of the <SPAN
405 >system:administrators</B
407 > group can also create machine entries,
408 which can then be used to control access based on the machine from which the access request originates. After creating a machine
409 entry, add it to a Protection Database group and place the group on ACLs (a machine cannot appear on ACLs directly). A machine
410 entry can represent a single machine or multiple machines with consecutive IP addresses as specified by a wildcard notation. For
412 HREF="c29323.html#HDRWQ542"
413 >Creating User and Machine Entries</A
414 >. Because all replicas of a volume share the
415 same ACL (the one on the volume's root directory mount point), machine entries enable you to replicate the volume that houses a
416 program's binary file while still complying with a machine-based license agreement as required by the program's manufacturer.
418 HREF="c29323.html#HDRWQ542"
419 >Creating User and Machine Entries</A
422 >A group entry is a list of user entries, machine entries, or both (groups cannot belong to other groups). Putting a group
423 on an ACL is a convenient way to extend or deny access to a set of users without listing them on the ACL individually.
424 Similarly, adding users to a group automatically grants them access to all files and directories for which the associated ACL
425 lists that group. Both administrators and regular users can create groups. </P
432 >The System Groups</A
435 >In addition to the groups that users and administrators can create, AFS defines the following three system groups. The
436 Protection Server creates them automatically when it builds the first version of a cell's Protection Database, and always
437 assigns them the same AFS GIDs. <DIV
450 >Represents all users able to access the cell's filespace from the local and foreign cells, authenticated or not.
457 >. The group has no stable membership listed in the Protection
458 Database. Accordingly, the <SPAN
464 > command displays <SPAN
471 CLASS="computeroutput"
473 > field, and the <SPAN
480 > command does not list any members for it.</P
482 >Placing this group on an ACL is a convenient way to extend access to all users. The File Server automatically
483 places this group on the CPS of any user who requests access to data stored on a file server machine. (Every
484 unauthenticated user is assigned the identity <SPAN
490 > and this group is the only
491 entry on the CPS for <SPAN
509 >Represents all users who are able to access the cell's filespace from the local and foreign cells and who have
510 successfully obtained an AFS token in the local cell (are authenticated). Its AFS GID is <SPAN
522 > group, it has no stable
523 membership listed in the Protection Database. Accordingly, the <SPAN
537 CLASS="computeroutput"
546 > command does not list any members for it.</P
548 >Placing this group on an ACL is therefore a convenient way to extend access to all authenticated users. The File
549 Server automatically places this group on the CPS of any authenticated user who requests access to data stored on a
550 file server machine.</P
557 >system:administrators</B
562 >Represents the small number of cell administrators authorized to issue privileged <SPAN
568 > commands and the <SPAN
574 > commands that set quota. The ACL on
575 the root directory of every newly created volume grants all permissions to the group. Even if you remove that entry,
576 the group implicitly retains the <SPAN
589 by default also the <SPAN
601 >), permission on every
602 ACL. Its AFS GID is <SPAN
608 >. For instructions on administering this group, see <A
609 HREF="c32432.html#HDRWQ586"
610 >Administering the system:administrators Group</A
624 >Displaying Information from the Protection Database</A
627 >This section describes the commands you can use to display Protection Database entries and associated information. In
628 addition to name and AFS ID, the Protection Database stores the following information about each user, machine, or group entry.
632 >The entry's owner, which is the user or group of users who can administer the entry</P
636 >The entry's creator, which serves mostly as an audit trail</P
640 >A membership count, which indicates how many groups a user or machine belongs to, or how many members belong to a
645 >A set of privacy flags, which control which users can administer or display information about the entry</P
649 >A group-creation quota, which defines how many groups a user can create</P
653 >A list of the groups to which a user or machine belongs, or of the users and machines that belong to a group</P
657 >A list of the groups that a user or group owns</P
667 >To display a Protection Database entry</A
673 >Verify that you belong to the <SPAN
677 >system:administrators</B
679 > group, which enables you to
680 display an entry regardless of the setting of its first (<SPAN
686 >) privacy flag. By default, any
687 user can display a Protection Database entry. If necessary, issue the <SPAN
694 command, which is fully described in <A
695 HREF="c32432.html#HDRWQ587"
696 >To display the members of the system:administrators
699 CLASS="programlisting"
704 >pts membership system:administrators</B
718 > command to display one or more Protection Database entries.
720 CLASS="programlisting"
729 >user or group name or id</VAR
748 >Is the shortest acceptable abbreviation of <SPAN
767 >user or group name or id</B
772 >Specifies the name or AFS ID of each entry to display. Precede any AFS GID with a hyphen (<SPAN
778 >) because it is a negative integer.</P
785 >The output includes the following fields. Examples follow. <DIV
794 CLASS="computeroutput"
801 >Specifies the entry's name. <UL
804 >For a user, this is the name used when authenticating with AFS and the name that appears on ACL
809 >For a machine, this is the IP address of a single machine, or a wildcard notation that represents a group
810 of machines with consecutive IP addresses, as described in <A
811 HREF="c29323.html#HDRWQ542"
812 >Creating User and Machine
818 >For a group, this is the name that appears on ACL entries and in the list of groups output by the
825 > command. The names of <SPAN
832 two parts, separated by a colon (<SPAN
838 >). The part before the colon indicates the
839 group's owner, and the part after is the unique name. A <SPAN
845 > group's name does not
846 have the owner prefix; only members of the <SPAN
850 >system:administrators</B
853 create prefix-less groups. For further discussion of group names, see <A
854 HREF="c29323.html#HDRWQ544"
868 CLASS="computeroutput"
875 >Specifies the entry's unique AFS identification number. For user and machine entries, the AFS user ID (AFS UID)
876 is a positive integer; for groups, the AFS group ID (AFS GID) is a negative integer. AFS UIDs and GIDs have the same
877 function as their counterparts in the UNIX file system, but are used by the AFS servers and the Cache Manager
