This section describes the commands you can use to display Protection Database entries and associated information. In addition to name and AFS ID, the Protection Database stores the following information about each user, machine, or group entry.
The entry's owner, which is the user or group of users who can administer the entry
The entry's creator, which serves mostly as an audit trail
A membership count, which indicates how many groups a user or machine belongs to, or how many members belong to a group
A set of privacy flags, which control which users can administer or display information about the entry
A group-creation quota, which defines how many groups a user can create
A list of the groups to which a user or machine belongs, or of the users and machines that belong to a group
A list of the groups that a user or group owns
Verify that you belong to the system:administrators group, which enables you to display an entry regardless of the setting of its first (s) privacy flag. By default, any user can display a Protection Database entry. If necessary, issue the pts membership command, which is fully described in To display the members of the system:administrators group.
% pts membership system:administrators
Issue the pts examine command to display one or more Protection Database entries.
% pts examine <user or group name or id>+
where
ex
Is the shortest acceptable abbreviation of examine (and check is an alias).
user or group name or id
Specifies the name or AFS ID of each entry to display. Precede any AFS GID with a hyphen (-) because it is a negative integer.
The output includes the following fields. Examples follow.
Name
Specifies the entry's name.
For a user, this is the name used when authenticating with AFS and the name that appears on ACL entries.
For a machine, this is the IP address of a single machine, or a wildcard notation that represents a group of machines with consecutive IP addresses, as described in Creating User and Machine Entries.
For a group, this is the name that appears on ACL entries and in the list of groups output by the pts membership command. The names of regular groups have two parts, separated by a colon (:). The part before the colon indicates the group's owner, and the part after is the unique name. A prefix-less group's name does not have the owner prefix; only members of the system:administrators group can create prefix-less groups. For further discussion of group names, see Creating Groups.
id
Specifies the entry's unique AFS identification number. For user and machine entries, the AFS user ID (AFS UID) is a positive integer; for groups, the AFS group ID (AFS GID) is a negative integer. AFS UIDs and GIDs have the same function as their counterparts in the UNIX file system, but are used by the AFS servers and the Cache Manager only.
Normally, the Protection Server assigns an AFS UID or GID automatically when you create Protection Database entries. Members of the system:administrators group can specify an ID if desired. For further discussion, see Creating User and Machine Entries and Creating Groups.
owner
Names the user or group who owns the entry and therefore can administer it (for more information about a group owning another group, see Using Groups Effectively). Other users possibly have administrative privileges, too, depending on the setting of the entry's privacy flags. For instructions on changing the owner, see Changing a Group's Owner.
creator
Names the user who created the entry, and serves as an audit trail. If the entry is deleted from the Protection Database, the creator's group creation quota increases by one, even if the creator no longer owns the entry; see Setting Group-Creation Quota.
The value anonymous in this field generally indicates that the entry was created when the Protection Server was running in no-authentication mode, probably during initial configuration of the cell's first file server machine. For a description of no-authentication mode, see Managing Authentication and Authorization Requirements.
membership
Specifies the number of groups to which the user or machine belongs, or the number of users or machines that belong to the group.
flags
Specifies who can display or change information in a Protection Database entry. The five flags, each representing a different capability, always appear in the same order.
For user entries, the default value is S----, which indicates that anyone can issue the pts examine command on the entry, but only the user and members of the system:administrators group can perform any other action.
For machine entries, the default value is S----, which indicates that anyone can issue the pts examine command on the entry, but only members of the system:administrators group can perform any other action.
For group entries, the default value is S-M--, which indicates that anyone can issue the pts examine and pts membership commands on the entry, but only the group's owner and members of the system:administrators group can perform any other action.
For a complete description of possible values for the flags, see Setting the Privacy Flags on Database Entries.
group quota
Specifies how many more groups a user can create in the Protection Database. The value for a newly created user entry is 20, but members of the system:administrators group can issue the pts setfields command at any time to change the value; see Setting Group-Creation Quota.
Group creation quota has no meaning for a machine or group entry: the Protection Server recognizes the issuer of the pts creategroup command only as an authenticated user or as the anonymous user, never as a machine or group. The default value for group entries is 0 (zero), and there is no reason to change it.
The following examples show the output for a user called pat, a machine with IP address 192.12.108.133 and a group called terry:friends:
% pts examine pat
Name: pat, id: 1020, owner: system:administrators, creator: admin,
  membership: 12, flags: S----, group quota: 15.
% pts ex 192.12.108.133
Name: 192.12.108.133, id: 5151, owner: system:administrators, creator: admin,
  membership: 1, flags: S----, group quota: 20.
% pts examine terry:friends
Name: terry:friends, id: -567, owner: terry, creator: terry,
  membership: 12, flags: SOm--, group quota: 0.
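As an added example that is not part of this guide or of the pts tool, the following POSIX shell script reads the two-line pts examine output format shown above and reports every entry whose privacy flags differ from the documented defaults (S---- for user and machine entries, S-M-- for group entries). It treats an entry as a group when its AFS ID is negative; it does not distinguish users from machines, which is harmless here because both share the same default. The sample output it parses is constructed from the three entries above, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample: the text `pts examine` prints for three entries,
# in the two-line format shown in the guide.
SAMPLE_EXAMINE='Name: pat, id: 1020, owner: system:administrators, creator: admin,
  membership: 12, flags: S----, group quota: 15.
Name: 192.12.108.133, id: 5151, owner: system:administrators, creator: admin,
  membership: 1, flags: S----, group quota: 20.
Name: terry:friends, id: -567, owner: terry, creator: terry,
  membership: 12, flags: SOm--, group quota: 0.'

# Read pts examine output on stdin and emit one "name id flags" record per entry,
# joining the "Name:" line with the "flags:" line that follows it.
pts_examine_records() {
  awk '
    /^Name:/ {
      name = $2; sub(/,$/, "", name)   # strip trailing comma
      id   = $4; sub(/,$/, "", id)
    }
    /flags:/ {
      flags = $0
      sub(/.*flags: /, "", flags)      # keep text after "flags: "
      sub(/,.*/, "", flags)            # drop ", group quota: N."
      print name, id, flags
    }
  '
}

# Default privacy flags for an entry, as documented: groups (negative AFS GID)
# default to S-M--, users and machines to S----.
default_flags() {
  case "$1" in
    -*) echo 'S-M--' ;;
    *)  echo 'S----' ;;
  esac
}

# Print every entry whose flags are not the default for its type.
# Hypothetical helper name; reads pts examine output on stdin.
pts_flags_audit() {
  pts_examine_records | while read -r name id flags; do
    def=$(default_flags "$id")
    [ "$flags" = "$def" ] || echo "$name (id $id): flags $flags, default $def"
  done
}

# Usage on the constructed sample (prints the one non-default entry).
printf '%s\n' "$SAMPLE_EXAMINE" | pts_flags_audit
```

Feed the real command's output into the same function (for example, pts examine over a list of names piped to pts_flags_audit) to get a quick inventory of entries whose privacy flags have been loosened or tightened from the defaults described above.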
Verify that you belong to the system:administrators group, which enables you to display an entry's group membership information regardless of the setting of its third (m) privacy flag. By default the owner and the user can display group membership for a user entry, the owner for a machine entry, and anyone for a group entry. If necessary, issue the pts membership command, which is fully described in To display the members of the system:administrators group.
% pts membership system:administrators
Issue the pts membership command to display the list of groups to which a user or machine belongs, or the list of users and machines that belong to a group.
% pts membership <user or group name or id>+
where
mem
Is the shortest acceptable abbreviation of membership.
user or group name or id
Specifies the name or AFS UID of each user or machine for which to list the groups it belongs to, or the name or AFS GID of each group for which to list the members.
For user and machine entries, the output begins with the following string, and then each group appears on its own line:
Groups user_or_machine (id: AFS_UID) is a member of:
For group entries, the output begins with the following string, and then each member appears on its own line:
Members of group (id: AFS_GID) are:
For the system groups system:anyuser and system:authuser, the output includes the initial header string only, because these groups do not have a stable membership listed in their Protection Database entry. See The System Groups.
The following examples show the output for a user called terry and a group called terry:friends:
% pts mem terry
Groups terry (id: 5347) is a member of:
  pat:friends
  sales
  acctg:general
% pts mem terry:friends
Members of terry:friends (id: -567) are:
  pat
  smith
  johnson
Verify that you belong to the system:administrators group, which enables you to display an entry's group ownership information regardless of the setting of its second (o) privacy flag. By default, the owner can list the groups owned by a group, and a user can list the groups he or she owns. If necessary, issue the pts membership command, which is fully described in To display the members of the system:administrators group.
% pts membership system:administrators
Issue the pts listowned command to list the groups owned by each user or group.
% pts listowned <user or group name or id>+
where
listo
Is the shortest acceptable abbreviation of listowned.
user or group name or id
Specifies the name or AFS UID of each user, or the name or AFS GID of each group, for which to list the groups owned.
The output begins with the following string, and then each group appears on its own line:
Groups owned by user_or_group (id: AFS_ID) are:
The following examples show the output for a user called terry and a group called terry:friends:
% pts listo terry
Groups owned by terry (id: 5347) are:
  terry:friends
  terry:co-workers
% pts listo terry:friends
Groups owned by terry:friends (id: -567) are:
  terry:pals
  terry:buddies
Verify that you belong to the system:administrators group. If necessary, issue the pts membership command, which is fully described in To display the members of the system:administrators group.
% pts membership system:administrators
Issue the pts listentries command to display all Protection Database entries.
% pts listentries [-users] [-groups]
where
Is the shortest acceptable abbreviation of listentries.
-users
Displays user and machine entries. The same output results if you omit both this flag and the -groups flag.
-groups
Displays group entries.
The output is a table that includes the following columns. Examples follow.
Name
Specifies the entry's name.
ID
Specifies the entry's AFS identification number. For user and machine entries, the AFS user ID (AFS UID) is a positive integer; for groups, the AFS group ID (AFS GID) is a negative integer.
Owner
Specifies the AFS ID of the user or group who owns the entry and therefore can administer it.
Creator
Specifies the AFS UID of the user who created the entry.
The following example is from the Example Corporation cell. The issuer provides no options, so the output includes user and machine entries.
% pts listentries
Name                            ID   Owner Creator
anonymous                    32766    -204    -204
admin                            1    -204   32766
pat                           1000    -204       1
terry                         1001    -204       1
smith                         1003    -204       1
jones                         1004    -204       1
192.12.105.33                 2000    -204       1
192.12.105.46                 2001    -204       1
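As an added example, not part of this guide or of the pts tool, the following POSIX shell script reads pts listentries output in the column layout above, looks up the AFS UID of the anonymous entry from the table itself, and lists every entry whose Creator column holds that UID. As noted under the creator field, an anonymous creator generally means the entry was made while the Protection Server ran in no-authentication mode, which is worth reviewing after initial cell configuration. The table it parses is constructed from the Example Corporation output above, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `pts listentries` output, laid out as in the guide.
SAMPLE_LISTENTRIES='Name                            ID   Owner Creator
anonymous                    32766    -204    -204
admin                            1    -204   32766
pat                           1000    -204       1
terry                         1001    -204       1
smith                         1003    -204       1
192.12.105.33                 2000    -204       1'

# Print the AFS UID of the anonymous entry found in the table on stdin
# (32766 in the example, but read from the output rather than assumed).
# Hypothetical helper name.
anonymous_uid() {
  awk 'NR > 1 && $1 == "anonymous" { print $2; exit }'
}

# Read a listentries table on stdin and print each entry whose Creator
# column equals the anonymous UID, as "name (id N)". Hypothetical helper name.
created_by_anonymous() {
  input=$(cat)
  anon=$(printf '%s\n' "$input" | anonymous_uid)
  if [ -z "$anon" ]; then
    echo "no anonymous entry in table" >&2
    return 1
  fi
  printf '%s\n' "$input" | awk -v anon="$anon" '
    NR > 1 && $4 == anon { print $1 " (id " $2 ")" }
  '
}

# Usage on the constructed sample (prints "admin (id 1)").
printf '%s\n' "$SAMPLE_LISTENTRIES" | created_by_anonymous
```

To run it against a live cell, pipe the output of pts listentries (with -users, -groups, or both) into created_by_anonymous; the header line is skipped because the parser only looks at rows after the first.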