Provided by: openafs-client_1.8.2-1ubuntu0.1_amd64 bug


       pts - Introduction to the pts command suite


       The commands in the pts command suite are the administrative interface to the Protection
       Server, which runs on each database server machine in a cell and maintains the Protection
       Database. The database stores the information that AFS uses to augment and refine the
       standard UNIX scheme for controlling access to files and directories.

       Instead of relying only on the mode bits that define access rights for individual files,
       AFS associates an access control list (ACL) with each directory. The ACL lists users and
       groups and specifies which of seven possible access permissions they have for the
       directory and the files it contains. (It is still possible to set a directory or file's
       mode bits, but AFS interprets them in its own way; see the chapter on protection in the
       OpenAFS Administration Guide for details.)

       AFS enables users to define groups in the Protection Database and place them on ACLs to
       extend a set of rights to multiple users simultaneously.  Groups simplify administration
       by making it possible to add someone to many ACLs by adding them to a group that already
       exists on those ACLs. Machines can also be members of a group, so that users logged into
       the machine automatically inherit the permissions granted to the group.

       There are several categories of commands in the pts command suite:

       ·   Commands to create and remove Protection Database entries: pts creategroup, pts
           createuser, and pts delete.

       ·   Commands to administer and display group membership: pts adduser, pts listowned, pts
           membership, and pts removeuser.

       ·   Commands to administer and display properties of user and group entries other than
           membership: pts chown, pts examine, pts listentries, pts rename, and pts setfields.

       ·   Commands to set and examine the counters used when assigning IDs to users and groups:
           pts listmax and pts setmax.

       ·   Commands to run commands interactively: pts interactive, pts sleep, and pts quit.

       ·   A command to run commands from a file: pts source.

       ·   Commands to obtain help: pts apropos and pts help.

       ·   A command to display the OpenAFS command suite version: pts version.


       The following arguments and flags are available on many commands in the pts suite. The
       reference page for each command also lists them, but they are described here in greater

       -cell <cell name>
           Names the cell in which to run the command. It is acceptable to abbreviate the cell
           name to the shortest form that distinguishes it from the other entries in the
           /etc/openafs/CellServDB file on the local machine. If the -cell argument is omitted,
           the command interpreter determines the name of the local cell by reading the following
           in order:

           ·   The value of the AFSCELL environment variable.

           ·   The local /etc/openafs/ThisCell file.

               Do not combine the -cell and -localauth options. A command on which the -localauth
               flag is included always runs in the local cell (as defined in the server machine's
               local /etc/openafs/server/ThisCell file), whereas a command on which the -cell
               argument is included runs in the specified foreign cell.

       -config <config directory>
           The location of the directory to use to obtain configuration information, including
           the CellServDB. This is primarily provided for testing purposes.

           Enables the command to continue executing as far as possible when errors or other
           problems occur, rather than halting execution immediately.  Without it, the command
           halts as soon as the first error is encountered. In either case, the pts command
           interpreter reports errors at the command shell. This flag is especially useful if the
           issuer provides many values for a command line argument; if one of them is invalid,
           the command interpreter continues on to process the remaining arguments.

           Prints a command's online help message on the standard output stream. Do not combine
           this flag with any of the command's other options; when it is provided, the command
           interpreter ignores all other options, and only prints the help message.

           Establishes an unauthenticated connection to the Protection Server, in which the
           server treats the issuer as the unprivileged user "anonymous". It is useful only when
           authorization checking is disabled on the server machine (during the installation of a
           file server machine or when the bos setauth command has been used during other unusual
           circumstances). In normal circumstances, the Protection Server allows only privileged
           users to issue commands that change the Protection Database, and refuses to perform
           such an action even if the -noauth flag is provided.

           Establishes an authenticated, encrypted connection to the Protection Server.  It is
           useful when it is desired to obscure network traffic related to the transactions being

           Constructs a server ticket using the server encryption key with the highest key
           version number in the local /etc/openafs/server/KeyFile file. The pts command
           interpreter presents the ticket, which never expires, to the BOS Server during mutual

           Use this flag only when issuing a command on a server machine; client machines do not
           usually have a /etc/openafs/server/KeyFile file.  The issuer of a command that
           includes this flag must be logged on to the server machine as the local superuser
           "root". The flag is useful for commands invoked by an unattended application program,
           such as a process controlled by the UNIX cron utility. It is also useful if an
           administrator is unable to authenticate to AFS but is logged in as the local superuser

           Do not combine the -cell and -localauth options. A command on which the -localauth
           flag is included always runs in the local cell (as defined in the server machine's
           local /etc/openafs/server/ThisCell file), whereas a command on which the -cell
           argument is included runs in the specified foreign cell. Also, do not combine the
           -localauth and -noauth flags.

           Use the calling user's tokens from the kernel to communicate with the ptserver (that
           is, the same tokens displayed by tokens(1). This is the default if neither -localauth
           nor -noauth is given.

           Since this option is the default, it is usually not useful for running single command
           line operations. However, it can be useful when running commands via
           pts_interactive(1), since otherwise it would be impossible to switch from, for
           example, -localauth back to using regular tokens during a bulk operation. See
           pts_interactive(1) for more details.


       Members of the system:administrators group can issue all pts commands on any entry in the
       Protection Database.

       Users who do not belong to the system:administrators group can list information about
       their own entry and any group entries they own. The privacy flags set with the pts
       setfields command control access to entries owned by other users.


       pts_adduser(1), pts_apropos(1), pts_chown(1), pts_creategroup(1), pts_createuser(1),
       pts_delete(1), pts_examine(1), pts_help(1), pts_interactive(1), pts_listentries(1),
       pts_listmax(1), pts_listowned(1), pts_membership(1), pts_quit(1), pts_removeuser(1),
       pts_rename(1), pts_setfields(1), pts_setmax(1), pts_sleep(1), pts_source(1)

       The OpenAFS Administration Guide at <>.


       IBM Corporation 2000. <> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted
       from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by
       Alf Wachsmann and Elizabeth Cassell.