1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Managing Administrative Privilege</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
10 TITLE="AFS Administration Guide"
11 HREF="book1.html"><LINK
13 TITLE="Managing Users and Groups"
14 HREF="p24911.html"><LINK
16 TITLE="Managing Access Control Lists"
17 HREF="c31274.html"><LINK
19 TITLE="Managing the NFS/AFS Translator"
20 HREF="a33047.html"></HEAD
31 SUMMARY="Header navigation table"
40 >AFS Administration Guide: Version 3.6</TH
77 >Chapter 16. Managing Administrative Privilege</H1
79 >This chapter explains how to enable system administrators and operators to perform privileged AFS operations.</P
86 >Summary of Instructions</A
89 >This chapter explains how to perform the following tasks by using the indicated commands:</P
104 >Display members of <SPAN
108 >system:administrators</B
126 >system:administrators</B
140 >Remove user from <SPAN
144 >system:administrators</B
159 CLASS="computeroutput"
161 > flag in Authentication Database entry</TD
174 CLASS="computeroutput"
176 > flag on Authentication Database entry</TD
188 >Display users in <SPAN
224 >Remove user from <SPAN
250 >An Overview of Administrative Privilege</A
253 >A fully privileged AFS system administrator has the following characteristics: <UL
256 >Membership in the cell's <SPAN
260 >system:administrators</B
263 HREF="c32432.html#HDRWQ586"
264 >Administering the system:administrators Group</A
270 CLASS="computeroutput"
272 > flag on his or her entry in the cell's Authentication Database. See <A
273 HREF="c32432.html#HDRWQ589"
274 >Granting Privilege for kas Commands: the ADMIN Flag</A
279 >Inclusion in the file <SPAN
283 >/usr/afs/etc/UserList</B
285 > on the local disk of each AFS server
286 machine in the cell. See <A
287 HREF="c32432.html#HDRWQ592"
288 >Administering the UserList File</A
294 >This section describes the three privileges and explains why more than one privilege is necessary.</P
302 >Never grant any administrative privilege to the user <SPAN
308 >, even when a server
309 outage makes it impossible to mutually authenticate. If you grant such privilege, then any user who can access a machine in
310 your cell can issue privileged commands. The alternative solution is to put the affected server machine into no-authentication
311 mode and use the <SPAN
317 > flag available on many commands to prevent mutual authentication
318 attempts. For further discussion, see <A
319 HREF="c3025.html#HDRWQ123"
320 >Managing Authentication and Authorization
331 >The Reason for Separate Privileges</A
334 >Often, a cell's administrators require full administrative privileges to perform their jobs effectively. However,
335 separating the three types of privilege makes it possible to grant only the minimum set of privileges that a given
336 administrator needs to complete his or her work.</P
342 >system:administrators</B
344 > group privilege is perhaps the most basic, and most
345 frequently used during normal operation (when all the servers are running normally). When the Protection Database is
346 unavailable due to machine or server outage, it is not possible to issue commands that require this type of privilege.</P
349 CLASS="computeroutput"
351 > flag privilege is separate because of the extreme sensitivity of the
352 information in the Authentication Database, especially the server encryption key in the <SPAN
359 entry. When the Authentication Database is unavailable due to machine or server outage, it is not possible to issue commands
360 that require this type of privilege.</P
362 >The ability to issue privileged <SPAN
375 recorded in the <SPAN
379 >/usr/afs/etc/UserList</B
381 > file on the local disk of each AFS server machine
382 rather than in a database, so that in case of serious server or network problems administrators can still log onto server
383 machines and use those commands while solving the problem.</P
392 >Administering the system:administrators Group</A
395 >The first type of AFS administrative privilege is membership . Members of the <SPAN
399 >system:administrators</B
401 > group in the Protection Database have the following privileges: <UL
404 >Permission to issue all <SPAN
410 > commands, which are used to administer the Protection
413 >Administering the Protection Database</A
418 >Permission to issue the <SPAN
431 commands, which set the space quota on volumes as described in <A
432 HREF="c8420.html#HDRWQ234"
433 >Setting and Displaying Volume
434 Quota and Current Size</A
