Provided by: openafs-client_1.6.15-1ubuntu1.1_amd64

NAME

       pts - Introduction to the pts command suite

DESCRIPTION

       The commands in the pts command suite are the administrative interface to the Protection Server, which
       runs on each database server machine in a cell and maintains the Protection Database. The database stores
       the information that AFS uses to augment and refine the standard UNIX scheme for controlling access to
       files and directories.

       Instead of relying only on the mode bits that define access rights for individual files, AFS associates
       an access control list (ACL) with each directory. The ACL lists users and groups and specifies which of
       seven possible access permissions they have for the directory and the files it contains. (It is still
       possible to set a directory or file's mode bits, but AFS interprets them in its own way; see the chapter
       on protection in the OpenAFS Administration Guide for details.)

       AFS enables users to define groups in the Protection Database and place them on ACLs to extend a set of
       rights to multiple users simultaneously.  Groups simplify administration by making it possible to add
       someone to many ACLs by adding them to a group that already exists on those ACLs. Machines can also be
       members of a group, so that users logged into the machine automatically inherit the permissions granted
       to the group.

       There are several categories of commands in the pts command suite:

       •   Commands to create and remove Protection Database entries: pts creategroup, pts createuser, and pts
           delete.

       •   Commands to administer and display group membership: pts adduser, pts listowned, pts membership, and
           pts removeuser.

       •   Commands to administer and display properties of user and group entries other than membership: pts
           chown, pts examine, pts listentries, pts rename, and pts setfields.

       •   Commands to set and examine the counters used when assigning IDs to users and groups: pts listmax and
           pts setmax.

       •   Commands to run commands interactively: pts interactive, pts sleep, and pts quit.

       •   A command to run commands from a file: pts source.

       •   Commands to obtain help: pts apropos and pts help.

OPTIONS

       The following arguments and flags are available on many commands in the pts suite. The reference page for
       each command also lists them, but they are described here in greater detail.

       -cell <cell name>
           Names the cell in which to run the command. It is acceptable to abbreviate the cell name to the
           shortest form that distinguishes it from the other entries in the /etc/openafs/CellServDB file on the
           local machine. If the -cell argument is omitted, the command interpreter determines the name of the
           local cell by reading the following in order:

           •   The value of the AFSCELL environment variable.

           •   The local /etc/openafs/ThisCell file.

           Do not combine the -cell and -localauth options. A command on which the -localauth flag is
           included always runs in the local cell (as defined in the server machine's local
           /etc/openafs/server/ThisCell file), whereas a command on which the -cell argument is included
           runs in the specified foreign cell.

       -force
           Enables the command to continue executing as far as possible when errors or other problems occur,
           rather than halting execution immediately. Without it, the command halts as soon as the first error
           is encountered. In either case, the pts command interpreter reports errors at the command shell. This
           flag is especially useful if the issuer provides many values for a command line argument; if one of
           them is invalid, the command interpreter continues on to process the remaining arguments.

       -help
           Prints a command's online help message on the standard output stream. Do not combine this flag with
           any of the command's other options; when it is provided, the command interpreter ignores all other
           options, and only prints the help message.

       -noauth
           Establishes an unauthenticated connection to the Protection Server, in which the server treats the
           issuer as the unprivileged user "anonymous". It is useful only when authorization checking is
           disabled on the server machine (during the installation of a file server machine or when the bos
           setauth command has been used during other unusual circumstances). In normal circumstances, the
           Protection Server allows only privileged users to issue commands that change the Protection Database,
           and refuses to perform such an action even if the -noauth flag is provided.

       -encrypt
           Establishes an authenticated, encrypted connection to the Protection Server.  It is useful when it is
           desired to obscure network traffic related to the transactions being done.

       -localauth
           Constructs a server ticket using the server encryption key with the highest key version number in the
           local /etc/openafs/server/KeyFile file. The pts command interpreter presents the ticket, which never
           expires, to the BOS Server during mutual authentication.

           Use this flag only when issuing a command on a server machine; client machines do not usually have a
           /etc/openafs/server/KeyFile file. The issuer of a command that includes this flag must be logged on
           to the server machine as the local superuser "root". The flag is useful for commands invoked by an
           unattended application program, such as a process controlled by the UNIX cron utility. It is also
           useful if an administrator is unable to authenticate to AFS but is logged in as the local superuser
           "root".

           Do not combine the -cell and -localauth options. A command on which the -localauth flag is included
           always runs in the local cell (as defined in the server machine's local /etc/openafs/server/ThisCell
           file), whereas a command on which the -cell argument is included runs in the specified foreign cell.
           Also, do not combine the -localauth and -noauth flags.
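
       Added example (not part of the OpenAFS documentation): a POSIX shell preflight for unattended pts
       invocations that applies the option restrictions described in this section and resolves the default
       cell in the documented order. The function names and the THISCELL_FILE, KEYFILE and CHECK_UID override
       variables are assumptions of this example.

```shell
# Added example, not OpenAFS code. Function names and the override variables
# THISCELL_FILE, KEYFILE and CHECK_UID are assumptions of this example.
THISCELL_FILE="${THISCELL_FILE:-/etc/openafs/ThisCell}"
KEYFILE="${KEYFILE:-/etc/openafs/server/KeyFile}"

# Print the cell used when -cell is omitted: AFSCELL first, then ThisCell.
pts_default_cell() {
    if [ -n "${AFSCELL:-}" ]; then
        printf '%s\n' "$AFSCELL"
    elif [ -r "$THISCELL_FILE" ]; then
        read -r cell_name < "$THISCELL_FILE" || [ -n "$cell_name" ] || return 1
        printf '%s\n' "$cell_name"
    else
        return 1
    fi
}

# Return 0 if "$@" (subcommand first, then its options) respects the documented
# restrictions; otherwise explain on stderr and return 1. Only the full flag
# spellings shown on this page are matched.
pts_check_flags() {
    f_cell=0; f_local=0; f_noauth=0; f_help=0
    for arg in "$@"; do
        case "$arg" in
            -cell)      f_cell=1 ;;
            -localauth) f_local=1 ;;
            -noauth)    f_noauth=1 ;;
            -help)      f_help=1 ;;
        esac
    done
    if [ "$f_local" = 1 ] && [ "$f_cell" = 1 ]; then
        echo "preflight: do not combine -cell and -localauth" >&2; return 1
    fi
    if [ "$f_local" = 1 ] && [ "$f_noauth" = 1 ]; then
        echo "preflight: do not combine -localauth and -noauth" >&2; return 1
    fi
    if [ "$f_help" = 1 ] && [ "$#" -gt 2 ]; then
        echo "preflight: -help makes the interpreter ignore all other options" >&2; return 1
    fi
    if [ "$f_local" = 1 ]; then
        if [ "${CHECK_UID:-$(id -u)}" != 0 ]; then
            echo "preflight: -localauth requires local superuser root" >&2; return 1
        fi
        if [ ! -r "$KEYFILE" ]; then
            echo "preflight: $KEYFILE not readable; -localauth is for server machines" >&2; return 1
        fi
    fi
    return 0
}
```

       In a cron wrapper, run pts_check_flags "$@" && pts "$@" so that a forbidden flag combination fails
       before any connection to the Protection Server is attempted.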

PRIVILEGE REQUIRED

       Members of the system:administrators group can issue all pts commands on any entry in the Protection
       Database.

       Users who do not belong to the system:administrators group can list information about their own entry and
       any group entries they own. The privacy flags set with the pts setfields command control access to
       entries owned by other users.

SEE ALSO

       pts_adduser(1), pts_apropos(1), pts_chown(1), pts_creategroup(1), pts_createuser(1), pts_delete(1),
       pts_examine(1), pts_help(1), pts_interactive(1), pts_listentries(1), pts_listmax(1), pts_listowned(1),
       pts_membership(1), pts_quit(1), pts_removeuser(1), pts_rename(1), pts_setfields(1), pts_setmax(1),
       pts_sleep(1), pts_source(1)

       The OpenAFS Administration Guide at <http://docs.openafs.org/AdminGuide/>.

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD
       by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth
       Cassell.

OpenAFS                                            2021-04-01                                             PTS(1)