880 >Normally, the Protection Server assigns an AFS UID or GID automatically when you create Protection Database
881 entries. Members of the <SPAN
885 >system:administrators</B
887 > group can specify an ID if desired. For
888 further discussion, see <A
889 HREF="c29323.html#HDRWQ542"
890 >Creating User and Machine Entries</A
892 HREF="c29323.html#HDRWQ544"
902 CLASS="computeroutput"
909 >Names the user or group who owns the entry and therefore can administer it (for more information about a group
910 owning another group, see <A
911 HREF="c29323.html#HDRWQ545"
912 >Using Groups Effectively</A
913 >). Other users possibly have
914 administrative privileges, too, depending on the setting of the entry's privacy flags. For instructions on changing
916 HREF="c29323.html#HDRWQ554"
917 >Changing a Group's Owner</A
926 CLASS="computeroutput"
933 >Names the user who created the entry, and serves as an audit trail. If the entry is deleted from the Protection
934 Database, the creator's group creation quota increases by one, even if the creator no longer owns the entry; see <A
935 HREF="c29323.html#HDRWQ558"
936 >Setting Group-Creation Quota</A
940 CLASS="computeroutput"
942 > in this field generally indicates that the entry was
943 created when the Protection Server was running in no-authentication mode, probably during initial configuration of the
944 cell's first file server machine. For a description of no-authentication mode, see <A
945 HREF="c3025.html#HDRWQ123"
947 Authentication and Authorization Requirements</A
956 CLASS="computeroutput"
963 >Specifies the number of groups to which the user or machine belongs, or the number of users or machines that
964 belong to the group.</P
972 CLASS="computeroutput"
979 >Specifies who can display or change information in a Protection Database entry. The five flags, each
980 representing a different capability, always appear in the same order. <UL
983 >For user entries, the default value is <SAMP
984 CLASS="computeroutput"
986 >, which indicates that anyone
993 > command on the entry, but only the user and members
998 >system:administrators</B
1000 > group can perform any other action.</P
1004 >For machine entries, the default value is <SAMP
1005 CLASS="computeroutput"
1007 >, which indicates that
1008 anyone can issue the <SPAN
1014 > command on the entry, but only members of the
1019 >system:administrators</B
1021 > group can perform any other action.</P
1025 >For group entries, the default value is <SAMP
1026 CLASS="computeroutput"
1028 >, which indicates that
1029 anyone can issue the <SPAN
1042 > commands on the entry, but only the group's owner and members of the <SPAN
1046 >system:administrators</B
1048 > group can perform any other action.</P
1053 >For a complete description of possible values for the flags, see <A
1054 HREF="c29323.html#HDRWQ559"
1055 >Setting the Privacy
1056 Flags on Database Entries</A
1065 CLASS="computeroutput"
1072 >Specifies how many more groups a user can create in the Protection Database. The value for a newly created user
1073 entry is 20, but members of the <SPAN
1077 >system:administrators</B
1079 > group can issue the <SPAN
1085 > command at any time to change the value; see <A
1086 HREF="c29323.html#HDRWQ558"
1088 Group-Creation Quota</A
1091 >Group creation quota has no meaning for a machine or group entry: the Protection Server recognizes the issuer of
1098 > command only as an authenticated user or as the <SPAN
1104 > user, never as a machine or group. The default value for group entries is 0 (zero),
1105 and there is no reason to change it.</P
1111 >The following examples show the output for a user called <SPAN
1117 >, a machine with IP address
1124 > and a group called <SPAN
1132 CLASS="programlisting"
1140 Name: pat, id: 1020, owner: system:administrators, creator: admin,
1141 membership: 12, flags: S----, group quota: 15.
1146 >pts ex 192.12.108.133</B
1149 Name: 192.12.108.133, id: 5151, owner: system:administrators, creator: admin,
1150 membership: 1, flags: S----, group quota: 20.
1155 >pts examine terry:friends</B
1158 Name: terry:friends, id: -567, owner: terry, creator: terry,
1159 membership: 12, flags: SOm--, group quota: 0.
1168 >To display group membership</A
1174 >Verify that you belong to the <SPAN
1178 >system:administrators</B
1180 > group, which enables you to
1181 display an entry's group membership information regardless of the setting of its third (<SPAN
1187 >) privacy flag. By default the owner and the user can display group membership for a user entry,
1188 the owner for a machine entry, and anyone for a group entry. If necessary, issue the <SPAN
1195 > command, which is fully described in <A
1196 HREF="c32432.html#HDRWQ587"
1197 >To display the members of the
1198 system:administrators group</A
1200 CLASS="programlisting"
1205 >pts membership system:administrators</B
1222 > command to display the list of
1223 groups to which a user or machine belongs, or the list of users and machines that belong to a group. <PRE
1224 CLASS="programlisting"
1233 >user or group name or id</VAR
1240 CLASS="variablelist"
1252 >Is the shortest acceptable abbreviation of <SPAN
1265 >user or group name or id</B
1270 >Specifies the name or AFS UID of each user or machine for which to list the groups it belongs to, or the name
1271 or AFS GID of each group for which to list the members.</P
1278 >For user and machine entries, the output begins with the following string, and then each group appears on its own
1281 CLASS="programlisting"
1282 > Groups user_or_machine (id: AFS_UID) is a member of:
1285 >For group entries, the output begins with the following string, and then each member appears on its own line:</P
1287 CLASS="programlisting"
1288 > Members of group (id: AFS_GID) are:
1291 >For the system groups <SPAN
1303 >, the output includes the initial header string only, because these groups do not have a
1304 stable membership listed in their Protection Database entry. See <A
1305 HREF="c29323.html#HDRWQ535"
1306 >The System Groups</A
1309 >The following examples show the output for a user called <SPAN
1315 > and a group called
1324 CLASS="programlisting"
1332 Groups terry (id: 5347) is a member of:
1340 >pts mem terry:friends</B
1343 Members of terry:friends (id: -567) are:
1355 >To list the groups that a user or group owns</A
1361 >Verify that you belong to the <SPAN
1365 >system:administrators</B
1367 > group, which enables you to
1368 display an entry's group ownership information regardless of the setting of its second (<SPAN
1374 >) privacy flag. By default the owner can list the groups owned by group, and a user the groups he
1375 or she owns. If necessary, issue the <SPAN
1381 > command, which is fully described in
1383 HREF="c32432.html#HDRWQ587"
1384 >To display the members of the system:administrators group</A
1386 CLASS="programlisting"
1391 >pts membership system:administrators</B
1405 > command to list the groups owned by each user or group.
