KASERVER(8) AFS Command Reference KASERVER(8)NAMEkaserver - Initializes the Authentication Server
SYNOPSISkaserver [-noAuth] [-database <dbpath>]
[-auditlog <log path>] [-audit-interface (file | sysvmq)]
[-localfiles <lclpath>] [-minhours <n>]
[-servers <serverlist>] [-enable_peer_stats]
[-enable_process_stats] [-help]
DESCRIPTION
The kaserver command initializes the Authentication Server, an obsolete
way of providing authentication services to an AFS cell. It should no
longer be used; instead, it should be replaced with a Kerberos version
5 KDC. It is provided only for support of sites already running the
Authentication Server and that have not yet migrated to Kerberos
version 5.
For a cell using the Authentication Server, it runs on every database
server machine. In the conventional configuration, its binary file is
located in the /usr/afs/bin directory on a file server machine.
The kaserver command is not normally issued at the command shell prompt
but rather placed into a file server machine's /usr/afs/local/BosConfig
file with the bos create command. If it is ever issued at the command
shell prompt, the issuer must be logged onto a database server machine
as the local superuser "root".
As it initializes, the Authentication Server process creates the two
files that constitute the Authentication Database, kaserver.DB0 and
kaserver.DBSYS1, in the /usr/afs/db directory if they do not already
exist. Use the commands in the kas suite to administer the database.
The Authentication Server is responsible for several aspects of AFS
security, including:
· Maintenance of all AFS server encryption keys and user passwords in
the Authentication Database.
· Creation of the tickets and tokens that users and servers use to
establish secure connections. Its Ticket Granting Service (TGS)
component performs this function.
The Authentication Server records a trace of its activity in the
/usr/afs/logs/AuthLog file. Use the bos getlog command to display the
contents of the file. Use the kdb command to read the protected files
associated with the AuthLog file, AuthLog.dir and AuthLog.pag.
This command does not use the syntax conventions of the AFS command
suites. Provide the command name and all option names in full.
CAUTIONS
The Authentication Server provides only Kerberos version 4, which is no
longer considered sufficiently secure. It can only use DES encryption
for user keys, is vulnerable to known flaws in the Kerberos version 4
protocol, and is based on protocols that are obsolete and no longer
developed. The Authentication Server is also not widely tested and is
known to have problems on some platforms OpenAFS otherwise supports.
The Authentication Server should not be used for any new deployment. It
is provided only for sites that need to use it while preparing for a
migration to Kerberos KDC. No significant updates to the Authentication
Server will be developed, and it will be removed from a future version
of OpenAFS.
OPTIONS-noAuth
Assigns the unprivileged identity "anonymous" to the issuer. Thus,
it establishes an unauthenticated connection between the issuer and
the Authentication Server. It is useful only when authorization
checking is disabled on the database server machine. In normal
circumstances, the Authentication Server allows only authorized
(privileged) users to issue commands that affect or contact the
Authentication Database and will refuse to perform such an action
even if the -noAuth flag is used.
-database <dbpath>
Specifies the pathname of an alternate directory in which the
Authentication Database files reside. Provide the complete
pathname, ending in the base filename to which the ".DB0" and
".DBSYS1" extensions are appended. For example, the appropriate
value for the default database files is /usr/afs/db/kaserver.
Provide the -localfiles argument along with this one; otherwise,
the -localfiles argument is also set to the value of this argument,
which is probably inappropriate.
-auditlog <log path>
Turns on audit logging, and sets the path for the audit log. The
audit log records information about RPC calls, including the name
of the RPC call, the host that submitted the call, the
authenticated entity (user) that issued the call, the parameters
for the call, and if the call succeeded or failed.
-audit-interface (file | sysvmq)
Specifies what audit interface to use. Defaults to "file". See
fileserver(8) for an explanation of each interface.
-localfiles <lclpath>
Specifies the pathname of an alternate directory in which the
auxiliary Authentication Database file resides. Provide the
complete pathname, ending in the base filename to which the "auxdb"
suffix is appended. For example, the appropriate value for the
default auxiliary database file is /usr/afs/local/kaserver.
-minhours <n>
Specifies the minimum number of hours that must pass between
password changes made by any regular user. System administrators
(with the "ADMIN" flag in their Authentication Database entry) can
change passwords as often as desired. Setting a minimum time
between password changes is not recommended.
-servers <authentication servers>+
Names each database server machine running an Authentication Server
with which the local Authentication Server is to synchronize its
copy of the Authentication Database, rather than with the machines
listed in the local /usr/afs/etc/CellServDB file.
-enable_peer_stats
Activates the collection of Rx statistics and allocates memory for
their storage. For each connection with a specific UDP port on
another machine, a separate record is kept for each type of RPC
(FetchFile, GetStatus, and so on) sent or received. To display or
otherwise access the records, use the Rx Monitoring API.
-enable_process_stats
Activates the collection of Rx statistics and allocates memory for
their storage. A separate record is kept for each type of RPC
(FetchFile, GetStatus, and so on) sent or received, aggregated over
all connections to other machines. To display or otherwise access
the records, use the Rx Monitoring API.
-help
Prints the online help for this command. All other valid options
are ignored.
EXAMPLES
The following bos create command creates a "kaserver" process on
"fs3.abc.com" (the command appears on two lines here only for
legibility):
% bos create -server fs3.abc.com -instancekaserver \
-type simple -cmd /usr/afs/bin/kaserver
PRIVILEGE REQUIRED
The issuer must be logged in as the superuser "root" on a file server
machine to issue the command at a command shell prompt. It is
conventional instead to create and start the process by issuing the bos
create command.
SEE ALSOAuthLog(5), BosConfig(5), CellServDB(5), kaserver.DB0(5),
kaserverauxdb(5), bos(8), bos_create(8), bos_getlog(8), kas(8), kdb(8)COPYRIGHT
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0.
It was converted from HTML to POD by software written by Chas Williams
and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
OpenAFS 2013-10-09 KASERVER(8)