=head1 NAME

dlog - Authenticates to the DCE Security Service

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<dlog> S<<< [B<-principal> <I<user name>>] >>> S<<< [B<-cell> <I<cell name>>] >>>
    S<<< [B<-password> <I<user's password>>] >>>
    S<<< [B<-servers> <I<explicit list of servers>>+] >>>
    S<<< [B<-lifetime> <I<ticket lifetime in hh[:mm[:ss]]>>] >>>
    [B<-setpag>] [B<-pipe>] [B<-help>]

B<dlog> S<<< [B<-pr> <I<user name>>] >>> S<<< [B<-c> <I<cell name>>] >>>
    S<<< [B<-pw> <I<user's password>>] >>>
    S<<< [B<-ser> <I<explicit list of servers>>+] >>>
    S<<< [B<-l> <I<ticket lifetime in hh[:mm[:ss]]>>] >>>
    [B<-set>] [B<-pi>] [B<-h>]

=for html
</div>

=head1 DESCRIPTION

The B<dlog> command obtains DCE credentials for the issuer from the DCE
Security Service in the cell named by the B<-cell> argument, and stores
them on the AFS client machine on which the user issues the command. The
AFS/DFS Migration Toolkit Protocol Translator processes running on
machines in the DCE cell accept the credentials, which enables the user to
access the DCE cell's filespace from the AFS client. The user's identity
in the local file system is unchanged.

If the issuer does not provide the B<-principal> argument, the B<dlog>
command interpreter uses the user name under which the issuer is logged
into the local file system. Provide the DCE password for the appropriate
user name. As with the B<klog> command, the password does not cross the
network in clear text (unless the issuer is logged into the AFS client
from a remote machine).

The credentials are valid for a lifetime equivalent to the smallest of the
following, all but the last of which are defined by the DCE cell's Security
Server:

=over 4

=item *

The maximum certificate lifetime for the issuer's DCE account.

=item *

The maximum certificate lifetime for the AFS principal's DCE account.

=item *

The registry-wide maximum certificate lifetime.

=item *

The registry-wide default certificate lifetime.

=item *

The lifetime requested using the B<-lifetime> argument.

=back

If the preceding maximum certificate lifetime values are set to
C<default-policy>, the maximum possible ticket lifetime is defined by the
default certificate lifetime. Refer to the DCE vendor's administration
guide for more information before setting any of these values.

The AFS Cache Manager stores the ticket in a credential structure
associated with the name of the issuer (or the user named by the
B<-principal> argument). If the user already has a ticket for the DCE cell,
the ticket resulting from this command replaces it in the credential
structure.

The AFS B<tokens> command displays the ticket obtained by the B<dlog> command
for the server principal C<afs>, regardless of the principal to which it
is actually granted. Note that the B<tokens> command does not distinguish
tickets for a DFS(TM) File Server from tickets for an AFS File Server.

=head1 OPTIONS

=over 4

=item B<-principal> <I<user name>>

Specifies the DCE user name for which to obtain DCE credentials. If this
option is omitted, the B<dlog> command interpreter uses the name under
which the issuer is logged into the local file system.

=item B<-cell> <I<cell name>>

Specifies the DCE cell in which to authenticate. During a single login
session on a given machine, a user can authenticate in multiple cells
simultaneously, but can have only one ticket at a time for each cell (that
is, it is possible to authenticate under only one identity per cell per
machine). It is legal to abbreviate the cell name to the shortest form
that distinguishes it from the other cells listed in the
F</usr/vice/etc/CellServDB> file on the local client machine.

If the issuer does not provide the B<-cell> argument, the B<dlog> command
attempts to authenticate with the DCE Security Server for the cell defined
by

=over 4

=item *

The value of the environment variable AFSCELL on the local AFS client
machine, if defined. The issuer can set the AFSCELL environment variable
to name the desired DCE cell.

=item *

The cell name in the F</usr/vice/etc/ThisCell> file on the local AFS
client machine. The machine's administrator can place the desired DCE
cell's name in the file.

=back

=item B<-password> <I<user's password>>

Specifies the password for the issuer (or for the user named by the
B<-principal> argument). Using this argument is not recommended, because
it makes the password visible on the command line. If this argument is
omitted, the command prompts for the password and does not echo it
visibly.

=item B<-servers> <I<list of servers>>+

Specifies a list of DFS database server machines running the Translator
Server through which the AFS client machine can attempt to
authenticate. Specify each server by hostname, shortened machine name, or
IP address. If this argument is omitted, the B<dlog> command interpreter
randomly selects a machine from the list of DFS Fileset Location (FL)
Servers in the F</usr/vice/etc/CellServDB> file for the DCE cell specified
by the B<-cell> argument. This argument is useful for testing when
authentication seems to be failing on certain server machines.

=item B<-lifetime> <I<ticket lifetime>>

Requests a ticket lifetime using the format I<hh>B<:>I<mm>[B<:>I<ss>]
(hours, minutes, and optionally a number of seconds between 00 and 59). For
example, the value C<168:30> requests a ticket lifetime of 7 days and 30
minutes, and C<96:00> requests a lifetime of 4 days. Acceptable values
range from C<00:05> (5 minutes) to C<720:00> (30 days). If this argument
is not provided and no other determinants of ticket lifetime have been
changed from their defaults, ticket lifetime is 10 hours.

The requested lifetime must be smaller than any of the DCE cell's
determinants for ticket lifetime; see the discussion in the preceding
B<Description> section.

=item B<-setpag>

Creates a process authentication group (PAG) in which the newly created
ticket is placed. If this flag is omitted, the ticket is instead
associated with the issuer's local user ID (UID).

=item B<-pipe>

Suppresses any prompts that the command interpreter otherwise produces,
including the prompt for the issuer's password. Instead, the command
interpreter accepts the password via the standard input stream.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back
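
As an added example (not OpenAFS code), the following Python validates a B<-lifetime> value against the I<hh>[B<:>I<mm>[B<:>I<ss>]] format and the C<00:05> to C<720:00> range given above, and computes the effective lifetime as the smallest of the determinants listed in the DESCRIPTION section. The parameter names, and the treatment of a C<default-policy> maximum as the registry default, are this example's own assumptions.

```python
import re
from typing import Optional, Union

# Limits taken from this man page: -lifetime accepts hh[:mm[:ss]], from
# 00:05 (5 minutes) to 720:00 (30 days); the default lifetime is 10 hours.
MIN_LIFETIME_SEC = 5 * 60
MAX_LIFETIME_SEC = 720 * 3600
DEFAULT_LIFETIME_SEC = 10 * 3600
DEFAULT_POLICY = "default-policy"  # registry value meaning "use the default"
_LIFETIME_RE = re.compile(r"^(\d+)(?::(\d{1,2}))?(?::(\d{1,2}))?$")


def parse_lifetime(text: str) -> int:
    """Convert an hh[:mm[:ss]] string to seconds; raise ValueError if unusable."""
    m = _LIFETIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"{text!r}: expected hh[:mm[:ss]]")
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    if minutes > 59 or seconds > 59:
        raise ValueError(f"{text!r}: minutes and seconds must be 00-59")
    total = hours * 3600 + minutes * 60 + seconds
    if not MIN_LIFETIME_SEC <= total <= MAX_LIFETIME_SEC:
        raise ValueError(f"{text!r}: lifetime must lie between 00:05 and 720:00")
    return total


def is_valid_lifetime(text: str) -> bool:
    """True when parse_lifetime() accepts the string."""
    try:
        parse_lifetime(text)
        return True
    except ValueError:
        return False


def effective_lifetime(requested: Optional[int],
                       issuer_max: Union[int, str] = DEFAULT_POLICY,
                       afs_principal_max: Union[int, str] = DEFAULT_POLICY,
                       registry_max: Union[int, str] = DEFAULT_POLICY,
                       registry_default: int = DEFAULT_LIFETIME_SEC) -> int:
    """Smallest of the cell's determinants and the requested value (seconds);
    a maximum set to 'default-policy' is capped by the registry default."""
    def resolve(limit: Union[int, str]) -> int:
        return registry_default if limit == DEFAULT_POLICY else int(limit)

    limits = [resolve(issuer_max), resolve(afs_principal_max),
              resolve(registry_max), registry_default]
    if requested is not None:
        limits.append(requested)
    return min(limits)
```

With every cell determinant left at its default, even a valid C<-lifetime 100> yields the 10-hour default, which is why the man page says the requested value must be smaller than the cell's determinants to take effect.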
177 | ||
=head1 OUTPUT

If the B<dlog> command interpreter cannot contact a Translator
Server, it produces a message similar to the following:

   dlog: server or network not responding -- failed to contact
   authentication service

=head1 EXAMPLES

The following command authenticates the issuer as C<cell_admin> in the
C<dce.example.com> cell.

   % dlog -principal cell_admin -cell dce.example.com
   Password: <cell_admin's password>

In the following example, the issuer authenticates as C<cell_admin> to the
C<dce.example.com> cell and requests a ticket lifetime of 100 hours. The
B<tokens> command confirms that the user obtained DCE credentials as the
user C<cell_admin>: the AFS ID is equivalent to the UNIX ID of C<1>
assigned to C<cell_admin> in the C<dce.example.com> cell's DCE registry.

   % dlog -principal cell_admin -cell dce.example.com -lifetime 100
   Password: <cell_admin's password>

   % tokens
   Tokens held by the Cache Manager:

   User's (AFS ID 1) tokens for afs@dce.example.com [Expires Jul 6 14:12]
   User's (AFS ID 4758) tokens for afs@example.com [Expires Jul 2 13:14]

   --End of list--

=head1 PRIVILEGE REQUIRED

None

=head1 SEE ALSO

L<dpass(1)>,
L<klog(1)>,
L<tokens(1)>,
L<unlog(1)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.