1407 CLASS="programlisting"
1416 >user or group name or id</VAR
1423 CLASS="variablelist"
1435 >Is the shortest acceptable abbreviation of <SPAN
1448 >user or group name or id</B
1453 >Specifies the name or AFS UID of each user, or the name or AFS GID or each group, for which to list the groups
1461 >The output begins with the following string, and then each group appears on its own line:</P
1463 CLASS="programlisting"
1464 > Groups owned by user_or_group (id: AFS_ID) are:
1467 >The following examples show the output for a user called <SPAN
1473 > and a group called
1482 CLASS="programlisting"
1490 Groups owned by terry (id: 5347) are:
1497 >pts listo terry:friends</B
1500 Groups owned by terry:friends (id: -567) are:
1511 >To display all Protection Database entries</A
1517 >Verify that you belong to the <SPAN
1521 >system:administrators</B
1523 > group. If necessary, issue the
1530 > command, which is fully described in <A
1531 HREF="c32432.html#HDRWQ587"
1533 the members of the system:administrators group</A
1535 CLASS="programlisting"
1540 >pts membership system:administrators</B
1554 > command to display all Protection Database entries.
1556 CLASS="programlisting"
1581 CLASS="variablelist"
1593 >Is the shortest acceptable abbreviation of <SPAN
1611 >Displays user and machine entries. The same output results if you omit both this flag and the <SPAN
1629 >Displays group entries.</P
1636 >The output is a table that includes the following columns. Examples follow. <DIV
1637 CLASS="variablelist"
1645 CLASS="computeroutput"
1652 >Specifies the entry's name.</P
1660 CLASS="computeroutput"
1667 >Specifies the entry's AFS identification number. For user and machine entries, the AFS user ID (AFS UID) is a
1668 positive integer; for groups, the AFS group ID (AFS GID) is a negative integer.</P
1676 CLASS="computeroutput"
1683 >Specifies the AFS ID of the user or group who owns the entry and therefore can administer it.</P
1691 CLASS="computeroutput"
1698 >Specifies the AFS UID of the user who created the entry.</P
1704 >The following example is from the ABC Corporation cell. The issuer provides no options, so the output includes user and
1707 CLASS="programlisting"
1715 Name ID Owner Creator
1716 anonymous 32766 -204 -204
1722 192.12.105.33 2000 -204 1
1723 192.12.105.46 2001 -204 1
1733 >Creating User and Machine Entries</A
1736 >An entry in the Protection Database is one of the two required components of every AFS user account, along with an entry
1737 in the Authentication Database. It is best to create a Protection Database user entry only in the context of creating a complete
1738 user account, by using the <SPAN
1753 >Creating and Deleting User Accounts with the uss Command Suite</A
1760 > command as described in <A
1761 HREF="c27596.html#HDRWQ502"
1762 >Creating AFS User Accounts</A
1765 >You can also use the <SPAN
1771 > command to create Protection Database machine
1772 entries, which can then be used to control access based on the machine from which the access request originates. After creating
1773 a machine entry, add it to a Protection Database group and place the group on ACLs ( a machine cannot appear on ACLs directly).
1774 Because all replicas of a volume share the same ACL (the one on the volume's root directory mount point), you can replicate the
1775 volume that houses a program's binary file while still complying with a machine-based license agreement as required by the
1776 program's manufacturer. If you do not place any other entries on the ACL, then only users working on the designated machines can
1779 >Keep in mind that creating an ACL entry for a group with machine entries in it extends access to both authenticated and
1780 unauthenticated users working on the machine. However, you can deny access to unauthenticated users by omitting an entry for the
1787 > group from the ACLs of the parent directories in the file's pathname.
1788 Conversely, if you want to enable unauthenticated users on the machine to access a file, then the ACL on every directory leading
1789 to it must include an entry for either the <SPAN
1795 > group or a group to which the machine
1796 entry belongs. For more information on the <SPAN
1803 HREF="c29323.html#HDRWQ535"
1804 >The System Groups</A
1807 >Because a machine entry can include unauthenticated users, it is best not to add both machine entries and user entries to
1808 the same group. In general, it is easier to use and administer nonmixed groups. A machine entry can represent a single machine,
1809 or multiple machines with consecutive IP addresses (that is, all machines on a network or subnet) specified by a wildcard
1810 notation. See the instructions in <A
1811 HREF="c29323.html#HDRWQ543"
1812 >To create machine entries in the Protection Database</A
1815 >By default, the Protection Server assigns the next available AFS UID to a new user or machine entry. It is best to allow
1816 this, especially for machine entries. For user entries, it makes sense to assign an AFS UID only if the user already has a UNIX
1817 UID that the AFS UID needs to match (see <A
1818 HREF="c27596.html#HDRWQ496"
1819 >Assigning AFS and UNIX UIDs that Match</A
1821 automatically allocating an AFS UID, the Protection Server increments the <SAMP
1822 CLASS="computeroutput"
1825 by one and assigns the result to the new entry. Use the <SPAN
1831 > command to display the
1832 counter, as described in <A
1833 HREF="c29323.html#HDRWQ560"
1834 >Displaying and Setting the AFS UID and GID Counters</A
1837 >Do not reuse the AFS UIDs of users who have left your cell permanently or machine entries you have removed, even though
1838 doing so seems to avoid the apparent waste of IDs. When you remove a user or machine entry from the Protection Database, the
1845 > command displays the AFS UID associated with the former entry, rather than the name.
1846 If you then assign the AFS UID to a new user or machine, the new user or machine automatically inherits permissions that were
1847 granted to the previous possessor of the ID. To remove obsolete AFS UIDs from ACLs, use the <SPAN
1854 > command described in <A
1855 HREF="c31274.html#HDRWQ579"
1856 >Removing Obsolete AFS IDs from ACLs</A
1859 >In addition to the name and AFS UID, the Protection Server records the following values in the indicated fields of a new
1860 user or machine's entry. For more information and instructions on displaying an entry, see <A
1861 HREF="c29323.html#HDRWQ537"
1863 Protection Database entry</A
1868 CLASS="computeroutput"
1870 > field to the <SPAN
1874 >system:administrators</B
1876 > group, indicating that the group's members administer the entry.</P
1881 CLASS="computeroutput"
1883 > field to the username of the user who issued the <SPAN
1889 > command (or the <SPAN
1906 CLASS="computeroutput"
1915 the new entry does not yet belong to any groups.</P
1920 CLASS="computeroutput"
1930 HREF="c29323.html#HDRWQ559"
1931 >Setting the Privacy Flags on Database Entries</A
1937 CLASS="computeroutput"
1946 the new user can create 20 groups. This field has no meaning for machine entries. For further discussion, see <A
1947 HREF="c29323.html#HDRWQ558"
1948 >Setting Group-Creation Quota</A
1959 >To create machine entries in the Protection Database</A
1965 >Verify that you belong to the <SPAN
1969 >system:administrators</B
1971 > group. If necessary, issue the
1978 > command, which is fully described in <A
1979 HREF="c32432.html#HDRWQ587"
1981 the members of the system:administrators group</A
1983 CLASS="programlisting"
1988 >pts membership system:administrators</B
2002 > command to create one or more machine entries.
