pts - Introduction to the pts command suite
The pts command suite is the administrative interface to the Protection Servers. The Protection Servers store identity and group information used for evaluating access control lists (ACLs) by services such as the File Servers.
The /afs file namespace associates an ACL with each directory and file object. Each ACL consists of zero or more access control entries (ACEs). Each ACE associates a user identity or a group with a set of access permissions. ACLs stored within the /afs file namespace are enforced by the File Servers. Each /afs file namespace ACE grants (normal rights) or revokes (negative rights) a set of file system access permissions (see fs listacl).
User identities are unique identifiers that represent a single user entity. A user identifier can be associated with one or more Generic Security Service (GSS) Kerberos version 5 network identities (see rfc4121).
Groups can be defined whose membership consists of zero or more user identities and other groups. Including an ACE for a group in an ACL permits a set of permissions to be granted to or revoked from multiple users with one ACE. Groups simplify administration by making it possible to add someone to many ACLs by adding them to a group that already exists on those ACLs.
There are system groups that are automatically managed by the cell's Protection Servers. These include:
The group of all users including
The group of all local users excluding
anonymous and any users excluded from the
system:authuser group by setting the
N access flag (see pts setfields).
The group of all users granted administrator privileges within the cell.
In addition to normal users (for example,
machines can also be assigned a user identity.
It is useful to assign a machine a user identity when the machine has its own credentials that permit it to authenticate to the cell as itself.
It is best practice that machine identities be excluded from the
Machines can be included in groups other than
The final type of user identity is one associated with an IP version 4 network address or an IP version 4 sub-network.
Network user identities can never be authenticated and cannot be included in the
Networks can be included in groups other than
There are several categories of commands in the pts command suite:
A command to run commands from a file: pts source.
Command to display the program version: pts version.
The following arguments and flags are common to many commands in the pts suite. The reference page for each command also lists them, but they are described here in greater detail.
Names the cell in which to run the command. It is acceptable to abbreviate the cell name to the shortest form that distinguishes it from the other entries in the /etc/yfs/yfs-client.conf file.
If the -cell argument is omitted, the command interpreter determines the name of the local cell by reading the following in order:
The value of the AFSCELL environment variable.
The local cell as specified by the HKLM\SYSTEM\CurrentControlSet\Services\YourFileSystemClient\Parameters "Cell" registry value. (Microsoft Windows only)
The local cell as specified by the [defaults] thiscell parameter of the /etc/yfs/yfs-client.conf file.
Do not combine the -cell and -localauth options. A command on which the -localauth flag is included always runs in the workstation cell.
Sets the location of the configuration file to be used. The default file is /etc/yfs/yfs-client.conf.
Enables the command to continue executing as far as possible when errors or other problems occur, rather than halting execution immediately. Without it, the command halts as soon as the first error is encountered. In either case, the pts command interpreter reports errors at the command shell. This flag is especially useful if the issuer provides many values for a command line argument; if one of them is invalid, the command interpreter continues processing the remaining arguments.
Prints the online help for this command. All other valid options are ignored.
Establishes an unauthenticated connection to the Protection Server,
in which the server treats the issuer as the unprivileged user
It is useful only when:
Authorization checking is disabled on the Protection Server (during installation or when the bos setauth command has been used to disable server authorization). Unless authorization has been disabled, the Protection Server allows only privileged users to issue commands that change the Protection Database, and refuses to perform such an action even if the -noauth flag is provided.
Issuing commands such as pts examine that do not require privileges to complete. Specifying the -noauth flag can avoid warning messages.
Establishes an authenticated, encrypted connection to the Protection Server.
Obtains an authentication token using the server encryption key with the highest key version number in the local /etc/yfs/server/KeyFileExt file. The resulting token never expires and has Super User privileges.
Do not combine the -cell and -localauth options. .
Use this flag only when issuing a command on a server machine; client machines do not usually have either a /etc/yfs/server/KeyFileExt file or a /etc/yfs/server/yfs-server.conf file.
The issuer of a command that includes this flag must be logged on to the server machine as the local superuser
root or another account that has permission to read the /etc/yfs/server/KeyFileExt file.
The flag is useful for commands invoked by an unattended application program,
such as a process controlled by the UNIX cron utility.
It is also useful if an administrator is unable to authenticate to the cell but is logged in as the local superuser
Do not combine the -localauth and -noauth flags.
Use the calling user's tokens from the kernel or as obtained using the active Kerberos ticket granting ticket to communicate with the Volume Server and Location Service. This is the default if neither -localauth nor -noauth is given.
Since this option is the default, it is usually not useful for running single command line operations. However, it can be useful when running commands via pts_interactive(1), since otherwise it would be impossible to switch from, for example, -localauth back to using regular tokens during a bulk operation. See pts_interactive(1) for more details.
Members of the
system:administrators group can issue all pts commands on any entry managed by the Protection Service.
Users who do not belong to the
system:administrators group can list information about their own entry and any group entries they own.
The privacy flags set with the pts setfields command control access to entries owned by other users.
KeyFileExt(5), pts_adduser(1), pts_apropos(1), pts_chown(1), pts_creategroup(1), pts_createuser(1), pts_delete(1), pts_examine(1), pts_getcps(1), pts_help(1), pts_interactive(1), pts_listentries(1), pts_listmax(1), pts_listowned(1), pts_membership(1), pts_quit(1), pts_removeuser(1), pts_rename(1), pts_setfields(1), pts_setmax(1), pts_sleep(1), pts_source(1), pts_version(1), yfs-client.conf(5), yfs-server.conf(5), rfc4121
IBM Corporation 2000. http://www.ibm.com/ All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)
"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)
The "AuriStor" name, log 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).
"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).
"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.