.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.20)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.el \{\
.    de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "AKLOG 1"
.TH AKLOG 1 "2021-12-09" "OpenAFS" "AFS Command Reference"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
aklog \- Obtain tokens for authentication to AFS
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBaklog\fR [\fB\-d\fR] [\fB\-hosts\fR] [\fB\-zsubs\fR] [\fB\-noprdb\fR] [\fB\-noauth\fR]
[\fB\-linked\fR] [\fB\-force\fR] [\fB\-524\fR] [\fB\-setpag\fR] [\fB\-insecure_des\fR]
[[\fB\-cell\fR\ |\ \fB\-c\fR]\ <\fIcell\fR>\ [\fB\-k\fR\ <\fIKerberos\ realm\fR>]]+
.PP
\&\fBaklog\fR [\fB\-d\fR] [\fB\-hosts\fR] [\fB\-zsubs\fR] [\fB\-noprdb\fR] [\fB\-noauth\fR]
[\fB\-linked\fR] [\fB\-force\fR] [\fB\-524\fR] [\fB\-setpag\fR] [\fB\-insecure_des\fR]
[\fB\-path\fR | \fB\-p\fR] <\fIpath\fR>+
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBaklog\fR program authenticates to a cell in \s-1AFS\s0 by obtaining \s-1AFS\s0
tokens using a Kerberos 5 ticket. If \fBaklog\fR is invoked with no
command-line arguments, it will obtain tokens for the workstation's local
cell. It may be invoked with an arbitrary number of cells and pathnames to
obtain tokens for multiple cells. \fBaklog\fR knows how to expand cell name
abbreviations, so cells can be referred to by enough letters to make the
cell name unique among the cells the workstation knows about.
.PP
\&\fBaklog\fR obtains tokens by obtaining a Kerberos service ticket for the \s-1AFS\s0
service and then storing it as a token. By default, it obtains that ticket
from the realm corresponding to that cell (the uppercase version of the
cell name), but a different realm for a particular cell can be specified
with \fB\-k\fR. \fB\-k\fR cannot be used in \fB\-path\fR mode (see below).
.PP
When a Kerberos 5 cross-realm trust is used, \fBaklog\fR looks up the \s-1AFS\s0 \s-1ID\s0
corresponding to the name (Kerberos principal) of the person invoking the
command, and if the user doesn't exist and the
\&\f(CW\*(C`system:authuser@FOREIGN.REALM\*(C'\fR \s-1PTS\s0 group exists, then it attempts
automatic registration of the user with the foreign cell.
The user is then added to the \f(CW\*(C`system:authuser@FOREIGN.REALM\*(C'\fR \s-1PTS\s0
group if registration is successful. Automatic registration in the foreign
cell will fail if the group quota for the
\&\f(CW\*(C`system:authuser@FOREIGN.REALM\*(C'\fR group is less than one. Each automatic
registration decrements the group quota by one.
.SH "CAUTIONS"
.IX Header "CAUTIONS"
When using \fBaklog\fR, be aware that \s-1AFS\s0 uses the Kerberos v4 principal
naming format, not the Kerberos v5 format, when referring to principals in
\&\s-1PTS\s0 ACLs, \fIUserList\fR, and similar locations. \s-1AFS\s0 will internally map
Kerberos v5 principal names to the Kerberos v4 syntax by removing any
portion of the instance after the first period (generally the domain name
of a host principal), changing any \f(CW\*(C`/\*(C'\fR to \f(CW\*(C`.\*(C'\fR, and changing an initial
principal part of \f(CW\*(C`host\*(C'\fR to \f(CW\*(C`rcmd\*(C'\fR. In other words, to create a \s-1PTS\s0
entry for the Kerberos v5 principal \f(CW\*(C`user/admin\*(C'\fR, refer to it as
\&\f(CW\*(C`user.admin\*(C'\fR, and for the principal \f(CW\*(C`host/shell.example.com\*(C'\fR, refer to
it as \f(CW\*(C`rcmd.shell\*(C'\fR.
.PP
The \fBaklog\fR mapping of Kerberos v5 principal to Kerberos v4 principal and
the determination that a Kerberos realm is foreign is performed in the
absence of the actual \s-1AFS\s0 server configuration. If the \fBaklog\fR mapping of
Kerberos v5 principal to Kerberos v4 principal or the foreign realm
determination is wrong, the \s-1PTS\s0 name-to-id lookup will produce the wrong
\&\s-1AFS\s0 \s-1ID\s0 for the user. The \s-1AFS\s0 \s-1ID\s0 is only used for display purposes and
should not be trusted. Use the \fB\-noprdb\fR switch to disable the \s-1PTS\s0
name-to-id lookup.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-524\fR" 4
.IX Item "-524"
Normally, \fBaklog\fR generates native K5 tokens.
This flag tells \fBaklog\fR to instead use the krb524 translation service to
generate K4 or rxkad2b tokens, which may be necessary for \s-1AFS\s0 cells that
don't support native K5 tokens. Support for native K5 tokens was added in
OpenAFS 1.2.8.
.IP "\fB\-cell\fR <\fIcell\fR>, \fB\-c\fR <\fIcell\fR>" 4
.IX Item "-cell <cell>, -c <cell>"
This flag tells \fBaklog\fR that the next argument is the name of a cell to
authenticate to. It normally isn't necessary; \fBaklog\fR normally determines
whether an argument is a cell or a path name based on whether it contains
\&\f(CW\*(C`/\*(C'\fR or is \f(CW\*(C`.\*(C'\fR or \f(CW\*(C`..\*(C'\fR. The cell may be followed by \fB\-k\fR to specify the
corresponding Kerberos realm.
.IP "\fB\-d\fR" 4
.IX Item "-d"
Turns on printing of debugging information. This option is not intended
for general users.
.IP "\fB\-force\fR" 4
.IX Item "-force"
Normally, aklog will not replace tokens with new tokens that appear to be
identical. If this flag is given, it will skip that check.
.IP "\fB\-hosts\fR" 4
.IX Item "-hosts"
Prints all the server addresses which may act as a single point of failure
in accessing the specified directory path. Each element of the path is
examined, and as new volumes are traversed, if they are not replicated,
the server's \s-1IP\s0 address containing the volume will be displayed. The
output is of the form:
.Sp
.Vb 1
\&        host:
.Ve
.Sp
This option is only useful in combination with paths as arguments rather
than cells.
.IP "\fB\-k\fR <\fIKerberos realm\fR>" 4
.IX Item "-k <Kerberos realm>"
This flag is valid only immediately after the name of the cell. It tells
\&\fBaklog\fR to use that Kerberos realm when authenticating to the preceding
cell. By default, \fBaklog\fR will use the realm (per the local Kerberos
configuration) of the first database server in the cell, so this flag
normally won't be necessary.
.IP "\fB\-linked\fR" 4
.IX Item "-linked"
If the \s-1AFS\s0 cell is linked to another \s-1AFS\s0 cell, get tokens for both.
.IP "\fB\-insecure_des\fR" 4
.IX Item "-insecure_des"
Configure libkrb5 to allow the use of the (insecure) single-DES encryption
types. When rxkad\-k5 is in use, this is not needed.
.IP "\fB\-noauth\fR" 4
.IX Item "-noauth"
Don't actually authenticate, just do everything else \fBaklog\fR does up to
setting tokens.
.IP "\fB\-noprdb\fR" 4
.IX Item "-noprdb"
Ordinarily, \fBaklog\fR looks up the \s-1AFS\s0 \s-1ID\s0 corresponding to the name of the
person invoking the command, and if the user doesn't exist, the cell is a
foreign one, the system:authuser@FOREIGN.REALM \s-1PTS\s0 group exists, and has a
positive group quota, then it attempts automatic registration of the user
with the foreign cell. Specifying this flag turns off this functionality.
This may be desirable if the protection database is unavailable for some
reason and tokens are desired anyway, or if one wants to disable user
registration.
.IP "\fB\-path\fR <\fIpathname\fR>, \fB\-p\fR <\fIpathname\fR>" 4
.IX Item "-path <pathname>, -p <pathname>"
This flag tells \fBaklog\fR that the next argument is a path in \s-1AFS\s0.
\&\fBaklog\fR will walk that path and obtain tokens for every cell needed to
access all of the directories. Normally, this flag isn't necessary;
\&\fBaklog\fR assumes an argument is a path if it contains \f(CW\*(C`/\*(C'\fR or is \f(CW\*(C`.\*(C'\fR or
\&\f(CW\*(C`..\*(C'\fR.
.IP "\fB\-setpag\fR" 4
.IX Item "-setpag"
When setting tokens, attempt to put the parent process in a new \s-1PAG\s0. This
is usually used as part of the login process but can be used any time to
create a new \s-1AFS\s0 authentication context. Note that this in some cases
relies on dangerous and tricky manipulations of kernel records and will
not work on all platforms or with all Linux kernels.
.IP "\fB\-zsubs\fR" 4
.IX Item "-zsubs"
Prints out the Zephyr subscription information to get alerts regarding all
of the file servers required to access a particular path.
The output is of the form:
.Sp
.Vb 1
\&        zsub:
.Ve
.Sp
where is the instance of a class \f(CW\*(C`filsrv\*(C'\fR Zephyr subscription.
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
.IP "\s-1KRB5CCNAME\s0" 4
.IX Item "KRB5CCNAME"
As with most programs that use an existing Kerberos ticket cache, \fBaklog\fR
can be told to use a cache other than the default by setting the
environment variable \s-1KRB5CCNAME\s0. On \s-1UNIX\s0 and Linux systems, this variable
is normally set to a file name, but may point to other types of caches.
See the documentation of your Kerberos implementation for more details.
.SH "FILES"
.IX Header "FILES"
.IP "\fI~/.xlog\fR" 4
.IX Item "~/.xlog"
If this file exists in the user's home directory, it should contain a list
of \s-1AFS\s0 cells to which to authenticate, one per line. If \fBaklog\fR is invoked
without any options, it will attempt to obtain tokens in every cell listed
in this file if it exists, rather than only obtaining tokens for the local
cell.
.SH "EXIT CODES"
.IX Header "EXIT CODES"
The exit status of \fBaklog\fR will be one of the following:
.ie n .IP "0" 3
.el .IP "\f(CW0\fR" 3
.IX Item "0"
Success \*(-- No error occurred.
.ie n .IP "1" 3
.el .IP "\f(CW1\fR" 3
.IX Item "1"
Usage \*(-- Bad command syntax; accompanied by a usage message.
.ie n .IP "2" 3
.el .IP "\f(CW2\fR" 3
.IX Item "2"
Something failed \*(-- More than one cell or pathname was given on the
command line and at least one failure occurred. A more specific error
status is returned when only one directive is given.
.ie n .IP "3" 3
.el .IP "\f(CW3\fR" 3
.IX Item "3"
\&\s-1AFS\s0 \*(-- Unable to get \s-1AFS\s0 configuration or unable to get information
about a specific cell.
.ie n .IP "4" 3
.el .IP "\f(CW4\fR" 3
.IX Item "4"
Kerberos \*(-- Unable to get tickets for authentication.
.ie n .IP "5" 3
.el .IP "\f(CW5\fR" 3
.IX Item "5"
Token \*(-- Unable to get tokens.
.ie n .IP "6" 3
.el .IP "\f(CW6\fR" 3
.IX Item "6"
Bad pathname \*(-- The path given was not a directory or \fIlstat\fR\|(2) failed
on some component of the pathname.
.ie n .IP "7" 3
.el .IP "\f(CW7\fR" 3
.IX Item "7"
Miscellaneous \*(-- An internal failure occurred. For example, \fBaklog\fR
returns this if it runs out of memory.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To get tokens for the local cell:
.PP
.Vb 1
\&    % aklog
.Ve
.PP
To get tokens for the \f(CW\*(C`prod.example.org\*(C'\fR cell:
.PP
.Vb 1
\&    % aklog prod.example.org
.Ve
.PP
or
.PP
.Vb 1
\&    % aklog prod
.Ve
.PP
The latter will work if your local cache manager already knows about the
\&\f(CW\*(C`prod\*(C'\fR cell.
.PP
To get tokens adequate to read \fI/afs/prod.example.org/user/p/potato\fR:
.PP
.Vb 1
\&    % aklog /afs/prod.example.org/user/p/potato
.Ve
.PP
To get tokens for \f(CW\*(C`testcell.example.org\*(C'\fR that is in a test Kerberos
realm:
.PP
.Vb 1
\&    % aklog testcell.example.org \-k TESTREALM.EXAMPLE.ORG
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIkinit\fR\|(1), \fItokens\fR\|(1), \fIunlog\fR\|(1)
.SH "AUTHOR"
.IX Header "AUTHOR"
Manpage originally written by Emanuel Jay Berkenbilt (MIT-Project
Athena). Extensively modified by Russ Allbery.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Original manpage is copyright 1990, 1991 Massachusetts Institute of
Technology. All rights reserved.
.PP
Copyright 2006 Russ Allbery.
.PP
Export of this software from the United States of America may require a
specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.
.PP
\&\s-1WITHIN\s0 \s-1THAT\s0 \s-1CONSTRAINT\s0, permission to use, copy, modify, and distribute
this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all
copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of M.I.T. not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission. Furthermore if you
modify this software you must label your software as modified software and
not distribute it in such a fashion that it might be confused with the
original \s-1MIT\s0 software. M.I.T. makes no representations about the
suitability of this software for any purpose. It is provided \*(L"as is\*(R"
without express or implied warranty.
.PP
\&\s-1THIS\s0 \s-1SOFTWARE\s0 \s-1IS\s0 \s-1PROVIDED\s0 ``\s-1AS\s0 \s-1IS\s0'' \s-1AND\s0 \s-1WITHOUT\s0 \s-1ANY\s0 \s-1EXPRESS\s0 \s-1OR\s0 \s-1IMPLIED\s0
\&\s-1WARRANTIES\s0, \s-1INCLUDING\s0, \s-1WITHOUT\s0 \s-1LIMITATION\s0, \s-1THE\s0 \s-1IMPLIED\s0 \s-1WARRANTIES\s0 \s-1OF\s0
\&\s-1MERCHANTIBILITY\s0 \s-1AND\s0 \s-1FITNESS\s0 \s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0.
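.PP
The Kerberos v5 to v4 name mapping described under CAUTIONS, as an added shell example that is not part of OpenAFS or of the original manual page. The helper names krb5_to_afs_name and afs_name_collisions are hypothetical, the sample principals are constructed, and the realm suffix is simply dropped rather than classified as local or foreign.

```sh
#!/bin/sh
# Added example, not OpenAFS code; function names are hypothetical.

# Print the Kerberos v4-style name AFS uses for a Kerberos v5 principal,
# applying the three rewrite rules from CAUTIONS to the name part.
krb5_to_afs_name() {
    name=${1%@*}                    # drop an optional @REALM suffix
    case $name in
        */*) primary=${name%%/*}; instance=${name#*/} ;;
        *)   primary=$name; instance= ;;
    esac
    instance=${instance%%.*}        # cut the instance at its first period
    if [ "$primary" = host ]; then  # an initial "host" becomes "rcmd"
        primary=rcmd
    fi
    if [ -n "$instance" ]; then     # join with "." and turn any "/" into "."
        printf '%s.%s\n' "$primary" "$instance" | tr / .
    else
        printf '%s\n' "$primary"
    fi
}

# Read principals on stdin, one per line, and print every AFS name that two
# or more distinct principals map to once the realm is dropped. Such
# principals cannot be told apart by name in a PTS entry or ACL.
afs_name_collisions() {
    sort -u | while IFS= read -r p; do
        [ -n "$p" ] || continue
        krb5_to_afs_name "$p"
    done | sort | uniq -d
}

# Constructed sample input; the first two are the man page's own examples.
SAMPLE_PRINCIPALS='user/admin
host/shell.example.com
host/shell.example.org@EXAMPLE.ORG
potato@EXAMPLE.ORG'

for p in $SAMPLE_PRINCIPALS; do
    printf '%-36s -> %s\n' "$p" "$(krb5_to_afs_name "$p")"
done
printf 'shared AFS names:\n'
printf '%s\n' "$SAMPLE_PRINCIPALS" | afs_name_collisions
```

Running a keytab or KDC principal listing through afs_name_collisions before creating PTS entries shows which host principals would end up sharing one AFS name.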