2004 CLASS="programlisting"
2009 >pts createuser -name</B
2020 CLASS="variablelist"
2032 >Is an alias for <SPAN
2045 the shortest acceptable abbreviation).</P
2057 >Specifies an IP address in dotted-decimal notation for each machine entry. An entry can represent a single
2058 machine or a set of several machines with consecutive IP addresses, using the wildcard notation described in the
2059 following list. The letters <SPAN
2083 > each represent an actual number value in the field:
2093 > represents a single machine, for example <SPAN
2109 > matches all machines whose IP addresses start with the first
2110 three numbers. For example, <SPAN
2116 > matches both <SPAN
2128 >, but does not match
2145 > matches all machines whose IP addresses start with the first
2146 two numbers. For example, the address <SPAN
2152 > matches both <SPAN
2164 >, but does not match
2181 > matches all machines whose IP addresses start with the first
2182 number in the specified address. For example, the address <SPAN
2202 does not match <SPAN
2213 >Do not define a machine entry with the name <SPAN
2219 > to match every machine.
2226 > group is equivalent.</P
2233 >The following example creates a machine entry that includes all of the machines in the <SPAN
2241 CLASS="programlisting"
2246 >pts cu 192.12.0.0</B
2261 >Before you can add members to a group, you must create the group entry itself. The instructions in this section explain
2262 how to create both regular and prefix-less groups: <UL
2271 >'s name is preceded by a prefix that indicates who owns the group, in the
2272 following format:</P
2282 >Any user can create a regular group. Group names must always be typed in full, so a short group_name that indicates
2283 the group's purpose or its members' common interest is practical. Groups with names like <SPAN
2295 > are less useful because their purpose is
2296 unclear. For more details on the required format for regular group names, see the instructions in <A
2297 HREF="c29323.html#HDRWQ546"
2298 >To create groups</A
2307 >prefix-less group</I
2309 >, as its name suggests, has only one field in its name, equivalent to a
2310 regular group's group_name field.</P
2312 >Only members of the <SPAN
2316 >system:administrators</B
2318 > group can create prefix-less groups. For
2319 a discussion of their purpose, see <A
2320 HREF="c29323.html#HDRWQ548"
2321 >Using Prefix-Less Groups</A
2327 >By default, the Protection Server assigns the next available AFS GID to a new group entry, and it is best to allow this.
2328 When automatically allocating an AFS GID (which is a negative integer), the Protection Server decrements the <SAMP
2329 CLASS="computeroutput"
2332 > counter by one and assigns the result to the new group. Use the <SPAN
2339 > command to display the counter, as described in <A
2340 HREF="c29323.html#HDRWQ560"
2341 >Displaying and Setting the AFS UID
2345 >In addition to the name and AFS GID, the Protection Server records the following values in the indicated fields of a new
2346 group's entry. See <A
2347 HREF="c29323.html#HDRWQ537"
2348 >To display a Protection Database entry</A
2353 CLASS="computeroutput"
2355 > field to the issuer of the <SPAN
2362 > command, or to the user or group specified by the <SPAN
2374 CLASS="computeroutput"
2376 > field to the username of the user who issued the <SPAN
2387 CLASS="computeroutput"
2396 the group currently has no members.</P
2401 CLASS="computeroutput"
2411 HREF="c29323.html#HDRWQ559"
2412 >Setting the Privacy Flags on Database Entries</A
2418 CLASS="computeroutput"
2427 field has no meaning for group entries.</P
2437 >Using Groups Effectively</A
2440 >The main reason to create groups is to place them on ACLs, which enables you to control access for multiple users
2441 without having to list them individually on the ACL. There are three basic ways to use groups, each suited to a different
2451 >: you create a group and place it on the ACL of directories you own, without
2452 necessarily informing the group's members that they belong to it. Members notice only that they can or cannot access the
2453 directory in a certain way. You retain sole administrative control over the group, since you are the owner.</P
2455 >The existence of the group and the identity of its members is not necessarily secret. Other users can use the
2462 > command and see the group's name on a directory's ACL, or use the <SPAN
2468 > command to list the groups they themselves belong to. You can set the group's
2469 third privacy flag to limit who can use the <SPAN
2475 > command to list the group's
2476 membership, but a member of the <SPAN
2480 >system:administrators</B
2482 > group always can; see <A
2483 HREF="c29323.html#HDRWQ559"
2484 >Setting the Privacy Flags on Database Entries</A
2495 >: you inform the group's members that they belong to the group, but you still
2496 remain the sole administrator. For example, the manager of a work group can create a group of all the members in the
2497 work group, and encourage them to use it on the ACLs of directories that house information they want to share with other
2498 members of the group.</P
2506 >If you place a group owned by someone else on your ACLs, the group's owner can change the group's membership
2507 without informing you. Someone new can gain or lose access in a way you did not intend and without your
2520 >: you create a group and then use the <SPAN
2527 command to assign ownership to a group, either another group or the group itself (the latter type is a self-owned
2528 group). You inform the members of the owning group that they all can administer the owned group.</P
2530 >The main advantage of designating a group as an owner is that it spreads responsibility for administering a group
2531 among several people. A single person does not have to perform all administrative tasks, and if the original creator
2532 leaves the group, ownership does not have to be transferred.</P
2534 >However, everyone in the owner group can make changes that affect others negatively, such as adding or removing
2535 people from the group inappropriately or changing the group's ownership to themselves exclusively. These problems can be
2536 particularly sensitive in a <SPAN
2542 > group. Using an owner group works best if all the members
2543 know and trust each other; it is probably wise to keep the number of people in an owner group small.</P
2554 >To create groups</A
2560 >If creating a prefix-less group, verify that you belong to the <SPAN