451 >) and by default <SPAN
463 >) permissions on the access control list (ACL) on every
464 directory in the cell's AFS filespace. Members of the group can use the <SPAN
471 to grant themselves any other permissions they require, as described in <A
472 HREF="c31274.html#HDRWQ573"
477 >You can change the ACL permissions that the File Server on a given file server machine implicitly grants to the
482 >system:administrators</B
484 > group for the data in volumes that it houses. When
491 > command to create and start the <SPAN
497 > process on the machine, include the <SPAN
510 > initialization command. For syntax details, see the <SPAN
516 > reference page in the <SPAN
520 >IBM AFS Administration Reference</I
523 grant additional permissions, or remove the <SPAN
529 > permission. However, the File Server always
530 implicitly grants the <SPAN
536 > permission to members of the group, even if you set the value of
559 >To display the members of the system:administrators group</A
571 > command to display the <SPAN
575 >system:administrators</B
577 > group's list of members. Any user can issue this command as long as the first
578 privacy flag on the <SPAN
582 >system:administrators</B
584 > group's Protection Database entry is not
585 changed from the default value of uppercase <SAMP
586 CLASS="computeroutput"
589 CLASS="programlisting"
594 >pts membership system:administrators</B
606 > is the shortest acceptable abbreviation of <SPAN
622 >To add users to the system:administrators group</A
628 >Verify that you belong to the <SPAN
632 >system:administrators</B
634 > group. If necessary, issue the
641 > command, which is fully described in <A
642 HREF="c32432.html#HDRWQ587"
644 the members of the system:administrators group</A
646 CLASS="programlisting"
651 >pts membership system:administrators</B
665 > group to add one or more users. <PRE
666 CLASS="programlisting"
671 >pts adduser -user</B
680 >-group system:administrators</B
699 >Is the shortest acceptable abbreviation of <SPAN
717 >Names each user to add to the <SPAN
721 >system:administrators</B
737 >To remove users from the system:administrators group</A
743 >Verify that you belong to the <SPAN
747 >system:administrators</B
749 > group. If necessary, issue the
756 > command, which is fully described in <A
757 HREF="c32432.html#HDRWQ587"
759 the members of the system:administrators group</A
761 CLASS="programlisting"
766 >pts membership system:administrators</B
780 > command to remove one or more users. <PRE
781 CLASS="programlisting"
786 >pts removeuser -user</B
795 >-group system:administrators</B
814 >Is the shortest acceptable abbreviation of <SPAN
832 >Names each user to remove from the <SPAN
836 >system:administrators</B
853 >Granting Privilege for kas Commands: the ADMIN Flag</A
856 >Administrators who have the <SAMP
857 CLASS="computeroutput"
859 > flag on their Authentication Database entry can issue
866 > commands, which enable them to administer the Authentication Database. </P
873 >To check if the ADMIN flag is set</A
888 > command to display an entry from the
889 Authentication Database.</P
891 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
892 it authenticates your local (UFS) identity, which possibly does not correspond to an AFS-privileged administrator. Include
899 > argument (here abbreviated to <SPAN
905 >) to name a user identity that has the <SAMP
906 CLASS="computeroutput"
909 Authentication Database entry.</P
911 CLASS="programlisting"
930 >admin principal to use for authentication</VAR
932 Administrator's (admin_user) password: <<VAR
951 >Is the shortest acceptable abbreviation of <SPAN
969 >Names the entry to display.</P
981 >Names an administrative account with the <SAMP
982 CLASS="computeroutput"
984 > flag on its Authentication
985 Database entry, such as the <SPAN
991 > account. The password prompt echoes it as
992 admin_user. Enter the appropriate password as admin_password.</P
1001 CLASS="computeroutput"
1003 > flag is turned on, it appears on the first line, as in this
1006 CLASS="programlisting"
1011 >kas e terry -admin admin</B
1014 Administrator's (admin) password: <<VAR
1016 >admin_password</VAR
1018 User data for terry (ADMIN)
1019 key version is 0, etc...
1028 >To set or remove the ADMIN flag</A
1040 > command to turn on the
1042 CLASS="computeroutput"
1044 > flag in an Authentication Database entry.</P
1046 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
1047 it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator.
