Administration Reference
Purpose
Introduction to the kas command suite
Description
The commands in the kas command suite are the administrative
interface to the Authentication Server, which runs on each database server
machine in a cell, maintains the Authentication Database, and provides the
authentication tickets that client applications must present to AFS servers in
order to obtain access to AFS data and other services.
There are several categories of commands in the kas command
suite:
- Commands to create, modify, examine and delete entries in the
Authentication Database, including passwords: kas create,
kas delete, kas examine, kas list, kas setfields,
kas setkey, kas setpassword, and kas unlock
- Commands to create, delete, and examine tokens and server tickets:
kas forgetticket, kas listtickets, kas noauthentication,
and kas stringtokey
- A command to enter interactive mode: kas interactive
- A command to trace Authentication Server operations: kas statistics
- Commands to obtain help: kas apropos and kas help
Because of the sensitivity of information in the Authentication Database,
the Authentication Server authenticates issuers of kas commands
directly, rather than accepting the standard token generated by the Ticket
Granting Service. Any kas command that requires
administrative privilege prompts the issuer for a password. The
resulting ticket is valid for six hours unless the maximum ticket lifetime for
the issuer or the Authentication Server's Ticket Granting Service is
shorter.
To avoid having to provide a password repeatedly when issuing a sequence of
kas commands, enter interactive mode by issuing the
kas interactive command, typing kas without any
operation code, or typing kas followed by a user and cell name,
separated by an at-sign (@; an example is kas smith.admin@abc.com). After
prompting once for a
password, the Authentication Server accepts the resulting token for every
command issued during the interactive session. See the reference page
for the kas interactive command for a discussion of when to use
each method for entering interactive mode and of the effects of entering a
session.
The Authentication Server maintains two databases on the local disk of the
machine where it runs:
- The Authentication Database (/usr/afs/db/kaserver.DB0)
stores the information used to provide AFS authentication services to users
and servers, including the password scrambled as an encryption key. The
reference page for the kas examine command describes the
information in a database entry.
- An auxiliary file (/usr/afs/local/kaauxdb by default) that
tracks how often the user has provided an incorrect password to the local
Authentication Server. The reference page for the kas setfields
command describes how the Authentication Server uses this file
to enforce the limit on consecutive authentication failures. To
designate an alternate directory for the file, use the kaserver
command's -localfiles argument.
Options
The following arguments and flags are available on many commands in the
kas suite. (Some of them are unavailable on commands entered
in interactive mode, because the information they specify is established when
entering interactive mode and cannot be changed except by leaving interactive
mode.) The reference page for each command also lists them, but they
are described here in greater detail.
- -admin_username
- Specifies the user identity under which to authenticate with the
Authentication Server for execution of the command. If this argument is
omitted, the kas command interpreter requests authentication for
the identity under which the issuer is logged onto the local machine.
Do not combine this argument with the -noauth flag.
- -cell <cell name>
- Names the cell in which to run the command. It is acceptable to
abbreviate the cell name to the shortest form that distinguishes it from the
other entries in the /usr/vice/etc/CellServDB file on the local
machine. If the -cell argument is omitted, the command
interpreter determines the name of the local cell by reading the following in
order:
- The value of the AFSCELL environment variable
- The local /usr/vice/etc/ThisCell file
The -cell argument is not available on commands issued in
interactive mode. The cell defined when the kas command
interpreter enters interactive mode applies to all commands issued during the
interactive session.
- -help
- Prints a command's online help message on the standard output
stream. Do not combine this flag with any of the command's other
options; when it is provided, the command interpreter ignores all other
options, and only prints the help message.
- -noauth
- Establishes an unauthenticated connection to the Authentication Server, in
which the Authentication Server treats the issuer as the unprivileged user
anonymous. It is useful only when authorization checking is
disabled on the server machine (during the installation of a server machine or
when the bos setauth command has been used during other unusual
circumstances). In normal circumstances, the Authentication Server
allows only privileged users to issue most kas commands, and
refuses to perform such an action even if the -noauth flag is
provided. Do not combine this flag with the -admin_username
and -password_for_admin arguments.
- -password_for_admin
- Specifies the password of the command's issuer. It is best to
omit this argument, which echoes the password visibly in the command shell,
and instead enter the password at the prompt. Do not combine this argument
with the -noauth flag.
- -servers
- Establishes a connection with the Authentication Server running on each
specified database server machine, instead of on each machine listed in the
local /usr/vice/etc/CellServDB file. In either case, the
kas command interpreter then chooses one of the machines at random
to contact for execution of each subsequent command. The issuer can
abbreviate the machine name to the shortest form that allows the local name
service to identify it uniquely.
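The cell-resolution rules given under -cell, as an added example that is not part of the IBM reference page: a POSIX shell sketch of how the default cell is chosen (AFSCELL, then ThisCell) and how an abbreviated cell name is matched against the client CellServDB, including the ambiguous and no-match cases. It assumes the usual client CellServDB layout, in which each cell's entry begins with a ">cellname" line; the function names and the sample file are constructed for this example.

```shell
# Added example, not from the IBM reference page: how the kas interpreter
# picks a cell when -cell is omitted (AFSCELL, then ThisCell) and how an
# abbreviated -cell value is matched against the client CellServDB. Paths
# are parameters so constructed files can be used; function names assumed.

# Default cell: $AFSCELL if set, otherwise the first line of ThisCell.
kas_resolve_cell() {
    thiscell=${1:-/usr/vice/etc/ThisCell}
    if [ -n "$AFSCELL" ]; then
        printf '%s\n' "$AFSCELL"
    elif [ -r "$thiscell" ]; then
        head -n 1 "$thiscell"
    else
        return 1
    fi
}

# Cell lines in CellServDB begin with '>' and may carry a '#' comment.
# Prints the cell and exits 0 on an exact or unique prefix match,
# exits 2 if the abbreviation is ambiguous, 1 if nothing matches.
kas_expand_cell() {
    abbrev=$1
    db=${2:-/usr/vice/etc/CellServDB}
    found= count=0
    while IFS= read -r line; do
        case $line in
            ">"*)
                name=${line#">"}
                name=${name%%[[:space:]#]*}
                [ "$name" = "$abbrev" ] && { printf '%s\n' "$name"; return 0; }
                case $name in
                    "$abbrev"*) found=$name; count=$((count + 1)) ;;
                esac ;;
        esac
    done < "$db"
    [ "$count" -eq 1 ] && { printf '%s\n' "$found"; return 0; }
    [ "$count" -gt 1 ] && return 2
    return 1
}

# Constructed sample client CellServDB (not a real cell list).
SAMPLE_DB=$(mktemp)
cat > "$SAMPLE_DB" <<'EOF'
>abc.com	#ABC Corporation (constructed)
10.0.0.1	#afsdb1.abc.com
>abc.com.au	#ABC Australia (constructed)
>xyz.org	#XYZ (constructed)
EOF
kas_expand_cell abc.com.a "$SAMPLE_DB"    # prints abc.com.au
kas_expand_cell abc "$SAMPLE_DB" || echo "abbreviation abc is ambiguous ($?)"
```

An exact name always wins over a longer cell that merely starts with it, so "abc.com" resolves to abc.com even though abc.com.au is also listed.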
Privilege Required
To issue most kas commands, the issuer must have the
ADMIN flag set in his or her Authentication Database entry (use the
kas setfields command to turn the flag on).
Related Information
CellServDB (client version)
kaserver.DB0 and kaserver.DBSYS1
kaserverauxdb
kas apropos
kas create
kas delete
kas examine
kas forgetticket
kas help
kas interactive
kas list
kas listtickets
kas noauthentication
kas quit
kas setfields
kas setpassword
kas statistics
kas stringtokey
kas unlock
kaserver
© IBM Corporation 2000. All Rights Reserved