2564 >system:administrators</B
2566 > group. If necessary, issue the <SPAN
2573 > command, which is fully described in <A
2574 HREF="c32432.html#HDRWQ587"
2575 >To display the members of the
2576 system:administrators group</A
2578 CLASS="programlisting"
2583 >pts membership system:administrators</B
2597 > command to create each group. All of the groups have the
2599 CLASS="programlisting"
2604 >pts creategroup -name</B
2617 >owner of the group</VAR
2624 CLASS="variablelist"
2636 >Is an alias for <SPAN
2649 the shortest acceptable abbreviation). </P
2661 >Names each group to create. The name can include up to 63 lowercase letters or numbers, but it is best not to
2662 include punctuation characters, especially those that have a special meaning to the shell.</P
2664 >A prefix-less group name cannot include the colon (<SPAN
2670 >), because it is used to
2671 separate the two parts of a regular group name:</P
2681 >The Protection Server requires that the owner_name prefix of a regular group name accurately indicate the
2682 group's owner. By default, you are recorded as the owner, and the owner_name must be your AFS username. You can
2689 > argument to designate another AFS user, a regular group, or a
2690 prefix-less group as the owner, providing the required value in the owner_name field: <UL
2693 >If the owner is a user, it must be the AFS username.</P
2697 >If the owner is another regular group, it must match the owning group's owner_name field. For example,
2698 if the owner is the group <SPAN
2702 >terry:associates</B
2704 >, the owner field must be <SPAN
2714 >If the owner is a prefix-less group, it must be the owning group's name.</P
2719 >(For a discussion of why it is useful for a group to own another group, see <A
2720 HREF="c29323.html#HDRWQ545"
2722 Groups Effectively</A
2735 >Is optional and designates an owner other than the issuer of the command. Specify either an AFS username or
2736 the name of a regular or prefix-less group that already has at least one member. Do not include this argument if you
2737 want to make the group self-owned as described in <A
2738 HREF="c29323.html#HDRWQ545"
2739 >Using Groups Effectively</A
2741 instructions, see <A
2742 HREF="c29323.html#HDRWQ547"
2743 >To create a self-owned group</A
2746 >Do not designate a machine as a group's owner. Because a machine cannot authenticate, there is no way for a
2747 machine to administer the group.</P
2760 >To create a self-owned group</A
2772 > command to create a group. Do not include the <SPAN
2778 > argument, because you must own a group to reassign ownership. For complete instructions, see
2780 HREF="c29323.html#HDRWQ546"
2781 >To create groups</A
2783 CLASS="programlisting"
2805 > command to add one or more members to the group (a group must
2806 already have at least one member before owning another group). For complete instructions, see <A
2807 HREF="c29323.html#HDRWQ549"
2808 >Adding and Removing Group Members</A
2810 CLASS="programlisting"
2815 >pts adduser -user</B
2841 > command to assign group ownership to the group itself. For
2842 complete instructions, see <A
2843 HREF="c29323.html#HDRWQ555"
2844 >To change a group's owner</A
2846 CLASS="programlisting"
2871 >Using Prefix-Less Groups</A
2874 >Members of the <SPAN
2878 >system:administrators</B
2880 > group can create prefix-less groups, which are
2881 particularly suitable for <SPAN
2887 >, which is described in <A
2888 HREF="c29323.html#HDRWQ545"
2893 >Suppose, for example, that the manager of the ABC Corporation's Accounting Department, user <SPAN
2899 >, creates a group that includes all of the corporation's accountants and places the group on the
2900 ACLs of directories that house departmental records. Using a prefix-less group rather than a regular group is appropriate for
2901 the following reasons: <UL
2904 >The fact that <SPAN
2910 > created and owns the group is irrelevant, and a regular group
2911 must be called <SPAN
2917 >. A prefix-less name like <SPAN
2923 > is more appropriate.</P
2927 >If another user (say <SPAN
2933 >) ever replaces <SPAN
2940 as manager of the Accounting Department, <SPAN
2946 > needs to become the new owner of the
2947 group. If the group is a regular one, its owner_name prefix automatically changes to <SPAN
2953 >, but the change in the owner_name prefix does not propagate to any regular groups owned by
2954 the group. Someone must use the <SPAN
2960 > command to change each one's owner_name
2978 >A possible solution is to create an authentication account for a fictional user called <SPAN
2984 > and make it the owner of regular groups which have <SPAN
2991 their owner_name prefix. However, if the <SPAN
2997 > account is also used for other purposes, then
2998 the number of people who need to know user <SPAN
3004 >'s password is possibly larger than the
3005 number of people who need to administer the groups it owns.</P
3007 >A prefix-less group called <SPAN
3013 > solves the problem of inappropriate owner names. The
3014 groups that it owns have <SPAN
3020 > as their owner_name prefix, which more accurately reflects
3021 their purpose than having the manager's name there. Prefix-less groups are also more accountable than dummy authentication
3022 accounts. Belonging to the group enables individuals to exercise the permissions granted to the group on ACLs, but users
3023 continue to perform tasks under their own names rather than under the dummy username. Even if the group owns itself, only a
3024 finite number of people can administer the group entry.</P
3033 >Adding and Removing Group Members</A
3036 >Users and machines can be members of groups; groups cannot belong to other groups. Newly created groups have no members at
3037 all. To add them, use the <SPAN
3043 > command; to remove them, use the <SPAN
3056 >To add users and machines to groups</A
3062 >Verify that you belong to the <SPAN
3066 >system:administrators</B
3068 > group, which enables you to add
3069 members to a group regardless of the setting of its fourth (<SPAN
3075 >) privacy flag. By default
3076 the group's owner also has the necessary privilege. If necessary, issue the <SPAN
3083 > command, which is fully described in <A
3084 HREF="c32432.html#HDRWQ587"
3085 >To display the members of the
3086 system:administrators group</A
3088 CLASS="programlisting"
3093 >pts membership system:administrators</B
3107 > command to add one or more members to one or more groups.
