| 1 | =head1 NAME |
| 2 | |
| 3 | knfs - Establishes authenticated access via the NFS/AFS Translator |
| 4 | |
| 5 | =head1 SYNOPSIS |
| 6 | |
| 7 | =for html |
| 8 | <div class="synopsis"> |
| 9 | |
| 10 | B<knfs> S<<< B<-host> <I<host name>> >>> S<<< [B<-id> <I<user ID (decimal)>>] >>> |
| 11 | S<<< [B<-sysname> <I<host's '@sys' value>>] >>> [B<-unlog>] [B<-tokens>] |
| 12 | [B<-help>] |
| 13 | |
| 14 | B<knfs> S<<< B<-ho> <I<host name>> >>> S<<< [B<-i> <I<user ID (decimal)>>] >>> |
| 15 | S<<< [B<-s> <I<host's '@sys' value>>] >>> [B<-u>] [B<-t>] [B<-he>] |
| 16 | |
| 17 | =for html |
| 18 | </div> |
| 19 | |
| 20 | =head1 DESCRIPTION |
| 21 | |
| 22 | The B<knfs> command creates an AFS credential structure on the local |
| 23 | machine, identifying it by a process authentication group (PAG) number |
| 24 | associated with the NFS client machine named by the B<-hostname> argument |
| 25 | and by default with a local UID on the NFS client machine that matches the |
| 26 | issuer's local UID on the local machine. It places in the credential |
| 27 | structure the AFS tokens that the issuer has previously obtained (by |
| 28 | logging onto the local machine if an AFS-modified login utility is |
| 29 | installed, by issuing the B<klog> command, or both). To associate the |
| 30 | credential structure with an NFS UID that does not match the issuer's |
| 31 | local UID, use the B<-id> argument. |
| 32 | |
| 33 | Issue this command only on the NFS(R)/AFS translator machine that is |
| 34 | serving the NFS client machine, after obtaining AFS tokens on the |
| 35 | translator machine for every cell to which authenticated access is |
| 36 | required. The Cache Manager on the translator machine uses the tokens to |
| 37 | obtain authenticated AFS access for the designated user working on the NFS |
| 38 | client machine. This command is not effective if issued on an NFS client |
| 39 | machine. |
| 40 | |
| 41 | To enable the user on the NFS client machine to issue AFS commands, use |
| 42 | the B<-sysname> argument to specify the NFS client machine's system type, |
| 43 | which can differ from the translator machine's. The NFS client machine |
| 44 | must be a system type for which AFS is supported. |
| 45 | |
| 46 | The B<-unlog> flag discards the tokens in the credential structure, but |
| 47 | does not destroy the credential structure itself. The Cache Manager on the |
| 48 | translator machine retains the credential structure until the next reboot, |
| 49 | and uses it each time the issuer accesses AFS through the translator |
| 50 | machine. The credential structure only has tokens in it if the user |
| 51 | reissues the B<knfs> command on the translator machine each time the user |
| 52 | logs into the NFS client machine. |
| 53 | |
| 54 | To display the tokens associated with the designated user on the NFS |
| 55 | client machine, include the B<-tokens> flag. |
| 56 | |
| 57 | Users working on NFS client machines of system types for which AFS |
| 58 | binaries are available can use the B<klog> command rather than the B<knfs> |
| 59 | command. |
| 60 | |
| 61 | =head1 CAUTIONS |
| 62 | |
| 63 | If the translator machine's administrator has enabled UID checking by |
| 64 | issuing the B<fs exportafs> command with the B<-uidcheck on> argument, it |
| 65 | is not possible to use the B<-id> argument to assign the tokens to an NFS |
| 66 | UID that differs from the issuer's local UID. In this case, there is no |
| 67 | point in including the B<-id> argument, because the only acceptable value |
| 68 | (the issuer's local UID) is the value used when the B<-id> argument is |
| 69 | omitted. Requiring matching UIDs is effective only when users have the |
| 70 | same local UID on the translator machine as on NFS client machines. In |
| 71 | that case, it guarantees that users assign their tokens only to their own |
| 72 | NFS sessions. |
| 73 | |
| 74 | This command does not make it possible for users working on non-supported |
| 75 | system types to issue AFS commands. This is possible only on NFS clients |
| 76 | of a system type for which AFS is available. |
| 77 | |
| 78 | =head1 OPTIONS |
| 79 | |
| 80 | =over 4 |
| 81 | |
| 82 | =item B<-host> <I<host name>> |
| 83 | |
| 84 | Names the NFS client machine on which the issuer is to work. Providing a |
| 85 | fully-qualified hostname is best, but abbreviated forms are possibly |