1054 > argument to name an identity that has the
1056 CLASS="computeroutput"
1058 > flag on its Authentication Database entry. To verify that an entry has the flag,
1065 > command as described in <A
1066 HREF="c32432.html#HDRWQ590"
1068 ADMIN flag is set</A
1071 >The following command appears on two lines only for legibility.</P
1073 CLASS="programlisting"
1104 >admin principal to use for authentication</VAR
1106 Administrator's (admin_user) password: <<VAR
1108 >admin_password</VAR
1113 CLASS="variablelist"
1125 >Is an alias for <SPAN
1138 shortest acceptable abbreviation).</P
1150 >Names the entry for which to set or remove the <SAMP
1151 CLASS="computeroutput"
1165 >Sets or removes the <SAMP
1166 CLASS="computeroutput"
1168 > flag, respectively.</P
1180 >Names an administrative account with the <SAMP
1181 CLASS="computeroutput"
1183 > flag on its Authentication
1184 Database entry, such as the <SPAN
1190 > account. The password prompt echoes it as
1191 admin_user. Enter the appropriate password as admin_password.</P
1206 >Administering the UserList File</A
1209 >Inclusion in the file <SPAN
1213 >/usr/afs/etc/UserList</B
1215 > on the local disk of each AFS server machine
1216 enables an administrator to issue commands from the indicated suites. <UL
1225 > commands enable the administrator to manage server processes and the server
1226 configuration files that define the cell's database server machines, server encryption keys, and privileged users. See
1229 >Administering Server Machines</A
1232 >Monitoring and Controlling
1244 > commands enable the administrator to manage volumes and the Volume Location
1245 Database (VLDB). See <A
1247 >Managing Volumes</A
1258 > commands enable the administrator to use the AFS Backup System to copy
1259 data to permanent storage. See <A
1261 >Configuring the AFS Backup System</A
1264 >Backing Up and Restoring AFS Data</A
1270 >Although each AFS server machine maintains a separate copy of the file on its local disk, it is conventional to keep all
1271 copies the same. It can be confusing for an administrator to have the privilege on some machines but not others. </P
1273 >If your cell runs the United States edition of AFS and uses the Update Server to distribute the contents of the system
1274 control machine's <SPAN
1280 > directory, then edit only the copy of the <SPAN
1286 > file stored on the system control machine. If you have forgotten which machine is the system
1287 control machine, see <A
1288 HREF="c3025.html#HDRWQ90"
1289 >The Four Roles for File Server Machines</A
1292 >If your cell runs the international edition of AFS, or does not use a system control machine, then you must edit the
1299 > file on each server machine individually.</P
1301 >To avoid making formatting errors that can result in performance problems, never edit the <SPAN
1307 > file directly. Instead, use the <SPAN
1319 > commands as described in this section. </P
1326 >To display the users in the UserList file</A
1338 > command to display the contents of the <SPAN
1342 >/usr/afs/etc/UserList</B
1345 CLASS="programlisting"
1360 CLASS="variablelist"
1372 >Is the shortest acceptable abbreviation of <SPAN
1390 >Names an AFS server machine. In the normal case, any machine is acceptable because the file is the same on
1405 >To add users to the UserList file</A
1411 >Verify you are listed in the <SPAN
1415 >/usr/afs/etc/UserList</B
1417 > file. If not, you must have a
1418 qualified administrator add you before you can add entries to it yourself. If necessary, issue the <SPAN
1424 > command, which is fully described in <A
1425 HREF="c32432.html#HDRWQ593"
1426 >To display the users in
1427 the UserList file</A
1429 CLASS="programlisting"
1451 > command to add one or more users to the <SPAN
1458 CLASS="programlisting"
1476 CLASS="variablelist"
1488 >Is the shortest acceptable abbreviation of <SPAN
1506 >Names the system control machine if you use the Update Server to distribute the contents of the <SPAN
1512 > directory (possible only in cells running the United States edition of AFS).
1513 By default, it can take up to five minutes for the Update Server to distribute the changes, so newly added users
1514 must wait that long before attempting to issue privileged commands.</P
1516 >If you are running the international edition of AFS, or do not use the Update Server, repeat the command,
1517 substituting the name of each AFS server machine for machine name in turn.</P
1529 >Specifies the username of each administrator to add to the <SPAN
1550 >To remove users from the UserList file</A
1556 >Verify you are listed in the <SPAN
1560 >/usr/afs/etc/UserList</B
1562 > file. If not, you must have a
1563 qualified administrator add you before you can remove entries from it yourself. If necessary, issue the <SPAN
1569 > command, which is fully described in <A
1570 HREF="c32432.html#HDRWQ593"
1571 >To display the users in
1572 the UserList file</A
1574 CLASS="programlisting"
1596 > command to remove one or more users from the <SPAN
1603 CLASS="programlisting"
1621 CLASS="variablelist"
1633 >Is the shortest acceptable abbreviation of <SPAN
1651 >Names the system control machine if you use the Update Server to distribute the contents of the <SPAN
1657 > directory (possible only in cells running the United States edition of AFS).
1658 By default, it can take up to five minutes for the Update Server to distribute the change, so newly removed users
1659 can continue to issue privileged commands during that time.</P
1661 >If you are running the international edition of AFS, or do not use the Update Server, repeat the command,
1662 substituting the name of each AFS server machine for machine name in turn.</P
1674 >Specifies the username of each administrator to add to the <SPAN
1696 SUMMARY="Footer navigation table"
1735 >Managing Access Control Lists</TD
1749 >Managing the NFS/AFS Translator</TD
git://git.openafs.org / openafs.git / blob