Changing Usernames

By convention, many components of a user account incorporate the username, including the Protection and Authentication Database entries, the volume name and the home directory name. When changing a username, it is best to maintain consistency by changing the names of all components, so the procedure for changing a username has almost as many steps as the procedure for creating a new user account.

To change a username

  1. Authenticate as an AFS identity with all of the following privileges. In the conventional configuration, the admin user account has them, or you may have a personal administrative account. (To increase cell security, it is best to create special privileged accounts for use only while performing administrative procedures; for further discussion, see An Overview of Administrative Privilege.) If necessary, issue the klog command to authenticate.

       % klog admin_user
       Password: <admin_password>
    

    The following list specifies the necessary privileges and indicates how to check that you have them.

    • Membership in the system:administrators group. If necessary, issue the pts membership command, which is fully described in To display the members of the system:administrators group.

         % pts membership system:administrators
      
    • Inclusion in the /usr/afs/etc/UserList file. If necessary, issue the bos listusers command, which is fully described in To display the users in the UserList file.

         % bos listusers <machine name>
      
    • The ADMIN flag on the Authentication Database entry. However, the Authentication Server performs its own authentication, so the following instructions direct you to specify an administrative identity on the kas command line itself.

    • The a (administer), d (delete), and i (insert) permissions on the ACL of the directory where you are removing the current mount point and creating a new one. If necessary, issue the fs listacl command, which is fully described in Displaying ACLs.

         % fs listacl [<dir/file path>]
      

      Members of the system:administrators group always implicitly have the a (administer) and by default also the l (lookup) permission on every ACL and can use the fs setacl command to grant other rights as necessary.

  2. Issue the pts listowned command to display the names of the groups the user owns. After you change the username in the Protection Database in Step 3, you must issue the pts rename command to change each group's owner prefix to match the new name, because the Protection Server does not automatically make this change. For a complete description of the pts listowned command, see Displaying Information from the Protection Database.

       % pts listowned <user or group name or id>
    
  3. Issue the pts rename command to change the user's name in the Protection Database.

       % pts rename <old name> <new name>
    
  4. Issue the pts rename command to change the group names you noted in Step 2, so that their owner prefix (the part of the group name before the colon) accurately reflects the owner's new name.

    Repeat the command for each group. Step 3 details its syntax.

       % pts rename <old name> <new name>
    
  5. Issue the kas command to enter interactive mode.

    The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UNIX) identity, which does not necessarily correspond to an AFS-privileged administrator. Include the -admin argument to name an identity that has the ADMIN flag on its Authentication Database entry. To verify that an entry has the flag, issue the kas examine command as described in To check if the ADMIN flag is set.

       % kas -admin <admin principal to use for authentication>
       Administrator's (admin_user) password: <admin_password>
       ka>

    where -admin names an administrative account that has the ADMIN flag on its Authentication Database entry, such as admin. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.

  6. Issue the (kas) delete command to delete the user's existing Authentication Database entry.

       ka> delete <name of user>
    

    where

    del

    Is the shortest acceptable abbreviation for delete, or you can use the alias rm.

    name of user

    Names the Authentication Database entry to delete.

  7. Issue the (kas) create command to create an Authentication Database entry for the new username. To avoid having the user's password echo visibly on the screen, do not include the -initial_password argument; instead enter the password at the prompts that appear in that case, as shown in the following syntax specification.

       ka> create <name of user>
       initial_password: <password>
       Verifying, please re-enter initial_password: <password>

    where

    cr

    Is the shortest acceptable abbreviation for create.

    name of user

    Specifies the new username.

    password

    Specifies the password for the new user account. If the user is willing to tell you his or her current password, you can retain it. Otherwise, provide a string of eight characters or less to comply with the length restriction that some applications impose. Possible choices for an initial password include the username, a string of digits from a personal identification number such as the Social Security number, or a standard string such as changeme. Instruct the user to change the string to a truly secret password as soon as possible by using the kpasswd command as instructed in the OpenAFS User Guide.

  8. Issue the quit command to leave interactive mode.

       ka> quit
    

  9. Issue the vos rename command to change the name of the user's volume. For complete syntax, see To rename a volume.

       % vos rename <old volume name> <new volume name>

  10. Issue the fs rmmount command to remove the existing mount point. For the directory argument, specify the read/write path to the mount point, to avoid the failure that results when you attempt to delete a mount point from a read-only volume.

       % fs rmmount <directory>
    

  11. Issue the fs mkmount command to create a mount point for the volume's new name. Specify the read/write path to the mount point for the directory argument, as in the previous step. For complete syntax, see Step 6 in To create one user account with individual commands.

       % fs mkmount <directory> <volume name>
    
  12. If the changes you made in Step 10 and Step 11 are to a mount point that resides in a replicated volume, use the vos release command to release the volume, as described in To replicate a read/write volume (create a read-only volume).

       % vos release <volume name or ID>
    

    Note

    This step can be necessary even if the home directory's parent directory is not itself a mount point for a replicated volume (and is easier to overlook in that case). For example, the Example Corporation template puts the mount points for user volumes in the /afs/example.com/usr directory. Because that is a regular directory rather than a mount point, it resides in the root.cell volume mounted at the /afs/example.com directory. That volume is replicated, so after changing it the administrator must issue the vos release command.
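The non-interactive part of this procedure (Steps 3, 4 and 9 through 12) as an added example that is not from the OpenAFS guide: a small Python planner that parses the output of pts listowned, renames only the groups whose owner prefix is exactly the old username, converts the mount point to its read/write path (/afs/.cellname/...) before fs rmmount and fs mkmount, and releases the parent volume last. It assumes the user.<username> volume naming convention from the account-creation template and that the home directory is renamed along with the user; the kas delete and create steps are left interactive, as above, so no password appears on a command line.

```python
"""Plan the non-interactive steps (pts, vos, fs) of an OpenAFS username
change; the kas delete/create steps (5-8) stay interactive."""
import subprocess

def owned_groups(listowned_output, old_name):
    """Groups in `pts listowned` output whose owner prefix is exactly old_name."""
    groups = []
    for line in listowned_output.splitlines():
        name = line.strip()  # header line and prefix-less groups are skipped
        if ":" in name and name.partition(":")[0] == old_name:
            groups.append(name)
    return groups

def read_write_path(path):
    """Read/write path (/afs/.cell/...) that Steps 10 and 11 require."""
    parts = path.split("/")
    if len(parts) < 4 or parts[1] != "afs":
        raise ValueError(f"not an /afs path: {path}")
    parts[2] = parts[2] if parts[2].startswith(".") else "." + parts[2]
    return "/".join(parts)

def rename_plan(old, new, listowned_output, mount_dir, parent_volume=None):
    """argv lists for Steps 3, 4 and 9-12 in procedure order; assumes the
    user.<name> volume convention and a home directory named after the user."""
    old_rw = read_write_path(mount_dir)
    new_rw = old_rw.rsplit("/", 1)[0] + "/" + new
    cmds = [["pts", "rename", old, new]]                # Step 3
    for group in owned_groups(listowned_output, old):   # Step 4
        cmds.append(["pts", "rename", group, new + group[len(old):]])
    cmds += [["vos", "rename", f"user.{old}", f"user.{new}"],  # Step 9
             ["fs", "rmmount", old_rw],                        # Step 10
             ["fs", "mkmount", new_rw, f"user.{new}"]]         # Step 11
    if parent_volume:  # Step 12: mount point lives in a replicated volume
        cmds.append(["vos", "release", parent_volume])
    return cmds

def run_plan(cmds, dry_run=True):
    """Print each command; with dry_run=False run it and stop on error."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)

# Constructed sample `pts listowned smith` output (not from a real cell).
SAMPLE_LISTOWNED = """Groups owned by smith (id: 1024) are:
  smith:friends
  smith:staff
  admins
"""
```

Run the plan with run_plan(rename_plan("smith", "jones", SAMPLE_LISTOWNED, "/afs/example.com/usr/smith", "root.cell")) to review the commands first, and pass dry_run=False only once the kas steps have been completed and the output looks right.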