Provided by: openafs-client_1.8.10-2.1ubuntu3.4_amd64

NAME

       pts_examine - Displays a Protection Database entry

SYNOPSIS

       pts examine -nameorid <user or group name or id>+
           [-cell <cell name>] [-noauth] [-localauth]
           [-force] [-auth] [-help]
           [-encrypt] [-config <config directory>]

       pts e -na <user or group name or id>+ [-c <cell name>]
           [-no] [-l] [-f] [-a] [-h]
           [-e] [-co <config directory>]

       pts check -na <user or group name or id>+ [-c <cell name>]
           [-no] [-l] [-f] [-a] [-h]
           [-e] [-co <config directory>]

       pts che -na <user or group name or id>+ [-c <cell name>]
           [-no] [-l] [-f] [-a] [-h]
           [-e] [-co <config directory>]

DESCRIPTION

       The pts examine command displays information from the Protection Database entry of each user, machine or
       group specified by the -nameorid argument.

OPTIONS

       -nameorid <user or group name or id>+
           Specifies  the  name  or  AFS  UID of each user, the name or AFS GID of each group, or the IP address
           (complete or wildcard-style) or AFS UID of each machine for which to display the Protection  Database
           entry. It is acceptable to mix users, machines, and groups on the same command line, as well as names
           (IP  addresses for machines) and IDs. Precede the GID of each group with a hyphen to indicate that it
           is negative.

       -auth
           Use the calling user's tokens to communicate with  the  Protection  Server.  For  more  details,  see
           pts(1).

       -cell <cell name>
           Names the cell in which to run the command. For more details, see pts(1).

       -config <config directory>
           Use an alternate config directory. For more details, see pts(1).

       -encrypt
           Encrypts any communication with the Protection Server. For more details, see pts(1).

       -force
           Enables  the  command  to  continue executing as far as possible when errors or other problems occur,
           rather than halting execution at the first error.

       -help
           Prints the online help for this command. All other valid options are ignored.

       -localauth
           Constructs a server ticket using a key  from  the  local  /etc/openafs/server/KeyFile  file.  Do  not
           combine this flag with the -cell or -noauth options. For more details, see pts(1).

       -noauth
           Assigns the unprivileged identity anonymous to the issuer. For more details, see pts(1).

OUTPUT

       The output for each entry consists of two lines that include the following fields:

       Name
           The contents of this field depend on the type of entry:

           •   For a user entry, it is the username that the user types when authenticating with AFS.

           •   For a machine entry, it is either the IP address of a single machine in dotted decimal format, or
               a  wildcard  notation  that  represents  a  group  of  machines  on the same network. See the pts
               createuser reference page for an explanation of the wildcard notation.

           •   For a group entry, it is one of two types of group name. If the name has a colon between the two
               parts, it represents a regular group and the part before the colon (the owner prefix) reflects the
               group's owner. A prefix-less group does not have the owner field or the colon. For more details on
               group names, see the pts creategroup reference page.

       id  A unique number that the AFS server processes use to identify AFS users,  machines  and  groups.  AFS
           UIDs  for user and machine entries are positive integers, and AFS GIDs for group entries are negative
           integers. AFS UIDs and GIDs are similar in function to the UIDs and GIDs used in local  file  systems
           such as UFS, but apply only to AFS operations.

       owner
           The  user  or  group that owns the entry and thus can administer it (change the values in most of the
           fields displayed in the output of this  command),  or  delete  it  entirely.  The  Protection  Server
           automatically  records  the system:administrators group in this field for user and machine entries at
           creation time.

       creator
           The user who issued the pts createuser or pts creategroup command to create  the  entry.  This  field
           serves as an audit trail, and cannot be changed.

       membership
           An  integer  that for users and machines represents the number of groups to which the user or machine
           belongs. For groups, it represents the number of group members.

       flags
           A string of five characters, referred to  as  privacy  flags,  which  indicate  who  can  display  or
           administer certain aspects of the entry.

           s   Controls who can issue the pts examine command to display the entry.

           o   Controls who can issue the pts listowned command to display the groups that a user or group owns.

           m   Controls who can issue the pts membership command to display the groups a user or machine belongs
               to, or which users or machines belong to a group.

           a   Controls  who  can  issue  the  pts  adduser  command  to add a user or machine to a group. It is
               meaningful only for groups, but a value must always be set  for  it  even  on  user  and  machine
               entries.

           r   Controls who can issue the pts removeuser command to remove a user or machine from a group. It is
               meaningful  only  for  groups,  but  a  value  must always be set for it even on user and machine
               entries.

           Each flag can take three possible types of values to enable a different set of  users  to  issue  the
           corresponding command:

           •   A hyphen (-) designates the members of the system:administrators group and the entry's owner. For
               user entries, it designates the user in addition.

           •   The  lowercase  version of the letter applies meaningfully to groups only, and designates members
               of the group in addition to the individuals designated by the hyphen.

           •   The uppercase version of the letter designates everyone.

           For example, the flags "SOmar" on a group entry indicate that anyone can examine  the  group's  entry
           and  display  the  groups that it owns, and that only the group's members can display, add, or remove
           its members.

           The default privacy flags for user and machine entries are "S----", meaning that anyone  can  display
           the   entry.   The  ability  to  perform  any  other  functions  is  restricted  to  members  of  the
           system:administrators group and the entry's owner (as well as the user for a user entry).

           The default privacy flags for group entries are "S-M--", meaning that all users can display the entry
           and the members of the group, but only the entry owner and members of the system:administrators group
           can perform other functions. The defaults for the privacy flags may be changed  by  running  ptserver
           with the -default_access option. See ptserver(8) for more discussion of the -default_access option.

       group quota
           The number of additional groups the user is allowed to create. The pts createuser command sets it to
           20 for both users and machines, but it has no meaningful interpretation for a machine, because it is
           not possible to authenticate as a machine. Similarly, it has no meaning in group entries that only
           deal with the local cell, and the pts creategroup command sets it to 0 (zero); do not change this
           value.

           When using cross-realm authentication, an administrator creates a special group of the form
           system:authuser@FOREIGN.REALM. If the group quota for this special group is greater than zero, then
           aklog will automatically register foreign users in the local PTS database, add the foreign user to
           the system:authuser@FOREIGN.REALM group, and decrement the group quota by one.

EXAMPLES

       The following example displays the user entry for "terry" and the machine entry 158.12.105.44.

          % pts examine terry 158.12.105.44
          Name: terry, id: 1045, owner: system:administrators, creator: admin,
            membership: 9, flags: S----, group quota: 15.
          Name: 158.12.105.44, id: 5151, owner: system:administrators,
            creator: byu, membership: 1, flags: S----, group quota: 20.

       The following example displays the entries for the AFS groups with GIDs -673 and -674.

          % pts examine -673 -674
          Name: terry:friends, id: -673, owner: terry, creator: terry,
            membership: 5, flags: S-M--, group quota: 0.
          Name: smith:colleagues, id: -674, owner: smith, creator: smith,
            membership: 14, flags: SOM--, group quota: 0.
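
       The records above and the privacy flags described under OUTPUT, parsed and compared against the default
       flags this page states. This is an added example, not part of the OpenAFS documentation or code; the
       function names are hypothetical, and it assumes ptserver runs without -default_access.

```python
import re

# Sample records copied from the EXAMPLES section of this page.
SAMPLE = """\
Name: terry, id: 1045, owner: system:administrators, creator: admin,
  membership: 9, flags: S----, group quota: 15.
Name: 158.12.105.44, id: 5151, owner: system:administrators,
  creator: byu, membership: 1, flags: S----, group quota: 20.
Name: smith:colleagues, id: -674, owner: smith, creator: smith,
  membership: 14, flags: SOM--, group quota: 0.
"""

COMMANDS = ("examine", "listowned", "membership", "adduser", "removeuser")
LETTERS = "somar"
# Defaults as documented here; assumes ptserver runs without -default_access.
DEFAULT_FLAGS = {"group": "S-M--", "user_or_machine": "S----"}
ENTRY_RE = re.compile(
    r"Name: (?P<name>.+?), id: (?P<id>-?\d+), owner: (?P<owner>.+?), "
    r"creator: (?P<creator>.+?), membership: (?P<membership>\d+), "
    r"flags: (?P<flags>[A-Za-z-]{5}), group quota: (?P<quota>[^.\s]+)\.")

def parse_entries(text):
    """Parse 'pts examine' output; a record may wrap at any comma."""
    flat = " ".join(text.split())  # undo the line wrapping
    entries = []
    for match in ENTRY_RE.finditer(flat):
        entry = match.groupdict()
        entry["id"] = int(entry["id"])
        entry["membership"] = int(entry["membership"])
        # AFS GIDs are negative; user and machine UIDs are positive.
        entry["kind"] = "group" if entry["id"] < 0 else "user_or_machine"
        entries.append(entry)
    return entries

def rank(value, letter):
    """0: '-' (admins, owner); 1: lowercase (plus members); 2: uppercase (anyone)."""
    scale = ("-", letter, letter.upper())
    if value not in scale:
        raise ValueError(f"invalid value {value!r} for flag {letter!r}")
    return scale.index(value)

def widened(entry):
    """Commands this entry opens to a wider audience than the default flags."""
    default = DEFAULT_FLAGS[entry["kind"]]
    return [cmd for cmd, letter, cur, dflt
            in zip(COMMANDS, LETTERS, entry["flags"], default)
            if rank(cur, letter) > rank(dflt, letter)]

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e["name"], e["flags"], widened(e) or "no wider than default")
```

       Of the sample records, only smith:colleagues is reported: its "O" flag lets anyone run pts listowned
       against the group, where the default "S-M--" limits that to the owner and system:administrators.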

PRIVILEGE REQUIRED

       The required privilege depends on the setting of the first privacy flag in each Protection Database
       entry specified by the -nameorid argument:

       •   If it is lowercase "s", members of the system:administrators group and the  user  associated  with  a
           user  entry can examine it, and only members of the system:administrators group can examine a machine
           or group entry.

       •   If it is uppercase "S", anyone who can access the cell's database server  machines  can  examine  the
           entry.

SEE ALSO

       pts(1),    pts_adduser(1),   pts_chown(1),   pts_creategroup(1),   pts_createuser(1),   pts_listowned(1),
       pts_membership(1), pts_removeuser(1), pts_rename(1), pts_setfields(1)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted from HTML  to  POD
       by  software  written  by  Chas  Williams  and Russ Allbery, based on work by Alf Wachsmann and Elizabeth
       Cassell.

OpenAFS                                            2025-05-19                                     PTS_EXAMINE(1)