<?xml version="1.0" encoding="UTF-8"?>
<chapter id="HDRWQ491">
<title>Administering User Accounts</title>

<para><indexterm>
<primary>administering</primary>

<secondary>user accounts</secondary>
</indexterm></para>

<para>This chapter explains how to create and maintain user accounts in your cell.</para>

<para>The preferred method for creating user accounts is the <emphasis role="bold">uss</emphasis> program, which enables you to
create multiple accounts with a single command. See <link linkend="HDRWQ449">Creating and Deleting User Accounts with the uss
Command Suite</link>. If you prefer to create each account component individually, follow the instructions in <link
linkend="HDRWQ502">Creating AFS User Accounts</link>.</para>

<sect1 id="HDRWQ492">
<title>Summary of Instructions</title>

<para>This chapter explains how to perform the following tasks by using the indicated commands:</para>

<informaltable frame="none">
<tgroup cols="2">
<colspec colwidth="57*" />

<colspec colwidth="43*" />

<tbody>
<row>
<entry>Create Protection Database entry</entry>

<entry><emphasis role="bold">pts createuser</emphasis></entry>
</row>

<row>
<entry>Create Authentication Database entry</entry>

<entry><emphasis role="bold">kas create</emphasis></entry>
</row>

<row>
<entry>Create volume</entry>

<entry><emphasis role="bold">vos create</emphasis></entry>
</row>

<row>
<entry>Mount volume</entry>

<entry><emphasis role="bold">fs mkmount</emphasis></entry>
</row>

<row>
<entry>Create entry on ACL</entry>

<entry><emphasis role="bold">fs setacl</emphasis></entry>
</row>

<row>
<entry>Examine Protection Database entry</entry>

<entry><emphasis role="bold">pts examine</emphasis></entry>
</row>

<row>
<entry>Change directory ownership</entry>

<entry><emphasis role="bold">/etc/chown</emphasis></entry>
</row>

<row>
<entry>Limit failed authentication attempts</entry>

<entry><emphasis role="bold">kas setfields</emphasis> with <emphasis role="bold">-attempts</emphasis> and <emphasis
role="bold">-locktime</emphasis></entry>
</row>

<row>
<entry>Unlock Authentication Database entry</entry>

<entry><emphasis role="bold">kas unlock</emphasis></entry>
</row>

<row>
<entry>Set password lifetime</entry>

<entry><emphasis role="bold">kas setfields</emphasis> with <emphasis role="bold">-pwexpires</emphasis></entry>
</row>

<row>
<entry>Prohibit password reuse</entry>

<entry><emphasis role="bold">kas setfields</emphasis> with <emphasis role="bold">-reuse</emphasis></entry>
</row>

<row>
<entry>Change AFS password</entry>

<entry><emphasis role="bold">kas setpassword</emphasis></entry>
</row>

<row>
<entry>List groups owned by user</entry>

<entry><emphasis role="bold">pts listowned</emphasis></entry>
</row>

<row>
<entry>Rename Protection Database entry</entry>

<entry><emphasis role="bold">pts rename</emphasis></entry>
</row>

<row>
<entry>Delete Authentication Database entry</entry>

<entry><emphasis role="bold">kas delete</emphasis></entry>
</row>

<row>
<entry>Rename volume</entry>

<entry><emphasis role="bold">vos rename</emphasis></entry>
</row>

<row>
<entry>Remove mount point</entry>

<entry><emphasis role="bold">fs rmmount</emphasis></entry>
</row>

<row>
<entry>Delete Protection Database entry</entry>

<entry><emphasis role="bold">pts delete</emphasis></entry>
</row>

<row>
<entry>List volume location</entry>

<entry><emphasis role="bold">vos listvldb</emphasis></entry>
</row>

<row>
<entry>Remove volume</entry>

<entry><emphasis role="bold">vos remove</emphasis></entry>
</row>
</tbody>
</tgroup>
</informaltable>

<indexterm>
<primary>local password file</primary>

<secondary>creating entry for AFS user</secondary>

<tertiary>with manual account creation</tertiary>
</indexterm>
</sect1>

<sect1 id="HDRWQ494">
<title>The Components of an AFS User Account</title>

<para>The differences between AFS and the UNIX file system imply that a complete AFS user account is not the same as a UNIX user
account. The following list describes the components of an AFS account. The same information appears in a corresponding section
of <link linkend="HDRWQ449">Creating and Deleting User Accounts with the uss Command Suite</link>, but is repeated here for your
convenience. <itemizedlist>
<listitem>
<para>A <emphasis>Protection Database entry</emphasis> defines the username (the name provided when authenticating with
AFS), and maps it to an AFS user ID (AFS UID), a number that the AFS servers use internally when referencing users. The
Protection Database also tracks the groups to which the user belongs. For details, see <link
linkend="HDRWQ531">Administering the Protection Database</link>.</para>
</listitem>

<listitem>
<para>An <emphasis>Authentication Database entry</emphasis> records the user's AFS password in a scrambled form suitable
for use as an encryption key.</para>
</listitem>

<listitem>
<para>A home <emphasis>volume</emphasis> stores all the files in the user's home directory together on a single partition
of a file server machine. The volume has an associated quota that limits its size. For a complete discussion of volumes,
see <link linkend="HDRWQ174">Managing Volumes</link>.</para>
</listitem>

<listitem>
<para>A <emphasis>mount point</emphasis> makes the contents of the user's volume visible and accessible in the AFS
filespace, and acts as the user's home directory. For more details about mount points, see <link linkend="HDRWQ183">About
Mounting Volumes</link>.</para>
</listitem>

<listitem>
<para>Full access permissions on the home directory's <emphasis>access control list (ACL)</emphasis> and ownership of the
directory (as displayed by the UNIX <emphasis role="bold">ls -ld</emphasis> command) enable the user to manage his or her
files. For details on AFS file protection, see <link linkend="HDRWQ562">Managing Access Control Lists</link>.</para>
</listitem>

<listitem>
<para>A <emphasis>local password file entry</emphasis> (in the <emphasis role="bold">/etc/passwd</emphasis> file or
equivalent) of each AFS client machine enables the user to log in and access AFS files through the Cache Manager. A
subsequent section in this chapter further discusses local password file entries.</para>
</listitem>

<listitem>
<para>Other optional <emphasis>configuration files</emphasis> make the account more convenient to use. Such files help the
user log in and log out more easily, receive electronic mail, print, and so on.</para>
</listitem>
</itemizedlist></para>

<indexterm>
<primary>AFS UID</primary>

<secondary>matching with UNIX UID</secondary>
</indexterm>

<indexterm>
<primary>UNIX UID</primary>

<secondary>matching with AFS UID</secondary>
</indexterm>
</sect1>

<sect1 id="HDRWQ495">
<title>Creating Local Password File Entries</title>

<para>To obtain authenticated access to a cell's AFS filespace, a user must not only have a valid AFS token, but also an entry
in the local password file (<emphasis role="bold">/etc/passwd</emphasis> or equivalent) of the machine whose Cache Manager is
representing the user. This section discusses why it is important for the user's AFS UID to match the UNIX UID listed in the
local password file, and describes the appropriate value to put in the file's password field.</para>

<para>One reason to use <emphasis role="bold">uss</emphasis> commands is that they enable you to generate local password file
entries automatically as part of account creation. See <link linkend="HDRWQ458">Creating a Common Source Password
File</link>.</para>

<para>Information similar to the information in this section appears in a corresponding section of <link
linkend="HDRWQ449">Creating and Deleting User Accounts with the uss Command Suite</link>, but is repeated here for your
convenience.</para>

<sect2 id="HDRWQ496">
<title>Assigning AFS and UNIX UIDs that Match</title>

<para>A user account is easiest to administer and use if the AFS user ID number (AFS UID) and UNIX UID match. All instructions
in the AFS documentation assume that they do.</para>

<para>The most basic reason to make AFS and UNIX UIDs the same is so that the owner name reported by the UNIX <emphasis
role="bold">ls -l</emphasis> and <emphasis role="bold">ls -ld</emphasis> commands makes sense for AFS files and directories.
Following standard UNIX practice, the File Server records a number rather than a username in an AFS file or directory's owner
field: the owner's AFS UID. When you issue the <emphasis role="bold">ls -l</emphasis> command, it translates the UID to a
username according to the mapping in the local password file, not the AFS Protection Database. If the AFS and UNIX UIDs do not
match, the <emphasis role="bold">ls -l</emphasis> command reports an unexpected (and incorrect) owner. The output can even
vary on different client machines if their local password files map the same UNIX UID to different names.</para>

<para>Follow the recommendations in the indicated sections to make AFS and UNIX UIDs match when creating accounts for various
types of users: <itemizedlist>
<listitem>
<para>If creating an AFS account for a user who already has a UNIX UID, see <link linkend="HDRWQ499">Making UNIX and AFS
UIDs Match</link>.</para>
</listitem>

<listitem>
<para>If some users in your cell have existing UNIX accounts but the user for whom you are creating an AFS account does
not, then it is best to allow the Protection Server to allocate an AFS UID automatically. To avoid overlap of AFS UIDs
with existing UNIX UIDs, set the Protection Database's <computeroutput>max user id</computeroutput> counter higher than
the largest UNIX UID, using the instructions in <link linkend="HDRWQ560">Displaying and Setting the AFS UID and GID
Counters</link>.</para>
</listitem>

<listitem>
<para>If none of your users have existing UNIX accounts, allow the Protection Server to allocate AFS UIDs automatically,
starting either at its default or at the value you have set for the <computeroutput>max user id</computeroutput>
counter.</para>
</listitem>
</itemizedlist></para>

<indexterm>
<primary>password</primary>

<secondary>setting in local password file</secondary>

<tertiary>with manual account creation</tertiary>
</indexterm>

<indexterm>
<primary>local password file</primary>

<secondary>setting password in</secondary>

<tertiary>with manual account creation</tertiary>
</indexterm>
</sect2>

<sect2 id="HDRWQ497">
<title>Specifying Passwords in the Local Password File</title>

<para>Authenticating with AFS is easiest for your users if you install and configure an AFS-modified login utility, which logs
a user into the local file system and obtains an AFS token in one step. In this case, the local password file no longer
controls, in most circumstances, a user's ability to log in, because the AFS-modified login utility does not consult the local
password file if the user provides the correct AFS password. You can nonetheless use a password file entry's password field
(usually, the second field) in the following ways to control login and authentication: <itemizedlist>
<listitem>
<para>To prevent both local login and AFS authentication, place an asterisk (*) in the field. This is useful mainly in
emergencies, when you want to prevent a certain user from logging into the machine.</para>
</listitem>

<listitem>
<para>To prevent login to the local file system if the user does not provide the correct AFS password, place a character
string of any length other than the standard thirteen characters in the field. This is appropriate if you want to allow
only people with local AFS accounts to log in to your machines. A single <emphasis role="bold">X</emphasis> or other
character is the most easily recognizable way to do this.</para>
</listitem>

<listitem>
<para>To enable a user to log into the local file system even after providing an incorrect AFS password, record a
standard UNIX encrypted password in the field by issuing the standard UNIX password-setting command (<emphasis
role="bold">passwd</emphasis> or equivalent).</para>
</listitem>
</itemizedlist></para>

<para>If you do not use an AFS-modified login utility, you must place a standard UNIX password in the local password file of
every client machine the user will use. The user logs into the local file system only, and then must issue the <emphasis
role="bold">klog</emphasis> command to authenticate with AFS. It is simplest if the passwords in the local password file and
the Authentication Database are the same, but this is not required. <indexterm>
<primary>converting</primary>

<secondary>existing UNIX accounts to AFS accounts</secondary>

<tertiary>with manual account creation</tertiary>
</indexterm> <indexterm>
<primary>user account</primary>

<secondary>converting existing UNIX to AFS</secondary>

<tertiary>with manual account creation</tertiary>
</indexterm></para>
</sect2>
</sect1>

<sect1 id="HDRWQ498">
<title>Converting Existing UNIX Accounts</title>

<para>This section discusses the three main issues you need to consider if your cell has existing UNIX accounts that you wish to
convert to AFS accounts.</para>

<sect2 id="HDRWQ499">
<title>Making UNIX and AFS UIDs Match</title>

<para>As previously mentioned, AFS users must have an entry in the local password file on every client machine from which they
access the AFS filespace as an authenticated user. Both administration and use are much simpler if the UNIX UID and AFS UID
match. When converting existing UNIX accounts, you have two alternatives: <itemizedlist>
<listitem>
<para>Make the AFS UIDs match the existing UNIX UIDs. In this case, you need to assign the AFS UID yourself by including
the <emphasis role="bold">-id</emphasis> argument to the <emphasis role="bold">pts createuser</emphasis> command as you
create the AFS account.</para>

<para>Because you are retaining the user's UNIX UID, you do not need to alter the UID in the local password file entry.
However, if you are using an AFS-modified login utility, you may need to change the password field in the entry.
For a discussion of how the value in the password field affects login with an AFS-modified login utility, see <link
linkend="HDRWQ497">Specifying Passwords in the Local Password File</link>.</para>

<para>If now or in the future you need to create AFS accounts for users who do not have an existing UNIX UID, then you
must guarantee that new AFS UIDs do not conflict with any existing UNIX UIDs. The simplest way is to set the
<computeroutput>max user id</computeroutput> counter in the Protection Database to a value higher than the largest
existing UNIX UID. See <link linkend="HDRWQ560">Displaying and Setting the AFS UID and GID Counters</link>.</para>
</listitem>

<listitem>
<para>Change the existing UNIX UIDs to match the new AFS UIDs that the Protection Server assigns automatically.</para>

<para>Allow the Protection Server to allocate the AFS UIDs automatically as you create AFS accounts. You must then alter
the user's entry in the local password file on every client machine to include the new UID.</para>

<para>There is one drawback to changing the UNIX UID: any files and directories that the user owned in the local file
system before becoming an AFS user still have the former UID in their owner field. If you want the <emphasis
role="bold">ls -l</emphasis> and <emphasis role="bold">ls -ld</emphasis> commands to display the correct owner, you must
use the <emphasis role="bold">chown</emphasis> command to change the value to the user's new UID, whether you are
leaving the file in the local file system or moving it to AFS. See <link linkend="HDRWQ501">Moving Local Files into
AFS</link>.</para>
</listitem>
</itemizedlist></para>
</sect2>

<sect2 id="HDRWQ500">
<title>Setting the Password Field Appropriately</title>

<para>Existing UNIX accounts already have an entry in the local password file, probably with a (scrambled) password in the
password field. You may need to change the value in the field, depending on the type of login utility you use:
<itemizedlist>
<listitem>
<para>If the login utility is not modified for use with AFS, the actual password must appear (in scrambled form) in the
local password file entry.</para>
</listitem>

<listitem>
<para>If the login utility is modified for use with AFS, choose one of the values discussed in <link
linkend="HDRWQ497">Specifying Passwords in the Local Password File</link>.</para>
</listitem>
</itemizedlist></para>
</sect2>
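<para>As an added example (not OpenAFS code), the following Python script applies the UID-matching rule from this section and
the preceding one, and the three password-field cases from Specifying Passwords in the Local Password File, to a constructed
password file. The name-to-AFS-UID map is assumed to have been gathered separately from the Protection Database (for example
with <emphasis role="bold">pts examine</emphasis>) and is constructed here.</para>

```python
"""Audit a local password file (/etc/passwd format) for the two issues
this chapter covers: whether each entry's UNIX UID matches the user's
AFS UID, and what the password field permits under an AFS-modified
login utility. Added example; not part of OpenAFS."""

from dataclasses import dataclass

# Length of a traditional UNIX crypt(3) password string, which the chapter
# uses to tell a real local password from a placeholder such as "X".
CRYPT_LENGTH = 13


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int


def parse_passwd(text):
    """Parse name:password:uid:gid:gecos:home:shell lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % raw)
        entries.append(PasswdEntry(fields[0], fields[1], int(fields[2])))
    return entries


def classify_password_field(field):
    """What the field allows when an AFS-modified login utility is in use."""
    if field == "*":
        # Neither local login nor AFS authentication (emergency lockout).
        return "blocked"
    if len(field) == CRYPT_LENGTH:
        # Standard UNIX encrypted password: local login succeeds even if
        # the AFS password given at login is wrong.
        return "local-fallback"
    # Any other length (e.g. a single "X"): local login only when the
    # user supplies the correct AFS password.
    return "afs-only"


def check_uids(entries, afs_uids):
    """Compare each UNIX UID with the AFS UID recorded for that name.
    Returns a dict of name to 'match', 'mismatch' or 'no-afs-entry'."""
    result = {}
    for e in entries:
        afs_uid = afs_uids.get(e.name)
        if afs_uid is None:
            result[e.name] = "no-afs-entry"
        elif afs_uid == e.uid:
            result[e.name] = "match"
        else:
            # ls -l on AFS files will report the wrong owner for this user.
            result[e.name] = "mismatch"
    return result


def largest_unix_uid(entries):
    """Largest UNIX UID in the file. The Protection Database's
    'max user id' counter should be set above this before letting the
    Protection Server allocate AFS UIDs automatically."""
    return max(e.uid for e in entries)


def audit(passwd_text, afs_uids):
    """Run both checks; returns (name, uid_status, password_status) rows."""
    entries = parse_passwd(passwd_text)
    uid_status = check_uids(entries, afs_uids)
    return [(e.name, uid_status[e.name], classify_password_field(e.password))
            for e in entries]


# Constructed sample input, not taken from any real machine. The crypt
# strings are 13 arbitrary characters, not real password hashes.
SAMPLE_PASSWD = """\
root:ab01X9Zq2LmNo:0:0:root:/root:/bin/sh
smith:X:1001:100:J. Smith:/afs/example.com/usr/smith:/bin/sh
jones:X:1003:100:A. Jones:/afs/example.com/usr/jones:/bin/sh
pat:abJnggxhB/yWI:5001:100:P. Lee:/afs/example.com/usr/pat:/bin/sh
guest:*:1010:100:Guest:/home/guest:/bin/sh
"""

# Constructed name-to-AFS-UID map, as you would assemble from pts examine.
SAMPLE_AFS_UIDS = {"smith": 1001, "jones": 1002, "pat": 5001, "guest": 1010}

if __name__ == "__main__":
    for name, uid_status, pw_status in audit(SAMPLE_PASSWD, SAMPLE_AFS_UIDS):
        print("%-6s uid=%-13s password-field=%s" % (name, uid_status, pw_status))
    print("largest UNIX UID:", largest_unix_uid(parse_passwd(SAMPLE_PASSWD)))
```

In the sample, jones is the entry whose AFS UID was allocated automatically and no longer matches the UNIX UID, and pat still carries a standard UNIX password, so local login succeeds for pat even when the AFS password is wrong.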

<sect2 id="HDRWQ501">
<title>Moving Local Files into AFS</title>

<para>New AFS users with existing UNIX accounts probably already own files and directories stored in a machine's local file
system, and it usually makes sense to transfer them into the new home volume. The easiest method is to move them onto the
local disk of an AFS client machine, and then use the UNIX <emphasis role="bold">mv</emphasis> command to transfer them into
the user's new AFS home directory.</para>

<para>As you move files and directories into AFS, keep in mind that the meaning of their mode bits changes. AFS ignores the
second and third sets of mode bits (group and other), and does not use the first set (the owner bits) directly, but only in
conjunction with entries on the ACL (for details, see <link linkend="HDRWQ580">How AFS Interprets the UNIX Mode Bits</link>).
Be sure that the ACL protects the file or directory at least as securely as the mode bits.</para>

<para>If you have chosen to change a user's UNIX UID to match a new AFS UID, you must change the ownership of UNIX files and
directories as well. Only members of the <emphasis role="bold">system:administrators</emphasis> group can issue the <emphasis
role="bold">chown</emphasis> command on files and directories once they reside in AFS.</para>
</sect2>
</sect1>

<sect1 id="HDRWQ502">
<title>Creating AFS User Accounts</title>

<para>There are two methods for creating user accounts. The preferred method--using the <emphasis role="bold">uss</emphasis>
commands--enables you to create multiple accounts with a single command. It uses a template to define standard values for the
account components that are the same for each user (such as quota), but provides differing values for more variable components
(such as username). See <link linkend="HDRWQ449">Creating and Deleting User Accounts with the uss Command Suite</link>.</para>

<para>The second method involves issuing a separate command to create each component of the account. It is best suited to
creation of one account at a time, since some of the commands can create only one instance of the relevant component. To review
the function of each component, see <link linkend="HDRWQ494">The Components of an AFS User Account</link>.</para>

<para>Use the following instructions to create any of the three types of user account, which differ in their levels of
functionality. For a description of the types, see <link linkend="HDRWQ57">Configuring AFS User Accounts</link>. <itemizedlist>
<listitem>
<para>To create an authentication-only account, perform Step <link linkend="LIWQ504">1</link> through Step <link
linkend="LIWQ507">4</link> and also Step <link linkend="LIWQ514">14</link>. This type of account consists only of entries
in the Authentication Database and Protection Database.</para>
</listitem>

<listitem>
<para>To create a basic account, perform Step <link linkend="LIWQ504">1</link> through Step <link
linkend="LIWQ510">8</link> and Step <link linkend="LIWQ512">11</link> through Step <link linkend="LIWQ514">14</link>. In
addition to Authentication Database and Protection Database entries, this type of account includes a volume mounted at the
home directory with owner and ACL set appropriately.</para>
</listitem>

<listitem>
<para>To create a full account, perform all steps in the following instructions. This type of account includes
configuration files for basic functions such as logging in, printing, and mail delivery, making it more convenient and
useful. For a discussion of some useful types of configuration files, see <link linkend="HDRWQ60">Creating Standard Files
in New AFS Accounts</link>.</para>
</listitem>
</itemizedlist></para>

<indexterm>
<primary>creating</primary>

<secondary>user account</secondary>

<tertiary>with individual commands</tertiary>
</indexterm>

<indexterm>
<primary>user account</primary>

<secondary>creating</secondary>

<tertiary>with individual commands</tertiary>
</indexterm>

<indexterm>
<primary>creating</primary>

<secondary>Protection Database user entry</secondary>

<tertiary>with pts createuser command</tertiary>
</indexterm>

<indexterm>
<primary>creating</primary>

<secondary>Authentication Database entry</secondary>

<tertiary>with kas create command</tertiary>
</indexterm>

<indexterm>
<primary>Protection Database</primary>

<secondary>user entry</secondary>

<tertiary>creating with pts createuser command</tertiary>
</indexterm>

<indexterm>
<primary>Authentication Database</primary>

<secondary>entry</secondary>

<tertiary>creating with kas create command</tertiary>
</indexterm>

<indexterm>
<primary>username</primary>

<secondary>assigning</secondary>

<tertiary>with pts createuser command</tertiary>
</indexterm>

<indexterm>
<primary>AFS UID</primary>

<secondary>assigning</secondary>

<tertiary>with pts createuser command</tertiary>
</indexterm>

<indexterm>
<primary>user</primary>

<secondary>AFS UID, assigning</secondary>
</indexterm>

<indexterm>
<primary>assigning</primary>

<secondary>AFS UID to user</secondary>
</indexterm>

<sect2 id="HDRWQ503">
<title>To create one user account with individual commands</title>

<orderedlist>
<listitem id="LIWQ504">
<para>Decide on the value to assign to each of the following account components. If you are
creating an authentication-only account, you need to pick only a username, AFS UID, and initial password. <itemizedlist>
<listitem>
<para>The username. By convention, the names of many components of the user account incorporate this name. For a
discussion of restrictions and suggested naming schemes, see <link linkend="HDRWQ58">Choosing Usernames and Naming
Other Account Components</link>.</para>
</listitem>

<listitem>
<para>The AFS UID, if you want to assign a specific one. It is generally best to have the Protection Server allocate
one instead, except when you are creating an AFS account for a user who already has an existing UNIX account. In
that case, migrating the user's files into AFS is simplest if you set the AFS UID to match the existing UNIX UID.
See <link linkend="HDRWQ498">Converting Existing UNIX Accounts</link>.</para>
</listitem>

<listitem>
<para>The initial password. Advise the user to change this at the first login, using the password changing
instructions in the <emphasis>OpenAFS User Guide</emphasis>.</para>
</listitem>

<listitem>
<para>The name of the user's home volume. The conventional name is <emphasis role="bold">user.</emphasis>username
(for example, <emphasis role="bold">user.smith</emphasis>).</para>
</listitem>

<listitem>
<para>The volume's site (disk partition on a file server machine). Some cells designate certain machines or
partitions for user volumes only, or it may make sense to place the volume on the emptiest partition that
meets your other criteria. To display the size and available space on a partition, use the <emphasis role="bold">vos
partinfo</emphasis> command, which is fully described in <link linkend="HDRWQ185">Creating Read/write
Volumes</link>.</para>
</listitem>

<listitem>
<para>The name of the user's home directory (the mount point for the home volume). The conventional location is a
directory (or one of a set of directories) directly under the cell directory, such as <emphasis
role="bold">/afs/</emphasis>cellname<emphasis role="bold">/usr</emphasis>. For suggestions on how to avoid the
slowed directory lookup that can result from having large numbers of user home directories in a single <emphasis
role="bold">usr</emphasis> directory, see <link linkend="HDRWQ472">Evenly Distributing User Home Directories with
the G Instruction</link>.</para>
</listitem>

<listitem>
<para>The volume's space quota. Include the <emphasis role="bold">-maxquota</emphasis> argument to the <emphasis
role="bold">vos create</emphasis> command, or accept the default quota of 5000 KB.</para>
</listitem>

<listitem>
<para>The ACL on the home directory. By default, the ACL on every new volume grants all seven permissions to the
<emphasis role="bold">system:administrators</emphasis> group. After volume creation, use the <emphasis
role="bold">fs setacl</emphasis> command to remove the entry if desired, and to grant all seven permissions to the
user.</para>
</listitem>
</itemizedlist></para>
</listitem>

<listitem id="LIWQ505">
<para>Authenticate as an AFS identity with all of the following privileges. In the conventional
configuration, the <emphasis role="bold">admin</emphasis> user account has them, or you may have a personal
administrative account. (To increase cell security, it is best to create special privileged accounts for use only while
performing administrative procedures; for further discussion, see <link linkend="HDRWQ584">An Overview of Administrative
Privilege</link>.) If necessary, issue the <emphasis role="bold">klog</emphasis> command to authenticate. <programlisting>
% <emphasis role="bold">klog</emphasis> admin_user
Password: &lt;<replaceable>admin_password</replaceable>&gt;
</programlisting></para>

<para>The following list specifies the necessary privileges and indicates how to check that you have them.</para>

<itemizedlist>
<listitem>
<para>Membership in the <emphasis role="bold">system:administrators</emphasis> group. If necessary, issue the
<emphasis role="bold">pts membership</emphasis> command, which is fully described in <link linkend="HDRWQ587">To
display the members of the system:administrators group</link>. <programlisting>
% <emphasis role="bold">pts membership system:administrators</emphasis>
</programlisting></para>
</listitem>

<listitem>
<para>Inclusion in the <emphasis role="bold">/usr/afs/etc/UserList</emphasis> file. If necessary, issue the <emphasis
role="bold">bos listusers</emphasis> command, which is fully described in <link linkend="HDRWQ593">To display the
users in the UserList file</link>. <programlisting>
% <emphasis role="bold">bos listusers</emphasis> &lt;<replaceable>machine name</replaceable>&gt;
</programlisting></para>
</listitem>

<listitem>
<para>The <computeroutput>ADMIN</computeroutput> flag on your Authentication Database entry. However, the
Authentication Server performs its own authentication, so in Step <link linkend="LIWQ507">4</link> you specify an
administrative identity on the <emphasis role="bold">kas</emphasis> command line itself.</para>
</listitem>

<listitem>
<para>The <emphasis role="bold">i</emphasis> (<emphasis role="bold">insert</emphasis>) and <emphasis
role="bold">a</emphasis> (<emphasis role="bold">administer</emphasis>) permissions on the ACL of the directory where
you are mounting the user's volume. If necessary, issue the <emphasis role="bold">fs listacl</emphasis> command, which
is fully described in <link linkend="HDRWQ572">Displaying ACLs</link>. <programlisting>
% <emphasis role="bold">fs listacl</emphasis> [&lt;<replaceable>dir/file path</replaceable>&gt;]
</programlisting></para>

<para>Members of the <emphasis role="bold">system:administrators</emphasis> group always implicitly have the <emphasis
role="bold">a</emphasis> (<emphasis role="bold">administer</emphasis>) and by default also the <emphasis
role="bold">l</emphasis> (<emphasis role="bold">lookup</emphasis>) permission on every ACL and can use the <emphasis
role="bold">fs setacl</emphasis> command to grant other rights as necessary.</para>
</listitem>

<listitem>
<para>Knowledge of the password for the local superuser <emphasis role="bold">root</emphasis>.</para>
</listitem>
</itemizedlist>

<indexterm>
<primary>pts commands</primary>

<secondary>createuser</secondary>

652 | <tertiary>user account</tertiary> | |
653 | </indexterm> | |
654 | ||
655 | <indexterm> | |
656 | <primary>commands</primary> | |
657 | ||
658 | <secondary>pts createuser</secondary> | |
659 | ||
660 | <tertiary>user account</tertiary> | |
661 | </indexterm> | |
662 | </listitem> | |
663 | ||
664 | <listitem id="LIWQ506"> | |
665 | <para>Issue the <emphasis role="bold">pts createuser</emphasis> command to create an entry in the | |
666 | Protection Database. For a discussion of setting AFS UIDs, see <link linkend="HDRWQ496">Assigning AFS and UNIX UIDs that | |
667 | Match</link>. If you are converting an existing UNIX account into an AFS account, also see <link | |
668 | linkend="HDRWQ498">Converting Existing UNIX Accounts</link>. <programlisting> | |
669 | % <emphasis role="bold">pts createuser</emphasis> <<replaceable>user name</replaceable>> [<<replaceable>user id</replaceable>>] | |
670 | </programlisting></para> | |
671 | ||
672 | <para>where</para> | |
673 | ||
674 | <variablelist> | |
675 | <varlistentry> | |
676 | <term><emphasis role="bold">cu</emphasis></term> | |
677 | ||
678 | <listitem> | |
679 | <para>Is an acceptable alias for <emphasis role="bold">createuser</emphasis> (and <emphasis | |
680 | role="bold">createu</emphasis> is the shortest acceptable abbreviation).</para> | |
681 | </listitem> | |
682 | </varlistentry> | |
683 | ||
684 | <varlistentry> | |
685 | <term><emphasis role="bold">user name</emphasis></term> | |
686 | ||
687 | <listitem> | |
688 | <para>Specifies the user's username (the character string typed at login). It is best to limit the name to eight or | |
689 | fewer lowercase letters, because many application programs impose that limit. The AFS servers themselves accept | |
690 | names of up to 63 lowercase letters. Also avoid the following characters: colon (<emphasis | |
691 | role="bold">:</emphasis>), semicolon (<emphasis role="bold">;</emphasis>), comma (<emphasis | |
692 | role="bold">,</emphasis>), at sign (<emphasis role="bold">@</emphasis>), space, newline, and the period (<emphasis | |
693 | role="bold">.</emphasis>), which is conventionally used only in special administrative names.</para> | |
694 | </listitem> | |
695 | </varlistentry> | |
696 | ||
697 | <varlistentry> | |
698 | <term><emphasis role="bold">user id</emphasis></term> | |
699 | ||
700 | <listitem> | |
701 | <para>Is optional and appropriate only if the user already has a UNIX UID that the AFS UID must match. If you do not | |
702 | provide this argument, the Protection Server assigns one automatically based on the counter described in <link | |
703 | linkend="HDRWQ560">Displaying and Setting the AFS UID and GID Counters</link>. If the ID you specify is less than | |
704 | <emphasis role="bold">1</emphasis> (one) or is already in use, an error results.</para> | |
705 | </listitem> | |
706 | </varlistentry> | |
707 | </variablelist> | |
708 | ||
709 | <indexterm> | |
710 | <primary>kas commands</primary> | |
711 | ||
712 | <secondary>create</secondary> | |
713 | </indexterm> | |
714 | ||
715 | <indexterm> | |
716 | <primary>commands</primary> | |
717 | ||
718 | <secondary>kas create</secondary> | |
719 | </indexterm> | |
720 | </listitem> | |
721 | ||
722 | <listitem id="LIWQ507"> | |
723 | <para>Issue the <emphasis role="bold">kas create</emphasis> command to create an entry in the | |
724 | Authentication Database. To avoid having the user's temporary initial password echo visibly on the screen, omit the | |
725 | <emphasis role="bold">-initial_password</emphasis> argument; instead enter the password at the prompts that appear when | |
726 | you omit the argument, as shown in the following syntax specification.</para> | |
727 | ||
728 | <para>The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, | |
729 | it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. | |
730 | Include the <emphasis role="bold">-admin</emphasis> argument to name an identity that has the | |
731 | <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry. To verify that an entry has the flag, | |
732 | issue the <emphasis role="bold">kas examine</emphasis> command as described in <link linkend="HDRWQ590">To check if the | |
733 | ADMIN flag is set</link>.</para> | |
734 | ||
735 | <programlisting> | |
736 | % <emphasis role="bold">kas create</emphasis> <<replaceable>name of user</replaceable>> \ | |
737 | <emphasis role="bold">-admin</emphasis> <<replaceable>admin principal to use for authentication</replaceable>> | |
738 | Administrator's (admin_user) password: <<replaceable>admin_password</replaceable>> | |
739 | initial_password: <<replaceable>initial_password</replaceable>> | |
740 | Verifying, please re-enter initial_password: <<replaceable>initial_password</replaceable>> | |
741 | </programlisting> | |
742 | ||
743 | <para>where <variablelist> | |
744 | <varlistentry> | |
745 | <term><emphasis role="bold">cr</emphasis></term> | |
746 | ||
747 | <listitem> | |
748 | <para>Is the shortest acceptable abbreviation for <emphasis role="bold">create</emphasis>.</para> | |
749 | </listitem> | |
750 | </varlistentry> | |
751 | ||
752 | <varlistentry> | |
753 | <term><emphasis role="bold">name of user</emphasis></term> | |
754 | ||
755 | <listitem> | |
756 | <para>Specifies the same username as in Step <link linkend="LIWQ506">3</link>.</para> | |
757 | </listitem> | |
758 | </varlistentry> | |
759 | ||
760 | <varlistentry> | |
761 | <term><emphasis role="bold">-admin</emphasis></term> | |
762 | ||
763 | <listitem> | |
764 | <para>Names an administrative account that has the <computeroutput>ADMIN</computeroutput> flag on its | |
765 | Authentication Database entry, such as <emphasis role="bold">admin</emphasis>. The password prompt echoes it as | |
766 | admin_user. Enter the appropriate password as admin_password.</para> | |
767 | </listitem> | |
768 | </varlistentry> | |
769 | ||
770 | <varlistentry> | |
771 | <term><emphasis role="bold">initial_password</emphasis></term> | |
772 | ||
773 | <listitem> | |
774 | <para>Specifies the initial password as a string of eight characters or less, to comply with the length | |
775 | restriction that some applications impose. Possible choices for an initial password include the username, a string | |
776 | of digits from a personal identification number such as the Social Security number, or a standard string such as | |
777 | <emphasis role="bold">changeme</emphasis>. Instruct the user to change the string to a truly secret password as | |
778 | soon as possible by using the <emphasis role="bold">kpasswd</emphasis> command as described in the <emphasis>IBM | |
779 | AFS User Guide</emphasis>.</para> | |
780 | </listitem> | |
781 | </varlistentry> | |
782 | </variablelist></para> | |
783 | ||
784 | <indexterm> | |
785 | <primary>vos commands</primary> | |
786 | ||
787 | <secondary>create</secondary> | |
788 | ||
789 | <tertiary>when creating user account</tertiary> | |
790 | </indexterm> | |
791 | ||
792 | <indexterm> | |
793 | <primary>commands</primary> | |
794 | ||
795 | <secondary>vos create</secondary> | |
796 | ||
797 | <tertiary>when creating user account</tertiary> | |
798 | </indexterm> | |
799 | </listitem> | |
800 | ||
801 | <listitem id="LIWQ508"> | |
802 | <para>Issue the <emphasis role="bold">vos create</emphasis> command to create the user's volume. | |
803 | <programlisting> | |
804 | % <emphasis role="bold">vos create</emphasis> <<replaceable>machine name</replaceable>> <<replaceable>partition name</replaceable>> <<replaceable>volume name</replaceable>> \ | |
805 | [<emphasis role="bold">-maxquota</emphasis> <<replaceable>initial quota (KB)</replaceable>>] | |
806 | </programlisting></para> | |
807 | ||
808 | <para>where</para> | |
809 | ||
810 | <variablelist> | |
811 | <varlistentry> | |
812 | <term><emphasis role="bold">cr</emphasis></term> | |
813 | ||
814 | <listitem> | |
815 | <para>Is the shortest acceptable abbreviation of <emphasis role="bold">create</emphasis>.</para> | |
816 | </listitem> | |
817 | </varlistentry> | |
818 | ||
819 | <varlistentry> | |
820 | <term><emphasis role="bold">machine name</emphasis></term> | |
821 | ||
822 | <listitem> | |
823 | <para>Names the file server machine on which to place the new volume.</para> | |
824 | </listitem> | |
825 | </varlistentry> | |
826 | ||
827 | <varlistentry> | |
828 | <term><emphasis role="bold">partition name</emphasis></term> | |
829 | ||
830 | <listitem> | |
831 | <para>Names the partition on which to place the new volume.</para> | |
832 | </listitem> | |
833 | </varlistentry> | |
834 | ||
835 | <varlistentry> | |
836 | <term><emphasis role="bold">volume name</emphasis></term> | |
837 | ||
838 | <listitem> | |
839 | <para>Names the new volume. The name can include up to 22 characters. By convention, user volume names have the form | |
840 | <emphasis role="bold">user.</emphasis>username, where username is the name assigned in Step <link | |
841 | linkend="LIWQ506">3</link>.</para> | |
842 | </listitem> | |
843 | </varlistentry> | |
844 | ||
845 | <varlistentry> | |
846 | <term><emphasis role="bold">-maxquota</emphasis></term> | |
847 | ||
848 | <listitem> | |
849 | <para>Sets the volume's quota, as a number of kilobyte blocks. If you omit this argument, the default is 5000 | |
850 | KB.</para> | |
851 | </listitem> | |
852 | </varlistentry> | |
853 | </variablelist> | |
854 | ||
855 | <indexterm> | |
856 | <primary>fs commands</primary> | |
857 | ||
858 | <secondary>mkmount</secondary> | |
859 | ||
860 | <tertiary>when creating user account</tertiary> | |
861 | </indexterm> | |
862 | ||
863 | <indexterm> | |
864 | <primary>commands</primary> | |
865 | ||
866 | <secondary>fs mkmount</secondary> | |
867 | ||
868 | <tertiary>when creating user account</tertiary> | |
869 | </indexterm> | |
870 | </listitem> | |
871 | ||
872 | <listitem id="LIWQ509"> | |
873 | <para>Issue the <emphasis role="bold">fs mkmount</emphasis> command to mount the volume in the | |
874 | filespace and create the user's home directory. <programlisting> | |
875 | % <emphasis role="bold">fs mkmount</emphasis> <<replaceable>directory</replaceable>> <<replaceable>volume name</replaceable>> | |
876 | </programlisting></para> | |
877 | ||
878 | <para>where</para> | |
879 | ||
880 | <variablelist> | |
881 | <varlistentry> | |
882 | <term><emphasis role="bold">mk</emphasis></term> | |
883 | ||
884 | <listitem> | |
885 | <para>Is the shortest acceptable abbreviation for <emphasis role="bold">mkmount</emphasis>.</para> | |
886 | </listitem> | |
887 | </varlistentry> | |
888 | ||
889 | <varlistentry> | |
890 | <term><emphasis role="bold">directory</emphasis></term> | |
891 | ||
892 | <listitem> | |
893 | <para>Names the mount point to create. A directory of the same name must not already exist. Partial pathnames are | |
894 | interpreted relative to the current working directory. By convention, user home directories are mounted in a | |
895 | directory called something like <emphasis role="bold">/afs/.</emphasis>cellname<emphasis | |
896 | role="bold">/usr</emphasis>, and the home directory name matches the username assigned in Step <link | |
897 | linkend="LIWQ506">3</link>.</para> | |
898 | ||
899 | <para>Specify the read/write path to the mount point, to avoid the failure that results when you attempt to create | |
900 | the new mount point in a read-only volume. By convention, you indicate the read/write path by placing a period | |
901 | before the cell name at the pathname's second level (for example, <emphasis role="bold">/afs/.example.com</emphasis>). | |
902 | For further discussion of the concept of read/write and read-only paths through the filespace, see <link | |
903 | linkend="HDRWQ209">The Rules of Mount Point Traversal</link>.</para> | |
904 | </listitem> | |
905 | </varlistentry> | |
906 | ||
907 | <varlistentry> | |
908 | <term><emphasis role="bold">volume name</emphasis></term> | |
909 | ||
910 | <listitem> | |
911 | <para>Is the name of the volume created in Step <link linkend="LIWQ508">5</link>.</para> | |
912 | </listitem> | |
913 | </varlistentry> | |
914 | </variablelist> | |
915 | </listitem> | |
916 | ||
917 | <listitem> | |
918 | <para><emphasis role="bold">(Optional)</emphasis> Issue the <emphasis role="bold">fs setvol</emphasis> command with the | |
919 | <emphasis role="bold">-offlinemsg</emphasis> argument to record auxiliary information about the volume in its volume | |
920 | header. For example, you can record who owns the volume or where you have mounted it in the filespace. To display the | |
921 | information, use the <emphasis role="bold">fs examine</emphasis> command. <programlisting> | |
922 | % <emphasis role="bold">fs setvol</emphasis> <<replaceable>dir/file path</replaceable>> <emphasis role="bold">-offlinemsg</emphasis> <<replaceable>offline message</replaceable>> | |
923 | </programlisting></para> | |
924 | ||
925 | <para>where</para> | |
926 | ||
927 | <variablelist> | |
928 | <varlistentry> | |
929 | <term><emphasis role="bold">sv</emphasis></term> | |
930 | ||
931 | <listitem> | |
932 | <para>Is an acceptable alias for <emphasis role="bold">setvol</emphasis> (and <emphasis role="bold">setv</emphasis> | |
933 | the shortest acceptable abbreviation).</para> | |
934 | </listitem> | |
935 | </varlistentry> | |
936 | ||
937 | <varlistentry> | |
938 | <term><emphasis role="bold">dir/file path</emphasis></term> | |
939 | ||
940 | <listitem> | |
941 | <para>Names the mount point of the volume with which to associate the message. Partial pathnames are interpreted | |
942 | relative to the current working directory.</para> | |
943 | ||
944 | <para>Specify the read/write path to the mount point, to avoid the failure that results when you attempt to change a | |
945 | read-only volume. By convention, you indicate the read/write path by placing a period before the cell name at the | |
946 | pathname's second level (for example, <emphasis role="bold">/afs/.example.com</emphasis>). For further discussion of the | |
947 | concept of read/write and read-only paths through the filespace, see <link linkend="HDRWQ209">The Rules of Mount | |
948 | Point Traversal</link>.</para> | |
949 | </listitem> | |
950 | </varlistentry> | |
951 | ||
952 | <varlistentry> | |
953 | <term><emphasis role="bold">-offlinemsg</emphasis></term> | |
954 | ||
955 | <listitem> | |
956 | <para>Specifies up to 128 characters of auxiliary information to record in the volume header.</para> | |
957 | </listitem> | |
958 | </varlistentry> | |
959 | </variablelist> | |
960 | </listitem> | |
961 | ||
962 | <listitem id="LIWQ510"> | |
963 | <para>Issue the <emphasis role="bold">fs setacl</emphasis> command to set the ACL on the new home | |
964 | directory. At the least, create an entry that grants all permissions to the user, as shown.</para> | |
965 | ||
<para>You can also use the command to edit or remove the entry that the <emphasis role="bold">vos create</emphasis>
command automatically places on the ACL for a new volume's root directory, which grants all permissions to the <emphasis
role="bold">system:administrators</emphasis> group. Keep in mind that even if you remove the entry, the members of the
group always have implicit <emphasis role="bold">a</emphasis> (<emphasis role="bold">administer</emphasis>) and by
default also <emphasis role="bold">l</emphasis> (<emphasis role="bold">lookup</emphasis>) permission on every ACL, and can
grant themselves other permissions as required.</para>

<para>For detailed instructions for the <emphasis role="bold">fs setacl</emphasis> command, see <link
linkend="HDRWQ573">Setting ACL Entries</link>.</para>

<programlisting>
% <emphasis role="bold">fs setacl</emphasis> &lt;<replaceable>directory</replaceable>&gt; <emphasis role="bold">-acl</emphasis> &lt;<replaceable>user name</replaceable>&gt; <emphasis
role="bold">all</emphasis> \
[<emphasis role="bold">system:administrators</emphasis> desired_permissions]
</programlisting>
</listitem>

<listitem id="LIWQ511">
<para><emphasis role="bold">(Optional)</emphasis> Create configuration files and subdirectories in
the new home directory. Possibilities include <emphasis role="bold">.login</emphasis> and <emphasis
role="bold">.logout</emphasis> files, a shell-initialization file such as <emphasis role="bold">.cshrc</emphasis>, files
to help with printing and mail delivery, and so on.</para>

<para>If you are converting an existing UNIX account into an AFS account, you possibly wish to move some files and
directories into the user's new AFS home directory. See <link linkend="HDRWQ498">Converting Existing UNIX
Accounts</link>.</para>
</listitem>

<listitem>
<para><emphasis role="bold">(Optional)</emphasis> In the new <emphasis role="bold">.login</emphasis> or shell
initialization file, define the user's $PATH environment variable to include the directories where AFS binaries are kept
(for example, the <emphasis role="bold">/usr/afsws/bin</emphasis> and <emphasis role="bold">/usr/afsws/etc</emphasis>
directories).</para>
</listitem>

<listitem id="LIWQ512">
<para>In Step <link linkend="LIWQ513">12</link> and Step <link linkend="LIWQ514">14</link>, you
must know the user's AFS UID. If you had the Protection Server assign it in Step <link linkend="LIWQ506">3</link>, you
probably do not know it. If necessary, issue the <emphasis role="bold">pts examine</emphasis> command to display it.
<programlisting>
% <emphasis role="bold">pts examine</emphasis> &lt;<replaceable>user or group name or id</replaceable>&gt;
</programlisting></para>

<para>where</para>

<variablelist>
<varlistentry>
<term><emphasis role="bold">e</emphasis></term>

<listitem>
<para>Is the shortest acceptable abbreviation of <emphasis role="bold">examine</emphasis>.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">user or group name or id</emphasis></term>

<listitem>
<para>Is the username that you assigned in Step <link linkend="LIWQ506">3</link>.</para>
</listitem>
</varlistentry>
</variablelist>

<para>The first line of the output displays the username and AFS UID. For further discussion and an example of the output,
see <link linkend="HDRWQ536">Displaying Information from the Protection Database</link>.</para>
</listitem>

<listitem id="LIWQ513">
<para>Designate the user as the owner of the home directory and any files and subdirectories
created or moved in Step <link linkend="LIWQ511">9</link>. Specify the owner by the AFS UID you learned in Step <link
linkend="LIWQ512">11</link> rather than by username. This is necessary for new accounts because the user does not yet have
an entry in your local machine's password file (<emphasis role="bold">/etc/passwd</emphasis> or equivalent). If you are
converting an existing UNIX account, an entry possibly already exists, but the UID is possibly incorrect. In that case,
specifying a username means that the corresponding (possibly incorrect) UID is recorded as the owner.</para>

<para>Some operating systems allow only the local superuser <emphasis role="bold">root</emphasis> to issue the <emphasis
role="bold">chown</emphasis> command. If necessary, issue the <emphasis role="bold">su</emphasis> command before the
<emphasis role="bold">chown</emphasis> command.</para>

<programlisting>
% <emphasis role="bold">chown</emphasis> new_owner_ID directory
</programlisting>

<para>where <variablelist>
<varlistentry>
<term><emphasis role="bold">new_owner_ID</emphasis></term>

<listitem>
<para>Is the user's AFS UID, which you learned in Step <link linkend="LIWQ512">11</link>.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">directory</emphasis></term>

<listitem>
<para>Names the home directory you created in Step <link linkend="LIWQ509">6</link>, plus each subdirectory or
file you created in Step <link linkend="LIWQ511">9</link>.</para>
</listitem>
</varlistentry>
</variablelist></para>
</listitem>

<listitem>
<para>If the new user home directory resides in a replicated volume, use the <emphasis role="bold">vos release</emphasis>
command to release the volume, as described in <link linkend="HDRWQ194">To replicate a read/write volume (create a
read-only volume)</link>. <programlisting>
% <emphasis role="bold">vos release</emphasis> &lt;<replaceable>volume name or ID</replaceable>&gt;
</programlisting></para>

<note>
<para>This step can be necessary even if the home directory's parent directory is not itself a mount point for a
replicated volume (and is easier to overlook in that case). Suppose, for example, that the Example Corporation puts the
mount points for user volumes in the <emphasis role="bold">/afs/example.com/usr</emphasis> directory. Because that is a
regular directory rather than a mount point, it resides in the <emphasis role="bold">root.cell</emphasis> volume mounted
at the <emphasis role="bold">/afs/example.com</emphasis> directory. That volume is replicated, so after changing it by
creating a new mount point the administrator must issue the <emphasis role="bold">vos release</emphasis> command.</para>
</note>
</listitem>

<listitem id="LIWQ514">
<para>Create or modify an entry for the new user in the local password file (<emphasis
role="bold">/etc/passwd</emphasis> or equivalent) of each machine the user can log onto. Remember to make the UNIX UID the
same as the AFS UID you learned in Step <link linkend="LIWQ512">11</link>, and to fill the password field appropriately
(for instructions, see <link linkend="HDRWQ497">Specifying Passwords in the Local Password File</link>).</para>
</listitem>
</orderedlist>
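The procedure above, collected into a dry-run shell helper. This is an added example, not code from the AFS documentation or the AFS distribution: it checks a username against the rules in Step 3, builds the conventional volume name and read/write home path from Steps 5 and 6, and prints the commands in order without running them. The cell name example.com, the file server fs1 and the partition /vicepa are assumptions.

```sh
#!/bin/sh
# Added example: dry-run helper for the manual account procedure above.
# Not part of the AFS documentation or distribution. Nothing here talks to
# AFS; the commands are only printed, so the checks run on any POSIX shell.
# Assumed names: cell example.com, file server fs1, partition /vicepa.

# Username check from Step 3: one to eight lowercase letters, so none of
# : ; , @ space newline or period can appear. Letters are spelled out rather
# than written as a-z so the result does not depend on the locale's collation.
afs_username_ok() {
    case "$1" in
        '') return 1 ;;
        *[!abcdefghijklmnopqrstuvwxyz]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Conventional volume name user.<username> from Step 5; volume names are
# limited to 22 characters.
afs_volume_name() {
    vol="user.$1"
    [ "${#vol}" -le 22 ] || return 1
    printf '%s\n' "$vol"
}

# Read/write path to the home directory from Step 6: the period before the
# cell name selects the read/write path, so fs mkmount does not fail on a
# read-only volume.
afs_home_rw_path() {
    printf '/afs/.%s/usr/%s\n' "$1" "$2"
}

# Print the command sequence for one user. Arguments: cell, file server,
# partition, username, optional AFS UID (only when an existing UNIX UID must
# match), optional quota in KB (default 5000, as on the page).
afs_account_commands() {
    cell=$1; server=$2; part=$3; user=$4; uid=$5; quota=${6:-5000}
    afs_username_ok "$user" || { echo "unsuitable username: $user" >&2; return 1; }
    vol=$(afs_volume_name "$user") || { echo "volume name too long: user.$user" >&2; return 1; }
    home=$(afs_home_rw_path "$cell" "$user")
    echo "pts createuser $user${uid:+ $uid}"
    # The initial password is typed at kas's prompts, never on the command line.
    echo "kas create $user -admin admin"
    echo "vos create $server $part $vol -maxquota $quota"
    echo "fs mkmount $home $vol"
    echo "fs setacl $home -acl $user all"
    echo "# chown by AFS UID, not by username; look it up with: pts examine $user"
    echo "# $home lives in the replicated root.cell volume, so: vos release root.cell"
}

# Run as a script: ./afs-account.sh <username> [afs uid] [quota KB]
[ $# -eq 0 ] || afs_account_commands example.com fs1 /vicepa "$@"
```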

<indexterm>
<primary>password</primary>

<secondary>improving security</secondary>
</indexterm>

<indexterm>
<primary>authentication</primary>

<secondary>improving security</secondary>
</indexterm>

<indexterm>
<primary>login</primary>

<secondary>limiting failed attempts</secondary>
</indexterm>

<indexterm>
<primary>klog command</primary>

<secondary>limiting failed attempts</secondary>
</indexterm>
</sect2>
</sect1>

<sect1 id="HDRWQ515">
<title>Improving Password and Authentication Security</title>

<para>AFS provides several optional features that can help to protect your cell's filespace against unauthorized access. The
following list summarizes them, and instructions follow. <itemizedlist>
1125 | <listitem> | |
1126 | <para>Limit the number of consecutive failed login attempts.</para> | |
1127 | ||
1128 | <para>One of the most common ways for an unauthorized user to access your filespace is to guess an authorized user's | |
1129 | password. This method of attack is most dangerous if the attacker can use many login processes in parallel or use the RPC | |
1130 | interfaces directly.</para> | |
1131 | ||
1132 | <para>To protect against this type of attack, use the <emphasis role="bold">-attempts</emphasis> argument to the <emphasis | |
1133 | role="bold">kas setfields</emphasis> command to limit the number of times that a user can consecutively fail to enter the | |
1134 | correct password when using either an AFS-modified login utility or the <emphasis role="bold">klog</emphasis> command. | |
1135 | When the limit is exceeded, the Authentication Server locks the user's Authentication Database entry (disallows | |
1136 | authentication attempts) for a period of time that you define with the <emphasis role="bold">-locktime</emphasis> argument | |
1137 | to the <emphasis role="bold">kas setfields</emphasis> command. If desired, system administrators can use the <emphasis | |
1138 | role="bold">kas unlock</emphasis> command to unlock the entry before the complete lockout time passes.</para> | |
1139 | ||
1140 | <para>In certain circumstances, the mechanism used to enforce the number of failed authentication attempts can cause a | |
1141 | lockout even though the number of failed attempts is less than the limit set by the <emphasis | |
1142 | role="bold">-attempts</emphasis> argument. Client-side authentication programs such as <emphasis | |
1143 | role="bold">klog</emphasis> and an AFS-modified login utility normally choose an Authentication Server at random for each | |
1144 | authentication attempt, and in case of a failure are likely to choose a different Authentication Server for the next | |
1145 | attempt. The Authentication Servers running on the various database server machines do not communicate with each other | |
1146 | about how many times a user has failed to provide the correct password to them. Instead, each Authentication Server | |
1147 | maintains its own separate copy of the auxiliary database file <emphasis role="bold">kaserverauxdb</emphasis> (located in | |
1148 | the <emphasis role="bold">/usr/afs/local</emphasis> directory by default), which records the number of consecutive | |
1149 | authentication failures for each user account and the time of the most recent failure. This implementation means that on | |
1150 | average each Authentication Server knows about only a fraction of the total number of failed attempts. The only way to | |
1151 | avoid allowing more than the number of attempts set by the <emphasis role="bold">-attempts</emphasis> argument is to have | |
1152 | each Authentication Server allow only some fraction of the total. More specifically, if the limit on failed attempts is | |
1153 | <emphasis>f</emphasis>, and the number of Authentication Servers is <emphasis>S</emphasis>, then each Authentication | |
1154 | Server can only permit a number of attempts equal to <emphasis>f</emphasis> divided by <emphasis>S</emphasis> (the Ubik | |
1155 | synchronization site for the Authentication Server tracks any remainder, <emphasis>f mod S</emphasis>).</para> | |
1156 | ||
1157 | <para>Normally, this implementation does not reduce the number of allowed attempts to less than the configured limit | |
1158 | (<emphasis>f</emphasis>). If one Authentication Server refuses an attempt, the client contacts another instance of the | |
1159 | server, continuing until either it successfully authenticates or has contacted all of the servers. However, if one or more | |
1160 | of the Authentication Server processes is unavailable, the limit is effectively reduced by a percentage equal to the | |
1161 | quantity <emphasis>U</emphasis> divided by <emphasis>S</emphasis>, where <emphasis>U</emphasis> is the number of | |
1162 | unavailable servers and <emphasis>S</emphasis> is the number normally available.</para> | |
1163 | ||
1164 | <para>To avoid the undesirable consequences of setting a limit on failed authentication attempts, note the following | |
1165 | recommendations: <itemizedlist> | |
1166 | <listitem> | |
1167 | <para>Do not set the <emphasis role="bold">-attempts</emphasis> argument (the limit on failed authentication | |
1168 | attempts) too low. A limit of nine failed attempts is recommended for regular user accounts, to allow three failed | |
1169 | attempts per Authentication Server in a cell with three database server machines.</para> | |
1170 | </listitem> | |
1171 | ||
1172 | <listitem> | |
1173 | <para>Set fairly short lockout times when including the <emphasis role="bold">-locktime</emphasis> argument. | |
1174 | Although guessing passwords is a common method of attack, it is not a very sophisticated one. Setting a lockout time | |
1175 | can help discourage attackers, but excessively long times are likely to be more of a burden to authorized users than | |
1176 | to potential attackers. A lockout time of 25 minutes is recommended for regular user accounts.</para> | |
1177 | </listitem> | |
1178 | ||
1179 | <listitem> | |
1180 | <para>Do not assign an infinite lockout time on an account (by setting the <emphasis | |
1181 | role="bold">-locktime</emphasis> argument to <emphasis role="bold">0</emphasis> [zero]) unless there is a highly | |
1182 | compelling reason. Such accounts almost inevitably become locked at some point, because each Authentication Server | |
1183 | never resets the account's failure counter in its copy of the <emphasis role="bold">kaauxdb</emphasis> file (in | |
1184 | contrast, when the lockout time is not infinite, the counter resets after the specified amount of time has passed | |
1185 | since the last failed attempt to that Authentication Server). Furthermore, the only way to unlock an account with an | |
1186 | infinite lockout time is for an administrator to issue the <emphasis role="bold">kas unlock</emphasis> command. It | |
1187 | is especially dangerous to set an infinite lockout time on an administrative account; if all administrative accounts | |
1188 | become locked, the only way to unlock them is to shut down all instances of the Authentication Server and remove the | |
1189 | <emphasis role="bold">kaauxdb</emphasis> file on each.</para> | |
1190 | </listitem> | |
1191 | </itemizedlist></para> | |
1192 | ||
1193 | <para>In summary, the recommended limit on failed authentication attempts is nine and the recommended lockout time is 25 minutes.</para> | |
1194 | </listitem> | |
1195 | ||
1196 | <listitem> | |
1197 | <para>Limit password lifetime.</para> | |
1198 | ||
1199 | <para>The longer a password is in use, the more time an attacker has to try to learn it. To protect against this type of | |
1200 | attack, use the <emphasis role="bold">-pwexpires</emphasis> argument to the <emphasis role="bold">kas setfields</emphasis> | |
1201 | command to limit how many days a user's password is valid. The user becomes unable to authenticate with AFS after the | |
1202 | password expires, but has up to 30 days to use the <emphasis role="bold">kpasswd</emphasis> command to set a new password. | |
1203 | After the 30 days pass, only an administrator who has the <computeroutput>ADMIN</computeroutput> flag on the | |
1204 | Authentication Database entry can change the password.</para> | |
1205 | ||
1206 | <para>If you set a password lifetime, many AFS-modified login utilities (but not the <emphasis role="bold">klog</emphasis> | |
1207 | command) set the PASSWORD_EXPIRES environment variable to the number of days remaining until the password expires. A | |
1208 | setting of zero means that the password expires today. If desired, you can customize your users' login scripts to display | |
1209 | the number of days remaining before expiration and even prompt for a password change when a small number of days remain | |
1210 | before expiration.</para> | |
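<para>The following shell fragment is an added example of such a login-script customization; it is not part of the
OpenAFS distribution or of this guide's procedures. It reads the PASSWORD_EXPIRES variable described above from a
POSIX sh-compatible login script, treats an unset variable (the <emphasis role="bold">klog</emphasis> case, or an
account with no password lifetime) as nothing to report, and uses an assumed site threshold, WARN_DAYS, for when to
start warning.</para>

```sh
# Added example of a login-script hook for the PASSWORD_EXPIRES variable that
# AFS-modified login utilities set (not part of the OpenAFS distribution).
# WARN_DAYS is an assumed site policy: warn when this many days or fewer remain.
WARN_DAYS=7

# password_expiry_state DAYS
# Classifies a PASSWORD_EXPIRES value: "unset" when the variable was not set
# (klog, or no lifetime on the account), "invalid" for non-numeric values,
# "expired" for 0 (the password expires today), "warn" when WARN_DAYS or fewer
# days remain, otherwise "ok".
password_expiry_state() {
    case ${1-} in
        '') echo unset ;;
        *[!0-9]*) echo invalid ;;
        *)
            if [ "$1" -eq 0 ]; then
                echo expired
            elif [ "$1" -le "$WARN_DAYS" ]; then
                echo warn
            else
                echo ok
            fi
            ;;
    esac
}

# password_expiry_message DAYS
# Prints the text to show the user, or nothing when there is nothing to say.
password_expiry_message() {
    case $(password_expiry_state "${1-}") in
        expired) echo "Your AFS password expires today. Change it now with kpasswd." ;;
        warn)    echo "Your AFS password expires in $1 day(s). Change it soon with kpasswd." ;;
        *)       : ;;
    esac
}

# Login-time hook: print the notice and, on an interactive terminal, offer to
# run kpasswd immediately. Silent when PASSWORD_EXPIRES is unset or far off.
password_expiry_notice() {
    msg=$(password_expiry_message "${PASSWORD_EXPIRES-}")
    [ -n "$msg" ] || return 0
    echo "$msg"
    if [ -t 0 ] && [ -t 1 ]; then
        printf 'Run kpasswd now? [y/N] '
        IFS= read -r answer
        case $answer in
            [Yy]*) kpasswd ;;
        esac
    fi
}

# Call from the user's login script (for example .profile); harmless when the
# variable is not set.
password_expiry_notice
```

<para>Keeping the classification in a separate function makes the policy (the threshold, the treatment of
unset or malformed values) easy to test without a terminal, while the hook itself only prompts when both standard
input and output are a terminal, so non-interactive logins are not blocked waiting for an answer.</para>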
1211 | </listitem> | |
1212 | ||
1213 | <listitem> | |
1214 | <para>Prohibit reuse of passwords.</para> | |
1215 | ||
1216 | <para>Forcing users to select new passwords periodically is not effective if they simply set the new password to the | |
1217 | current value. To prevent a user from setting a new password to a string similar to any of the last 20 passwords, use the | |
1218 | <emphasis role="bold">-reuse</emphasis> argument to the <emphasis role="bold">kas setfields</emphasis> command.</para> | |
1219 | ||
1220 | <para>If you prohibit password reuse and the user specifies an excessively similar password, the Authentication Server | |
1221 | generates the following message to reject it:</para> | |
1222 | ||
1223 | <programlisting> | |
1224 | Password was not changed because it seems like a reused password | |
1225 | </programlisting> | |
1226 | ||
1227 | <para>A persistent user can try to bypass this restriction by changing the password 20 times in quick succession (or | |
1228 | running a script to do so). If you believe this is likely to be a problem, you can include the <emphasis | |
1229 | role="bold">-minhours</emphasis> argument to the <emphasis role="bold">kaserver</emphasis> initialization command (for | |
1230 | details, see the command's reference page in the <emphasis>OpenAFS Administration Reference</emphasis>). If the user | |
1231 | attempts to change passwords too frequently, the following message appears:</para> | |
1232 | ||
1233 | <programlisting> | |
1234 | Password was not changed because you changed it too recently; see | |
1235 | your systems administrator | |
1236 | </programlisting> | |
1237 | </listitem> | |
1238 | ||
1239 | <listitem> | |
1240 | <para>Check the quality of new passwords.</para> | |
1241 | ||
1242 | <para>You can impose a minimum quality standard on passwords by writing a script or program called <emphasis | |
1243 | role="bold">kpwvalid</emphasis>. If the <emphasis role="bold">kpwvalid</emphasis> file exists, the <emphasis | |
1244 | role="bold">kpasswd</emphasis> and <emphasis role="bold">kas setpassword</emphasis> command interpreters invoke it to | |
1245 | check a new password. If the password does not comply with the quality standard, the <emphasis | |
1246 | role="bold">kpwvalid</emphasis> program returns an appropriate code and the command interpreter rejects the | |
1247 | password.</para> | |
1248 | ||
1249 | <para>The <emphasis role="bold">kpwvalid</emphasis> file must be executable, must reside in the same AFS directory as the | |
1250 | <emphasis role="bold">kpasswd</emphasis> and <emphasis role="bold">kas</emphasis> binaries, and its directory's ACL must | |
1251 | grant the <emphasis role="bold">w</emphasis> (<emphasis role="bold">write</emphasis>) permission only to the <emphasis | |
1252 | role="bold">system:administrators</emphasis> group.</para> | |
1253 | ||
1254 | <para>If you choose to write a <emphasis role="bold">kpwvalid</emphasis> program, consider imposing standards such as the | |
1255 | following. <itemizedlist> | |
1256 | <listitem> | |
1257 | <para>A minimum length</para> | |
1258 | </listitem> | |
1259 | ||
1260 | <listitem> | |
1261 | <para>Words found in the dictionary are prohibited</para> | |
1262 | </listitem> | |
1263 | ||
1264 | <listitem> | |
1265 | <para>Numbers, punctuation, or both must appear along with letters</para> | |
1266 | </listitem> | |
1267 | </itemizedlist></para> | |
1268 | ||
1269 | <para>The AFS distribution includes an example <emphasis role="bold">kpwvalid</emphasis> program. See the <emphasis | |
1270 | role="bold">kpwvalid</emphasis> reference page in the <emphasis>OpenAFS Administration Reference</emphasis>.</para> | |
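<para>The following POSIX shell script is an added example of a <emphasis role="bold">kpwvalid</emphasis> filter
that imposes the three standards listed above; it is not the example program shipped in the AFS distribution. It
assumes the calling convention described on the <emphasis role="bold">kpwvalid</emphasis> reference page, namely
that <emphasis role="bold">kpasswd</emphasis> and <emphasis role="bold">kas setpassword</emphasis> write the
current password on the first line of standard input and the new password on the second, and that a non-zero exit
status causes the command interpreter to reject the new password; confirm this against the reference page for your
release before installing it. The minimum length of 8 and the inline word list are constructed values standing in
for a site policy and a dictionary file such as /usr/share/dict/words.</para>

```sh
#!/bin/sh
# Example kpwvalid password-quality filter (added example; not the program
# shipped with the AFS distribution).
# Assumed calling convention, to be confirmed against the kpwvalid reference
# page: kpasswd / kas setpassword write the current password on the first
# line of standard input and the new password on the second, and a non-zero
# exit status makes the command interpreter reject the new password.

MIN_LENGTH=8   # assumed site policy value

# Constructed stand-in for a site dictionary (a real deployment would read a
# file such as /usr/share/dict/words instead of this inline list).
WORDLIST='password
secret
welcome
letmein
openafs
qwerty'

# check_password NEW OLD
# Prints the reason for rejection and returns 1, or returns 0 silently when
# NEW meets every standard. Only the reason is printed, never the password.
check_password() {
    new=$1
    old=$2

    # Standard: a minimum length.
    if [ "${#new}" -lt "$MIN_LENGTH" ]; then
        echo "Password must be at least $MIN_LENGTH characters long"
        return 1
    fi

    # Standard: numbers, punctuation, or both must appear along with letters.
    case $new in
        *[A-Za-z]*) ;;
        *) echo "Password must contain letters"; return 1 ;;
    esac
    case $new in
        *[!A-Za-z]*) ;;
        *) echo "Password must also contain digits or punctuation"; return 1 ;;
    esac

    # Standard: words found in the dictionary are prohibited. Compare the
    # letters only, lower-cased, so that "Password1!" is still caught.
    letters=$(printf '%s' "$new" | tr -cd 'A-Za-z' | tr 'A-Z' 'a-z')
    if printf '%s\n' "$WORDLIST" | grep -qxF -- "$letters"; then
        echo "Password is based on a dictionary word"
        return 1
    fi

    # The new password must differ from the current one.
    if [ -n "$old" ] && [ "$new" = "$old" ]; then
        echo "New password must differ from the current password"
        return 1
    fi
    return 0
}

# Entry point used when kpasswd or kas invoke the installed file: read the
# current password, then the new one, and exit with check_password's status.
kpwvalid_main() {
    IFS= read -r old_pw || old_pw=
    IFS= read -r new_pw || new_pw=
    check_password "$new_pw" "$old_pw"
}

# Run the entry point only when executed under the installed name, so that
# the functions can also be sourced and exercised on their own.
case $0 in
    *kpwvalid) kpwvalid_main; exit $? ;;
esac
```

<para>The script deliberately prints only the reason for a rejection and never the candidate password, since its
output is shown to the user and may be captured in terminal logs. Because it runs with the privileges of whoever
invokes <emphasis role="bold">kpasswd</emphasis>, the ACL requirement above (write permission on its directory
only for <emphasis role="bold">system:administrators</emphasis>) is what prevents an ordinary user from replacing
it with a filter that accepts anything.</para>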
1271 | </listitem> | |
1272 | </itemizedlist></para> | |
1273 | ||
1274 | <indexterm> | |
1275 | <primary>kas commands</primary> | |
1276 | ||
1277 | <secondary>setfields</secondary> | |
1278 | ||
1279 | <tertiary>limiting failed authentication attempts</tertiary> | |
1280 | </indexterm> | |
1281 | ||
1282 | <indexterm> | |
1283 | <primary>commands</primary> | |
1284 | ||
1285 | <secondary>kas setfields</secondary> | |
1286 | ||
1287 | <tertiary>limiting failed authentication attempts</tertiary> | |
1288 | </indexterm> | |
1289 | ||
1290 | <sect2 id="Header_585"> | |
1291 | <title>To limit the number of consecutive failed authentication attempts</title> | |
1292 | ||
1293 | <orderedlist> | |
1294 | <listitem> | |
1295 | <para>Issue the <emphasis role="bold">kas setfields</emphasis> command with the <emphasis role="bold">-attempts</emphasis> | |
1296 | and <emphasis role="bold">-locktime</emphasis> arguments.</para> | |
1297 | ||
1298 | <para>The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, | |
1299 | it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. | |
1300 | Include the <emphasis role="bold">-admin</emphasis> argument to name an identity that has the | |
1301 | <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry. To verify that an entry has the flag, | |
1302 | issue the <emphasis role="bold">kas examine</emphasis> command as described in <link linkend="HDRWQ590">To check if the | |
1303 | ADMIN flag is set</link>.</para> | |
1304 | ||
1305 | <programlisting> | |
1306 | % <emphasis role="bold">kas setfields</emphasis> <<replaceable>name of user</replaceable>> \ | |
1307 | <emphasis role="bold">-admin</emphasis> <<replaceable>admin principal to use for authentication</replaceable>> \ | |
1308 | <emphasis role="bold">-attempts</emphasis> <<replaceable>maximum successive failed login tries ([0..254])</replaceable>> \ | |
1309 | <emphasis role="bold">-locktime</emphasis> <<replaceable>failure penalty [hh:mm or minutes]</replaceable>> | |
1310 | Administrator's (admin_user) password: <<replaceable>admin_password</replaceable>> | |
1311 | </programlisting> | |
1312 | ||
1313 | <para>where <variablelist> | |
1314 | <varlistentry> | |
1315 | <term><emphasis role="bold">name of user</emphasis></term> | |
1316 | ||
1317 | <listitem> | |
1318 | <para>Names the Authentication Database entry to edit.</para> | |
1319 | </listitem> | |
1320 | </varlistentry> | |
1321 | ||
1322 | <varlistentry> | |
1323 | <term><emphasis role="bold">-admin</emphasis></term> | |
1324 | ||
1325 | <listitem> | |
1326 | <para>Names an administrative account that has the <computeroutput>ADMIN</computeroutput> flag on its | |
1327 | Authentication Database entry, such as the <emphasis role="bold">admin</emphasis> account. The password prompt | |
1328 | echoes it as admin_user. Enter the appropriate password as admin_password.</para> | |
1329 | </listitem> | |
1330 | </varlistentry> | |
1331 | ||
1332 | <varlistentry> | |
1333 | <term><emphasis role="bold">-attempts</emphasis></term> | |
1334 | ||
1335 | <listitem> | |
1336 | <para>Specifies the maximum consecutive number of times that a user can fail to provide the correct password | |
1337 | during authentication (via the <emphasis role="bold">klog</emphasis> command or an AFS-modified login utility) | |
1338 | before the Authentication Server refuses further attempts for the amount of time specified by the <emphasis | |
1339 | role="bold">-locktime</emphasis> argument. The range of valid values is <emphasis role="bold">0</emphasis> (zero) | |
1340 | through <emphasis role="bold">254</emphasis>. If you omit this argument or specify <emphasis | |
1341 | role="bold">0</emphasis>, the Authentication Server allows an unlimited number of failures.</para> | |
1342 | </listitem> | |
1343 | </varlistentry> | |
1344 | ||
1345 | <varlistentry> | |
1346 | <term><emphasis role="bold">-locktime</emphasis></term> | |
1347 | ||
1348 | <listitem> | |
1349 | <para>Specifies how long the Authentication Server refuses authentication attempts after the user exceeds the | |
1350 | failure limit specified by the <emphasis role="bold">-attempts</emphasis> argument.</para> | |
1351 | ||
1352 | <para>Specify a time in either hours and minutes (hh:mm) or minutes only (mm), from the range <emphasis | |
1353 | role="bold">01</emphasis> (one minute) through <emphasis role="bold">36:00</emphasis> (36 hours). The <emphasis | |
1354 | role="bold">kas</emphasis> command interpreter automatically reduces any larger value to 36:00 and also rounds up | |
1355 | each nonzero value to the next-higher multiple of 8.5 minutes.</para> | |
1356 | ||
1357 | <para>It is best not to provide a value of <emphasis role="bold">0</emphasis> (zero), especially on administrative | |
1358 | accounts, because it sets an infinite lockout time. An administrator must always issue the <emphasis | |
1359 | role="bold">kas unlock</emphasis> command to unlock such an account.</para> | |
1360 | </listitem> | |
1361 | </varlistentry> | |
1362 | </variablelist></para> | |
1363 | </listitem> | |
1364 | </orderedlist> | |
1365 | </sect2> | |
1366 | ||
1367 | <sect2 id="Header_586"> | |
1368 | <title>To unlock a locked user account</title> | |
1369 | ||
1370 | <orderedlist> | |
1371 | <listitem> | |
1372 | <para>Issue the <emphasis role="bold">kas</emphasis> command to enter interactive mode.</para> | |
1373 | ||
1374 | <para>The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, | |
1375 | it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. | |
1376 | Include the <emphasis role="bold">-admin</emphasis> argument to name an identity that has the | |
1377 | <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry. To verify that an entry has the flag, | |
1378 | issue the <emphasis role="bold">kas examine</emphasis> command as described in <link linkend="HDRWQ590">To check if the | |
1379 | ADMIN flag is set</link>.</para> | |
1380 | ||
1381 | <programlisting> | |
1382 | % <emphasis role="bold">kas -admin</emphasis> <<replaceable>admin principal to use for authentication</replaceable>> | |
1383 | Administrator's (admin_user) password: <<replaceable>admin_password</replaceable>> | |
1384 | ka> | |
1385 | </programlisting> | |
1386 | ||
1387 | <para>where <emphasis role="bold">-admin</emphasis> names an administrative account that has the | |
1388 | <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry, such as <emphasis | |
1389 | role="bold">admin</emphasis>. The password prompt echoes it as admin_user. Enter the appropriate password as | |
1390 | admin_password.</para> | |
1391 | </listitem> | |
1392 | ||
1393 | <listitem> | |
1394 | <para>Issue the <emphasis role="bold">(kas) examine</emphasis> command to verify that the user's account is in fact | |
1395 | locked, as indicated by the message shown: <programlisting> | |
1396 | ka> <emphasis role="bold">examine</emphasis> <<replaceable>name of user</replaceable>> | |
1397 | User is locked until time | |
1398 | </programlisting> <indexterm> | |
1399 | <primary>kas commands</primary> | |
1400 | ||
1401 | <secondary>unlock</secondary> | |
1402 | </indexterm> <indexterm> | |
1403 | <primary>commands</primary> | |
1404 | ||
1405 | <secondary>kas unlock</secondary> | |
1406 | </indexterm></para> | |
1407 | </listitem> | |
1408 | ||
1409 | <listitem> | |
1410 | <para>Issue the <emphasis role="bold">(kas) unlock</emphasis> command to unlock the account. <programlisting> | |
1411 | ka> <emphasis role="bold">unlock</emphasis> <<replaceable>authentication ID</replaceable>> | |
1412 | </programlisting></para> | |
1413 | ||
1414 | <para>where</para> | |
1415 | ||
1416 | <variablelist> | |
1417 | <varlistentry> | |
1418 | <term><emphasis role="bold">u</emphasis></term> | |
1419 | ||
1420 | <listitem> | |
1421 | <para>Is the shortest acceptable abbreviation of <emphasis role="bold">unlock</emphasis>.</para> | |
1422 | </listitem> | |
1423 | </varlistentry> | |
1424 | ||
1425 | <varlistentry> | |
1426 | <term><emphasis role="bold">authentication ID</emphasis></term> | |
1427 | ||
1428 | <listitem> | |
1429 | <para>Names the Authentication Database entry to unlock.</para> | |
1430 | </listitem> | |
1431 | </varlistentry> | |
1432 | </variablelist> | |
1433 | </listitem> | |
1434 | </orderedlist> | |
1435 | ||
1436 | <indexterm> | |
1437 | <primary>kas commands</primary> | |
1438 | ||
1439 | <secondary>setfields</secondary> | |
1440 | ||
1441 | <tertiary>setting password lifetime</tertiary> | |
1442 | </indexterm> | |
1443 | ||
1444 | <indexterm> | |
1445 | <primary>commands</primary> | |
1446 | ||
1447 | <secondary>kas setfields</secondary> | |
1448 | ||
1449 | <tertiary>setting password lifetime</tertiary> | |
1450 | </indexterm> | |
1451 | ||
1452 | <indexterm> | |
1453 | <primary>Authentication Database</primary> | |
1454 | ||
1455 | <secondary>password lifetime, setting</secondary> | |
1456 | </indexterm> | |
1457 | </sect2> | |
1458 | ||
1459 | <sect2 id="Header_587"> | |
1460 | <title>To set password lifetime</title> | |
1461 | ||
1462 | <orderedlist> | |
1463 | <listitem> | |
1464 | <para>Issue the <emphasis role="bold">kas setfields</emphasis> command with the <emphasis | |
1465 | role="bold">-pwexpires</emphasis> argument.</para> | |
1466 | ||
1467 | <para>The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, | |
1468 | it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. | |
1469 | Include the <emphasis role="bold">-admin</emphasis> argument to name an identity that has the | |
1470 | <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry. To verify that an entry has the flag, | |
1471 | issue the <emphasis role="bold">kas examine</emphasis> command as described in <link linkend="HDRWQ590">To check if the | |
1472 | ADMIN flag is set</link>.</para> | |
1473 | ||
1474 | <programlisting> | |
1475 | % <emphasis role="bold">kas setfields</emphasis> <<replaceable>name of user</replaceable>> \ | |
1476 | <emphasis role="bold">-pwexpires</emphasis> <<replaceable>number days password is valid ([0..254])</replaceable>> \ | |
1477 | <emphasis role="bold">-admin</emphasis> <<replaceable>admin principal to use for authentication</replaceable>> | |
1478 | Administrator's (admin_user) password: <<replaceable>admin_password</replaceable>> | |
1479 | </programlisting> | |
1480 | ||
1481 | <para>where <variablelist> | |
1482 | <varlistentry> | |
1483 | <term><emphasis role="bold">name of user</emphasis></term> | |
1484 | ||
1485 | <listitem> | |
1486 | <para>Specifies the Authentication Database entry on which to impose a password expiration.</para> | |
1487 | </listitem> | |
1488 | </varlistentry> | |
1489 | ||
1490 | <varlistentry> | |
1491 | <term><emphasis role="bold">-pwexpires</emphasis></term> | |
1492 | ||
1493 | <listitem> | |
1494 | <para>Sets the number of days after the user's password was last changed that it remains valid. Provide an integer | |
1495 | from the range <emphasis role="bold">1</emphasis> through <emphasis role="bold">254</emphasis> to specify the | |
1496 | number of days until expiration.</para> | |
1497 | ||
1498 | <para>When the password becomes invalid (expires), the user is unable to authenticate, but has 30 more days in | |
1499 | which to issue the <emphasis role="bold">kpasswd</emphasis> or <emphasis role="bold">kas setpassword</emphasis> | |
1500 | command to change the password (after that, only an administrator can change it). Note that the clock starts at | |
1501 | the time the password was last changed, not when the <emphasis role="bold">kas setfields</emphasis> command is | |
1502 | issued. To avoid retroactive expiration, have the user change the password just before issuing the command.</para> | |
1503 | </listitem> | |
1504 | </varlistentry> | |
1505 | ||
1506 | <varlistentry> | |
1507 | <term><emphasis role="bold">-admin</emphasis></term> | |
1508 | ||
1509 | <listitem> | |
1510 | <para>Names an administrative account that has the <computeroutput>ADMIN</computeroutput> flag on its | |
1511 | Authentication Database entry, such as <emphasis role="bold">admin</emphasis>. The password prompt echoes it as | |
1512 | admin_user. Enter the appropriate password as admin_password.</para> | |
1513 | </listitem> | |
1514 | </varlistentry> | |
1515 | </variablelist></para> | |
1516 | </listitem> | |
1517 | </orderedlist> | |
1518 | ||
1519 | <indexterm> | |
1520 | <primary>kas commands</primary> | |
1521 | ||
1522 | <secondary>setfields</secondary> | |
1523 | ||
1524 | <tertiary>prohibiting password reuse</tertiary> | |
1525 | </indexterm> | |
1526 | ||
1527 | <indexterm> | |
1528 | <primary>commands</primary> | |
1529 | ||
1530 | <secondary>kas setfields</secondary> | |
1531 | ||
1532 | <tertiary>prohibiting password reuse</tertiary> | |
1533 | </indexterm> | |
1534 | </sect2> | |
1535 | ||
1536 | <sect2 id="Header_588"> | |
1537 | <title>To prohibit reuse of passwords</title> | |
1538 | ||
1539 | <orderedlist> | |
1540 | <listitem> | |
1541 | <para>Issue the <emphasis role="bold">kas setfields</emphasis> command with the <emphasis role="bold">-reuse</emphasis> | |
1542 | argument.</para> | |
1543 | ||
1544 | <para>The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, | |
1545 | it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. | |
1546 | Include the <emphasis role="bold">-admin</emphasis> argument to name an identity that has the | |
1547 | <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry. To verify that an entry has the flag, | |
1548 | issue the <emphasis role="bold">kas examine</emphasis> command as described in <link linkend="HDRWQ590">To check if the | |
1549 | ADMIN flag is set</link>.</para> | |
1550 | ||
1551 | <programlisting> | |
1552 | % <emphasis role="bold">kas setfields</emphasis> <<replaceable>name of user</replaceable>> <emphasis role="bold">-reuse</emphasis> <<replaceable>permit password reuse (yes/no)</replaceable>> \ | |
1553 | <emphasis role="bold">-admin</emphasis> <<replaceable>admin principal to use for authentication</replaceable>> | |
1554 | Administrator's (admin_user) password: <<replaceable>admin_password</replaceable>> | |
1555 | </programlisting> | |
1556 | ||
1557 | <para>where <variablelist> | |
1558 | <varlistentry> | |
1559 | <term><emphasis role="bold">name of user</emphasis></term> | |
1560 | ||
1561 | <listitem> | |
1562 | <para>Names the Authentication Database entry for which to set the password reuse policy.</para> | |
1563 | </listitem> | |
1564 | </varlistentry> | |
1565 | ||
1566 | <varlistentry> | |
1567 | <term><emphasis role="bold">-reuse</emphasis></term> | |
1568 | ||
1569 | <listitem> | |
1570 | <para>Specifies whether the Authentication Server allows reuse of passwords similar to any of the user's last 20 | |
1571 | passwords. Specify the value <emphasis role="bold">no</emphasis> to prohibit reuse, or the value <emphasis | |
1572 | role="bold">yes</emphasis> to reinstate the default of allowing password reuse.</para> | |
1573 | </listitem> | |
1574 | </varlistentry> | |
1575 | ||
1576 | <varlistentry> | |
1577 | <term><emphasis role="bold">-admin</emphasis></term> | |
1578 | ||
1579 | <listitem> | |
1580 | <para>Names an administrative account that has the <computeroutput>ADMIN</computeroutput> flag on its | |
1581 | Authentication Database entry, such as <emphasis role="bold">admin</emphasis>. The password prompt echoes it as | |
1582 | admin_user. Enter the appropriate password as admin_password.</para> | |
1583 | </listitem> | |
1584 | </varlistentry> | |
1585 | </variablelist></para> | |
1586 | </listitem> | |
1587 | </orderedlist> | |
1588 | ||
1589 | <indexterm> | |
1590 | <primary>password</primary> | |
1591 | ||
1592 | <secondary>setting in Authentication Database</secondary> | |
1593 | </indexterm> | |
1594 | ||
1595 | <indexterm> | |
1596 | <primary>setting</primary> | |
1597 | ||
1598 | <secondary>password</secondary> | |
1599 | ||
1600 | <tertiary>in Authentication Database</tertiary> | |
1601 | </indexterm> | |
1602 | ||
1603 | <indexterm> | |
1604 | <primary>Authentication Database</primary> | |
1605 | ||
1606 | <secondary>password</secondary> | |
1607 | ||
1608 | <tertiary>setting</tertiary> | |
1609 | </indexterm> | |
1610 | </sect2> | |
1611 | </sect1> | |
1612 | ||
1613 | <sect1 id="HDRWQ516"> | |
1614 | <title>Changing AFS Passwords</title> | |
1615 | ||
1616 | <para>After setting an initial password during account creation, you normally do not need to change user passwords, since | |
1617 | users can change them themselves with the <emphasis role="bold">kpasswd</emphasis> command by following the instructions in the | |
1618 | <emphasis>OpenAFS User Guide</emphasis>. In the rare event that a user forgets the password or otherwise cannot log in, you can use the <emphasis | |
1619 | role="bold">kas setpassword</emphasis> command to set a new password.</para> | |
1620 | ||
1621 | <para>If entries in the local password file (<emphasis role="bold">/etc/passwd</emphasis> or equivalent) have actual scrambled | |
1622 | passwords in their password field, remember to change the password there also. For further discussion, see <link | |
1623 | linkend="HDRWQ497">Specifying Passwords in the Local Password File</link>. <indexterm> | |
1624 | <primary>kas commands</primary> | |
1625 | ||
1626 | <secondary>setpassword</secondary> | |
1627 | </indexterm> <indexterm> | |
1628 | <primary>commands</primary> | |
1629 | ||
1630 | <secondary>kas setpassword</secondary> | |
1631 | </indexterm></para> | |
1632 | ||
1633 | <sect2 id="Header_590"> | |
1634 | <title>To change an AFS password</title> | |
1635 | ||
1636 | <orderedlist> | |
1637 | <listitem> | |
1638 | <para>Issue the <emphasis role="bold">kas setpassword</emphasis> command to change the password. To avoid having the new | |
1639 | password echo visibly on the screen, omit the <emphasis role="bold">-new_password</emphasis> argument; instead enter the | |
1640 | password at the prompts that appear when you omit the argument, as shown.</para> | |
1641 | ||
1642 | <para>The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, | |
1643 | it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. | |
1644 | Include the <emphasis role="bold">-admin</emphasis> argument to name an identity that has the | |
1645 | <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry. To verify that an entry has the flag, | |
1646 | issue the <emphasis role="bold">kas examine</emphasis> command as described in <link linkend="HDRWQ590">To check if the | |
1647 | ADMIN flag is set</link>.</para> | |
1648 | ||
1649 | <programlisting> | |
1650 | % <emphasis role="bold">kas setpassword</emphasis> <<replaceable>name of user</replaceable>> \ | |
1651 | <emphasis role="bold">-admin</emphasis> <<replaceable>admin principal to use for authentication</replaceable>> | |
1652 | Administrator's (admin_user) password: <<replaceable>admin_password</replaceable>> | |
1653 | new_password: <<replaceable>new_password</replaceable>> | |
1654 | Verifying, please re-enter new_password: <<replaceable>new_password</replaceable>> | |
1655 | </programlisting> | |
1656 | ||
1657 | <para>where <variablelist> | |
1658 | <varlistentry> | |
1659 | <term><emphasis role="bold">sp</emphasis></term> | |
1660 | ||
1661 | <listitem> | |
1662 | <para>Is an acceptable alias for <emphasis role="bold">setpassword</emphasis> (<emphasis | |
1663 | role="bold">setp</emphasis> is the shortest acceptable abbreviation).</para> | |
1664 | </listitem> | |
1665 | </varlistentry> | |
1666 | ||
1667 | <varlistentry> | |
1668 | <term><emphasis role="bold">name of user</emphasis></term> | |
1669 | ||
1670 | <listitem> | |
1671 | <para>Names the Authentication Database entry for which to set the password.</para> | |
1672 | </listitem> | |
1673 | </varlistentry> | |
1674 | ||
1675 | <varlistentry> | |
1676 | <term><emphasis role="bold">-admin</emphasis></term> | |
1677 | ||
1678 | <listitem> | |
1679 | <para>Names an administrative account that has the <computeroutput>ADMIN</computeroutput> flag on its | |
1680 | Authentication Database entry, such as <emphasis role="bold">admin</emphasis>. The password prompt echoes it as | |
1681 | admin_user. Enter the appropriate password as admin_password.</para> | |
1682 | </listitem> | |
1683 | </varlistentry> | |
1684 | ||
1685 | <varlistentry> | |
1686 | <term><emphasis role="bold">new_password</emphasis></term> | |
1687 | ||
1688 | <listitem> | |
1689 | <para>Specifies the user's new password. It is subject to the restrictions imposed by the <emphasis | |
1690 | role="bold">kpwvalid</emphasis> program, if you use it.</para> | |
1691 | </listitem> | |
1692 | </varlistentry> | |
1693 | </variablelist></para> | |
1694 | </listitem> | |
1695 | </orderedlist> | |
1696 | </sect2> | |
1697 | </sect1> | |
1698 | ||
1699 | <sect1 id="HDRWQ517"> | |
1700 | <title>Displaying and Setting the Quota on User Volumes</title> | |
1701 | ||
1702 | <para>User volumes are like all other volumes with respect to quota. Each new AFS volume has a default quota of 5000 KB, unless | |
1703 | you use the <emphasis role="bold">-maxquota</emphasis> argument to the <emphasis role="bold">vos create</emphasis> command to | |
1704 | set a different quota. You can also use either of the following commands to change quota at any time: <itemizedlist> | |
1705 | <listitem> | |
1706 | <para><emphasis role="bold">fs setquota</emphasis></para> | |
1707 | </listitem> | |
1708 | ||
1709 | <listitem> | |
1710 | <para><emphasis role="bold">fs setvol</emphasis></para> | |
1711 | </listitem> | |
1712 | </itemizedlist></para> | |
1713 | ||
1714 | <para>You can use any of the three following commands to display a volume's quota: <itemizedlist> | |
1715 | <listitem> | |
1716 | <para><emphasis role="bold">fs quota</emphasis></para> | |
1717 | </listitem> | |
1718 | ||
1719 | <listitem> | |
1720 | <para><emphasis role="bold">fs listquota</emphasis></para> | |
1721 | </listitem> | |
1722 | ||
1723 | <listitem> | |
1724 | <para><emphasis role="bold">fs examine</emphasis></para> | |
1725 | </listitem> | |
1726 | </itemizedlist></para> | |
1727 | ||
1728 | <para>For instructions, see <link linkend="HDRWQ234">Setting and Displaying Volume Quota and Current Size</link>. <indexterm> | |
1729 | <primary>username</primary> | |
1730 | ||
1731 | <secondary>changing</secondary> | |
1732 | </indexterm> <indexterm> | |
1733 | <primary>changing</primary> | |
1734 | ||
1735 | <secondary>username</secondary> | |
1736 | </indexterm> <indexterm> | |
1737 | <primary>renaming</primary> | |
1738 | ||
1739 | <secondary>user account components</secondary> | |
1740 | </indexterm> <indexterm> | |
1741 | <primary>Protection Database</primary> | |
1742 | ||
1743 | <secondary>changing username</secondary> | |
1744 | </indexterm> <indexterm> | |
1745 | <primary>Authentication Database</primary> | |
1746 | ||
1747 | <secondary>changing username</secondary> | |
1748 | </indexterm></para> | |
1749 | </sect1> | |
1750 | ||
1751 | <sect1 id="HDRWQ518"> | |
1752 | <title>Changing Usernames</title> | |
1753 | ||
1754 | <para>By convention, many components of a user account incorporate the username, including the Protection and Authentication | |
1755 | Database entries, the volume name and the home directory name. When changing a username, it is best to maintain consistency by | |
1756 | changing the names of all components, so the procedure for changing a username has almost as many steps as the procedure for | |
1757 | creating a new user account.</para> | |
1758 | ||
1759 | <sect2 id="Header_593"> | |
1760 | <title>To change a username</title> | |
1761 | ||
1762 | <orderedlist> | |
1763 | <indexterm> | |
1764 | <primary>pts commands</primary> | |
1765 | ||
1766 | <secondary>rename</secondary> | |
1767 | ||
1768 | <tertiary>username</tertiary> | |
1769 | </indexterm> | |
1770 | ||
1771 | <indexterm> | |
1772 | <primary>commands</primary> | |
1773 | ||
1774 | <secondary>pts rename</secondary> | |
1775 | ||
1776 | <tertiary>username</tertiary> | |
1777 | </indexterm> | |
1778 | ||
1779 | <listitem> | |
1780 | <para>Authenticate as an AFS identity with all of the following privileges. In the conventional configuration, the | |
1781 | <emphasis role="bold">admin</emphasis> user account has them, or you possibly have a personal administrative account. (To | |
1782 | increase cell security, it is best to create special privileged accounts for use only while performing administrative | |
1783 | procedures; for further discussion, see <link linkend="HDRWQ584">An Overview of Administrative Privilege</link>.) If | |
1784 | necessary, issue the <emphasis role="bold">klog</emphasis> command to authenticate. <programlisting> | |
1785 | % <emphasis role="bold">klog</emphasis> admin_user | |
1786 | Password: <<replaceable>admin_password</replaceable>> | |
1787 | </programlisting></para> | |
1788 | ||
1789 | <para>The following list specifies the necessary privileges and indicates how to check that you have them.</para> | |
1790 | ||
1791 | <itemizedlist> | |
1792 | <listitem> | |
1793 | <para>Membership in the <emphasis role="bold">system:administrators</emphasis> group. If necessary, issue the | |
1794 | <emphasis role="bold">pts membership</emphasis> command, which is fully described in <link linkend="HDRWQ587">To | |
1795 | display the members of the system:administrators group</link>. <programlisting> | |
1796 | % <emphasis role="bold">pts membership system:administrators</emphasis> | |
1797 | </programlisting></para> | |
1798 | </listitem> | |
1799 | ||
1800 | <listitem> | |
1801 | <para>Inclusion in the <emphasis role="bold">/usr/afs/etc/UserList</emphasis> file. If necessary, issue the <emphasis | |
1802 | role="bold">bos listusers</emphasis> command, which is fully described in <link linkend="HDRWQ593">To display the | |
1803 | users in the UserList file</link>. <programlisting> | |
1804 | % <emphasis role="bold">bos listusers</emphasis> <<replaceable>machine name</replaceable>> | |
1805 | </programlisting></para> | |
1806 | </listitem> | |
1807 | ||
1808 | <listitem> | |
1809 | <para>The <computeroutput>ADMIN</computeroutput> flag on the Authentication Database entry. However, the | |
1810 | Authentication Server performs its own authentication, so the following instructions direct you to specify an | |
1811 | administrative identity on the <emphasis role="bold">kas</emphasis> command line itself.</para> | |
1812 | </listitem> | |
1813 | ||
1814 | <listitem> | |
1815 | <para>The <emphasis role="bold">a</emphasis> (<emphasis role="bold">administer</emphasis>), <emphasis | |
1816 | role="bold">d</emphasis> (<emphasis role="bold">delete</emphasis>), and <emphasis role="bold">i</emphasis> (<emphasis | |
1817 | role="bold">insert</emphasis>) permissions on the ACL of the directory where you are removing the current mount point | |
1818 | and creating a new one. If necessary, issue the <emphasis role="bold">fs listacl</emphasis> command, which is fully | |
1819 | described in <link linkend="HDRWQ572">Displaying ACLs</link>. <programlisting> | |
1820 | % <emphasis role="bold">fs listacl</emphasis> [<<replaceable>dir/file path</replaceable>>] | |
1821 | </programlisting></para> | |
1822 | ||
1823 | <para>Members of the <emphasis role="bold">system:administrators</emphasis> group always implicitly have the <emphasis | |
1824 | role="bold">a</emphasis> (<emphasis role="bold">administer</emphasis>) and by default also the <emphasis | |
1825 | role="bold">l</emphasis> (<emphasis role="bold">lookup</emphasis>) permission on every ACL and can use the <emphasis | |
1826 | role="bold">fs setacl</emphasis> command to grant other rights as necessary.</para> | |
1827 | </listitem> | |
1828 | </itemizedlist> | |
1829 | </listitem> | |
1830 | ||
1831 | <listitem id="LIWQ519"> | |
1832 | <para>Issue the <emphasis role="bold">pts listowned</emphasis> command to display the names of the | |
1833 | groups the user owns. After you change the username in the Protection Database in Step <link linkend="LIWQ520">3</link>, | |
1834 | you must issue the <emphasis role="bold">pts rename</emphasis> command to change each group's owner prefix to match the | |
1835 | new name, because the Protection Server does not automatically make this change. For a complete description of the | |
1836 | <emphasis role="bold">pts listowned</emphasis> command, see <link linkend="HDRWQ536">Displaying Information from the | |
1837 | Protection Database</link>. <programlisting> | |
1838 | % <emphasis role="bold">pts listowned</emphasis> <<replaceable>user or group name or id</replaceable>> | |
1839 | </programlisting></para> | |
1840 | </listitem> | |
1841 | ||
1842 | <listitem id="LIWQ520"> | |
1843 | <para>Issue the <emphasis role="bold">pts rename</emphasis> command to change the user's name in | |
1844 | the Protection Database. <programlisting> | |
1845 | % <emphasis role="bold">pts rename</emphasis> <<replaceable>old name</replaceable>> <<replaceable>new name</replaceable>> | |
1846 | </programlisting></para> | |
1847 | </listitem> | |
1848 | ||
1849 | <listitem> | |
1850 | <para>Issue the <emphasis role="bold">pts rename</emphasis> command to change the group names you noted in Step <link | |
1851 | linkend="LIWQ519">2</link>, so that their owner prefix (the part of the group name before the colon) accurately reflects | |
1852 | the owner's new name.</para> | |
1853 | ||
1854 | <para>Repeat the command for each group. Step <link linkend="LIWQ520">3</link> details its syntax.</para> | |
1855 | ||
1856 | <programlisting> | |
1857 | % <emphasis role="bold">pts rename</emphasis> <<replaceable>old name</replaceable>> <<replaceable>new name</replaceable>> | |
1858 | </programlisting> | |
1859 | </listitem> | |
1860 | ||
1861 | <listitem> | |
1862 | <para>Issue the <emphasis role="bold">kas</emphasis> command to enter interactive mode.</para> | |
1863 | ||
1864 | <para>The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, | |
1865 | it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. | |
1866 | Include the <emphasis role="bold">-admin</emphasis> argument to name an identity that has the | |
1867 | <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry. To verify that an entry has the flag, | |
1868 | issue the <emphasis role="bold">kas examine</emphasis> command as described in <link linkend="HDRWQ590">To check if the | |
1869 | ADMIN flag is set</link>.</para> | |
1870 | ||
1871 | <programlisting> | |
1872 | % <emphasis role="bold">kas -admin</emphasis> <<replaceable>admin principal to use for authentication</replaceable>> | |
1873 | Administrator's (admin_user) password: <<replaceable>admin_password</replaceable>> | |
1874 | ka> | |
1875 | </programlisting> | |
1876 | ||
1877 | <para>where <emphasis role="bold">-admin</emphasis> names an administrative account that has the | |
1878 | <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry, such as <emphasis | |
1879 | role="bold">admin</emphasis>. The password prompt echoes it as admin_user. Enter the appropriate password as | |
1880 | admin_password. <indexterm> | |
1881 | <primary>kas commands</primary> | |
1882 | ||
1883 | <secondary>delete</secondary> | |
1884 | ||
1885 | <tertiary>when changing username</tertiary> | |
1886 | </indexterm> <indexterm> | |
1887 | <primary>commands</primary> | |
1888 | ||
1889 | <secondary>kas delete</secondary> | |
1890 | ||
1891 | <tertiary>when changing username</tertiary> | |
1892 | </indexterm></para> | |
1893 | </listitem> | |
1894 | ||
1895 | <listitem> | |
1896 | <para>Issue the <emphasis role="bold">(kas) delete</emphasis> command to delete the user's existing Authentication | |
1897 | Database entry. <programlisting> | |
1898 | ka> <emphasis role="bold">delete</emphasis> <<replaceable>name of user</replaceable>> | |
1899 | </programlisting></para> | |
1900 | ||
1901 | <para>where</para> | |
1902 | ||
1903 | <variablelist> | |
1904 | <varlistentry> | |
1905 | <term><emphasis role="bold">del</emphasis></term> | |
1906 | ||
1907 | <listitem> | |
1908 | <para>Is the shortest acceptable abbreviation for <emphasis role="bold">delete</emphasis>, or you can use the alias | |
1909 | <emphasis role="bold">rm</emphasis>.</para> | |
1910 | </listitem> | |
1911 | </varlistentry> | |
1912 | ||
1913 | <varlistentry> | |
1914 | <term><emphasis role="bold">name of user</emphasis></term> | |
1915 | ||
1916 | <listitem> | |
1917 | <para>Names the Authentication Database entry to delete.</para> | |
1918 | </listitem> | |
1919 | </varlistentry> | |
1920 | </variablelist> | |
1921 | ||
1922 | <indexterm> | |
1923 | <primary>kas commands</primary> | |
1924 | ||
1925 | <secondary>create</secondary> | |
1926 | ||
1927 | <tertiary>when changing username</tertiary> | |
1928 | </indexterm> | |
1929 | ||
1930 | <indexterm> | |
1931 | <primary>commands</primary> | |
1932 | ||
1933 | <secondary>kas create</secondary> | |
1934 | ||
1935 | <tertiary>when changing username</tertiary> | |
1936 | </indexterm> | |
1937 | </listitem> | |
1938 | ||
1939 | <listitem> | |
1940 | <para>Issue the <emphasis role="bold">(kas) create</emphasis> command to create an Authentication Database entry for the | |
1941 | new username. To avoid having the user's password echo visibly on the screen, do not include the <emphasis | |
1942 | role="bold">-initial_password</emphasis> argument; instead enter the password at the prompts that appear in that case, as | |
1943 | shown in the following syntax specification. <programlisting> | |
1944 | ka> <emphasis role="bold">create</emphasis> <<replaceable>name of user</replaceable>> | |
1945 | initial_password: <<replaceable>password</replaceable>> | |
1946 | Verifying, please re-enter initial_password: <<replaceable>password</replaceable>> | |
1947 | </programlisting></para> | |
1948 | ||
1949 | <para>where</para> | |
1950 | ||
1951 | <variablelist> | |
1952 | <varlistentry> | |
1953 | <term><emphasis role="bold">cr</emphasis></term> | |
1954 | ||
1955 | <listitem> | |
1956 | <para>Is the shortest acceptable abbreviation for <emphasis role="bold">create</emphasis>.</para> | |
1957 | </listitem> | |
1958 | </varlistentry> | |
1959 | ||
1960 | <varlistentry> | |
1961 | <term><emphasis role="bold">name of user</emphasis></term> | |
1962 | ||
1963 | <listitem> | |
1964 | <para>Specifies the new username.</para> | |
1965 | </listitem> | |
1966 | </varlistentry> | |
1967 | ||
1968 | <varlistentry> | |
1969 | <term><emphasis role="bold">password</emphasis></term> | |
1970 | ||
1971 | <listitem> | |
1972 | <para>Specifies the password for the new user account. If the user is willing to tell you his or her current | |
1973 | password, you can retain it. Otherwise, provide a string of eight or fewer characters to comply with the length | |
1974 | restriction that some applications impose. Possible choices for an initial password include the username, a string | |
1975 | of digits from a personal identification number such as the Social Security number, or a standard string such as | |
1976 | <emphasis role="bold">changeme</emphasis>. Any such string is easy to guess, so instruct the user to replace it with a truly secret password as soon | |
1977 | as possible by using the <emphasis role="bold">kpasswd</emphasis> command as instructed in the <emphasis>OpenAFS | |
1978 | User Guide</emphasis>.</para> | |
1979 | </listitem> | |
1980 | </varlistentry> | |
1981 | </variablelist> | |
1982 | </listitem> | |
1983 | ||
1984 | <listitem> | |
1985 | <para>Issue the <emphasis role="bold">quit</emphasis> command to leave interactive mode. <programlisting> | |
1986 | ka> <emphasis role="bold">quit</emphasis> | |
1987 | </programlisting> <indexterm> | |
1988 | <primary>vos commands</primary> | |
1989 | ||
1990 | <secondary>rename</secondary> | |
1991 | ||
1992 | <tertiary>when changing username</tertiary> | |
1993 | </indexterm> <indexterm> | |
1994 | <primary>commands</primary> | |
1995 | ||
1996 | <secondary>vos rename</secondary> | |
1997 | ||
1998 | <tertiary>when changing username</tertiary> | |
1999 | </indexterm> <indexterm> | |
2000 | <primary>volume name</primary> | |
2001 | ||
2002 | <secondary>changing</secondary> | |
2003 | ||
2004 | <tertiary>when renaming user</tertiary> | |
2005 | </indexterm> <indexterm> | |
2006 | <primary>renaming</primary> | |
2007 | ||
2008 | <secondary>volume when changing username</secondary> | |
2009 | </indexterm> <indexterm> | |
2010 | <primary>changing</primary> | |
2011 | ||
2012 | <secondary>volume name when renaming user</secondary> | |
2013 | </indexterm></para> | |
2014 | </listitem> | |
2015 | ||
2016 | <listitem> | |
2017 | <para>Issue the <emphasis role="bold">vos rename</emphasis> command to change the name of the | |
2018 | user's volume. For complete syntax, see <link linkend="HDRWQ246">To rename a volume</link>. <programlisting> | |
2019 | % <emphasis role="bold">vos rename</emphasis> <<replaceable>old volume name</replaceable>> <<replaceable>new volume name</replaceable>> | |
2020 | </programlisting><indexterm> | |
2021 | <primary>fs commands</primary> | |
2022 | ||
2023 | <secondary>rmmount</secondary> | |
2024 | ||
2025 | <tertiary>when changing username</tertiary> | |
2026 | </indexterm><indexterm> | |
2027 | <primary>commands</primary> | |
2028 | ||
2029 | <secondary>fs rmmount</secondary> | |
2030 | </indexterm><indexterm> | |
2031 | <primary>mount point</primary> | |
2032 | ||
2033 | <secondary>changing when renaming user</secondary> | |
2034 | </indexterm><indexterm> | |
2035 | <primary>removing</primary> | |
2036 | ||
2037 | <secondary>mount point</secondary> | |
2038 | ||
2039 | <tertiary>when changing username</tertiary> | |
2040 | </indexterm><indexterm> | |
2041 | <primary>changing</primary> | |
2042 | ||
2043 | <secondary>mount point when renaming user</secondary> | |
2044 | </indexterm></para> | |
2045 | </listitem> | |
2046 | ||
2047 | <listitem id="LIWQ522"> | |
2048 | <para>Issue the <emphasis role="bold">fs rmmount</emphasis> command to remove the existing mount | |
2049 | point. For the directory argument, specify the read/write path to the mount point, to avoid the failure that results when | |
2050 | you attempt to delete a mount point from a read-only volume. <programlisting> | |
2051 | % <emphasis role="bold">fs rmmount</emphasis> <<replaceable>directory</replaceable>> | |
2052 | </programlisting><indexterm> | |
2053 | <primary>fs commands</primary> | |
2054 | ||
2055 | <secondary>mkmount</secondary> | |
2056 | ||
2057 | <tertiary>when changing username</tertiary> | |
2058 | </indexterm><indexterm> | |
2059 | <primary>commands</primary> | |
2060 | ||
2061 | <secondary>fs mkmount</secondary> | |
2062 | ||
2063 | <tertiary>when changing username</tertiary> | |
2064 | </indexterm><indexterm> | |
2065 | <primary>creating</primary> | |
2066 | ||
2067 | <secondary>mount point when changing username</secondary> | |
2068 | </indexterm></para> | |
2069 | </listitem> | |
2070 | ||
2071 | <listitem id="LIWQ523"> | |
2072 | <para>Issue the <emphasis role="bold">fs mkmount</emphasis> command to create a mount point for the | |
2073 | volume's new name. Specify the read/write path to the mount point for the directory argument, as in the previous step. For | |
2074 | complete syntax, see Step <link linkend="LIWQ509">6</link> in <link linkend="HDRWQ503">To create one user account with | |
2075 | individual commands</link>. <programlisting> | |
2076 | % <emphasis role="bold">fs mkmount</emphasis> <<replaceable>directory</replaceable>> <<replaceable>volume name</replaceable>> | |
2077 | </programlisting></para> | |
2078 | </listitem> | |
2079 | ||
2080 | <listitem> | |
2081 | <para>If the changes you made in Step <link linkend="LIWQ522">10</link> and Step <link linkend="LIWQ523">11</link> are to | |
2082 | a mount point that resides in a replicated volume, use the <emphasis role="bold">vos release</emphasis> command to release | |
2083 | the volume, as described in <link linkend="HDRWQ194">To replicate a read/write volume (create a read-only volume)</link>. | |
2084 | <programlisting> | |
2085 | % <emphasis role="bold">vos release</emphasis> <<replaceable>volume name or ID</replaceable>> | |
2086 | </programlisting></para> | |
2087 | ||
2088 | <note> | |
2089 | <para>This step can be necessary even if the home directory's parent directory is not itself a mount point for a | |
2090 | replicated volume (and is easier to overlook in that case). For example, the Example Corporation template puts the mount | |
2091 | points for user volumes in the <emphasis role="bold">/afs/example.com/usr</emphasis> directory. Because that is a regular | |
2092 | directory rather than a mount point, it resides in the <emphasis role="bold">root.cell</emphasis> volume mounted at the | |
2093 | <emphasis role="bold">/afs/example.com</emphasis> directory. That volume is replicated, so after changing it the | |
2094 | administrator must issue the <emphasis role="bold">vos release</emphasis> command.</para> | |
2095 | </note> | |
2096 | </listitem> | |
2097 | </orderedlist> | |
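The group-renaming pass of Steps 2 and 4 above, as an added shell example that is not part of this guide or of OpenAFS: it turns the output of `pts listowned` into the `pts rename` commands for every group whose owner prefix still carries the old username, and flags for review any owned group whose name does not, so the commands can be checked before they run. The usernames terry and pat and the listed groups are constructed sample data.

```shell
#!/bin/sh
# Added example (not OpenAFS code): plan the group renames that must follow
# "pts rename <old> <new>" of a user, from the output of "pts listowned <old>".
# Groups keep their old owner prefix until renamed, so ACLs naming them keep
# pointing at the retired username; this prints the rename commands for review
# instead of running them directly.

# Usage: pts listowned OLD | plan_group_renames OLD NEW
plan_group_renames() {
    old=$1
    new=$2
    while IFS= read -r line; do
        # strip leading/trailing whitespace from the listowned output line
        group=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $group in
            '' | Groups*) continue ;;   # blank line or the "Groups owned by ..." header
        esac
        prefix=${group%%:*}
        if [ "$prefix" = "$group" ]; then
            # No colon: a prefix-less group (only administrators can create one).
            printf '# review: %s has no owner prefix; left unchanged\n' "$group"
        elif [ "$prefix" = "$old" ]; then
            printf 'pts rename %s %s:%s\n' "$group" "$new" "${group#*:}"
        else
            # Owned by the user but carrying another prefix; decide manually.
            printf '# review: %s is owned by %s but carries prefix %s\n' "$group" "$old" "$prefix"
        fi
    done
}

# Constructed sample of "pts listowned terry" output for a stand-alone run.
SAMPLE_LISTOWNED='Groups owned by terry (id: 1045) are:
  terry:friends
  terry:project
  staff'

printf '%s\n' "$SAMPLE_LISTOWNED" | plan_group_renames terry pat
```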
2098 | </sect2> | |
2099 | </sect1> | |
2100 | ||
2101 | <sect1 id="HDRWQ524"> | |
2102 | <title>Removing a User Account</title> | |
2103 | ||
2104 | <indexterm> | |
2105 | <primary>removing</primary> | |
2106 | ||
2107 | <secondary>user account components</secondary> | |
2108 | </indexterm> | |
2109 | ||
2110 | <indexterm> | |
2111 | <primary>user account</primary> | |
2112 | ||
2113 | <secondary>removing from system</secondary> | |
2114 | </indexterm> | |
2115 | ||
2116 | <para>Before removing an account, it is best to make a backup copy of the user's home volume on a permanent storage medium such | |
2117 | as tape. If you need to remove several accounts, it is probably more efficient to use the <emphasis role="bold">uss | |
2118 | delete</emphasis> command instead; see <link linkend="HDRWQ486">Deleting Individual Accounts with the uss delete | |
2119 | Command</link>.</para> | |
2120 | ||
2121 | <sect2 id="Header_595"> | |
2122 | <title>To remove a user account</title> | |
2123 | ||
2124 | <orderedlist> | |
2125 | <listitem> | |
2126 | <para>Authenticate as an AFS identity with all of the following privileges. In the conventional configuration, the | |
2127 | <emphasis role="bold">admin</emphasis> user account has them, or you possibly have a personal administrative account. (To | |
2128 | increase cell security, it is best to create special privileged accounts for use only while performing administrative | |
2129 | procedures; for further discussion, see <link linkend="HDRWQ584">An Overview of Administrative Privilege</link>.) If | |
2130 | necessary, issue the <emphasis role="bold">klog</emphasis> command to authenticate. <programlisting> | |
2131 | % <emphasis role="bold">klog</emphasis> admin_user | |
2132 | Password: <<replaceable>admin_password</replaceable>> | |
2133 | </programlisting></para> | |
2134 | ||
2135 | <para>The following list specifies the necessary privileges and indicates how to check that you have them.</para> | |
2136 | ||
2137 | <itemizedlist> | |
2138 | <listitem> | |
2139 | <para>Membership in the <emphasis role="bold">system:administrators</emphasis> group. If necessary, issue the | |
2140 | <emphasis role="bold">pts membership</emphasis> command, which is fully described in <link linkend="HDRWQ587">To | |
2141 | display the members of the system:administrators group</link>. <programlisting> | |
2142 | % <emphasis role="bold">pts membership system:administrators</emphasis> | |
2143 | </programlisting></para> | |
2144 | </listitem> | |
2145 | ||
2146 | <listitem> | |
2147 | <para>Inclusion in the <emphasis role="bold">/usr/afs/etc/UserList</emphasis> file. If necessary, issue the <emphasis | |
2148 | role="bold">bos listusers</emphasis> command, which is fully described in <link linkend="HDRWQ593">To display the | |
2149 | users in the UserList file</link>. <programlisting> | |
2150 | % <emphasis role="bold">bos listusers</emphasis> <<replaceable>machine name</replaceable>> | |
2151 | </programlisting></para> | |
2152 | </listitem> | |
2153 | ||
2154 | <listitem> | |
2155 | <para>The <computeroutput>ADMIN</computeroutput> flag on the Authentication Database entry. However, the | |
2156 | Authentication Server performs its own authentication, so the following instructions direct you to specify an | |
2157 | administrative identity on the <emphasis role="bold">kas</emphasis> command line itself.</para> | |
2158 | </listitem> | |
2159 | ||
2160 | <listitem> | |
2161 | <para>The <emphasis role="bold">d</emphasis> (<emphasis role="bold">delete</emphasis>) permission on the ACL of the | |
2162 | directory where you are removing the user volume's mount point. If necessary, issue the <emphasis role="bold">fs | |
2163 | listacl</emphasis> command, which is fully described in <link linkend="HDRWQ572">Displaying ACLs</link>. | |
2164 | <programlisting> | |
2165 | % <emphasis role="bold">fs listacl</emphasis> [<<replaceable>dir/file path</replaceable>>] | |
2166 | </programlisting></para> | |
2167 | ||
2168 | <para>Members of the <emphasis role="bold">system:administrators</emphasis> group always implicitly have the <emphasis | |
2169 | role="bold">a</emphasis> (<emphasis role="bold">administer</emphasis>) and by default also the <emphasis | |
2170 | role="bold">l</emphasis> (<emphasis role="bold">lookup</emphasis>) permission on every ACL and can use the <emphasis | |
2171 | role="bold">fs setacl</emphasis> command to grant other rights as necessary.</para> | |
2172 | </listitem> | |
2173 | </itemizedlist> | |
2174 | </listitem> | |
2175 | ||
2176 | <listitem> | |
2177 | <para><emphasis role="bold">(Optional)</emphasis> If you might need to restore the user's account someday, note | |
2178 | the username and AFS UID, possibly in a file designated for that purpose. You can later restore the account with its | |
2179 | original AFS UID.</para> | |
2180 | </listitem> | |
2181 | ||
2182 | <listitem> | |
2183 | <para><emphasis role="bold">(Optional)</emphasis> Copy the contents of the user's volume to tape. You can use the | |
2184 | <emphasis role="bold">vos dump</emphasis> command as described in <link linkend="HDRWQ240">Dumping and Restoring | |
2185 | Volumes</link> or the AFS Backup System as described in <link linkend="HDRWQ296">Backing Up Data</link>.</para> | |
2186 | </listitem> | |
2187 | ||
2188 | <listitem id="LIWQ525"> | |
2189 | <para><emphasis role="bold">(Optional)</emphasis> If you intend to remove groups that the user owns | |
2190 | from the Protection Database after removing the user's entry, issue the <emphasis role="bold">pts listowned</emphasis> | |
2191 | command to display them. For complete instructions, see <link linkend="HDRWQ536">Displaying Information from the | |
2192 | Protection Database</link>. <programlisting> | |
2193 | % <emphasis role="bold">pts listowned</emphasis> <<replaceable>user or group name or id</replaceable>> | |
2194 | </programlisting></para> | |
2195 | </listitem> | |
2196 | ||
2197 | <listitem id="LIWQ526"> | |
2198 | <para><emphasis role="bold">(Optional)</emphasis> Issue the <emphasis role="bold">pts | |
2199 | delete</emphasis> command to remove the groups the user owns. However, if it is likely that other users have placed the | |
2200 | groups on the ACLs of directories they own, it is best not to remove them. <programlisting> | |
2201 | % <emphasis role="bold">pts delete</emphasis> <<replaceable>user or group name or id</replaceable>>+ | |
2202 | </programlisting></para> | |
2203 | ||
2204 | <para>where</para> | |
2205 | ||
2206 | <variablelist> | |
2207 | <varlistentry> | |
2208 | <term><emphasis role="bold">del</emphasis></term> | |
2209 | ||
2210 | <listitem> | |
2211 | <para>Is the shortest acceptable abbreviation for <emphasis role="bold">delete</emphasis>.</para> | |
2212 | </listitem> | |
2213 | </varlistentry> | |
2214 | ||
2215 | <varlistentry> | |
2216 | <term><emphasis role="bold">user or group name or id</emphasis></term> | |
2217 | ||
2218 | <listitem> | |
2219 | <para>Specifies the name or AFS UID of each group displayed in the output from Step <link | |
2220 | linkend="LIWQ525">4</link>.</para> | |
2221 | </listitem> | |
2222 | </varlistentry> | |
2223 | </variablelist> | |
2224 | ||
2225 | <indexterm> | |
2226 | <primary>kas commands</primary> | |
2227 | ||
2228 | <secondary>delete</secondary> | |
2229 | ||
2230 | <tertiary>when removing user account</tertiary> | |
2231 | </indexterm> | |
2232 | ||
2233 | <indexterm> | |
2234 | <primary>commands</primary> | |
2235 | ||
2236 | <secondary>kas delete</secondary> | |
2237 | </indexterm> | |
2238 | ||
2239 | <indexterm> | |
2240 | <primary>Authentication Database</primary> | |
2241 | ||
2242 | <secondary>entry</secondary> | |
2243 | ||
2244 | <tertiary>removing</tertiary> | |
2245 | </indexterm> | |
2246 | </listitem> | |
2247 | ||
2248 | <listitem> | |
2249 | <para>Issue the <emphasis role="bold">kas delete</emphasis> command to remove the user's Authentication Database | |
2250 | entry.</para> | |
2251 | ||
2252 | <para>The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, | |
2253 | it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. | |
2254 | Include the <emphasis role="bold">-admin</emphasis> argument to name an identity that has the | |
2255 | <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry. To verify that an entry has the flag, | |
2256 | issue the <emphasis role="bold">kas examine</emphasis> command as described in <link linkend="HDRWQ590">To check if the | |
2257 | ADMIN flag is set</link>.</para> | |
2258 | ||
2259 | <programlisting> | |
2260 | % <emphasis role="bold">kas delete</emphasis> <<replaceable>name of user</replaceable>> \ | |
2261 | <emphasis role="bold">-admin</emphasis> <<replaceable>admin principal to use for authentication</replaceable>> | |
2262 | Administrator's (admin_user) password: <<replaceable>admin_password</replaceable>> | |
2263 | </programlisting> | |
2264 | ||
2265 | <para>where <variablelist> | |
2266 | <varlistentry> | |
2267 | <term><emphasis role="bold">d</emphasis></term> | |
2268 | ||
2269 | <listitem> | |
2270 | <para>Is the shortest acceptable abbreviation for <emphasis role="bold">delete</emphasis>.</para> | |
2271 | </listitem> | |
2272 | </varlistentry> | |
2273 | ||
2274 | <varlistentry> | |
2275 | <term><emphasis role="bold">name of user</emphasis></term> | |
2276 | ||
2277 | <listitem> | |
2278 | <para>Names the Authentication Database entry to delete.</para> | |
2279 | </listitem> | |
2280 | </varlistentry> | |
2281 | ||
2282 | <varlistentry> | |
2283 | <term><emphasis role="bold">-admin</emphasis></term> | |
2284 | ||
2285 | <listitem> | |
2286 | <para>Names an administrative account that has the <computeroutput>ADMIN</computeroutput> flag on its | |
2287 | Authentication Database entry, such as <emphasis role="bold">admin</emphasis>. The password prompt echoes it as | |
2288 | admin_user. Enter the appropriate password as admin_password.</para> | |
2289 | </listitem> | |
2290 | </varlistentry> | |
2291 | </variablelist></para> | |
2292 | </listitem> | |
2293 | ||
2294 | <listitem id="LIWQ527"> | |
2295 | <para>Issue the <emphasis role="bold">vos listvldb</emphasis> command to display the site of the | |
2296 | user's home volume in preparation for removing it. By convention, user volumes are named <emphasis | |
2297 | role="bold">user</emphasis>.username. <programlisting> | |
2298 | % <emphasis role="bold">vos listvldb</emphasis> <<replaceable>volume name or ID</replaceable>> | |
2299 | </programlisting></para> | |
2300 | ||
2301 | <para>where</para> | |
2302 | ||
2303 | <variablelist> | |
2304 | <varlistentry> | |
2305 | <term><emphasis role="bold">listvl</emphasis></term> | |
2306 | ||
2307 | <listitem> | |
2308 | <para>Is the shortest acceptable abbreviation of <emphasis role="bold">listvldb</emphasis>.</para> | |
2309 | </listitem> | |
2310 | </varlistentry> | |
2311 | ||
2312 | <varlistentry> | |
2313 | <term><emphasis role="bold">volume name or ID</emphasis></term> | |
2314 | ||
2315 | <listitem> | |
2316 | <para>Specifies the volume's name or volume ID number.</para> | |
2317 | </listitem> | |
2318 | </varlistentry> | |
2319 | </variablelist> | |
2320 | ||
2321 | <indexterm> | |
2322 | <primary>vos commands</primary> | |
2323 | ||
2324 | <secondary>remove</secondary> | |
2325 | ||
2326 | <tertiary>when removing user account</tertiary> | |
2327 | </indexterm> | |
2328 | ||
2329 | <indexterm> | |
2330 | <primary>commands</primary> | |
2331 | ||
2332 | <secondary>vos remove</secondary> | |
2333 | </indexterm> | |
2334 | ||
2335 | <indexterm> | |
2336 | <primary>volume</primary> | |
2337 | ||
2338 | <secondary>removing</secondary> | |
2339 | ||
2340 | <tertiary>when removing user account</tertiary> | |
2341 | </indexterm> | |
2342 | ||
2343 | <indexterm> | |
2344 | <primary>removing</primary> | |
2345 | ||
2346 | <secondary>volume when removing user account</secondary> | |
2347 | </indexterm> | |
2348 | </listitem> | |
2349 | ||
2350 | <listitem> | |
2351 | <para>Issue the <emphasis role="bold">vos remove</emphasis> command to remove the user's volume. It | |
2352 | automatically removes the backup version of the volume, if it exists. It is not conventional to replicate user volumes, so | |
2353 | the command usually also completely removes the volume's entry from the Volume Location Database (VLDB). If there are | |
2354 | ReadOnly replicas of the volume, you must repeat the <emphasis role="bold">vos remove</emphasis> command to remove each | |
2355 | one individually. <programlisting> | |
2356 | % <emphasis role="bold">vos remove</emphasis> <<replaceable>machine name</replaceable>> <<replaceable>partition name</replaceable>> <<replaceable>volume name or ID</replaceable>> | |
2357 | </programlisting></para> | |
2358 | ||
2359 | <para>where</para> | |
2360 | ||
2361 | <variablelist> | |
2362 | <varlistentry> | |
2363 | <term><emphasis role="bold">remo</emphasis></term> | |
2364 | ||
2365 | <listitem> | |
2366 | <para>Is the shortest acceptable abbreviation of <emphasis role="bold">remove</emphasis>.</para> | |
2367 | </listitem> | |
2368 | </varlistentry> | |
2369 | ||
2370 | <varlistentry> | |
2371 | <term><emphasis role="bold">machine name</emphasis></term> | |
2372 | ||
2373 | <listitem> | |
2374 | <para>Names the file server machine that houses the volume, as specified in the output from Step <link | |
2375 | linkend="LIWQ527">7</link>.</para> | |
2376 | </listitem> | |
2377 | </varlistentry> | |
2378 | ||
2379 | <varlistentry> | |
2380 | <term><emphasis role="bold">partition name</emphasis></term> | |
2381 | ||
2382 | <listitem> | |
2383 | <para>Names the partition that houses the volume, as specified in the output from Step <link | |
2384 | linkend="LIWQ527">7</link>.</para> | |
2385 | </listitem> | |
2386 | </varlistentry> | |
2387 | ||
2388 | <varlistentry> | |
2389 | <term><emphasis role="bold">volume name or ID</emphasis></term> | |
2390 | ||
2391 | <listitem> | |
2392 | <para>Specifies the volume's name or ID number.</para> | |
2393 | </listitem> | |
2394 | </varlistentry> | |
2395 | </variablelist> | |
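Steps 7 and 8 of this procedure (find the volume's sites with `vos listvldb`, then remove each one with `vos remove`), as an added shell example that is not part of this guide or of OpenAFS: it reads `vos listvldb` output and prints one `vos remove` command per site, read-only replicas first under the `.readonly` name and the read/write volume last (whose removal also takes the backup version), and prints nothing if the entry does not show exactly one read/write site. The server, partition and volume ID values in the sample are constructed.

```shell
#!/bin/sh
# Added example (not OpenAFS code): turn "vos listvldb <volume>" output into the
# "vos remove" commands the removal procedure needs, one per site. Removing the
# RW volume also removes its backup version, so the backup needs no command;
# each RO replica must be removed individually, under the .readonly name.

# Usage: vos listvldb VOLUME | plan_volume_removal VOLUME
# Prints the commands in the order to run them; prints nothing and returns 1
# if the entry does not contain exactly one RW site.
plan_volume_removal() {
    vol=$1
    awk -v vol="$vol" '
        # site lines look like: "server fs1.example.com partition /vicepa RW Site"
        $1 == "server" && $3 == "partition" {
            if ($5 == "RO")      ro[nro++] = $2 " " $4
            else if ($5 == "RW") rw[nrw++] = $2 " " $4
        }
        END {
            if (nrw != 1) {
                printf "error: expected one RW site for %s, found %d\n", vol, nrw > "/dev/stderr"
                exit 1
            }
            # RO replicas first, then the RW volume (which also drops the backup)
            for (i = 0; i < nro; i++) print "vos remove " ro[i] " " vol ".readonly"
            print "vos remove " rw[0] " " vol
        }'
}

# Constructed sample of "vos listvldb user.terry" output for a stand-alone run.
SAMPLE_LISTVLDB='user.terry
    RWrite: 536870918     ROnly: 536870919     Backup: 536870920
    number of sites -> 3
       server fs1.example.com partition /vicepa RW Site
       server fs1.example.com partition /vicepa RO Site
       server fs2.example.com partition /vicepb RO Site'

printf '%s\n' "$SAMPLE_LISTVLDB" | plan_volume_removal user.terry
```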
2396 | ||
2397 | <indexterm> | |
2398 | <primary>fs commands</primary> | |
2399 | ||
2400 | <secondary>rmmount</secondary> | |
2401 | ||
2402 | <tertiary>when removing user account</tertiary> | |
2403 | </indexterm> | |
2404 | ||
2405 | <indexterm> | |
2406 | <primary>commands</primary> | |
2407 | ||
2408 | <secondary>fs rmmount</secondary> | |
2409 | </indexterm> | |
2410 | ||
2411 | <indexterm> | |
2412 | <primary>mount point</primary> | |
2413 | ||
2414 | <secondary>removing when removing user account</secondary> | |
2415 | </indexterm> | |
2416 | ||
2417 | <indexterm> | |
2418 | <primary>removing</primary> | |
2419 | ||
2420 | <secondary>mount point when removing user account</secondary> | |
2421 | </indexterm> | |
2422 | </listitem> | |
2423 | ||
2424 | <listitem> | |
2425 | <para>Issue the <emphasis role="bold">fs rmmount</emphasis> command to remove the volume's mount | |
2426 | point.</para> | |
2427 | ||
2428 | <para>If you mounted the user's backup volume as a subdirectory of the home directory, then this command is sufficient to | |
2429 | unmount the backup version as well. If you mounted the backup version at an unrelated location in the filespace, repeat | |
2430 | the <emphasis role="bold">fs rmmount</emphasis> command for it.</para> | |
2431 | ||
2432 | <programlisting> | |
2433 | % <emphasis role="bold">fs rmmount</emphasis> <<replaceable>directory</replaceable>> | |
2434 | </programlisting> | |
2435 | ||
2436 | <para>where <variablelist> | |
2437 | <varlistentry> | |
2438 | <term><emphasis role="bold">rmm</emphasis></term> | |
2439 | ||
2440 | <listitem> | |
2441 | <para>Is the shortest acceptable abbreviation of <emphasis role="bold">rmmount</emphasis>.</para> | |
2442 | </listitem> | |
2443 | </varlistentry> | |
2444 | ||
2445 | <varlistentry> | |
2446 | <term><emphasis role="bold">directory</emphasis></term> | |
2447 | ||
2448 | <listitem> | |
2449 | <para>Names the mount point for the user's volume (the former home directory). Partial pathnames are | |
2450 | interpreted relative to the current working directory.</para> | |
2451 | ||
2452 | <para>Specify the read/write path to the mount point, to avoid the failure that results when you attempt to delete | |
2453 | a mount point from a read-only volume. By convention, you indicate the read/write path by placing a period before | |
2454 | the cell name at the pathname's second level (for example, <emphasis role="bold">/afs/.example.com</emphasis>). For | |
2455 | further discussion of the concept of read/write and read-only paths through the filespace, see <link | |
2456 | linkend="HDRWQ208">Mounting Volumes</link>.</para> | |
2457 | </listitem> | |
2458 | </varlistentry> | |
2459 | </variablelist></para> | |

              <indexterm>
                <primary>pts commands</primary>

                <secondary>delete</secondary>

                <tertiary>when removing user account</tertiary>
              </indexterm>

              <indexterm>
                <primary>commands</primary>

                <secondary>pts delete</secondary>
              </indexterm>

              <indexterm>
                <primary>Protection Database</primary>

                <secondary>user entry</secondary>

                <tertiary>deleting</tertiary>
              </indexterm>

              <indexterm>
                <primary>removing</primary>

                <secondary>Protection Database entry</secondary>
              </indexterm>
            </listitem>

            <listitem>
              <para>Issue the <emphasis role="bold">pts delete</emphasis> command to remove the user's Protection
              Database entry. A complete description of this command appears in Step <link linkend="LIWQ526">5</link>. <programlisting>
   % <emphasis role="bold">pts delete</emphasis> &lt;<replaceable>user or group name or id</replaceable>&gt;
</programlisting></para>
            </listitem>

            <listitem>
              <para>If the directory that contained the user's home directory mount point resides in a replicated volume, use the
              <emphasis role="bold">vos release</emphasis> command to release that volume, as described in <link
              linkend="HDRWQ194">To replicate a read/write volume (create a read-only volume)</link>. Until you do, clients reading
              the read-only copies still see the deleted mount point. <programlisting>
   % <emphasis role="bold">vos release</emphasis> &lt;<replaceable>volume name or ID</replaceable>&gt;
</programlisting></para>

              <note>
                <para>This step can be necessary even if the home directory's parent directory is not itself a mount point for a
                replicated volume (and is easier to overlook in that case). For example, the Example Corporation template puts the mount
                points for user volumes in the <emphasis role="bold">/afs/example.com/usr</emphasis> directory. Because that is a regular
                directory rather than a mount point, it resides in the <emphasis role="bold">root.cell</emphasis> volume mounted at the
                <emphasis role="bold">/afs/example.com</emphasis> directory. That volume is replicated, so after changing it by deleting a
                mount point the administrator must issue the <emphasis role="bold">vos release</emphasis> command.</para>
              </note>
            </listitem>
          </orderedlist>
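          <para>The three steps above, collected into a single deprovisioning helper, as an added example that is not part of the
          OpenAFS documentation or code. It assumes the user's volume and Authentication Database entry were already removed in the
          earlier steps of this procedure, takes as an argument the name of the volume that holds the directory containing the home
          mount point (<emphasis role="bold">root.cell</emphasis> in the Example Corporation layout), and defaults to a dry run that
          prints the commands instead of executing them. The user name, paths and the <emphasis role="bold">OldFiles</emphasis>
          backup mount point are constructed for the example.</para>

```shell
#!/bin/sh
# Added example (not OpenAFS code): finish removing a user account by
# removing the home directory mount point, deleting the Protection Database
# entry, and releasing the replicated volume that held the mount point.
# Assumes the user's volume and kas entry were removed in earlier steps.
# DRY_RUN=1 (the default) prints each command instead of executing it.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Convert a path to its read/write form by the period convention
# (/afs/example.com/... -> /afs/.example.com/...). Handing fs rmmount the
# read-only path fails, because a read-only volume cannot be modified.
to_rw_path() {
    case $1 in
        /afs/.*) printf '%s\n' "$1" ;;
        /afs/*)  printf '/afs/.%s\n' "${1#/afs/}" ;;
        *)       printf 'not an AFS path: %s\n' "$1" >&2; return 1 ;;
    esac
}

# remove_user_account USER HOME_MOUNT_POINT PARENT_VOLUME [BACKUP_MOUNT_POINT]
#   PARENT_VOLUME is the volume containing the directory that holds the home
#   mount point (root.cell in the Example Corporation layout). If it is
#   replicated it must be released, or read-only clients keep seeing the
#   deleted mount point.
remove_user_account() {
    user=$1 home_mp=$2 parent_vol=$3 backup_mp=${4:-}

    home_rw=$(to_rw_path "$home_mp") || return 1
    run fs rmmount -dir "$home_rw"

    # A backup mount point inside the home directory disappears with it;
    # one at an unrelated location needs its own fs rmmount.
    if [ -n "$backup_mp" ]; then
        case $backup_mp in
            "$home_mp"/*|"$home_rw"/*) ;;
            *) backup_rw=$(to_rw_path "$backup_mp") || return 1
               run fs rmmount -dir "$backup_rw" ;;
        esac
    fi

    run pts delete -nameorid "$user"
    run vos release -id "$parent_vol"
}

# Dry-run usage with a constructed user, home path and OldFiles backup mount point.
remove_user_account smith /afs/example.com/usr/smith root.cell /afs/example.com/usr/smith/OldFiles
```

          <para>Run with <emphasis role="bold">DRY_RUN=0</emphasis> only after the printed commands look right, and only with
          tokens for an administrator that is a member of <emphasis role="bold">system:administrators</emphasis>, since
          <emphasis role="bold">pts delete</emphasis> and <emphasis role="bold">vos release</emphasis> both require it.</para>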
        </sect2>
      </sect1>
    </chapter>