=head1 NAME

dlog - Authenticates to the DCE Security Service

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<dlog> S<<< [B<-principal> <I<user name>>] >>> S<<< [B<-cell> <I<cell name>>] >>>
    S<<< [B<-password> <I<user's password>>] >>>
    S<<< [B<-servers> <I<explicit list of servers>>+] >>>
    S<<< [B<-lifetime> <I<ticket lifetime in hh[:mm[:ss]]>>] >>>
    [B<-setpag>] [B<-pipe>] [B<-help>]

B<dlog> S<<< [B<-pr> <I<user name>>] >>> S<<< [B<-c> <I<cell name>>] >>>
    S<<< [B<-pw> <I<user's password>>] >>>
    S<<< [B<-ser> <I<explicit list of servers>>+] >>>
    S<<< [B<-l> <I<ticket lifetime in hh[:mm[:ss]]>>] >>>
    [B<-set>] [B<-pi>] [B<-h>]

=for html
</div>

=head1 DESCRIPTION

The B<dlog> command obtains DCE credentials for the issuer from the DCE
Security Service in the cell named by the B<-cell> argument, and stores
them on the AFS client machine on which the user issues the command. The
AFS/DFS Migration Toolkit Protocol Translator processes running on
machines in the DCE cell accept the credentials, which enables the user to
access the DCE cell's filespace from the AFS client. The user's identity
in the local file system is unchanged.

If the issuer does not provide the B<-principal> argument, the B<dlog>
command interpreter uses the user name under which the issuer is logged
into the local file system. Provide the DCE password for the appropriate
user name. As with the B<klog> command, the password does not cross the
network in clear text (unless the issuer is logged into the AFS client
from a remote machine).

The credentials are valid for a lifetime equivalent to the smallest of the
following, all but the last of which are defined by the DCE cell's Security
Server:

=over 4

=item *

The maximum certificate lifetime for the issuer's DCE account.

=item *

The maximum certificate lifetime for the AFS principal's DCE account.

=item *

The registry-wide maximum certificate lifetime.

=item *

The registry-wide default certificate lifetime.

=item *

The lifetime requested using the B<-lifetime> argument.

=back

If the preceding maximum certificate lifetime values are set to
C<default-policy>, the maximum possible ticket lifetime is defined by the
default certificate lifetime. Refer to the DCE vendor's administration
guide for more information before setting any of these values.

The AFS Cache Manager stores the ticket in a credential structure
associated with the name of the issuer (or the user named by the
B<-principal> argument). If the user already has a ticket for the DCE
cell, the ticket resulting from this command replaces it in the credential
structure.

The AFS B<tokens> command displays the ticket obtained by the B<dlog>
command for the server principal C<afs>, regardless of the principal to
which it is actually granted. Note that the B<tokens> command does not
distinguish tickets for a DFS(TM) File Server from tickets for an AFS File
Server.

=head1 OPTIONS

=over 4

=item B<-principal> <I<user name>>

Specifies the DCE user name for which to obtain DCE credentials. If this
option is omitted, the B<dlog> command interpreter uses the name under
which the issuer is logged into the local file system.

=item B<-cell> <I<cell name>>

Specifies the DCE cell in which to authenticate. During a single login
session on a given machine, a user can authenticate in multiple cells
simultaneously, but can have only one ticket at a time for each cell (that
is, it is possible to authenticate under only one identity per cell per
machine). It is legal to abbreviate the cell name to the shortest form
that distinguishes it from the other cells listed in the
F</usr/vice/etc/CellServDB> file on the local client machine.

If the issuer does not provide the B<-cell> argument, the B<dlog> command
attempts to authenticate with the DCE Security Server for the cell defined
by

=over 4

=item *

The value of the environment variable AFSCELL on the local AFS client
machine, if defined. The issuer can set the AFSCELL environment variable
to name the desired DCE cell.

=item *

The cell name in the F</usr/vice/etc/ThisCell> file on the local AFS
client machine. The machine's administrator can place the desired DCE
cell's name in the file.

=back

=item B<-password> <I<user's password>>

Specifies the password for the issuer (or for the user named by the
B<-principal> argument). Using this argument is not recommended, because
it makes the password visible on the command line. If this argument is
omitted, the command prompts for the password and does not echo it
visibly.

=item B<-servers> <I<list of servers>>+

Specifies a list of DFS database server machines running the Translator
Server through which the AFS client machine can attempt to
authenticate. Specify each server by hostname, shortened machine name, or
IP address. If this argument is omitted, the B<dlog> command interpreter
randomly selects a machine from the list of DFS Fileset Location (FL)
Servers in the F</usr/vice/etc/CellServDB> file for the DCE cell specified
by the B<-cell> argument. This argument is useful for testing when
authentication seems to be failing on certain server machines.

=item B<-lifetime> <I<ticket lifetime>>

Requests a ticket lifetime using the format I<hh>B<:>I<mm>[B<:>I<ss>]
(hours, minutes, and optionally a number of seconds between 00 and
59). For example, the value C<168:30> requests a ticket lifetime of 7 days
and 30 minutes, and C<96:00> requests a lifetime of 4 days. Acceptable
values range from C<00:05> (5 minutes) to C<720:00> (30 days). If this
argument is not provided and no other determinants of ticket lifetime have
been changed from their defaults, the ticket lifetime is 10 hours.

The requested lifetime must be smaller than any of the DCE cell's
determinants for ticket lifetime; see the discussion in the preceding
B<Description> section.

=item B<-setpag>

Creates a process authentication group (PAG) in which the newly created
ticket is placed. If this flag is omitted, the ticket is instead
associated with the issuer's local user ID (UID).

=item B<-pipe>

Suppresses any prompts that the command interpreter otherwise produces,
including the prompt for the issuer's password. Instead, the command
interpreter accepts the password via the standard input stream.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back
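The following wrapper is an added example, not part of this man page or of
OpenAFS. It ties together two points made above: the B<-lifetime> value
must be of the form I<hh>[B<:>I<mm>[B<:>I<ss>]] and lie between C<00:05>
and C<720:00>, and the password should reach B<dlog> through B<-pipe> on
standard input rather than through B<-password>, which leaves it visible
in the process's argument list. The script assumes a B<dlog> binary on the
PATH; the function names (C<lifetime_seconds>, C<check_lifetime>,
C<dlog_pipe>, C<read_password>) are its own. It also assumes that minutes,
like seconds, are limited to 00-59, which the page states only for
seconds.

```sh
#!/bin/sh
# Added example (not from the dlog man page or OpenAFS): validate a
# -lifetime value and run dlog with -pipe so the password is never
# passed on the command line.
# Assumptions: dlog is on PATH; format hh[:mm[:ss]] and range 00:05..720:00
# are from the man page; minutes are assumed limited to 00-59 like seconds.

# strip_zeros NUM: drop leading zeros so "08" is not read as octal by $((...))
strip_zeros() {
    v=$1
    while [ "${v#0}" != "$v" ] && [ -n "${v#0}" ]; do v=${v#0}; done
    printf '%s\n' "$v"
}

# lifetime_seconds LIFETIME: print the lifetime in seconds, or return 1
# (with a reason on stderr) if LIFETIME is not a well-formed hh[:mm[:ss]].
lifetime_seconds() {
    lt=$1
    case "$lt" in
        ''|:*|*:|*::*|*[!0-9:]*)
            echo "lifetime '$lt': expected hh[:mm[:ss]]" >&2; return 1 ;;
    esac
    # Split on colons: after the check above every field is a digit string.
    hh=${lt%%:*}
    rest=${lt#"$hh"}; rest=${rest#:}      # "" | "mm" | "mm:ss"
    mm=${rest%%:*}
    rest=${rest#"$mm"}; rest=${rest#:}    # "" | "ss"
    ss=$rest
    case "$ss" in
        *:*) echo "lifetime '$lt': too many fields" >&2; return 1 ;;
    esac
    hh=$(strip_zeros "$hh")
    mm=$(strip_zeros "${mm:-0}")
    ss=$(strip_zeros "${ss:-0}")
    if [ "$mm" -gt 59 ] || [ "$ss" -gt 59 ]; then
        echo "lifetime '$lt': minutes and seconds must be 00-59" >&2; return 1
    fi
    printf '%d\n' $((hh * 3600 + mm * 60 + ss))
}

# check_lifetime LIFETIME: return 0 if within 00:05 (300 s) .. 720:00 (30 days)
check_lifetime() {
    secs=$(lifetime_seconds "$1") || return 1
    if [ "$secs" -lt 300 ] || [ "$secs" -gt 2592000 ]; then
        echo "lifetime '$1': must be between 00:05 and 720:00" >&2; return 1
    fi
}

# dlog_pipe PRINCIPAL CELL [LIFETIME]: run dlog with -pipe. The password is
# read by dlog from this function's standard input, so the caller pipes it in.
dlog_pipe() {
    principal=$1; cell=$2; lifetime=$3
    set -- -pipe -principal "$principal" -cell "$cell"
    if [ -n "$lifetime" ]; then
        check_lifetime "$lifetime" || return 1
        set -- "$@" -lifetime "$lifetime"
    fi
    dlog "$@"
}

# read_password: prompt on the terminal with echo off and print the password
# on stdout, for use as:  read_password | dlog_pipe cell_admin dce.example.com
read_password() {
    trap 'stty echo </dev/tty; echo >/dev/tty; exit 130' INT
    printf 'Password: ' >/dev/tty
    stty -echo </dev/tty
    IFS= read -r pw </dev/tty
    stty echo </dev/tty
    echo >/dev/tty
    trap - INT
    printf '%s\n' "$pw"
}
```

A typical call is C<read_password | dlog_pipe cell_admin dce.example.com
100:00> followed by B<tokens> to confirm the new ticket. The password
travels through a pipe rather than the argument vector because argument
vectors of running processes are readable by other local users, which is
exactly the exposure the B<-password> option warns about.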

=head1 OUTPUT

If the B<dlog> command interpreter cannot contact a Translator Server, it
produces a message similar to the following:

   dlog: server or network not responding -- failed to contact
   authentication service

=head1 EXAMPLES

The following command authenticates the issuer as C<cell_admin> in the
C<dce.example.com> cell.

   % dlog -principal cell_admin -cell dce.example.com
   Password: <cell_admin's password>

In the following example, the issuer authenticates as C<cell_admin> to the
C<dce.example.com> cell and requests a ticket lifetime of 100 hours. The
B<tokens> command confirms that the user obtained DCE credentials as the
user C<cell_admin>: the AFS ID is equivalent to the UNIX ID of C<1>
assigned to C<cell_admin> in the C<dce.example.com> cell's DCE registry.

   % dlog -principal cell_admin -cell dce.example.com -lifetime 100
   Password: <cell_admin's password>

   % tokens
   Tokens held by the Cache Manager:

   User's (AFS ID 1) tokens for afs@dce.example.com [Expires Jul 6 14:12]
   User's (AFS ID 4758) tokens for afs@example.com [Expires Jul 2 13:14]

   --End of list--

=head1 PRIVILEGE REQUIRED

None

=head1 SEE ALSO

L<dpass(1)>,
L<klog(1)>,
L<tokens(1)>,
L<unlog(1)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.