An entry in the Protection Database is one of the two required components of every AFS user account, along with an entry in the Authentication Database. It is best to create a Protection Database user entry only in the context of creating a complete user account, by using the uss add or uss bulk command as described in Creating and Deleting User Accounts with the uss Command Suite, or the pts createuser command as described in Creating AFS User Accounts.
You can also use the pts createuser command to create Protection Database machine entries, which can then be used to control access based on the machine from which the access request originates. After creating a machine entry, add it to a Protection Database group and place the group on ACLs ( a machine cannot appear on ACLs directly). Because all replicas of a volume share the same ACL (the one on the volume's root directory mount point), you can replicate the volume that houses a program's binary file while still complying with a machine-based license agreement as required by the program's manufacturer. If you do not place any other entries on the ACL, then only users working on the designated machines can access the file.
Keep in mind that creating an ACL entry for a group with machine entries in it extends access to both authenticated and unauthenticated users working on the machine. However, you can deny access to unauthenticated users by omitting an entry for the system:anyuser group from the ACLs of the parent directories in the file's pathname. Conversely, if you want to enable unauthenticated users on the machine to access a file, then the ACL on every directory leading to it must include an entry for either the system:anyuser group or a group to which the machine entry belongs. For more information on the system:anyuser group, see The System Groups.
Because a machine entry can include unauthenticated users, it is best not to add both machine entries and user entries to the same group. In general, it is easier to use and administer nonmixed groups. A machine entry can represent a single machine, or multiple machines with consecutive IP addresses (that is, all machines on a network or subnet) specified by a wildcard notation. See the instructions in To create machine entries in the Protection Database.
By default, the Protection Server assigns the next available AFS UID to a new user or machine entry. It is best to allow
this, especially for machine entries. For user entries, it makes sense to assign an AFS UID only if the user already has a UNIX
UID that the AFS UID needs to match (see Assigning AFS and UNIX UIDs that Match). When
automatically allocating an AFS UID, the Protection Server increments the
max user id counter
by one and assigns the result to the new entry. Use the pts listmax command to display the
counter, as described in Displaying and Setting the AFS UID and GID Counters.
Do not reuse the AFS UIDs of users who have left your cell permanently or machine entries you have removed, even though doing so seems to avoid the apparent waste of IDs. When you remove a user or machine entry from the Protection Database, the fs listacl command displays the AFS UID associated with the former entry, rather than the name. If you then assign the AFS UID to a new user or machine, the new user or machine automatically inherits permissions that were granted to the previous possessor of the ID. To remove obsolete AFS UIDs from ACLs, use the fs cleanacl command described in Removing Obsolete AFS IDs from ACLs.
In addition to the name and AFS UID, the Protection Server records the following values in the indicated fields of a new user or machine's entry. For more information and instructions on displaying an entry, see To display a Protection Database entry.
It sets the
owner field to the system:administrators group, indicating that the group's members administer the entry.
It sets the
creator field to the username of the user who issued the pts createuser command (or the uss add or uss bulk command).
It sets the
membership field to 0 (zero), because
the new entry does not yet belong to any groups.
It sets the
flags field to S----; for explanation,
see Setting the Privacy Flags on Database Entries.
It sets the
group quota field to 20, meaning that
the new user can create 20 groups. This field has no meaning for machine entries. For further discussion, see Setting Group-Creation Quota.
Verify that you belong to the system:administrators group. If necessary, issue the pts membership command, which is fully described in To display the members of the system:administrators group.
% pts membership system:administrators
Issue the pts createuser command to create one or more machine entries.
% pts createuser -name <
Is an alias for createuser (and createu is the shortest acceptable abbreviation).
Specifies an IP address in dotted-decimal notation for each machine entry. An entry can represent a single machine or a set of several machines with consecutive IP addresses, using the wildcard notation described in the following list. The letters W, X, Y, and Z each represent an actual number value in the field:
W.X.Y.Z represents a single machine, for example 188.8.131.52.
W.X.Y.0 matches all machines whose IP addresses start with the first three numbers. For example, 184.108.40.206 matches both 220.127.116.11 and 18.104.22.168, but does not match 22.214.171.124.
W.X.0.0 matches all machines whose IP addresses start with the first two numbers. For example, the address 126.96.36.199 matches both 188.8.131.52 and 184.108.40.206, but does not match 220.127.116.11.
W.0.0.0 matches all machines whose IP addresses start with the first number in the specified address. For example, the address 192.0.0.0 matches both 18.104.22.168 and 22.214.171.124, but does not match 126.96.36.199.
Do not define a machine entry with the name 0.0.0.0 to match every machine. The system:anyuser group is equivalent.
The following example creates a machine entry that includes all of the machines in the 192.12 network.
% pts cu 188.8.131.52