.\" Automatically generated by Pod::Man 4.10 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "KLOG.KRB5 1"
.TH KLOG.KRB5 1 "2021-01-27" "OpenAFS" "AFS Command Reference"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
klog.krb5 \- Authenticates to Kerberos and obtains a token
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBklog.krb5\fR [\fB\-x\fR] [\fB\-principal\fR\ <\fIuser\ name\fR>]
    [\-password <\fIuser's password\fR>] [\fB\-cell\fR\ <\fIcell\ name\fR>]
    [\fB\-k\fR\ <\fIrealm\fR>] [\fB\-pipe\fR] [\fB\-silent\fR]
    [\fB\-lifetime\fR\ <\fIticket\ lifetime\ in\ hh[:mm[:ss]]\fR>]
    [\fB\-setpag\fR] [\fB\-tmp\fR] [\fB\-noprdb\fR] [\fB\-unwrap\fR] [\fB\-help\fR]
.PP
\&\fBklog.krb5\fR [\fB\-x\fR] [\fB\-pr\fR\ <\fIuser\ name\fR>]
    [\fB\-pa\fR\ <\fIuser's\ password\fR>]
    [\fB\-c\fR\ <\fIcell\ name\fR>]
    \fB[\fB\-k\fB <\f(BIrealm\fB>]\fR [\fB\-pi\fR] [\fB\-si\fR]
    [\fB\-l\fR\ <\fIticket\ lifetime\ in\ hh[:mm[:ss]]\fR>]
    [\fB\-se\fR] [\fB\-t\fR] [\fB\-n\fR] [\fB\-u\fR] [\fB\-h\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBklog.krb5\fR command obtains a Kerberos v5 ticket from a Kerberos
\&\s-1KDC\s0 and, from the ticket, an \s-1AFS\s0 token and then stores it in the Cache
Manager.  The Cache Manager keeps the token in kernel memory and uses it
when obtaining authenticated access to the \s-1AFS\s0 filespace.  This command
does not affect the issuer's identity (\s-1UNIX UID\s0) on the local file system.
.PP
By default, the command interpreter obtains a token for the \s-1AFS\s0 user name
that matches the issuer's local user name.  To specify an alternate user,
include the \fB\-principal\fR argument.  The user named by the \fB\-principal\fR
argument does not have to appear in the local password file (the
\&\fI/etc/passwd\fR file or equivalent).
.PP
By default, the command interpreter obtains a token for the local cell, as
defined by the \s-1AFSCELL\s0 environment variable set in the command shell or by
the \fI/etc/openafs/ThisCell\fR file on the local machine.  To specify an
alternate cell, include the \fB\-cell\fR argument.  A user can have tokens in
multiple cells simultaneously, but only one token per cell per connection
to the client machine.  If the user's credential structure already
contains a token for the requested cell, the token resulting from this
command replaces it.
.PP
By default, the command interpreter obtains a Kerberos ticket for the
local realm.  To specify a different Kerberos realm, include the \fB\-k\fR
argument.  The Kerberos realm name need not match the \s-1AFS\s0 cell name.
\&\fBklog.krb5\fR will request a ticket for the principal \f(CW\*(C`afs/\f(CIcell\f(CW\*(C'\fR where
\&\fIcell\fR is the cell name for which the user is requesting tokens, falling
back on the principal \f(CW\*(C`afs\*(C'\fR if that principal does not work.
.PP
The lifetime of the token resulting from this command is the smallest of
the following:
.IP "\(bu" 4
The lifetime specified by the issuer with the \fB\-lifetime\fR argument if
that argument was given.
.IP "\(bu" 4
The maximum ticket lifetime recorded for the \f(CW\*(C`afs/\f(CIcell\f(CW\*(C'\fR principal in
thet Kerberos database.
.IP "\(bu" 4
The maximum ticket lifetime recorded in the specified user's Kerberos
database entry.
.SH "CAUTIONS"
.IX Header "CAUTIONS"
By default, this command does not create a new process authentication
group (\s-1PAG\s0); see the description of the \fBpagsh\fR command to learn about
PAGs.  If a cell does not use an AFS-modified login utility, users must
include \fB\-setpag\fR option to this command, or issue the \fBpagsh\fR command
before this one, to have their tokens stored in a credential structure
that is identified by \s-1PAG\s0 rather than by local \s-1UID.\s0  Users should be aware
that \fB\-setpag\fR will not work on some systems, most notably recent Linux
systems, and using \fBpagsh\fR is preferrable and more reliable.
