FreeBSD Manual Pages


DLOG(1)			     AFS Command Reference		       DLOG(1)

NAME
       dlog - Authenticates to the DCE Security Service

SYNOPSIS
       dlog [-principal <user name>] [-cell <cell name>]
	   [-password <user's password>]
	   [-servers <explicit list of servers>+]
	   [-lifetime <ticket lifetime in hh[:mm[:ss]]>]
	   [-setpag] [-pipe] [-help]

       dlog [-pr <user name>] [-c <cell	name>]
	   [-pw	<user's	password>]
	   [-ser <explicit list	of servers>+]
	   [-l <ticket lifetime	in hh[:mm[:ss]]>]
	   [-set] [-pi]	[-h]

DESCRIPTION
       The dlog command obtains DCE credentials for the issuer from the DCE
       Security	Service	in the cell named by the -cell argument, and stores
       them on the AFS client machine on which the user	issues the command.
       The AFS/DFS Migration Toolkit Protocol Translator processes running on
       machines	in the DCE cell	accept the credentials,	which enables the user
       to access the DCE cell's	filespace from the AFS client. The user's
       identity	in the local file system is unchanged.

       If the issuer does not provide the -principal argument, the dlog
       command interpreter uses	the user name under which the issuer is	logged
       into the	local file system. Provide the DCE password for	the
       appropriate user	name. As with the klog command,	the password does not
       cross the network in clear text (unless the issuer is logged into the
       AFS client from a remote	machine).

       The credentials are valid for a lifetime	equivalent to the smallest of
       the following, all but the last of which	is defined by the DCE cell's
       Security	Server:

       o   The maximum certificate lifetime for	the issuer's DCE account.

       o   The maximum certificate lifetime for	the AFS	principal's DCE

       o   The registry-wide maximum certificate lifetime.

       o   The registry-wide default certificate lifetime.

       o   The lifetime	requested using	the -lifetime argument.

       If the previous maximum certificate lifetime values are set to
       "default-policy", the maximum possible ticket lifetime is defined by
       the default certificate lifetime. Refer to the DCE vendor's
       administration guide for	more information before	setting	any of these

       The AFS Cache Manager stores the	ticket in a credential structure
       associated with the name of the issuer (or the user named by the
       -principal argument). If the user already has a ticket for the DCE cell,
       the ticket resulting from this command replaces it in the credential

       The AFS tokens command displays the ticket obtained by the dlog command
       for the server principal	"afs", regardless of the principal to which it
       is actually granted. Note that the tokens command does not distinguish
       tickets for a DFS(TM) File Server from tickets for an AFS File Server.
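
An added example, not part of the OpenAFS documentation: a POSIX shell sketch that checks a -lifetime value in the hh[:mm[:ss]] form against the range documented for that option (00:05 to 720:00) and applies the smallest-value rule described above. The function names and the cap values in the last line are hypothetical (real caps come from the DCE registry), and limiting minutes to 0-59 is an assumption.

```shell
#!/bin/sh
# Added example: validate a dlog -lifetime value and predict the lifetime
# that the "smallest of the following" rule would yield.

# Strip leading zeros so "08" is not parsed as octal inside $(( )).
_dec() { n=${1#"${1%%[!0]*}"}; printf '%s' "${n:-0}"; }

# lifetime_to_seconds HH[:MM[:SS]]
# Prints the value in seconds; returns 1 if it is malformed or outside the
# documented range of 00:05 (5 minutes) to 720:00 (30 days).
lifetime_to_seconds() {
    case $1 in
        ''|*[!0-9:]*|:*|*:|*::*|*:*:*:*) return 1 ;;
    esac
    _oifs=$IFS; IFS=:; set -- $1; IFS=$_oifs
    h=$(_dec "$1"); m=$(_dec "${2:-0}"); s=$(_dec "${3:-0}")
    # Seconds 00-59 is documented; the same bound on minutes is assumed.
    if [ "$m" -gt 59 ] || [ "$s" -gt 59 ]; then return 1; fi
    total=$(( h * 3600 + m * 60 + s ))
    if [ "$total" -lt 300 ] || [ "$total" -gt 2592000 ]; then return 1; fi
    printf '%s\n' "$total"
}

# effective_lifetime REQUESTED_SECONDS CAP_SECONDS...
# Prints the smallest of the requested lifetime and the supplied caps.
effective_lifetime() {
    min=$1; shift
    for cap in "$@"; do
        if [ "$cap" -lt "$min" ]; then min=$cap; fi
    done
    printf '%s\n' "$min"
}

# Constructed caps: a 10-hour default and a 24-hour account maximum.
req=$(lifetime_to_seconds "100") && effective_lifetime "$req" 36000 86400
```

With these constructed caps, a request for 100 hours is cut to 36000 seconds (10 hours), so a long -lifetime value does not by itself mean a long-lived credential.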

OPTIONS
       -principal <user name>
	   Specifies the DCE user name for which to obtain DCE credentials. If
	   this	option is omitted, the dlog command interpreter	uses the name
	   under which the issuer is logged into the local file	system.

       -cell <cell name>
	   Specifies the DCE cell in which to authenticate. During a single
	   login session on a given machine, a user can	authenticate in
	   multiple cells simultaneously, but can have only one	ticket at a
	   time	for each cell (that is,	it is possible to authenticate under
	   only	one identity per cell per machine). It is legal	to abbreviate
	   the cell name to the	shortest form that distinguishes it from the
	   other cells listed in the /usr/local/etc/openafs/CellServDB file on
	   the local client machine.

	   If the issuer does not provide the -cell argument, the dlog command
	   attempts to authenticate with the DCE Security Server for the cell
	   defined by

	   o   The value of the	environment variable AFSCELL on	the local AFS
	       client machine, if defined. The issuer can set the AFSCELL
	       environment variable to name the	desired	DCE cell.

	   o   The cell	name in	the /usr/local/etc/openafs/ThisCell file on
	       the local AFS client machine. The machine's administrator can
	       place the desired DCE cell's name in the	file.

       -password <user's password>
	   Specifies the password for the issuer (or for the user named	by the
	   -principal argument). Using this argument is	not recommended,
	   because it makes the	password visible on the	command	line.  If this
	   argument is omitted,	the command prompts for	the password and does
	   not echo it visibly.

       -servers	<list of servers>+
	   Specifies a list of DFS database server machines running the
	   Translator Server through which the AFS client machine can attempt
	   to authenticate. Specify each server	by hostname, shortened machine
	   name, or IP address.	If this	argument is omitted, the dlog command
	   interpreter randomly	selects	a machine from the list	of DFS Fileset
	   Location (FL) Servers in the	/usr/local/etc/openafs/CellServDB file
	   for the DCE cell specified by the -cell argument. This argument is
	   useful for testing when authentication seems	to be failing on
	   certain server machines.

       -lifetime <ticket lifetime>
	   Requests a ticket lifetime using the	format hh:mm[:ss] (hours,
           minutes, and optionally a number of seconds between 00 and 59).  For
	   example, the	value "168:30" requests	a ticket lifetime of 7 days
	   and 30 minutes, and "96:00" requests	a lifetime of 4	days.
	   Acceptable values range from	"00:05"	(5 minutes) to "720:00"	(30
	   days). If this argument is not provided and no other	determinants
	   of ticket lifetime have been	changed	from their defaults, ticket
	   lifetime is 10 hours.

	   The requested lifetime must be smaller than any of the DCE cell's
	   determinants	for ticket lifetime; see the discussion	in the
	   preceding Description section.

       -setpag
           Creates a process authentication group (PAG) in which the newly
           created ticket is placed. If this flag is omitted, the ticket is
           instead associated with the issuer's local user ID (UID).

       -pipe
           Suppresses any prompts that the command interpreter otherwise
	   produces, including the prompt for the issuer's password. Instead,
	   the command interpreter accepts the password	via the	standard input

       -help
           Prints the online help for this command. All other valid options
	   are ignored.
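
An added example, not part of the OpenAFS documentation: a shell function that scans recorded command lines (shell history, process-accounting or audit exports) for dlog invocations that pass the password as an argument, which the -password description above warns against, and redacts the value in its report. The sample lines, cell name and function names are constructed; treating unambiguous prefixes such as -pa as -password is an assumption based on AFS command-line conventions (the page itself shows only -password and -pw).

```shell
#!/bin/sh
# Added example: flag dlog command lines that expose the password in argv.

# Constructed sample input standing in for a history or audit export.
sample_history() {
    cat <<'EOF'
dlog -principal cell_admin -cell example.invalid
dlog -pr pat -pw EXAMPLE-NOT-A-REAL-PASSWORD
/usr/local/bin/dlog -principal pat -password EXAMPLE-NOT-A-REAL-PASSWORD -setpag
printf '%s\n' "$pw" | dlog -principal pat -pipe
klog -principal pat
EOF
}

# scan_dlog_passwords [FILE...]
# Prints "LINE_NUMBER: command" for each dlog invocation that carries
# -password, -pw, or an assumed unambiguous prefix of -password (-pa...).
# The argument after the flag is replaced with <redacted>; a quoted password
# containing spaces would only have its first word redacted.
scan_dlog_passwords() {
    awk '
    {
        hit = 0; is_dlog = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /(^|\/)dlog$/) { is_dlog = 1; continue }
            if (!is_dlog) continue
            # -pr (principal) and -pi (pipe) are not prefixes of -password.
            if ($i == "-pw" || (length($i) >= 3 && index("-password", $i) == 1)) {
                hit = 1
                if (i < NF) $(i + 1) = "<redacted>"
            }
        }
        if (hit) print NR ": " $0
    }' "$@"
}

sample_history | scan_dlog_passwords
```

Lines 1 and 4 of the sample are not reported: the first relies on the interactive prompt and the fourth supplies the password on standard input through -pipe.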

OUTPUT
       If the dlog command interpreter cannot contact a Translator Server, it
       produces	a message similar to the following:

	  dlog:	server or network not responding -- failed to contact
	  authentication service

EXAMPLES
       The following command authenticates the issuer as cell_admin in the
       "" cell.

	  % dlog -principal cell_admin -cell
	  Password: <cell_admin's password>

       In the following	example, the issuer authenticates as cell_admin	to the
       "" cell and requests a ticket lifetime of 100 hours. The
       tokens command confirms that the	user obtained DCE credentials as the
       user "cell_admin": the AFS ID is	equivalent to the UNIX ID of 1
       assigned	to "cell_admin"	in "" cell's	DCE registry.

	  % dlog -principal cell_admin -cell -lifetime 100
	  Password: <cell_admin's password>

	  % tokens
	  Tokens held by the Cache Manager:

	  User's (AFS ID 1) tokens for [Expires	Jul 6 14:12]
	  User's (AFS ID 4758) tokens for [Expires Jul 2 13:14]

	     --End of list--


SEE ALSO
       dpass(1), klog(1), tokens(1), unlog(1)

COPYRIGHT
       IBM Corporation 2000. <> All Rights Reserved.

       This documentation is covered by	the IBM	Public License Version 1.0.
       It was converted	from HTML to POD by software written by	Chas Williams
       and Russ	Allbery, based on work by Alf Wachsmann	and Elizabeth Cassell.

OpenAFS				  2016-12-14			       DLOG(1)

