Commit | Line | Data |
---|---|---|
805e021f CE |
1 | =head1 NAME |
2 | ||
3 | knfs - Establishes authenticated access via the NFS/AFS Translator | |
4 | ||
5 | =head1 SYNOPSIS | |
6 | ||
7 | =for html | |
8 | <div class="synopsis"> | |
9 | ||
10 | B<knfs> S<<< B<-host> <I<host name>> >>> S<<< [B<-id> <I<user ID (decimal)>>] >>> | |
11 | S<<< [B<-sysname> <I<host's '@sys' value>>] >>> [B<-unlog>] [B<-tokens>] | |
12 | [B<-help>] | |
13 | ||
14 | B<knfs> S<<< B<-ho> <I<host name>> >>> S<<< [B<-i> <I<user ID (decimal)>>] >>> | |
15 | S<<< [B<-s> <I<host's '@sys' value>>] >>> [B<-u>] [B<-t>] [B<-he>] | |
16 | ||
17 | =for html | |
18 | </div> | |
19 | ||
20 | =head1 DESCRIPTION | |
21 | ||
22 | The B<knfs> command creates an AFS credential structure on the local | |
23 | machine, identifying it by a process authentication group (PAG) number | |
24 | associated with the NFS client machine named by the B<-host> argument | |
25 | and by default with a local UID on the NFS client machine that matches the | |
26 | issuer's local UID on the local machine. It places in the credential | |
27 | structure the AFS tokens that the issuer has previously obtained (by | |
28 | logging onto the local machine if an AFS-modified login utility is | |
29 | installed, by issuing the B<klog> command, or both). To associate the | |
30 | credential structure with an NFS UID that does not match the issuer's | |
31 | local UID, use the B<-id> argument. | |
32 | ||
33 | Issue this command only on the NFS(R)/AFS translator machine that is | |
34 | serving the NFS client machine, after obtaining AFS tokens on the | |
35 | translator machine for every cell to which authenticated access is | |
36 | required. The Cache Manager on the translator machine uses the tokens to | |
37 | obtain authenticated AFS access for the designated user working on the NFS | |
38 | client machine. This command is not effective if issued on an NFS client | |
39 | machine. | |
40 | ||
41 | To enable the user on the NFS client machine to issue AFS commands, use | |
42 | the B<-sysname> argument to specify the NFS client machine's system type, | |
43 | which can differ from the translator machine's. The NFS client machine | |
44 | must be a system type for which AFS is supported. | |
45 | ||
46 | The B<-unlog> flag discards the tokens in the credential structure, but | |
47 | does not destroy the credential structure itself. The Cache Manager on the | |
48 | translator machine retains the credential structure until the next reboot, | |
49 | and uses it each time the issuer accesses AFS through the translator | |
50 | machine. The credential structure only has tokens in it if the user | |
51 | reissues the B<knfs> command on the translator machine each time the user | |
52 | logs into the NFS client machine. | |
53 | ||
54 | To display the tokens associated with the designated user on the NFS | |
55 | client machine, include the B<-tokens> flag. | |
56 | ||
57 | Users working on NFS client machines of system types for which AFS | |
58 | binaries are available can use the B<klog> command rather than the B<knfs> | |
59 | command. | |
60 | ||
61 | =head1 CAUTIONS | |
62 | ||
63 | If the translator machine's administrator has enabled UID checking by | |
64 | issuing the B<fs exportafs> command with the B<-uidcheck on> argument, it | |
65 | is not possible to use the B<-id> argument to assign the tokens to an NFS | |
66 | UID that differs from the issuer's local UID. In this case, there is no | |
67 | point in including the B<-id> argument, because the only acceptable value | |
68 | (the issuer's local UID) is the value used when the B<-id> argument is | |
69 | omitted. Requiring matching UIDs is effective only when users have the | |
70 | same local UID on the translator machine as on NFS client machines. In | |
71 | that case, it guarantees that users assign their tokens only to their own | |
72 | NFS sessions. | |
73 | ||
74 | This command does not make it possible for users working on non-supported | |
75 | system types to issue AFS commands. This is possible only on NFS clients | |
76 | of a system type for which AFS is available. | |
77 | ||
78 | =head1 OPTIONS | |
79 | ||
80 | =over 4 | |
81 | ||
82 | =item B<-host> <I<host name>> | |
83 | ||
84 | Names the NFS client machine on which the issuer is to work. Providing a | |
85 | fully-qualified hostname is best, but abbreviated forms may be | |
86 | acceptable, depending on the state of the cell's name server at the time | |
87 | the command is issued. | |
88 | ||
89 | =item B<-id> <I<user ID (decimal)>> | |
90 | ||
91 | Specifies the local UID on the NFS client to which to assign the | |
92 | tokens. The NFS client identifies file requests by the NFS UID, so | |
93 | creating the association enables the Cache Manager on the translator | |
94 | machine to use the appropriate tokens when filling the requests. If this | |
95 | argument is omitted, the command interpreter uses an NFS UID that matches | |
96 | the issuer's local UID on the translator machine (as returned by the | |
97 | getuid() function). | |
98 | ||
99 | =item B<-sysname> <I<host's '@sys' value>> | |
100 | ||
101 | Specifies the value that the local (translator) machine's remote executor | |
102 | daemon substitutes for the I<@sys> variable in pathnames when executing | |
103 | AFS commands issued on the NFS client machine (which must be a supported | |
104 | system type). If the NFS user's PATH environment variable uses the I<@sys> | |
105 | variable in the pathnames for directories that house AFS binaries (as | |
106 | recommended), then setting this argument enables NFS users to issue AFS | |
107 | commands by leading the remote executor daemon to access the AFS binaries | |
108 | appropriate to the NFS client machine even if its system type differs from | |
109 | the translator machine's. | |
110 | ||
111 | =item B<-unlog> | |
112 | ||
113 | Discards the tokens stored in the credential structure identified by the | |
114 | PAG associated with the B<-host> argument and, optionally, the B<-id> | |
115 | argument. | |
116 | ||
117 | =item B<-tokens> | |
118 | ||
119 | Displays the AFS tokens assigned to the designated user on the indicated | |
120 | NFS client machine. | |
121 | ||
122 | =item B<-help> | |
123 | ||
124 | Prints the online help for this command. All other valid options are | |
125 | ignored. | |
126 | ||
127 | =back | |
128 | ||
129 | =head1 OUTPUT | |
130 | ||
131 | The following error message indicates that UID checking is enabled on the | |
132 | translator machine and that the value provided for the B<-id> argument | |
133 | differs from the issuer's local UID. | |
134 | ||
135 | knfs: Translator in 'passwd sync' mode; remote uid must be the same as | |
136 | local uid | |
137 | ||
138 | =head1 EXAMPLES | |
139 | ||
140 | The following example illustrates a typical use of this command. The | |
141 | issuer C<smith> is working on the machine C<nfscli1.example.com> and has user | |
142 | ID C<1020> on that machine. The translator machine C<tx4.example.com> uses an | |
143 | AFS-modified login utility, so C<smith> obtains tokens for the Example | |
144 | Corporation cell automatically upon login via the B<telnet> program. She | |
145 | then issues the B<klog> command to obtain tokens as C<admin> in the Example | |
146 | Corporation's test cell, C<test.example.com>, and the B<knfs> command to | |
147 | associate both tokens with the credential structure identified by machine | |
148 | name C<nfscli1> and user ID C<1020>. She breaks the connection to C<tx4> | |
149 | and works on C<nfscli1>. | |
150 | ||
151 | % telnet tx4.example.com | |
152 | . . . | |
153 | login: smith | |
154 | Password: | |
155 | AFS(R) login | |
156 | ||
157 | % klog admin -cell test.example.com | |
158 | Password: | |
159 | ||
160 | % knfs nfscli1.example.com 1020 | |
161 | ||
162 | % exit | |
163 | ||
164 | The following example shows user C<smith> again connecting to the machine | |
165 | C<tx4> via the B<telnet> program and discarding the tokens. | |
166 | ||
167 | % telnet tx4.example.com | |
168 | . . . | |
169 | login: smith | |
170 | Password: | |
171 | AFS(R) login | |
172 | ||
173 | % knfs nfscli1.example.com 1020 -unlog | |
174 | ||
175 | % exit | |
176 | ||
177 | =head1 PRIVILEGE REQUIRED | |
178 | ||
179 | None | |
180 | ||
181 | =head1 SEE ALSO | |
182 | ||
183 | L<klog(1)>, | |
184 | L<pagsh(1)> | |
185 | ||
186 | =head1 COPYRIGHT | |
187 | ||
188 | IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved. | |
189 | ||
190 | This documentation is covered by the IBM Public License Version 1.0. It was | |
191 | converted from HTML to POD by software written by Chas Williams and Russ | |
192 | Allbery, based on work by Alf Wachsmann and Elizabeth Cassell. |
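
The UID-checking rule from CAUTIONS and the error message from OUTPUT, as an added Python model that is not part of the original page or of OpenAFS. The `Translator` class, its method names, the token labels and the UIDs 2000 and 3000 are hypothetical; applying the UID check to B<-unlog> as well is an assumption.

```python
UIDCHECK_ERROR = ("knfs: Translator in 'passwd sync' mode; "
                  "remote uid must be the same as local uid")

class Translator:
    """Hypothetical model of the translator's credential table (not OpenAFS code)."""
    def __init__(self, uidcheck):
        self.uidcheck = uidcheck   # as set by `fs exportafs` with -uidcheck on|off
        self.creds = {}            # (nfs_host, nfs_uid) -> tokens in that structure

    def knfs(self, issuer_uid, issuer_tokens, host, nfs_uid=None, unlog=False):
        # Without -id, the NFS UID defaults to the issuer's UID on the translator.
        target = issuer_uid if nfs_uid is None else nfs_uid
        if self.uidcheck and target != issuer_uid:
            raise PermissionError(UIDCHECK_ERROR)
        if unlog:
            # -unlog empties the structure's tokens but keeps the structure.
            if (host, target) in self.creds:
                self.creds[(host, target)] = []
            return
        self.creds[(host, target)] = list(issuer_tokens)

    def tokens_for(self, host, nfs_uid):
        """Tokens the Cache Manager would use for requests from this NFS UID."""
        return self.creds.get((host, nfs_uid), [])

def demo():
    host = "nfscli1.example.com"
    tokens = ["main-cell token", "test.example.com token"]  # constructed labels
    out = {}
    off = Translator(uidcheck=False)
    off.knfs(1020, tokens, host, nfs_uid=2000)   # accepted: tokens bound to another UID
    out["off_other_uid"] = off.tokens_for(host, 2000)
    on = Translator(uidcheck=True)
    try:
        on.knfs(1020, tokens, host, nfs_uid=2000)
    except PermissionError as err:
        out["on_error"] = str(err)
    on.knfs(1020, tokens, host)                  # -id omitted: own UID, accepted
    out["on_own_uid"] = on.tokens_for(host, 1020)
    # Caveat from CAUTIONS: if smith is 1020 on the translator but 3000 on the NFS
    # client, her own NFS requests find no tokens, and whoever holds NFS UID 1020 does.
    out["on_client_uid_3000"] = on.tokens_for(host, 3000)
    on.knfs(1020, tokens, host, unlog=True)
    out["after_unlog"] = on.tokens_for(host, 1020)
    out["structure_retained"] = (host, 1020) in on.creds
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `on_client_uid_3000` result is the case the CAUTIONS section warns about: UID checking only ties tokens to the right NFS session when the UID maps agree on both machines.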