.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.el \{\
.    de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "DLOG 1"
.TH DLOG 1 "2012-01-23" "OpenAFS" "AFS Command Reference"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
dlog \- Authenticates to the DCE Security Service
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBdlog\fR [\fB\-principal\fR\ <\fIuser\ name\fR>] [\fB\-cell\fR\ <\fIcell\ name\fR>]
[\fB\-password\fR\ <\fIuser's\ password\fR>]
[\fB\-servers\fR\ <\fIexplicit\ list\ of\ servers\fR>+]
[\fB\-lifetime\fR\ <\fIticket\ lifetime\ in\ hh[:mm[:ss]]\fR>]
[\fB\-setpag\fR] [\fB\-pipe\fR] [\fB\-help\fR]
.PP
\&\fBdlog\fR [\fB\-pr\fR\ <\fIuser\ name\fR>] [\fB\-c\fR\ <\fIcell\ name\fR>]
[\fB\-pw\fR\ <\fIuser's\ password\fR>]
[\fB\-ser\fR\ <\fIexplicit\ list\ of\ servers\fR>+]
[\fB\-l\fR\ <\fIticket\ lifetime\ in\ hh[:mm[:ss]]\fR>]
[\fB\-set\fR] [\fB\-pi\fR] [\fB\-h\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBdlog\fR command obtains \s-1DCE\s0 credentials for the issuer from the \s-1DCE\s0
Security Service in the cell named by the \fB\-cell\fR argument, and stores them
on the \s-1AFS\s0 client machine on which the user issues the command. The
\&\s-1AFS/DFS\s0 Migration Toolkit Protocol Translator processes running on
machines in the \s-1DCE\s0 cell accept the credentials, which enables the user to
access the \s-1DCE\s0 cell's filespace from the \s-1AFS\s0 client. The user's identity
in the local file system is unchanged.
.PP
If the issuer does not provide the \fB\-principal\fR argument, the \fBdlog\fR
command interpreter uses the user name under which the issuer is logged
into the local file system. Provide the \s-1DCE\s0 password for the appropriate
user name. As with the \fBklog\fR command, the password does not cross the
network in clear text (unless the issuer is logged into the \s-1AFS\s0 client from
a remote machine).
.PP
The credentials are valid for a lifetime equivalent to the smallest of the
following, all but the last of which is defined by the \s-1DCE\s0 cell's Security
Server:
.IP "\(bu" 4
The maximum certificate lifetime for the issuer's \s-1DCE\s0 account.
.IP "\(bu" 4
The maximum certificate lifetime for the \s-1AFS\s0 principal's \s-1DCE\s0 account.
.IP "\(bu" 4
The registry-wide maximum certificate lifetime.
.IP "\(bu" 4
The registry-wide default certificate lifetime.
.IP "\(bu" 4
The lifetime requested using the \fB\-lifetime\fR argument.
.PP
If the previous maximum certificate lifetime values are set to
\&\f(CW\*(C`default\-policy\*(C'\fR, the maximum possible ticket lifetime is defined by
the default certificate lifetime. Refer to the \s-1DCE\s0 vendor's administration
guide for more information before setting any of these values.
.PP
The \s-1AFS\s0 Cache Manager stores the ticket in a credential structure
associated with the name of the issuer (or the user named by the
\&\fB\-principal\fR argument). If the user already has a ticket for the \s-1DCE\s0
cell, the ticket resulting from this command replaces it in the credential
structure.
.PP
The \s-1AFS\s0 \fBtokens\fR command displays the ticket obtained by the \fBdlog\fR command
for the server principal \f(CW\*(C`afs\*(C'\fR, regardless of the principal to which it is
actually granted. Note that the \fBtokens\fR command does not distinguish
tickets for a \s-1DFS\s0\(tm File Server from tickets for an \s-1AFS\s0 File Server.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-principal\fR <\fIuser name\fR>" 4
.IX Item "-principal "
Specifies the \s-1DCE\s0 user name for which to obtain \s-1DCE\s0 credentials. If this
option is omitted, the \fBdlog\fR command interpreter uses the name under which
the issuer is logged into the local file system.
.IP "\fB\-cell\fR <\fIcell name\fR>" 4
.IX Item "-cell "
Specifies the \s-1DCE\s0 cell in which to authenticate. During a single login
session on a given machine, a user can authenticate in multiple cells
simultaneously, but can have only one ticket at a time for each cell (that
is, it is possible to authenticate under only one identity per cell per
machine).
It is legal to abbreviate the cell name to the shortest form that
distinguishes it from the other cells listed in the
\&\fI/usr/vice/etc/CellServDB\fR file on the local client machine.
.Sp
If the issuer does not provide the \fB\-cell\fR argument, the \fBdlog\fR command
attempts to authenticate with the \s-1DCE\s0 Security Server for the cell defined
by
.RS 4
.IP "\(bu" 4
The value of the environment variable \s-1AFSCELL\s0 on the local \s-1AFS\s0 client
machine, if defined. The issuer can set the \s-1AFSCELL\s0 environment variable
to name the desired \s-1DCE\s0 cell.
.IP "\(bu" 4
The cell name in the \fI/usr/vice/etc/ThisCell\fR file on the local \s-1AFS\s0 client
machine. The machine's administrator can place the desired \s-1DCE\s0 cell's name
in the file.
.RE
.RS 4
.RE
.IP "\fB\-password\fR <\fIuser's password\fR>" 4
.IX Item "-password "
Specifies the password for the issuer (or for the user named by the
\&\fB\-principal\fR argument). Using this argument is not recommended, because
it makes the password visible on the command line. If this argument is
omitted, the command prompts for the password and does not echo it
visibly.
.IP "\fB\-servers\fR <\fIlist of servers\fR>+" 4
.IX Item "-servers +"
Specifies a list of \s-1DFS\s0 database server machines running the Translator
Server through which the \s-1AFS\s0 client machine can attempt to
authenticate. Specify each server by hostname, shortened machine name, or
\&\s-1IP\s0 address. If this argument is omitted, the \fBdlog\fR command interpreter
randomly selects a machine from the list of \s-1DFS\s0 Fileset Location (\s-1FL\s0)
Servers in the \fI/usr/vice/etc/CellServDB\fR file for the \s-1DCE\s0 cell specified
by the \fB\-cell\fR argument. This argument is useful for testing when
authentication seems to be failing on certain server machines.
.IP "\fB\-lifetime\fR <\fIticket lifetime\fR>" 4
.IX Item "-lifetime "
Requests a ticket lifetime using the format \fIhh\fR\fB:\fR\fImm\fR[\fB:\fR\fIss\fR] (hours,
minutes, and optionally a number of seconds between 00 and 59). For example,
the value \f(CW\*(C`168:30\*(C'\fR requests a ticket lifetime of 7 days and 30 minutes,
and \f(CW\*(C`96:00\*(C'\fR requests a lifetime of 4 days. Acceptable values range from
\&\f(CW\*(C`00:05\*(C'\fR (5 minutes) to \f(CW\*(C`720:00\*(C'\fR (30 days). If this argument is not provided
and no other determinants of ticket lifetime have been changed from their
defaults, ticket lifetime is 10 hours.
.Sp
The requested lifetime must be smaller than any of the \s-1DCE\s0 cell's
determinants for ticket lifetime; see the discussion in the preceding
\&\fBDescription\fR section.
.IP "\fB\-setpag\fR" 4
.IX Item "-setpag"
Creates a process authentication group (\s-1PAG\s0) in which the newly created
ticket is placed. If this flag is omitted, the ticket is instead
associated with the issuer's local user \s-1ID\s0 (\s-1UID\s0).
.IP "\fB\-pipe\fR" 4
.IX Item "-pipe"
Suppresses any prompts that the command interpreter otherwise produces,
including the prompt for the issuer's password. Instead, the command
interpreter accepts the password via the standard input stream.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Prints the online help for this command. All other valid options are
ignored.
.SH "OUTPUT"
.IX Header "OUTPUT"
If the dlog command interpreter cannot contact a Translator Server, it
produces a message similar to the following:
.PP
.Vb 2
\&   dlog: server or network not responding \-\- failed to contact
\&         authentication service
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The following command authenticates the issuer as cell_admin in the
\&\f(CW\*(C`dce.abc.com\*(C'\fR cell.
.PP
.Vb 2
\&   % dlog \-principal cell_admin \-cell dce.abc.com
\&   Password:
.Ve
.PP
In the following example, the issuer authenticates as cell_admin to the
\&\f(CW\*(C`dce.abc.com\*(C'\fR cell and requests a ticket lifetime of 100 hours. The
\&\fBtokens\fR command confirms that the user obtained \s-1DCE\s0 credentials as the
user \f(CW\*(C`cell_admin\*(C'\fR: the \s-1AFS\s0 \s-1ID\s0 is equivalent to the \s-1UNIX\s0 \s-1ID\s0 of \f(CW1\fR assigned to
\&\f(CW\*(C`cell_admin\*(C'\fR in the \f(CW\*(C`dce.abc.com\*(C'\fR cell's \s-1DCE\s0 registry.
.PP
.Vb 2
\&   % dlog \-principal cell_admin \-cell dce.abc.com \-lifetime 100
\&   Password:
\&
\&   % tokens
\&   Tokens held by the Cache Manager:
\&
\&   User\*(Aqs (AFS ID 1) tokens for afs@dce.abc.com [Expires Jul 6 14:12]
\&   User\*(Aqs (AFS ID 4758) tokens for afs@abc.com [Expires Jul 2 13:14]
\&
\&      \-\-End of list\-\-
.Ve
.SH "PRIVILEGE REQUIRED"
.IX Header "PRIVILEGE REQUIRED"
None
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIdpass\fR\|(1),
\&\fIklog\fR\|(1),
\&\fItokens\fR\|(1),
\&\fIunlog\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
\&\s-1IBM\s0 Corporation 2000. All Rights Reserved.
.PP
This documentation is covered by the \s-1IBM\s0 Public License Version 1.0. It was
converted from \s-1HTML\s0 to \s-1POD\s0 by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
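.PP
The \fB\-lifetime\fR rules from the DESCRIPTION and OPTIONS sections, as an added shell example that is not part of OpenAFS or of the original page: it parses hh[:mm[:ss]], enforces the documented 00:05 to 720:00 range, and returns the smallest of the requested value and the cell's limits. The function names, the passing of cell limits as seconds, and the 00\-59 bound on minutes are assumptions.

```shell
#!/bin/sh
# Added example, not OpenAFS code. All function names are hypothetical.

# Strip leading zeros so shell arithmetic does not reject "08" or "09"
# as invalid octal (the format on the page writes fields as 00, 05, ...).
_dec() {
    n=$1
    while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
    printf '%s\n' "$n"
}

# dlog_lifetime_secs HH[:MM[:SS]]
# Prints the lifetime in seconds; returns non-zero on a malformed or
# out-of-range value.
dlog_lifetime_secs() {
    case $1 in
        ''|*[!0-9:]*|:*|*:|*::*|*:*:*:*) return 1 ;;   # malformed input
    esac
    h=${1%%:*}; rest=${1#"$h"}; rest=${rest#:}
    m=${rest%%:*}; s=${rest#"$m"}; s=${s#:}
    h=$(_dec "$h"); m=$(_dec "${m:-0}"); s=$(_dec "${s:-0}")
    # Bound field widths first so oversized numbers never reach arithmetic.
    [ "${#h}" -le 3 ] && [ "${#m}" -le 2 ] && [ "${#s}" -le 2 ] || return 1
    # Seconds 00-59 is from the page; the same bound on minutes is assumed.
    [ "$m" -le 59 ] && [ "$s" -le 59 ] || return 1
    total=$((h * 3600 + m * 60 + s))
    # Documented acceptable range: 00:05 (5 minutes) to 720:00 (30 days).
    [ "$total" -ge 300 ] && [ "$total" -le 2592000 ] || return 1
    printf '%s\n' "$total"
}

# effective_lifetime REQUESTED LIMIT_SECS...
# Prints the smallest of the requested lifetime and each cell-side limit
# (account, AFS principal, registry maximum, registry default), in seconds.
effective_lifetime() {
    min=$(dlog_lifetime_secs "$1") || return 1
    shift
    for limit in "$@"; do
        if [ "$limit" -lt "$min" ]; then min=$limit; fi
    done
    printf '%s\n' "$min"
}
```

For instance, effective_lifetime 100 36000 reports 36000: a 100-hour request is capped by a 10-hour (36000-second) cell limit.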