The uss delete command deletes an AFS user account according to the arguments you provide on the command line; unlike the uss add command, it does not use a template file. When you issue the command, the uss command interpreter contacts various AFS servers to perform the following actions:
Remove the mount point for the user's home volume
Remove the user's home volume and delete the associated VLDB entry, unless you include the -savevolume flag
Delete the user's Authentication Database entry
Delete the user's Protection Database entry
Before issuing the uss delete command, you can also perform the following optional tasks:
Copy the user's home volume to tape or another permanent medium and record the username and UID on a reserved list. This information enables you to restore the user's account easily if he or she returns to your cell. For information about using the AFS Backup System to back up volumes, see Configuring the AFS Backup System and Backing Up and Restoring AFS Data.
If the user has exclusive use of any other volumes (such as a volume for storing project-related data), make a backup copy of each one and then remove it and its mount point as instructed in Removing Volumes and their Mount Points.
Use the pts listowned command to display any groups that the user owns; instructions appear in To list the groups that a user or group owns. Decide whether to use the pts delete command to remove the groups or the pts chown command to transfer ownership to another user or group. Instructions appear in To delete Protection Database entries and To change a group's owner. Alternatively, you can have the user remove or transfer ownership of the groups before leaving. A group that remains in the Protection Database after its owner is removed is considered orphaned, and only members of the system:administrators group can administer it.
You can automate some of these tasks by including exec instructions in the bulk input file and using the uss bulk command to delete the account. See Creating and Deleting Multiple Accounts with the uss bulk Command.
Authenticate as an AFS identity with all of the following privileges. In the conventional configuration, the admin user account has them, or you possibly have a personal administrative account. (To increase cell security, it is best to create special privileged accounts for use only while performing administrative procedures; for further discussion, see An Overview of Administrative Privilege.) If necessary, issue the klog command to authenticate.
% klog admin_user
Password: <admin_password>
The following list specifies the necessary privileges and indicates how to check that you have them.
Membership in the system:administrators group. If necessary, issue the pts membership command, which is fully described in To display the members of the system:administrators group.
% pts membership system:administrators
Inclusion in the /usr/afs/etc/UserList file. If necessary, issue the bos listusers command, which is fully described in To display the users in the UserList file.
% bos listusers <machine name>
The ADMIN flag on the Authentication Database entry. However, the Authentication Server always prompts you for a password in order to perform its own authentication. The following instructions direct you to specify the administrative identity on the uss command line itself.
The d (delete) permission on the ACL of the directory that houses the user's home directory. If necessary, issue the fs listacl command, which is fully described in Displaying ACLs.
% fs listacl [<dir/file path>]
Members of the system:administrators group always implicitly have the a (administer) and by default also the l (lookup) permission on every ACL and can use the fs setacl command to grant other rights as necessary.
Consider and resolve the issues discussed in the introduction to this section concerning the continued maintenance of a deleted user's account information, owned groups, and volumes.
(Optional) Run the uss delete command with the -dryrun flag to preview the deletion of the account. Note any error messages and correct the cause before reissuing the command without the -dryrun flag. The next step describes the uss delete command's syntax.
Issue the uss delete command to delete the account. Enter the command on a single line; it appears here on multiple lines only for legibility.
The delete operation always removes the user's entry from the Authentication Database. The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. Include the -admin argument to name an identity that has the ADMIN flag on its Authentication Database entry. To verify that an entry has the flag, issue the kas examine command as described in To check if the ADMIN flag is set.
% uss delete -user <login name> \
      -mountpoint <mountpoint for user's volume> \
      [-savevolume] -admin <administrator to authenticate> \
      [-dryrun]
Administrator's (admin_user) password: <admin_password>
where
d
    Is the shortest acceptable abbreviation of delete.
-user
    Names the entry to delete from the Protection and Authentication Databases.
-mountpoint
    Specifies the pathname of the mount point to delete (the user's home directory). Unless the -savevolume argument is included, the volume mounted there is also deleted from the file server machine where it resides, as is its record from the VLDB. Partial pathnames are interpreted relative to the current working directory.
    Specify the read/write path to the mount point, to avoid the failure that results when you attempt to delete a mount point from a read-only volume. By convention, you indicate the read/write path by placing a period before the cell name at the pathname's second level (for example, /afs/.example.com). For further discussion of the concept of read/write and read-only paths through the filespace, see Mounting Volumes.
-savevolume
    Retains the user's volume and VLDB entry.
-admin
    Names an administrative account that has the ADMIN flag on its Authentication Database entry, such as admin. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.
-dryrun
    Reports actions that the command interpreter needs to perform to run the command, without actually performing them.
If the deleted user home directory resided in a replicated volume, use the vos release command to release the volume, as described in To replicate a read/write volume (create a read-only volume).
% vos release <volume name or ID>
This step can be necessary even if the home directory's parent directory is not itself a mount point for a replicated volume (and is easier to overlook in that case). For example, the Example Corporation template puts the mount points for user volumes in the /afs/example.com/usr directory. Because that is a regular directory rather than a mount point, it resides in the root.cell volume mounted at the /afs/example.com directory. That volume is replicated, so after changing it by deleting a mount point the administrator must issue the vos release command.
Delete the user's entry from the local password file (/etc/passwd or equivalent) of each client machine. If you intend to reactivate the user's account in the future, it is simpler to comment out the entry or place an asterisk (*) in the password field.
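The AFS-side steps above (read/write mount-point path, -dryrun preview, uss delete, vos release of the replicated parent volume), gathered into an added shell wrapper that is not part of the OpenAFS documentation. The cell name example.com, the administrative identity admin and the root.cell volume come from the page; the function names and the CELL and ADMIN_USER variables are assumptions.

```sh
#!/bin/sh
# Added example: normalise the mount point to its read/write path, preview the
# deletion with -dryrun, perform it, then release the replicated parent volume.
# CELL, ADMIN_USER and the function names are assumptions for this example.
set -eu

CELL="${CELL:-example.com}"
ADMIN_USER="${ADMIN_USER:-admin}"

# Rewrite /afs/<cell>/... into the read/write path /afs/.<cell>/...
# Deleting a mount point through the read-only path fails, so normalise first.
# Paths already in read/write form are returned unchanged; anything outside
# /afs/<cell> is rejected so a typo cannot point uss at the wrong tree.
afs_rw_path() {
    case "$1" in
        "/afs/.$CELL"|"/afs/.$CELL/"*)
            printf '%s\n' "$1" ;;
        "/afs/$CELL"|"/afs/$CELL/"*)
            printf '/afs/.%s%s\n' "$CELL" "${1#/afs/$CELL}" ;;
        *)
            printf 'not a path in cell %s: %s\n' "$CELL" "$1" >&2
            return 1 ;;
    esac
}

# Delete one account: preview first (set -e aborts on any reported problem),
# then perform the deletion, then release root.cell, which holds the
# /afs/example.com/usr directory in the Example Corporation layout.
# Extra arguments such as -savevolume are passed through to uss delete.
# The Authentication Server prompts for the administrator's password on
# each uss invocation because it does not accept the existing AFS token.
delete_account() {
    user="$1"
    mountpoint="$(afs_rw_path "$2")"
    shift 2
    uss delete -user "$user" -mountpoint "$mountpoint" -admin "$ADMIN_USER" "$@" -dryrun
    uss delete -user "$user" -mountpoint "$mountpoint" -admin "$ADMIN_USER" "$@"
    vos release root.cell
}

# Example invocation (constructed): keep the volume for possible reactivation.
# delete_account smith /afs/example.com/usr/smith -savevolume
```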