| 86 | acceptable depending on the state of the cell's name server at the time |
| 87 | the command is issued. |
| 88 | |
| 89 | =item B<-id> <I<user ID (decimal)>> |
| 90 | |
| 91 | Specifies the local UID on the NFS client to which to assign the |
| 92 | tokens. The NFS client identifies file requests by the NFS UID, so |
| 93 | creating the association enables the Cache Manager on the translator |
| 94 | machine to use the appropriate tokens when filling the requests. If this |
| 95 | argument is omitted, the command interpreter uses an NFS UID that matches |
| 96 | the issuer's local UID on the translator machine (as returned by the |
| 97 | getuid() function). |
| 98 | |
| 99 | =item B<-sysname> <I<host's '@sys' value>> |
| 100 | |
| 101 | Specifies the value that the local (translator) machine's remote executor |
| 102 | daemon substitutes for the I<@sys> variable in pathnames when executing |
| 103 | AFS commands issued on the NFS client machine (which must be a supported |
| 104 | system type). If the NFS user's PATH environment variable uses the I<@sys> |
| 105 | variable in the pathnames for directories that house AFS binaries (as |
| 106 | recommended), then setting this argument enables NFS users to issue AFS |
| 107 | commands by leading the remote executor daemon to access the AFS binaries |
| 108 | appropriate to the NFS client machine even if its system type differs from |
| 109 | the translator machine's. |
| 110 | |
| 111 | =item B<-unlog> |
| 112 | |
| 113 | Discards the tokens stored in the credential structure identified by the |
| 114 | PAG associated with the B<-host> argument and, optionally, the B<-id> |
| 115 | argument. |
| 116 | |
| 117 | =item B<-tokens> |
| 118 | |
| 119 | Displays the AFS tokens assigned to the designated user on the indicated |
| 120 | NFS client machine. |
| 121 | |
| 122 | =item B<-help> |
| 123 | |
| 124 | Prints the online help for this command. All other valid options are |
| 125 | ignored. |
| 126 | |
| 127 | =back |
| 128 | |
| 129 | =head1 OUTPUT |
| 130 | |
| 131 | The following error message indicates that UID checking is enabled on the |
| 132 | translator machine and that the value provided for the B<-id> argument |
| 133 | differs from the issuer's local UID. |
| 134 | |
| 135 | knfs: Translator in 'passwd sync' mode; remote uid must be the same as |
| 136 | local uid |
| 137 | |
| 138 | =head1 EXAMPLES |
| 139 | |
| 140 | The following example illustrates a typical use of this command. The |
| 141 | issuer C<smith> is working on the machine C<nfscli1.example.com> and has user |
| 142 | ID C<1020> on that machine. The translator machine C<tx4.example.com> uses an |
| 143 | AFS-modified login utility, so C<smith> obtains tokens for the Example |
| 144 | Corporation cell automatically upon login via the B<telnet> program. She |
| 145 | then issues the B<klog> command to obtain tokens as C<admin> in the Example |
| 146 | Corporation's test cell, C<test.example.com>, and the B<knfs> command to |
| 147 | associate both tokens with the credential structure identified by machine |
| 148 | name C<nfs-cli1> and user ID C<1020>. She breaks the connection to C<tx4> |
| 149 | and works on C<nfscli1>. |
| 150 | |
| 151 | % telnet tx4.example.com |
| 152 | . . . |
| 153 | login: smith |
| 154 | Password: |
| 155 | AFS(R) login |
| 156 | |
| 157 | % klog admin -cell test.example.com |
| 158 | Password: |
| 159 | |
| 160 | % knfs nfscli1.example.com 1020 |
| 161 | |
| 162 | % exit |
| 163 | |
| 164 | The following example shows user smith again connecting to the machine |
| 165 | C<tx4> via the B<telnet> program and discarding the tokens. |
| 166 | |
| 167 | % telnet translator4.example.com |
| 168 | . . . |
| 169 | login: smith |
| 170 | Password: |
| 171 | AFS(R) login |
| 172 | |
| 173 | % knfs nfscli1.example.com 1020 -unlog |
| 174 | |
| 175 | % exit |
| 176 | |
| 177 | =head1 PRIVILEGE REQUIRED |
| 178 | |
| 179 | None |
| 180 | |
| 181 | =head1 SEE ALSO |
| 182 | |
| 183 | L<klog(1)>, |
| 184 | L<pagsh(1)> |
| 185 | |
| 186 | =head1 COPYRIGHT |
| 187 | |
| 188 | IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved. |
| 189 | |
| 190 | This documentation is covered by the IBM Public License Version 1.0. It was |
| 191 | converted from HTML to POD by software written by Chas Williams and Russ |
| 192 | Allbery, based on work by Alf Wachsmann and Elizabeth Cassell. |