credential structure already contains a token for the requested cell, the
token resulting from this command replaces it.
-Sites that employ standard Kerberos authentication instead of the AFS
-Authentication Server must use the Kerberos version of this command,
+Sites that employ Kerberos authentication instead of the AFS
+Authentication Server should normally use the combination of B<kinit> and
+B<aklog> instead of B<klog>.
+
+Sites using Kerberos v4 authentication (perhaps with the AFS
+Authentication Server) must use the Kerberos version of this command,
B<klog.krb>, on all client machines. It automatically places the issuer's
Kerberos tickets in the file named by the KRBTKFILE environment variable,
which the B<pagsh.krb> command defines automatically as F</tmp/tktpI<X>>
S<<< [B<-confdir> <I<configuration directory>>] >>>
S<<< [B<-logfile> <I<Place to keep the CM log>>] >>>
[B<-waitclose>] [B<-shutdown>] [B<-enable_peer_stats>]
- [B<-enable_process_stats>] [B<-help>]
+ [B<-enable_process_stats>] [B<-dynroot>] [B<-help>]
=for html
</div>
other machines. To display or otherwise access the records, use the Rx
Monitoring API.
+=item B<-dynroot>
+
+The standard behaviour of the AFS client without the B<-dynroot> option is
+to mount the root.afs volume from the default cell on the F</afs> path. The
+F</afs> folder and root.afs volume traditionally shows the folders for
+F<ThisCell> and other cells as configured by the AFS cell administrator.
+
+The B<-dynroot> option changes this. Using this option, the AFS client does
+NOT mount the root.afs volume on F</afs>. Instead it uses the contents of
+the F<CellServDB> file to populate the listing of cells in F</afs>. This
+is known as a DYNamic ROOT. A cell is not contacted until the path
+F</afs/I<cellname>> if accessed. This functions similarly to an automounter.
+The main advantage of using B<-dynroot> is that the AFS client will
+start properly even without network access, whereas the client not using
+B<-dynroot> will freeze upon startup if cannot contact the default cell
+specified in F<ThisCell> and mount the root.afs volume. Dynamic root mode
+is also sometimes called travelling mode because it works well for laptops
+which don't always have network connectivity.
+
+Two advantages of not using dynroot are that listing F</afs> will usually
+be faster because the contents of F</afs> are limited to what the AFS
+administrator decides and that symbolic links are traditionally created
+by the AFS administrator to provide a short name for the cell (i.e.
+cellname.domain.com is aliased to cellname). However, with dynroot, the
+local system administrator can limit the default contents of F</afs> by
+installing a stripped-down F<CellServDB> file, and if dynroot is in effect,
+the F<CellAlias> file can be used to provide shortname for common AFS cells
+which provides equivalent functionality to the most commonly used symbolic
+links.
+
=item B<-help>
Prints the online help for this command. All other valid options are
=item B<-skipauth>
-Bypasses mutual authentication with the AFS Authentication Server,
-allowing a site that uses Kerberos instead of the AFS Authentication
-Server to substitute that form of authentication.
+Bypasses mutual authentication with the AFS Authentication Server, allowing
+a site that uses Kerberos instead of the AFS Authentication Server to
+substitute that form of authentication. If this option is given, B<uss> does
+not create or manipulate Kerberos principals. A Kerberos principal must be
+created separately from the B<uss add> command.
=back