3109 CLASS="programlisting"
3114 >pts adduser -user</B
3134 CLASS="variablelist"
3146 >Is the shortest acceptable abbreviation of <SPAN
3164 >Specifies each username or machine IP address to add as a member of each group named by the <SPAN
3170 > argument. A group cannot belong to another group.</P
3182 >Names each group to which to add the new members.</P
3195 >To remove users and machines from groups</A
3201 >Verify that you belong to the <SPAN
3205 >system:administrators</B
3207 > group, which enables you to
3208 remove members from a group regardless of the setting of its fifth (<SPAN
3215 default the group's owner also has the necessary privilege. If necessary, issue the <SPAN
3222 > command, which is fully described in <A
3223 HREF="c32432.html#HDRWQ587"
3224 >To display the members of the
3225 system:administrators group</A
3227 CLASS="programlisting"
3232 >pts membership system:administrators</B
3246 > command to remove one or more members from one or more
3248 CLASS="programlisting"
3253 >pts removeuser -user</B
3273 CLASS="variablelist"
3285 >Is the shortest acceptable abbreviation of <SPAN
3303 >Specifies each user or machine IP address to remove from each group named by the <SPAN
3321 >Names each group from which to remove members.</P
3335 >Deleting Protection Database Entries</A
3338 >It is best to delete a Protection Database user entry only if you are removing the complete user account. Use either the
3345 > command as described in <A
3346 HREF="c24913.html#HDRWQ486"
3347 >Deleting Individual Accounts with
3348 the uss delete Command</A
3355 > command as described in <A
3356 HREF="c27596.html#HDRWQ524"
3357 >Removing a User Account</A
3360 >To remove machine and group entries, use the <SPAN
3366 > command as described in this
3367 section. The operation has the following results: <UL
3370 >When you delete a machine entry, its name (IP address wildcard) is removed from groups.</P
3374 >When you delete a group entry, its AFS GID appears on ACLs instead of the name. The <SPAN
3381 > of the user who created the group increases by one, even if the user no longer owns the group.</P
3383 >To remove obsolete AFS IDs from ACLs, use the <SPAN
3389 > command as described in
3391 HREF="c31274.html#HDRWQ579"
3392 >Removing Obsolete AFS IDs from ACLs</A
3403 >To delete Protection Database entries</A
3409 >Verify that you belong to the <SPAN
3413 >system:administrators</B
3415 > group or own the group you are
3416 deleting. If necessary, issue the <SPAN
3422 > command, which is fully described in
3424 HREF="c32432.html#HDRWQ587"
3425 >To display the members of the system:administrators group</A
3427 CLASS="programlisting"
3432 >pts membership system:administrators</B
3446 > command to delete one or more entries from the Protection
3448 CLASS="programlisting"
3457 >user or group name or id</VAR
3464 CLASS="variablelist"
3476 >Is the shortest acceptable abbreviation of <SPAN
3489 >user or group name or id</B
3494 >Specifies the IP address or AFS UID of each machine or the name or AFS GID or each group to remove.</P
3508 >Changing a Group's Owner</A
3511 >For user and machine entries, the Protection Server automatically assigns ownership to the <SPAN
3515 >system:administrators</B
3517 > group at creation time, and this cannot be changed. For group entries, you can
3518 change ownership. This transfers administrative responsibility for it to another user or group (for information on group
3519 ownership of other groups, see <A
3520 HREF="c29323.html#HDRWQ545"
3521 >Using Groups Effectively</A
3524 >When you create a regular group, its owner_name prefix must accurately reflect its owner, as described in <A
3525 HREF="c29323.html#HDRWQ546"
3526 >To create groups</A
3530 >If the owner is a user, owner_name is the username.</P
3534 >If the owner is a regular group, owner_name is the owning group's owner_name prefix.</P
3538 >If the owner is a prefix-less group, owner_name is the owner group's name.</P
3543 >When you change a regular group's owner, the Protection Server automatically changes its owner_name prefix appropriately.
3544 For example, if the user <SPAN
3550 > becomes the new owner of the group <SPAN
3556 >, its name automatically changes to <SPAN
3563 the Protection Database and on ACLs.</P
3565 >However, the Protection Server does not automatically change the owner_name prefix of any regular groups that the group
3566 owns. To continue with the previous example, suppose that the group <SPAN
3585 > becomes the new owner of <SPAN
3597 > does not change. To change the
3598 owner_name prefix of a regular group that is owned by another group (in the example, to change the group's name to <SPAN
3610 > command as described in <A
3611 HREF="c29323.html#HDRWQ556"
3612 >Changing a Protection Database Entry's Name</A
3620 >To change a group's owner</A
3626 >Verify that you belong to the <SPAN
3630 >system:administrators</B
3632 > group or own the group for
3633 which you are changing the owner. If necessary, issue the <SPAN
3640 is fully described in <A
3641 HREF="c32432.html#HDRWQ587"
3642 >To display the members of the system:administrators group</A
3645 CLASS="programlisting"
3650 >pts membership system:administrators</B
3664 > If you are changing the group's owner to another group (or to itself)
3665 and want to retain administrative privilege on the owned group, verify that you belong to the new owner group. If
3666 necessary, issue the <SPAN
3672 > command, which is fully described in <A
3673 HREF="c29323.html#HDRWQ538"
3674 >To display group membership</A
3676 CLASS="programlisting"
3685 >user or group name or id</VAR
3696 > command to add yourself if necessary, as fully described in
3698 HREF="c29323.html#HDRWQ550"
3699 >To add users and machines to groups</A
3702 CLASS="programlisting"
3726 > command to change the group's owner. <PRE
3727 CLASS="programlisting"
3746 CLASS="variablelist"
3758 >Is the shortest acceptable abbreviation of <SPAN
3776 >Specifies the current name of the group.</P
3788 >Names the user or group to become the group's owner.</P
3808 display any groups that the group owns. As discussed in the introduction to this section, the <SPAN
3815 > command does not automatically change the owner_name prefix of any regular groups that a group owns.