.PP
When a credential structure is identified by local \s-1UID,\s0 the potential
security exposure is that the local superuser \f(CW\*(C`root\*(C'\fR can use the \s-1UNIX\s0
\&\fBsu\fR command to assume any other identity and automatically inherit the
tokens associated with that \s-1UID.\s0  Identifying the credential structure by
\&\s-1PAG\s0 makes it more difficult (but not impossible) for the local superuser
to obtain tokens of other users.
.PP
If the \fB\-password\fR argument is used, the specified password cannot begin
with a hyphen, because it is interpreted as another option name.  Use of
the \fB\-password\fR argument is not recommended in any case.
.PP
By default, it is possible to issue this command on a properly configured
\&\s-1NFS\s0 client machine that is accessing \s-1AFS\s0 via the \s-1NFS/AFS\s0 Translator,
assuming that the \s-1NFS\s0 client machine is a supported system type. However,
if the translator machine's administrator has enabled \s-1UID\s0 checking by
including the \fB\-uidcheck on\fR argument to the \fBfs exportafs\fR command, the
command fails with an error message similar to the following:
.PP
.Vb 2
\&   Warning: Remote pioctl to <translator_machine> has failed (err=8). . .
\&   Unable to authenticate to AFS because a pioctl failed.
.Ve
.PP
Enabling \s-1UID\s0 checking means that the credential structure in which tokens
are stored on the translator machine must be identified by a \s-1UID\s0 that
matches the local \s-1UID\s0 of the process that is placing the tokens in the
credential structure.  After the \fBklog.krb5\fR command interpreter obtains
the token on the \s-1NFS\s0 client, it passes it to the remote executor daemon on
the translator machine, which makes the system call that stores the token
in a credential structure on the translator machine.  The remote executor
generally runs as the local superuser \f(CW\*(C`root\*(C'\fR, so in most cases its local
\&\s-1UID\s0 (normally zero) does not match the local \s-1UID\s0 of the user who issued
the \fBklog.krb5\fR command on the \s-1NFS\s0 client machine.
.PP
Issuing the \fBklog.krb5\fR command on an \s-1NFS\s0 client machine creates a
security exposure: the command interpreter passes the token across the
network to the remote executor daemon in clear text mode.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-x\fR" 4
.IX Item "-x"
Appears only for backwards compatibility.  Its former function is now the
default behavior of this command.
.IP "\fB\-principal\fR <\fIuser name\fR>" 4
.IX Item "-principal <user name>"
Specifies the user name to authenticate.  If this argument is omitted, the
default value is the local user name.
.IP "\fB\-password\fR <\fIuser's password\fR>" 4
.IX Item "-password <user's password>"
Specifies the issuer's password (or that of the alternate user identified
by the \fB\-principal\fR argument).  Omit this argument to have the command
interpreter prompt for the password, in which case it does not echo
visibly in the command shell.
.IP "\fB\-cell\fR <\fIcell name\fR>" 4
.IX Item "-cell <cell name>"
Specifies the cell for which to obtain a token.  During a single login
session on a given machine, a user can be authenticated in multiple cells
simultaneously, but can have only one token at a time for each of them
(that is, can only authenticate under one identity per cell per session on
a machine).  It is acceptable to abbreviate the cell name to the shortest
form that distinguishes it from the other cells listed in the
\&\fI/etc/openafs/CellServDB\fR file on the client machine on which the
command is issued.
.Sp
If this argument is omitted, the command is executed in the local cell, as
defined
.RS 4
.IP "\(bu" 4
First, by the value of the environment variable \s-1AFSCELL.\s0
.IP "\(bu" 4
Second, in the \fI/etc/openafs/ThisCell\fR file on the client machine on
which the command is issued.
.RE
.RS 4
.RE
.IP "\fB\-k\fR <\fIrealm\fR>" 4
.IX Item "-k <realm>"
Obtain tickets and tokens from the <\fIrealm\fR> Kerberos realm.  If this
option is not given, \fBklog.krb5\fR defaults to using the default local
realm.  The Kerberos realm name need not match the \s-1AFS\s0 cell name.
