Granting Privilege for kas Commands: the ADMIN Flag

Granting Privilege for kas Commands: the ADMIN Flag
	Chapter 15. Managing Administrative Privilege

Administrators who have the ADMIN flag on their Authentication Database entry can issue all kas commands, which enable them to administer the Authentication Database.

To check if the ADMIN flag is set

Issue the kas examine command to display an entry from the Authentication Database.
The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UFS) identity, which possibly does not correspond to an AFS-privileged administrator. Include the -admin_username argument (here abbreviated to -admin) to name a user identity that has the ADMIN flag on its Authentication Database entry.
```
   % kas examine <name of user>   \
                 -admin  <admin principal to use for authentication>
   Administrator's (admin_user) password: <admin_password>
```
where
e
Is the shortest acceptable abbreviation of examine.
name of user
Names the entry to display.
-admin
Names an administrative account with the ADMIN flag on its Authentication Database entry, such as the admin account. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.

If the ADMIN flag is turned on, it appears on the first line, as in this example:

   % kas e terry -admin admin
   Administrator's (admin) password: <admin_password>
   User data for terry (ADMIN)
     key version is 0, etc...

To set or remove the ADMIN flag

Issue the kas setfields command to turn on the ADMIN flag in an Authentication Database entry.
The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. Include the -admin argument to name an identity that has the ADMIN flag on its Authentication Database entry. To verify that an entry has the flag, issue the kas examine command as described in To check if the ADMIN flag is set.
The following command appears on two lines only for legibility.
```
    % kas setfields <name of user>  {ADMIN |  NOADMIN} \  
                   -admin <admin principal to use for authentication>  
    Administrator's (admin_user) password: <admin_password>
```
where
sf
Is an alias for setfields (and setf is the shortest acceptable abbreviation).
name of user
Names the entry for which to set or remove the ADMIN flag.
ADMIN | NOADMIN
Sets or removes the ADMIN flag, respectively.
-admin
Names an administrative account with the ADMIN flag on its Authentication Database entry, such as the admin account. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.


Administering the system:administrators Group		Administering the UserList File