Provided by: openafs-client_1.8.10-2.1ubuntu3.4_amd64

NAME

       pts_createuser - Creates a user or machine entry in the Protection Database

SYNOPSIS

       pts createuser -name <user name>+ [-id <user id>+]
           [-cell <cell name>] [-noauth] [-localauth] [-force]
           [-help] [-auth] [-encrypt] [-config <config directory>]

       pts createu -na <user name>+ [-i <user id>+]
           [-c <cell name>] [-no] [-l] [-f] [-h]
           [-a] [-e] [-co <config directory>]

       pts cu -na <user name>+ [-i <user id>+]
           [-c <cell name>] [-no] [-l] [-f] [-h]
           [-a] [-e] [-co <config directory>]

DESCRIPTION

       The pts createuser command creates an entry in the Protection Database for each user or machine specified
       by the -name argument. A user entry name becomes the user's AFS username (the one to provide when
       authenticating with the AFS Authentication Server).  A machine entry's name is the machine's IP address
       or a wildcard notation that represents a range of consecutive IP addresses (a group of machines on the
       same network). It is not possible to authenticate as a machine, but a group to which a machine entry
       belongs can appear on a directory's access control list (ACL), thereby granting the indicated permissions
       to any user logged on to the machine.

       AFS user IDs (AFS UIDs) are positive integers and by default the Protection Server assigns an AFS UID
       that is one greater than the current value of the "max user id" counter in the Protection Database,
       incrementing the counter by one for each user. To assign a specific AFS UID, use the -id argument. If any
       of the specified AFS UIDs is greater than the current value of the "max user id" counter, the counter is
       reset to that value. It is acceptable to specify an AFS UID smaller than the current value of the
       counter, but the creation operation fails if an existing user or machine entry already has it. To display
       or set the value of the "max user id" counter, use the pts listmax or pts setmax command, respectively.

       The issuer of the pts createuser command is recorded as the entry's creator and the group
       system:administrators as its owner.

CAUTIONS

       The Protection Server reserves several AFS UIDs, including 0 (zero) and 32766 (anonymous) for internal
       use, and returns an error if the -id argument has a reserved value.

OPTIONS

       -name <user name>+
           Specifies either a username for a user entry, or an IP address (complete or wildcarded) for a machine
           entry:

           •   A username can include up to 63 numbers and lowercase letters, but it is best to make it shorter
               than eight characters, because many application programs cannot handle longer names. Also, it is
               best not to include shell metacharacters or other punctuation marks. In particular, the colon
               (":") and at-sign ("@") characters are not acceptable. The period is generally used only in
               special administrative names, to separate the username and an instance, as in the example
               "pat.admin".

           •   A machine identifier is its IP address in dotted decimal notation (for example, 192.12.108.240),
               or a wildcard notation that represents a set of IP addresses (a group of machines on the same
               network). The following are acceptable wildcard formats. The letters "W", "X", "Y" and "Z" each
               represent an actual number from the range 1 through 255.

               •   W.X.Y.Z represents a single machine, for example 192.12.108.240.

               •   W.X.Y.0 matches all machines whose IP addresses start with the first three numbers. For
                   example, 192.12.108.0 matches both 192.12.108.119 and 192.12.108.120, but does not match
                   192.12.105.144.

               •   W.X.0.0 matches all machines whose IP addresses start with the first two numbers. For
                   example, the address 192.12.0.0 matches both 192.12.106.23 and 192.12.108.120, but does not
                   match 192.5.30.95.

               •   W.0.0.0 matches all machines whose IP addresses start with the first number in the specified
                   address. For example, the address 192.0.0.0 matches both 192.5.30.95 and 192.12.108.120, but
                   does not match 138.255.63.52.

               Do not define a machine entry with the name 0.0.0.0 to match every machine. The system:anyuser
               group is equivalent.

       -id <user id>+
           Specifies an AFS UID for each user or machine entry, rather than allowing the Protection Server to
           assign it. Provide a positive integer.

           If this argument is used and the -name argument names multiple new entries, it is best to provide an
           equivalent number of AFS UIDs. The first UID is assigned to the first entry, the second to the
           second entry, and so on. If there are fewer UIDs than entries, the Protection Server assigns UIDs to
           the unmatched entries based on the "max user id" counter. If there are more UIDs than entries, the
           excess UIDs are ignored. If any of the UIDs is greater than the current value of the "max user id"
           counter, the counter is reset to that value.

       -auth
           Use the calling user's tokens to communicate with the Protection Server. For more details, see
           pts(1).

       -cell <cell name>
           Names the cell in which to run the command. For more details, see pts(1).

       -config <config directory>
           Use an alternate config directory. For more details, see pts(1).

       -encrypt
           Encrypts any communication with the Protection Server. For more details, see pts(1).

       -force
           Enables the command to continue executing as far as possible when errors or other problems occur,
           rather than halting execution at the first error.

       -help
           Prints the online help for this command. All other valid options are ignored.

       -localauth
           Constructs a server ticket using a key from the local /etc/openafs/server/KeyFile file. Do not
           combine this flag with the -cell or -noauth options. For more details, see pts(1).

       -noauth
           Assigns the unprivileged identity anonymous to the issuer. For more details, see pts(1).

OUTPUT

       The command generates the following string to confirm creation of each user:

          User <name> has id <id>

EXAMPLES

       The following example creates a Protection Database entry for the user "johnson".

          % pts createuser -name johnson

       The following example creates three wildcarded machine entries in the Example Corporation cell. The three
       entries encompass all of the machines on the company's networks without including machines on other
       networks:

          % pts createuser -name 138.255.0.0 192.12.105.0 192.12.106.0
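
       The wildcard rules described under -name, applied to the three machine entries created above, as a way
       to review which client addresses an entry covers before a group containing it is placed on an ACL. This
       is an added example, not part of the OpenAFS documentation or code; the function names entry_matches
       and covering_entry are hypothetical, and the matching models only the four formats this page lists,
       not the Protection Server's implementation.

```sh
#!/bin/sh
# Added example (constructed); models the wildcard formats listed under -name.

# entry_matches ENTRY ADDR
# Exit 0 if ENTRY covers ADDR, 1 if it does not, 2 if either value is not a
# dotted quad or ENTRY is not one of the four listed formats (incl. 0.0.0.0).
entry_matches() (
    set -f; IFS=.
    set -- $1 $2                      # split both addresses into 8 octets
    [ $# -eq 8 ] || exit 2
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*) exit 2 ;; esac
        [ "$o" -le 255 ] || exit 2
    done
    # Trailing zero octets are wildcards; n = number of octets to compare.
    if   [ "$4" -ne 0 ]; then n=4
    elif [ "$3" -ne 0 ]; then n=3
    elif [ "$2" -ne 0 ]; then n=2
    else n=1
    fi
    while [ "$n" -gt 0 ]; do
        [ "$1" -ne 0 ] || exit 2      # W, X, Y, Z must be 1..255
        [ "$1" -eq "$5" ] || exit 1   # $5 is the address octet paired with $1
        shift; n=$((n - 1))
    done
    exit 0
)

# covering_entry ADDR ENTRY...
# Print the first ENTRY that covers ADDR; exit 1 if none does.
covering_entry() (
    addr=$1; shift
    for entry in "$@"; do
        if entry_matches "$entry" "$addr"; then
            printf '%s\n' "$entry"; exit 0
        fi
    done
    exit 1
)

# The three machine entries from the example above, checked against
# addresses that appear elsewhere on this page.
entries='138.255.0.0 192.12.105.0 192.12.106.0'
for a in 192.12.105.144 192.12.108.120 138.255.63.52 192.5.30.95; do
    hit=$(covering_entry "$a" $entries) || hit='(not covered)'
    printf '%-15s %s\n' "$a" "$hit"
done
```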

PRIVILEGE REQUIRED

       The issuer must belong to the system:administrators group.

SEE ALSO

       pts(1), pts_listmax(1), pts_setmax(1)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD
       by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth
       Cassell.

OpenAFS                                            2025-05-19                                  PTS_CREATEUSER(1)