.IP "\fB\-pipe\fR" 4
.IX Item "-pipe"
Suppresses all output to the standard output stream, including prompts and
error messages. The \fBklog.krb5\fR command interpreter expects to receive
the password from the standard input stream. Do not use this argument; it
is designed for use by application programs rather than human users.
.IP "\fB\-silent\fR" 4
.IX Item "-silent"
Suppresses some of the trace messages that the \fBklog.krb5\fR command
produces on the standard output stream by default.  It still reports on
major problems encountered.
.IP "\fB\-lifetime\fR <\fIticket lifetime\fR" 4
.IX Item "-lifetime <ticket lifetime"
Requests a specific lifetime for the token.  Provide a number of hours and
optionally minutes and seconds in the format \fIhh\fR[\fB:\fR\fImm\fR[\fB:\fR\fIss\fR]].
.IP "\fB\-setpag\fR" 4
.IX Item "-setpag"
Creates a process authentication group (\s-1PAG\s0) prior to requesting
authentication. The token is associated with the newly created \s-1PAG.\s0
.IP "\fB\-tmp\fR" 4
.IX Item "-tmp"
Creates a Kerberos-style ticket file rather than only obtaining tokens.
The ticket file will be stored in the default Kerberos ticket cache
location, which is usually in the \fI/tmp\fR directory of the local machine
(but depends on the Kerberos implementation used).
.IP "\fB\-noprdb\fR" 4
.IX Item "-noprdb"
By default, \fBklog.krb5\fR looks up the user's \s-1AFS ID\s0 in the Protection
Server and associates the token with that \s-1AFS ID.\s0  This is helpful when
looking at the output of commands like \fBtokens\fR but is not required.  If
this option is given, this behavior is suppressed and \fBklog.krb5\fR will
store the token under a generic name.  You may wish this if, for example,
you have problems contacting the Protection Server for an \s-1AFS\s0 cell for
some reason.
.IP "\fB\-unwrap\fR" 4
.IX Item "-unwrap"
Normally, \fBklog.krb5\fR uses the Kerberos service ticket for the \s-1AFS\s0
principal as the \s-1AFS\s0 token.  If this option is given, \fBklog.krb5\fR creates
a different, simplified \s-1AFS\s0 token form based on the service ticket (the
so-called \*(L"rxkad 2b\*(R" token).  Normally, this is not necessary.  However,
if you are using older OpenAFS software that cannot handle large ticket
sizes in conjunction with Active Directory as the Kerberos server, using
\&\fB\-unwrap\fR can shrink the \s-1AFS\s0 token size so that older software can handle
it more easily.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Prints the online help for this command. All other valid options are
ignored.
.SH "OUTPUT"
.IX Header "OUTPUT"
If the \fB\-tmp\fR flag is included, the following message confirms that a
Kerberos ticket cache was created:
.PP
.Vb 1
\&   Wrote ticket file to /tmp/krb5cc_1000_rENJoZ
.Ve
.PP
The path to the cache will vary, of course.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Most often, this command is issued without arguments. The appropriate
password is for the person currently logged into the local system.  The
ticket's lifetime is calculated as described in \*(L"\s-1DESCRIPTION\*(R"\s0.
.PP
.Vb 2
\&   % klog.krb5
\&   Password for user@EXAMPLE.ORG:
.Ve
.PP
The following example authenticates the user as admin in the Example
Corporation's test cell:
.PP
.Vb 2
\&   % klog.krb5 \-principal admin \-cell test.example.com
\&   Password for admin@EXAMPLE.COM:
.Ve
.PP
In the following, the issuer requests a ticket lifetime of 104 hours 30
minutes (4 days 8 hours 30 minutes).
.PP
.Vb 2
\&   % klog.krb5 \-lifetime 104:30
\&   Password for user@EXAMPLE.ORG:
.Ve
.SH "PRIVILEGE REQUIRED"
.IX Header "PRIVILEGE REQUIRED"
None
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBaklog\fR\|(1),
\&\fBfs_exportafs\fR\|(1),
\&\fBpagsh\fR\|(1),
\&\fBtokens\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
\&\s-1IBM\s0 Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
.PP
This documentation is covered by the \s-1IBM\s0 Public License Version 1.0.  It
was converted from \s-1HTML\s0 to \s-1POD\s0 by software written by Chas Williams and
Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.