3817 CLASS="programlisting"
3826 >user or group name or id</VAR
3831 >If you want to change their names to match the new owning group, use the <SPAN
3838 command on each one, as described in <A
3839 HREF="c29323.html#HDRWQ557"
3840 >To change the name of a machine or group
3844 CLASS="programlisting"
3869 >Changing a Protection Database Entry's Name</A
3872 >To change the name of a Protection Database entry, use the <SPAN
3878 > command. It is best
3879 to change a user entry's name only when renaming the entire user account, since so many components of the account
3880 (Authentication Database entry, volume name, home directory mount point, and so on) share the name. For instructions, see <A
3881 HREF="c27596.html#HDRWQ518"
3882 >Changing Usernames</A
3883 >. A machine entry's name maps to the actual IP address of one or more machine, so
3884 changing the entry's name is appropriate only if the IP addresses have changed.</P
3886 >It is likely, then, that most often you need to change group names. The following types of name changes are possible:
3890 >Changing a regular group's name to another regular group name. The most common reason for this type of change is
3891 that you have used the <SPAN
3897 > command to change the owner of the group. That operation
3898 does not change the owner_name prefix of a regular group owned by the group whose name has been changed. Therefore, you
3905 > command to change it appropriately. For example, when user
3912 > becomes the owner of the <SPAN
3919 name changes automatically to <SPAN
3925 >, but the name of a group it owns, <SPAN
3931 >, does not change. Use the <SPAN
3950 >. The Protection Server does not
3951 accept changes to the owner_name prefix that do not reflect the true ownership (changing <SPAN
3963 > is not possible).</P
3965 >You can also use the <SPAN
3971 > command to change the group_name portion of a
3972 regular group name, with or without changing the owner_name prefix.</P
3974 >Both the group's owner and the members of the <SPAN
3978 >system:administrators</B
3981 change its name to another regular group name.</P
3985 >Changing a regular group's name to a prefix-less name. If you change a group's name in this way, you must also use
3992 > command to change the name of any regular group that the group owns. Only
3993 members of the <SPAN
3997 >system:administrators</B
3999 > group can make this type of name change.</P
4003 >Changing a prefix-less name to another prefix-less name. As with other name changes, the owner_name prefix of any
4004 regular groups that the prefix-less group owns does not change automatically. You must issue the <SPAN
4011 > command on them to maintain consistency.</P
4013 >Both the group's owner and the members of the <SPAN
4017 >system:administrators</B
4020 change its name to another prefix-less name.</P
4024 >Changing a prefix-less name to a regular name. The owner_name prefix on the new name must accurately reflect the
4025 group's ownership. As with other name changes, the owner_name prefix of any regular groups that the prefix-less group owns
4026 does not change automatically. You must issue the <SPAN
4032 > command on them to maintain
4035 >Only members of the <SPAN
4039 >system:administrators</B
4041 > group can make this type of name
4052 >To change the name of a machine or group entry</A
4058 >Verify that you belong to the <SPAN
4062 >system:administrators</B
4064 > group. If necessary, issue the
4071 > command, which is fully described in <A
4072 HREF="c32432.html#HDRWQ587"
4074 the members of the system:administrators group</A
4076 CLASS="programlisting"
4081 >pts membership system:administrators</B
4095 > command to change the entry's name. <PRE
4096 CLASS="programlisting"
4115 CLASS="variablelist"
4127 >Is the shortest acceptable abbreviation of <SPAN
4145 >Specifies the entry's current name.</P
4157 >Specifies the new name. If the new name is for a regular group, the owner_name prefix must correctly indicate
4172 >Setting Group-Creation Quota</A
4175 >To prevent abuse of system resources, the Protection Server imposes a group-creation quota that limits how many more
4176 groups a user can create. When a new user entry is created, the quota is set to 20, but members of the <SPAN
4180 >system:administrators</B
4182 > group can use the <SPAN
4189 increase or decrease it at any time.</P
4191 >It is pointless to change group-creation quota for machine or group entries. It is not possible to authenticate as a group
4192 or machine and then create groups.</P
4194 >To display the group-creation quota, use the <SPAN
4200 > command to display a user
4202 CLASS="computeroutput"
4203 >group quota field</SAMP
4204 >, as described in <A
4205 HREF="c29323.html#HDRWQ537"
4206 >To display a Protection
4215 >To set group-creation quota</A
4221 >Verify that you belong to the <SPAN
4225 >system:administrators</B
4227 > group. If necessary, issue the
4234 > command, which is fully described in <A
4235 HREF="c32432.html#HDRWQ587"
4237 the members of the system:administrators group</A
4239 CLASS="programlisting"
4244 >pts membership system:administrators</B
4258 > command to specify how many more groups each of one or more
4259 users can create. <PRE
4260 CLASS="programlisting"
4265 >pts setfields -nameorid</B
4269 >user or group name or id</VAR
4279 >set limit on group creation</VAR
4286 CLASS="variablelist"
4298 >Is the shortest acceptable abbreviation of <SPAN
4316 >Specifies the name or AFS UID of each user for which to set group-creation quota.</P
4328 >Defines how many groups each user can create in addition to existing groups (in other words, groups that
4329 already exist do not count against the quota). The value you specify overwrites the current value, rather than
4344 >Setting the Privacy Flags on Database Entries</A
4347 >Members of the <SPAN
4351 >system:administrators</B
4353 > group can always display and administer Protection
4354 Database entries in any way, and regular users can display and administer their own entries and any group entries they own. The
4361 > on a Protection Database entry determine who else can display certain information from the
4362 entry, and who can add and remove members in a group.</P
4364 >To display the flags, use the <SPAN
4370 > command as described in <A
4371 HREF="c29323.html#HDRWQ537"
4372 >To display a Protection Database entry</A
4373 >. The flags appear in the output's
4375 CLASS="computeroutput"
4377 > field. To set the flags, include the <SPAN
4392 >The five flags always appear, and always must be set, in the following order:</P
4394 CLASS="variablelist"
4406 >Controls who can issue the <SPAN
4412 > command to display the entry.</P
4424 >Controls who can issue the <SPAN
4430 > command to display the groups that a user
4443 >Controls who can issue the <SPAN
4449 > command to display the groups a user or
4450 machine belongs to, or which users or machines belong to a group.</P
4462 >Controls who can issue the <SPAN
4468 > command to add a user or machine to a group.
