Provided by: openafs-client_1.8.10-2.1ubuntu3.4_amd64 
NAME
pts - Introduction to the pts command suite
DESCRIPTION
The commands in the pts command suite are the administrative interface to the Protection Server, which
runs on each database server machine in a cell and maintains the Protection Database. The database stores
the information that AFS uses to augment and refine the standard UNIX scheme for controlling access to
files and directories.
Instead of relying only on the mode bits that define access rights for individual files, AFS associates
an access control list (ACL) with each directory. The ACL lists users and groups and specifies which of
seven possible access permissions they have for the directory and the files it contains. (It is still
possible to set a directory or file's mode bits, but AFS interprets them in its own way; see the chapter
on protection in the OpenAFS Administration Guide for details.)
AFS enables users to define groups in the Protection Database and place them on ACLs to extend a set of
rights to multiple users simultaneously. Groups simplify administration by making it possible to add
someone to many ACLs by adding them to a group that already exists on those ACLs. Machines can also be
members of a group, so that users logged into the machine automatically inherit the permissions granted
to the group.
There are several categories of commands in the pts command suite:
• Commands to create and remove Protection Database entries: pts creategroup, pts createuser, and pts
delete.
• Commands to administer and display group membership: pts adduser, pts listowned, pts membership, and
pts removeuser.
• Commands to administer and display properties of user and group entries other than membership: pts
chown, pts examine, pts listentries, pts rename, and pts setfields.
• Commands to set and examine the counters used when assigning IDs to users and groups: pts listmax and
pts setmax.
• Commands to run commands interactively: pts interactive, pts sleep, and pts quit.
• A command to run commands from a file: pts source.
• Commands to obtain help: pts apropos and pts help.
• A command to display the OpenAFS command suite version: pts version.
OPTIONS
The following arguments and flags are available on many commands in the pts suite. The reference page for
each command also lists them, but they are described here in greater detail.
-cell <cell name>
Names the cell in which to run the command. It is acceptable to abbreviate the cell name to the
shortest form that distinguishes it from the other entries in the /etc/openafs/CellServDB file on the
local machine. If the -cell argument is omitted, the command interpreter determines the name of the
local cell by reading the following in order:
• The value of the AFSCELL environment variable.
• The local /etc/openafs/ThisCell file.
Do not combine the -cell and -localauth options. A command on which the -localauth flag is
included always runs in the local cell (as defined in the server machine's local
/etc/openafs/server/ThisCell file), whereas a command on which the -cell argument is included
runs in the specified foreign cell.
-config <config directory>
The location of the directory to use to obtain configuration information, including the CellServDB.
This is primarily provided for testing purposes.
-force
Enables the command to continue executing as far as possible when errors or other problems occur,
rather than halting execution immediately. Without it, the command halts as soon as the first error
is encountered. In either case, the pts command interpreter reports errors at the command shell. This
flag is especially useful if the issuer provides many values for a command line argument; if one of
them is invalid, the command interpreter continues on to process the remaining arguments.
-help
Prints a command's online help message on the standard output stream. Do not combine this flag with
any of the command's other options; when it is provided, the command interpreter ignores all other
options, and only prints the help message.
-noauth
Establishes an unauthenticated connection to the Protection Server, in which the server treats the
issuer as the unprivileged user "anonymous". It is useful only when authorization checking is
disabled on the server machine (during the installation of a file server machine or when the bos
setauth command has been used during other unusual circumstances). In normal circumstances, the
Protection Server allows only privileged users to issue commands that change the Protection Database,
and refuses to perform such an action even if the -noauth flag is provided.
-encrypt
Establishes an authenticated, encrypted connection to the Protection Server. It is useful when it is
desired to obscure network traffic related to the transactions being done.
-localauth
Constructs a server ticket using the server encryption key with the highest key version number in the
local /etc/openafs/server/KeyFile file. The pts command interpreter presents the ticket, which never
expires, to the BOS Server during mutual authentication.
Use this flag only when issuing a command on a server machine; client machines do not usually have a
/etc/openafs/server/KeyFile file. The issuer of a command that includes this flag must be logged on
to the server machine as the local superuser "root". The flag is useful for commands invoked by an
unattended application program, such as a process controlled by the UNIX cron utility. It is also
useful if an administrator is unable to authenticate to AFS but is logged in as the local superuser
"root".
Do not combine the -cell and -localauth options. A command on which the -localauth flag is included
always runs in the local cell (as defined in the server machine's local /etc/openafs/server/ThisCell
file), whereas a command on which the -cell argument is included runs in the specified foreign cell.
Also, do not combine the -localauth and -noauth flags.
-auth
Use the calling user's tokens from the kernel to communicate with the ptserver (that is, the same
tokens displayed by tokens(1). This is the default if neither -localauth nor -noauth is given.
Since this option is the default, it is usually not useful for running single command line
operations. However, it can be useful when running commands via pts_interactive(1), since otherwise
it would be impossible to switch from, for example, -localauth back to using regular tokens during a
bulk operation. See pts_interactive(1) for more details.
PRIVILEGE REQUIRED
Members of the system:administrators group can issue all pts commands on any entry in the Protection
Database.
Users who do not belong to the system:administrators group can list information about their own entry and
any group entries they own. The privacy flags set with the pts setfields command control access to
entries owned by other users.
SEE ALSO
pts_adduser(1), pts_apropos(1), pts_chown(1), pts_creategroup(1), pts_createuser(1), pts_delete(1),
pts_examine(1), pts_help(1), pts_interactive(1), pts_listentries(1), pts_listmax(1), pts_listowned(1),
pts_membership(1), pts_quit(1), pts_removeuser(1), pts_rename(1), pts_setfields(1), pts_setmax(1),
pts_sleep(1), pts_source(1)
The OpenAFS Administration Guide at <http://docs.openafs.org/AdminGuide/>.
COPYRIGHT
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD
by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth
Cassell.
OpenAFS 2025-05-19 PTS(1)