AKLOG(1) | AFS Command Reference | AKLOG(1) |
aklog - Obtain tokens for authentication to AFS
aklog [-d] [-hosts] [-zsubs]
[-noprdb] [-noauth] [-linked]
[-force] [-524] [-setpag] [-insecure_des]
[[-cell | -c] <cell> [-k <Kerberos realm>]]+
aklog [-d] [-hosts] [-zsubs]
[-noprdb] [-noauth] [-linked]
[-force] [-524] [-setpag] [-insecure_des]
[-path | -p] <path>+
The aklog program authenticates to a cell in AFS by obtaining AFS tokens using a Kerberos 5 ticket. If aklog is invoked with no command-line arguments, it will obtain tokens for the workstation's local cell. It may be invoked with an arbitrary number of cells and pathnames to obtain tokens for multiple cells. aklog knows how to expand cell name abbreviations, so cells can be referred to by enough letters to make the cell name unique among the cells the workstation knows about.
aklog obtains tokens by obtaining a Kerberos service ticket for the AFS service and then storing it as a token. By default, it obtains that ticket from the realm corresponding to that cell (the uppercase version of the cell name), but a different realm for a particular cell can be specified with -k. -k cannot be used in -path mode (see below).
When a Kerberos 5 cross-realm trust is used, aklog looks up the AFS ID corresponding to the name (Kerberos principal) of the person invoking the command, and if the user doesn't exist and the "system:authuser@FOREIGN.REALM" PTS group exists, then it attempts automatic registration of the user with the foreign cell. The user is then added to the "system:authuser@FOREIGN.REALM" PTS group if registration is successful. Automatic registration in the foreign cell will fail if the group quota for the "system:authuser@FOREIGN.REALM" group is less than one. Each automatic registration decrements the group quota by one.
When using aklog, be aware that AFS uses the Kerberos v4 principal naming format, not the Kerberos v5 format, when referring to principals in PTS ACLs, UserList, and similar locations. AFS will internally map Kerberos v5 principal names to the Kerberos v4 syntax by removing any portion of the instance after the first period (generally the domain name of a host principal), changing any "/" to ".", and changing an initial principal part of "host" to "rcmd". In other words, to create a PTS entry for the Kerberos v5 principal "user/admin", refer to it as "user.admin", and for the principal "host/shell.example.com", refer to it as "rcmd.shell".
The aklog mapping of Kerberos v5 principal to Kerberos v4 principal and the determination that a Kerberos realm is foreign is performed in the absence of the actual AFS server configuration. If the aklog mapping of Kerberos v5 principal to Kerberos v4 principal or the foreign realm determination is wrong, the PTS name-to-id lookup will produce the wrong AFS ID for the user. The AFS ID is only used for display purposes and should not be trusted. Use the -noprdb switch to disable the PTS name-to-id lookup.
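The principal-name mapping described above, as an added example in Python; this is not code from aklog or the OpenAFS manual. It applies the three stated rules (drop the instance after its first period, turn "/" into ".", rename an initial "host" to "rcmd"), treats a cell's realm as the uppercase cell name as described under -k, and rejects principals with more than two components, which is an assumption made here rather than something the manual states. Grouping principals by their mapped name shows why the manual says the displayed AFS ID should not be trusted: distinct Kerberos v5 host principals collapse to one v4 name.

```python
# Added example: Kerberos v5 -> Kerberos v4 principal mapping as aklog's manual
# describes it, so an administrator can predict the PTS name a user is looked
# up (and should be listed in ACLs and UserList) as.
from collections import defaultdict


def k5_to_k4_name(principal: str) -> str:
    """Return the v4-style name AFS uses for a Kerberos v5 principal.

    Rules from the manual page:
      * any part of the instance after its first period is removed
      * "/" becomes "."
      * an initial component of "host" becomes "rcmd"
    The realm ("@REALM") is not part of a v4 name and is dropped here.
    """
    name = principal.split("@", 1)[0]
    parts = name.split("/")
    if len(parts) > 2:
        # Assumption of this example: v4 names have at most primary.instance.
        raise ValueError(f"more than two components: {principal!r}")
    if len(parts) == 2:
        # Keep only the instance text before the first period
        # (for host principals this strips the domain name).
        parts[1] = parts[1].split(".", 1)[0]
    if parts[0] == "host":
        parts[0] = "rcmd"
    return ".".join(parts)


def realm_is_foreign(realm: str, local_cell: str) -> bool:
    """aklog assumes a cell's realm is the uppercase cell name and decides
    'foreign' from that alone, without the server configuration."""
    return realm.upper() != local_cell.upper()


def pts_lookup_name(principal: str, local_cell: str) -> tuple[str, bool]:
    """Name aklog would look up in PTS plus whether its realm is foreign.

    A principal without "@REALM" is treated as belonging to the local cell.
    """
    realm = principal.split("@", 1)[1] if "@" in principal else local_cell.upper()
    return k5_to_k4_name(principal), realm_is_foreign(realm, local_cell)


def collisions(principals: list[str]) -> dict[str, list[str]]:
    """Group v5 principals that map to the same v4 name.

    Any group with more than one member is an ambiguity in the PTS
    name-to-id lookup, which is why the manual says the resulting AFS ID
    is for display only.
    """
    by_v4 = defaultdict(list)
    for p in principals:
        by_v4[k5_to_k4_name(p)].append(p)
    return {v4: v5s for v4, v5s in by_v4.items() if len(v5s) > 1}


if __name__ == "__main__":
    # Constructed sample principals (not taken from any real deployment).
    sample = [
        "user/admin@EXAMPLE.ORG",
        "host/shell.example.com@EXAMPLE.ORG",
        "host/shell.other.org@OTHER.ORG",
        "alice@EXAMPLE.ORG",
    ]
    for p in sample:
        name, foreign = pts_lookup_name(p, "example.org")
        print(f"{p:40} -> {name:12} foreign={foreign}")
    print("ambiguous v4 names:", collisions(sample))
```

Run with no arguments to see the mapping for the constructed sample; the two host principals from different domains both print as rcmd.shell and are reported as a collision.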
host: <ip-address>
This option is only useful in combination with paths as arguments rather than cells.
-insecure_des
Configure libkrb5 to allow the use of the (insecure) single-DES encryption types. When rxkad-k5 is in use, this is not needed.
zsub: <instance>
where <instance> is the instance of a class "filsrv" Zephyr subscription.
The exit status of aklog will be one of the following:
To get tokens for the local cell:
% aklog
To get tokens for the "prod.example.org" cell:
% aklog prod.example.org
or
% aklog prod
The latter will work if your local cache manager already knows about the "prod" cell.
To get tokens adequate to read /afs/prod.example.org/user/p/potato:
% aklog /afs/prod.example.org/user/p/potato
To get tokens for "testcell.example.org" that is in a test Kerberos realm:
% aklog testcell.example.org -k TESTREALM.EXAMPLE.ORG
Manpage originally written by Emanuel Jay Berkenbilt (MIT-Project Athena). Extensively modified by Russ Allbery <rra@stanford.edu>.
Original manpage is copyright 1990, 1991 Massachusetts Institute of Technology. All rights reserved.
Copyright 2006 Russ Allbery <rra@stanford.edu>.
Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original MIT software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
2021-01-14 | OpenAFS |