Creating User and Machine Entries

An entry in the Protection Database is one of the two required components of every AFS user account, along with an entry in the Authentication Database. It is best to create a Protection Database user entry only in the context of creating a complete user account, by using the uss add or uss bulk command as described in Creating and Deleting User Accounts with the uss Command Suite, or the pts createuser command as described in Creating AFS User Accounts.

You can also use the pts createuser command to create Protection Database machine entries, which can then be used to control access based on the machine from which the access request originates. After creating a machine entry, add it to a Protection Database group and place the group on ACLs ( a machine cannot appear on ACLs directly). Because all replicas of a volume share the same ACL (the one on the volume's root directory mount point), you can replicate the volume that houses a program's binary file while still complying with a machine-based license agreement as required by the program's manufacturer. If you do not place any other entries on the ACL, then only users working on the designated machines can access the file.

Keep in mind that creating an ACL entry for a group with machine entries in it extends access to both authenticated and unauthenticated users working on the machine. However, you can deny access to unauthenticated users by omitting an entry for the system:anyuser group from the ACLs of the parent directories in the file's pathname. Conversely, if you want to enable unauthenticated users on the machine to access a file, then the ACL on every directory leading to it must include an entry for either the system:anyuser group or a group to which the machine entry belongs. For more information on the system:anyuser group, see The System Groups.

Because a machine entry can include unauthenticated users, it is best not to add both machine entries and user entries to the same group. In general, it is easier to use and administer nonmixed groups. A machine entry can represent a single machine, or multiple machines with consecutive IP addresses (that is, all machines on a network or subnet) specified by a wildcard notation. See the instructions in To create machine entries in the Protection Database.

By default, the Protection Server assigns the next available AFS UID to a new user or machine entry. It is best to allow this, especially for machine entries. For user entries, it makes sense to assign an AFS UID only if the user already has a UNIX UID that the AFS UID needs to match (see Assigning AFS and UNIX UIDs that Match). When automatically allocating an AFS UID, the Protection Server increments the max user id counter by one and assigns the result to the new entry. Use the pts listmax command to display the counter, as described in Displaying and Setting the AFS UID and GID Counters.

Do not reuse the AFS UIDs of users who have left your cell permanently or machine entries you have removed, even though doing so seems to avoid the apparent waste of IDs. When you remove a user or machine entry from the Protection Database, the fs listacl command displays the AFS UID associated with the former entry, rather than the name. If you then assign the AFS UID to a new user or machine, the new user or machine automatically inherits permissions that were granted to the previous possessor of the ID. To remove obsolete AFS UIDs from ACLs, use the fs cleanacl command described in Removing Obsolete AFS IDs from ACLs.

In addition to the name and AFS UID, the Protection Server records the following values in the indicated fields of a new user or machine's entry. For more information and instructions on displaying an entry, see To display a Protection Database entry.

To create machine entries in the Protection Database

  1. Verify that you belong to the system:administrators group. If necessary, issue the pts membership command, which is fully described in To display the members of the system:administrators group.

       % pts membership system:administrators
  2. Issue the pts createuser command to create one or more machine entries.

       % pts createuser -name <user name>+ 



    Is an alias for createuser (and createu is the shortest acceptable abbreviation).


    Specifies an IP address in dotted-decimal notation for each machine entry. An entry can represent a single machine or a set of several machines with consecutive IP addresses, using the wildcard notation described in the following list. The letters W, X, Y, and Z each represent an actual number value in the field:

    • W.X.Y.Z represents a single machine, for example

    • W.X.Y.0 matches all machines whose IP addresses start with the first three numbers. For example, matches both and, but does not match

    • W.X.0.0 matches all machines whose IP addresses start with the first two numbers. For example, the address matches both and, but does not match

    • W.0.0.0 matches all machines whose IP addresses start with the first number in the specified address. For example, the address matches both and, but does not match

    Do not define a machine entry with the name to match every machine. The system:anyuser group is equivalent.

The following example creates a machine entry that includes all of the machines in the 192.12 network.

   % pts cu