The commands in the kas command suite are the administrative interface
to the Authentication Server, which runs on each database server machine
in a cell, maintains the Authentication Database, and provides the
authentication tickets that client applications must present to AFS
servers in order to obtain access to AFS data and other services.
There are several categories of commands in the kas command suite:
Commands to create, modify, examine and delete entries in the
Authentication Database, including passwords: kas create, kas
delete, kas examine, kas list, kas setfields, kas setkey,
kas setpassword, and kas unlock.
Commands to create, delete, and examine tokens and server tickets: kas
forgetticket, kas listtickets, kas noauthentication, and kas
A command to enter interactive mode: kas interactive.
A command to trace Authentication Server operations: kas statistics.
Commands to obtain help: kas apropos and kas help.
Because of the sensitivity of information in the Authentication Database,
the Authentication Server authenticates issuers of kas commands
directly, rather than accepting the standard token generated by the Ticket
Granting Service. Any kas command that requires administrative
privilege prompts the issuer for a password. The resulting ticket is valid
for six hours unless the maximum ticket lifetime for the issuer or the
Authentication Server's Ticket Granting Service is shorter.
To avoid having to provide a password repeatedly when issuing a sequence
of kas commands, enter interactive mode by issuing the kas
interactive command, typing kas without any operation code, or typing
kas followed by a user and cell name, separated by an at-sign ("@"; an
example is "kas firstname.lastname@example.org"). After prompting once for a
password, the Authentication Server accepts the resulting token for every
command issued during the interactive session. See kas_interactive(8)
for a discussion of when to use each method for entering interactive mode
and of the effects of entering a session.
The Authentication Server maintains two databases on the local disk of the
machine where it runs:
The Authentication Database (/var/lib/openafs/db/kaserver.DB0) stores the
information used to provide AFS authentication services to users and
servers, including the password scrambled as an encryption key. The
reference page for the kas examine command describes the information in
a database entry.
An auxiliary file (/var/lib/openafs/local/kaauxdb by default) that tracks how
often the user has provided an incorrect password to the local
Authentication Server. The reference page for the kas setfields command
describes how the Authentication Server uses this file to enforce the
limit on consecutive authentication failures. To designate an alternate
directory for the file, use the kaserver command's -localfiles
The following arguments and flags are available on many commands in the
kas suite. (Some of them are unavailable on commands entered in
interactive mode, because the information they specify is established when
entering interactive mode and cannot be changed except by leaving
interactive mode.) The reference page for each command also lists them,
but they are described here in greater detail.
-admin_username <user name>
Specifies the user identity under which to authenticate with the
Authentication Server for execution of the command. If this argument is
omitted, the kas command interpreter requests authentication for the
identity under which the issuer is logged onto the local machine. Do not
combine this argument with the -noauth flag.
-cell <cell name>
Names the cell in which to run the command. It is acceptable to abbreviate
the cell name to the shortest form that distinguishes it from the other
entries in the /etc/openafs/CellServDB file on the local machine. If
the -cell argument is omitted, the command interpreter determines the
name of the local cell by reading the following in order:
The value of the AFSCELL environment variable.
The local /etc/openafs/ThisCell file.
The -cell argument is not available on commands issued in interactive
mode. The cell defined when the kas command interpreter enters
interactive mode applies to all commands issued during the interactive
Prints a command's online help message on the standard output stream. Do
not combine this flag with any of the command's other options; when it is
provided, the command interpreter ignores all other options, and only
prints the help message.
Establishes an unauthenticated connection to the Authentication Server, in
which the Authentication Server treats the issuer as the unprivileged user
"anonymous". It is useful only when authorization checking is disabled on
the server machine (during the installation of a server machine or when
the bos setauth command has been used during other unusual
circumstances). In normal circumstances, the Authentication Server allows
only privileged users to issue most kas commands, and refuses to
perform such an action even if the -noauth flag is provided. Do not
combine this flag with the -admin_username and -password_for_admin
Specifies the password of the command's issuer. It is best to omit this
argument, which echoes the password visibly in the command shell, instead
enter the password at the prompt. Do not combine this argument with the
-servers <machine name>+
Establishes a connection with the Authentication Server running on each
specified database server machine, instead of on each machine listed in
the local /etc/openafs/CellServDB file. In either case, the kas
command interpreter then chooses one of the machines at random to contact
for execution of each subsequent command. The issuer can abbreviate the
machine name to the shortest form that allows the local name service to
identify it uniquely.
To issue most kas commands, the issuer must have the "ADMIN" flag set in
his or her Authentication Database entry (use the kas setfields command
to turn the flag on).
This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.