4469 It is meaningful only for groups, but a value must always be set for it even on user and machine entries.</P
4481 >Controls who can issue the <SPAN
4487 > command to remove a user or machine from
4488 a group. It is meaningful only for groups, but a value must always be set for it even on user and machine entries.</P
4493 >Each flag can take three possible types of values to enable a different set of users to issue the corresponding command:
4503 >) designates the members of the <SPAN
4507 >system:administrators</B
4509 > group and the entry's owner. For user entries, it designates the user in
4514 >The lowercase version of the letter applies meaningfully to groups only, and designates members of the group in
4515 addition to the individuals designated by the hyphen.</P
4519 >The uppercase version of the letter designates everyone.</P
4524 >For example, the flags <SAMP
4525 CLASS="computeroutput"
4527 > on a group entry indicate that anyone can examine the
4528 group's entry and display the groups that it owns, and that only the group's members can display, add, or remove its
4531 >The default privacy flags for user and machine entries are <SAMP
4532 CLASS="computeroutput"
4534 >, meaning that anyone can
4535 display the entry. The ability to perform any other functions is restricted to members of the <SPAN
4539 >system:administrators</B
4541 > group and the entry's owner (as well as the user for a user entry).</P
4543 >The default privacy flags for group entries are <SAMP
4544 CLASS="computeroutput"
4546 >, meaning that all users can display
4547 the entry and the members of the group, but only the entry owner and members of the <SPAN
4551 >system:administrators</B
4553 > group can perform other functions. </P
4560 >To set a Protection Database entry's privacy flags</A
4566 >Verify that you belong to the <SPAN
4570 >system:administrators</B
4572 > group. If necessary, issue the
4579 > command, which is fully described in <A
4580 HREF="c32432.html#HDRWQ587"
4582 the members of the system:administrators group</A
4584 CLASS="programlisting"
4589 >pts membership system:administrators</B
4603 > command to set the privacy flags. <PRE
4604 CLASS="programlisting"
4613 >user or group name or id</VAR
4622 >set privacy flags</VAR
4629 CLASS="variablelist"
4641 >Is the shortest acceptable abbreviation of <SPAN
4654 >user or group name or id</B
4659 >Specifies the name or AFS UID of each user, the IP address or AFS UID of each machine, or the name or AFS GID
4660 of each group for which to set the privacy flags.</P
4672 >Specifies the set of privacy flags to associate with each entry. Provide a value for each of the five flags,
4673 observing the following constraints: <UL
4676 >Provide a value for all five flags, even though the fourth and fifth flags are not meaningful for user
4677 and machine entries.</P
4681 >For self-owned groups, the hyphen is equivalent to a lowercase letter, because all the members of a
4682 self-owned group own it.</P
4686 >Set the first flag to lowercase <SPAN
4692 > or uppercase <SPAN
4698 > only. For user and machine entries, the Protection Server interprets the lowercase
4705 > as equivalent to the hyphen.</P
4709 >Set the second flag to the hyphen (<SPAN
4715 >) or uppercase <SPAN
4721 > only. For groups, the Protection Server interprets the hyphen as equivalent to
4728 > (that is, members of a group can always list the groups that it
4733 >Set the third flag to the hyphen (<SPAN
4745 >, or uppercase <SPAN
4751 >. For user and machine entries, the
4758 > does not have a meaningful interpretation, because they have no
4763 >Set the fourth flag to the hyphen (<SPAN
4775 >, or uppercase <SPAN
4781 >. Although this flag does not have a
4782 meaningful interpretation for user and machine entries (because they have no members), it must be set,
4783 preferably to the hyphen.</P
4787 >Set the fifth flag to the hyphen (<SPAN
4793 >) or lowercase <SPAN
4799 > only. Although this flag does not have a meaningful interpretation for user and
4800 machine entries (because they have no members), it must be set, preferably to the hyphen.</P
4817 >Displaying and Setting the AFS UID and GID Counters</A
4820 >When you use the <SPAN
4826 > command to create a user or machine entry in the
4827 Protection Database, the Protection Server by default automatically allocates an AFS user ID (AFS UID) for it; similarly, it
4828 allocates an AFS group ID (AFS GID) for each group entry you create with the <SPAN
4835 command. It tracks the next available AFS UID (which is a positive integer) and AFS GID (which is a negative integer) with the
4837 CLASS="computeroutput"
4840 CLASS="computeroutput"
4842 > counters, respectively.</P
4844 >Members of the <SPAN
4848 >system:administrators</B
4850 > group can include the <SPAN
4856 > argument to either <SPAN
4862 > creation command to assign a specific ID to a
4863 new user, machine, or group. It often makes sense to assign AFS UIDs explicitly when creating AFS accounts for users with
4864 existing UNIX accounts, as discussed in <A
4865 HREF="c24913.html#HDRWQ456"
4866 >Assigning AFS and UNIX UIDs that Match</A
4868 useful if you want to establish ranges of IDs that correspond to departmental affiliations (for example, assigning AFS UIDs from
4869 300 to 399 to members of one department, AFS UIDs from 400 to 499 to another department, and so on).</P
4871 >To display the current value of the counters, use the <SPAN
4877 > command. When you next
4878 create a user or machine entry and do not specify its AFS UID, the Protection Server increments the <SAMP
4879 CLASS="computeroutput"
4882 > counter by one and assigns that number to the new entry. When you create a new group and do not specify its
4883 AFS GID, the Protection Server decrements the <SAMP
4884 CLASS="computeroutput"
4886 > counter by one (makes it more
4887 negative), and assigns that number to the new group.</P
4889 >You can change the value of either counter, or both, in one of two ways:</P
4893 >Directly, using the <SPAN
4903 >Indirectly, by using the <SPAN
4909 > argument to the <SPAN
4916 > command to assign an AFS UID that is larger than the <SAMP
4917 CLASS="computeroutput"
4920 counter, or by using the <SPAN
4933 command to assign an AFS GID that is less (more negative) than the max group id counter. In either case, the Protection
4934 Server changes the counter to the value of the <SPAN
4940 > argument. The Protection Server does not
4941 use the IDs between the previous value of the counter and the new one when allocating IDs automatically, unless you use the
4948 > command to move the counter back to its old value.</P
4950 >If the value you specify with the <SPAN
4956 > argument is less than the <SAMP
4957 CLASS="computeroutput"
4960 > counter or greater (less negative) than the <SAMP
4961 CLASS="computeroutput"
4964 then the counter does not change.</P
4973 >To display the AFS ID counters</A
4985 > command to display the counters. <PRE
4986 CLASS="programlisting"
5003 > is an acceptable abbreviation of <SPAN
5013 >The following example illustrates the output's format. In this case, the next automatically assigned AFS UID is 5439 and
5016 CLASS="programlisting"
5024 Max user id is 5438 and max group id is -468.
5033 >To set the AFS ID counters</A
5039 >Verify that you belong to the <SPAN
5043 >system:administrators</B
5045 > group. If necessary, issue the
5052 > command, which is fully described in <A
5053 HREF="c32432.html#HDRWQ587"
5055 the members of the system:administrators group</A
5057 CLASS="programlisting"
5062 >pts membership system:administrators</B
5076 > command to set the <SAMP
5077 CLASS="computeroutput"
5080 > counter, the <SAMP
5081 CLASS="computeroutput"
5083 > counter, or both. <PRE
5084 CLASS="programlisting"
5115 CLASS="variablelist"
5127 >Is the shortest acceptable abbreviation of <SPAN
5145 >Specifies an integer one greater (less negative) than the AFS GID that the Protection Server is to assign to
5146 the next group entry. Because the value is a negative integer, precede it with a hyphen (<SPAN
5164 >Specifies an integer one less than the AFS UID that the Protection Server is to assign to the next user or
5179 SUMMARY="Footer navigation table"
5218 >Administering User Accounts</TD
5232 >Managing Access Control Lists</TD