Man Linux: Main Page and Category List

NAME

       pts_examine - Displays a Protection Database entry

SYNOPSIS

       pts examine -nameorid <user or group name or id>+
           [-cell <cell name>] [-noauth] [-localauth]
           [-force] [-auth] [-help]

       pts e -na <user or group name or id>+ [-c <cell name>]
           [-no] [-l] [-f] [-a] [-h]

       pts check -na <user or group name or id>+ [-c <cell name>]
           [-no] [-l] [-f] [-a] [-h]

       pts che -na <user or group name or id>+ [-c <cell name>]
           [-no] [-l] [-f] [-a] [-h]

DESCRIPTION

       The pts examine command displays information from the Protection
       Database entry of each user, machine or group specified by the
       -nameorid argument.

OPTIONS

       -nameorid <user or group name or id>+
           Specifies the name or AFS UID of each user, the name or AFS GID of
           each group, or the IP address (complete or wildcard-style) or AFS
           UID of each machine for which to display the Protection Database
           entry. It is acceptable to mix users, machines, and groups on the
           same command line, as well as names (IP addresses for machines) and
           IDs. Precede the GID of each group with a hyphen to indicate that
           it is negative.

       -cell <cell name>
           Names the cell in which to run the command. For more details, see
           pts(1).

       -noauth
           Assigns the unprivileged identity anonymous to the issuer. For more
           details, see pts(1).

       -localauth
           Constructs a server ticket using a key from the local
           /etc/openafs/server/KeyFile file. Do not combine this flag with the
           -cell or -noauth options. For more details, see pts(1).

       -force
           Enables the command to continue executing as far as possible when
           errors or other problems occur, rather than halting execution at
           the first error.

       -auth
           Run using the user’s current authentication. This is the default
           unless the -noauth or -localauth options are used.

       -help
           Prints the online help for this command. All other valid options
           are ignored.

OUTPUT

       The output for each entry consists of two lines that include the
       following fields:

       Name
           The contents of this field depend on the type of entry:

           ·   For a user entry, it is the username that the user types when
               authenticating with AFS.

           ·   For a machine entry, it is either the IP address of a single
               machine in dotted decimal format, or a wildcard notation that
               represents a group of machines on the same network. See the pts
               createuser reference page for an explanation of the wildcard
               notation.

           ·   For a group entry, it is one of two types of group name. If the
               name has a colon between the two parts, it represents a regular
               group and the part before the prefix reflects the group’s
               owner. A prefix-less group does not have the owner field or the
               colon. For more details on group names, see the pts creategroup
               reference page.

       id  A unique number that the AFS server processes use to identify AFS
           users, machines and groups. AFS UIDs for user and machine entries
           are positive integers, and AFS GIDs for group entries are negative
           integers. AFS UIDs and GIDs are similar in function to the UIDs and
           GIDs used in local file systems such as UFS, but apply only to AFS
           operations.

       owner
           The user or group that owns the entry and thus can administer it
           (change the values in most of the fields displayed in the output of
           this command), or delete it entirely. The Protection Server
           automatically records the system:administrators group in this field
           for user and machine entries at creation time.

       creator
           The user who issued the pts createuser or pts creategroup command
           to create the entry. This field serves as an audit trail, and
           cannot be changed.

       membership
           An integer that for users and machines represents the number of
           groups to which the user or machine belongs. For groups, it
           represents the number of group members.

       flags
           A string of five characters, referred to as privacy flags, which
           indicate who can display or administer certain aspects of the
           entry.

           s   Controls who can issue the pts examine command to display the
               entry.

           o   Controls who can issue the pts listowned command to display the
               groups that a user or group owns.

           m   Controls who can issue the pts membership command to display
               the groups a user or machine belongs to, or which users or
               machines belong to a group.

           a   Controls who can issue the pts adduser command to add a user or
               machine to a group. It is meaningful only for groups, but a
               value must always be set for it even on user and machine
               entries.

           r   Controls who can issue the pts removeuser command to remove a
               user or machine from a group. It is meaningful only for groups,
               but a value must always be set for it even on user and machine
               entries.

           Each flag can take three possible types of values to enable a
           different set of users to issue the corresponding command:

           ·   A hyphen (-) designates the members of the
               system:administrators group and the entry’s owner. For user
               entries, it designates the user in addition.

           ·   The lowercase version of the letter applies meaningfully to
               groups only, and designates members of the group in addition to
               the individuals designated by the hyphen.

           ·   The uppercase version of the letter designates everyone.

           For example, the flags "SOmar" on a group entry indicate that
           anyone can examine the group’s entry and display the groups that it
           owns, and that only the group’s members can display, add, or remove
           its members.

           The default privacy flags for user and machine entries are "S----",
           meaning that anyone can display the entry. The ability to perform
           any other functions is restricted to members of the
           system:administrators group and the entry’s owner (as well as the
           user for a user entry).

           The default privacy flags for group entries are "S-M--", meaning
           that all users can display the entry and the members of the group,
           but only the entry owner and members of the system:administrators
           group can perform other functions. The defaults for the privacy
           flags may be changed by running ptserver with the -default_access
           option. See ptserver(8) for more discussion of the -default_access
           option.

       group quota
           The number of additional groups the user is allowed to create. The
           pts createuser command sets it to 20 for both users and machines,
           but it has no meaningful interpretation for a machine, because it
           is not possible to authenticate as a machine. Similarly, it has no
           meaning in group entries that only deal with the local cell and the
           pts creategroup command sets it to 0 (zero); do not change this
           value.

           When using cross-realm authentication, a special group of the form
           system:authuser@FOREIGN.REALM is created by an administrator and
           used.  If the group quota for this special group is greater than
           zero, then aklog will automatically register foreign users in the
           local PTS database, add the foreign user to the
           system:authuser@FOREIGN.REALM, and decrement the group quota by
           one.

EXAMPLES

       The following example displays the user entry for "terry" and the
       machine entry 158.12.105.44.

          % pts examine terry 158.12.105.44
          Name: terry, id: 1045, owner: system:administrators, creator: admin,
            membership: 9, flags: S----, group quota: 15.
          Name: 158.12.105.44, id: 5151, owner: system:administrators,
            creator: byu, membership: 1, flags: S----, group quota: 20.

       The following example displays the entries for the AFS groups with GIDs
       -673 and -674.

          % pts examine -673 -674
          Name: terry:friends, id: -673, owner: terry, creator: terry,
            membership: 5, flags: S-M--, group quota: 0.
          Name: smith:colleagues, id: -674, owner: smith, creator: smith,
            membership: 14, flags: SOM--, group quota: 0.

PRIVILEGE REQUIRED

       The required privilege depends on the setting of the first privacy flag
       in the Protection Database entry of each entry specified by the
       -nameorid argument:

       ·   If it is lowercase "s", members of the system:administrators group
           and the user associated with a user entry can examine it, and only
           members of the system:administrators group can examine a machine or
           group entry.

       ·   If it is uppercase "S", anyone who can access the cell’s database
           server machines can examine the entry.

SEE ALSO

       pts(1), pts_adduser(1), pts_chown(1), pts_creategroup(1),
       pts_createuser(1), pts_listowned(1), pts_membership(1),
       pts_removeuser(1), pts_rename(1), pts_setfields(1)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.
       It was converted from HTML to POD by software written by Chas Williams
       and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.