registry man page on HP-UX


registry(1m)							  registry(1m)

NAME
       registry	 -  A dcecp object that manages a registry in the DCE Security
       Service

SYNOPSIS
       registry catalog [registry_replica_name] [-master]

       registry checkpoint registry_replica_name [-at hh:mm | -cpi {num | numm
       | numh}] [-now]

       registry connect cell_name -group local_group_name -org local_org_name
       -mypwd local_password -fgroup foreign_group_name -forg foreign_org_name
       -facct foreign_account_name -facctpwd foreign_account_password
       [-expdate account_expiration_date] [-acctvalid] [-facctvalid]

       registry delete registry_replica_name [-force]

       registry designate registry_replica_name [-slave | -master [-force]]

       registry destroy registry_replica_name

       registry disable [registry_replica_name]

       registry dump [registry_replica_name]

       registry enable [registry_replica_name]

       registry help [operation | -verbose]

       registry modify [registry_replica_name] {-change attribute_list |
       -attribute value | -key}

       registry operations

       registry replace registry_replica_name -address new_string_binding

       registry show [registry_replica_name] [-attributes | -policies |
       -master | -replica [-verbose]]

       registry stop registry_replica_name

       registry synchronize registry_replica_name

       registry verify [registry_replica_name]

ARGUMENTS
       cell_name
              The name of a cell to contact when processing the connect
              operation.  The name must be a fully qualified cell name, such
              as /.../cell_name.

       operation
              The name of the registry operation for which to display help
              information.

       registry_replica_name
              The name of one registry replica to act on.  The replica can be
              a master or a slave replica.  The argument, which overrides a
              value in the _s(sec) convenience variable, can be one of the
              following:

              o  A specific cell name to bind to any replica in the named
                 cell, such as /.: or /.../gumby1.

              o  The global name of a replica to bind to that specific replica
                 in that specific cell, such as
                 /.../gumby1/subsys/dce/sec/oddball.

              o  The name of a replica as it appears on the replica list to
                 bind to that replica in the local cell, such as
                 subsys/dce/sec/oddball.

              o  A string binding to a specific replica, such as
                 {ncadg_ip_udp 15.22.144.163}.  This form is used primarily
                 for debugging or if the Cell Directory Service (CDS) is not
                 available.

       For  those  operations for which registry_replica_name is optional, the
       value of _s(sec) is used if no argument is given. If  the  variable  is
       not set, the default argument of /.: is assumed.

DESCRIPTION
       The  registry  object  represents a DCE Security Service registry.  The
       registry is a replicated database: each instance of a registry  server,
       secd, maintains a working copy of the database in virtual memory and on
       disk.  One server, called the master replica, accepts updates and  han‐
       dles  the subsequent propagation of changes to all other replicas.  All
       other replicas are slave replicas, which	 accept	 only  queries.	  Each
       cell has one master replica and may have numerous slave replicas.

       Note  that  the registry command cannot add, delete, or modify informa‐
       tion in the registry database, such as names  and  accounts.   Use  the
       appropriate  account, principal, group, or organization command to mod‐
       ify registry database entries.

       Two access control lists (ACLs) control access to registry  operations.
       For operations dealing with replication, the replist object's ACL (usu‐
       ally /.:/sec/replist) controls access.  For those that deal  with  reg‐
       istry  attributes  and  policies,  the  policy  object's	 ACL  (usually
       /.:/sec/policy) controls access.

       When this command executes, it attempts to bind to the registry	server
       identified  in the _s(sec) variable.  If that server cannot process the
       request or if the _s(sec) variable is not set,  the  command  binds  to
       either an available slave server or the master registry server, depend‐
       ing on the operation.  Upon completion, the command  sets  the  _b(sec)
       convenience  variable  to  the  name of the registry server to which it
       bound.

ATTRIBUTES
       The registry object supports the following kinds of attributes:

       o  Registry attributes: These modifiable attributes apply to
          principals, groups, organizations, and accounts.  The initial values
          for some of these attributes must be specified when the master
          Security Server is configured.

       o  Registrywide policy attributes: These modifiable attributes apply
          to organizations and accounts.  The registrywide organization and
          account policy overrides the policy set for individual accounts only
          if the registrywide policy is more restrictive.

       o  Synchronization attributes: These read-only attributes are
          maintained by each replica about itself.  They cannot be directly
          modified.  These attributes have no default value, but are computed
          when the replica is configured.

       o  Replica-specific attributes: These read-only attributes are kept by
          the master replica for each slave replica.  They cannot be modified
          directly.  These attributes have no default value, but are computed
          or assigned when the replica is configured.

   Registry Attributes
       The default lifetime for tickets issued to principals in this cell's
       registry.  Specify the relative time by using the Distributed Time
       Service (DTS) relative time format ([-]DD-hh:mm:ss).  The default is
       +0-10:00:00.000

       Determines whether encrypted passwords are displayed.  If this
       attribute is set to yes, an asterisk is displayed in place of the
       encrypted password in command output and files where passwords are
       displayed.  The value is either yes or no.  The default is yes.

       The highest number that can be supplied as a user identifier (uid) when
       principals are created.  This maximum applies to both the
       system-generated and user-entered uids.  The value is an integer; the
       initial value depends on the configuration of your system.

       The starting point for group identifiers (gids) automatically generated
       when a group is created.  You can explicitly enter a lower gid than
       this number; it applies only to automatically generated numbers.  The
       value is an integer; the initial value depends on the configuration of
       your system.

       The starting point for organization identifiers (orgids) automatically
       generated when an organization is created.  This starting point applies
       only to automatically generated identifiers.  You can manually specify
       an identifier lower than the minorgid.  The value is an integer; the
       initial value depends on the configuration of your system.

       The minimum amount of time before the principal's ticket must be
       renewed.  The value is in DTS relative time format (see deftktlife).
       This renewal is performed automatically with no intervention on the
       part of the user.  The shorter this time is, the greater the security
       of the system.  However, extremely frequent renewal can degrade system
       performance.  Both system performance and the level of security
       required by the cell should be taken into consideration when selecting
       the value of this attribute.  This is a registrywide value only; it
       cannot be set for individual accounts.  The default is +0-00:05:00.000

       The starting point for uids automatically generated when a principal is
       created.  This starting point applies only to automatically generated
       identifiers.  You can manually specify an identifier lower than the
       minuid.  The value is an integer; the initial value depends on the
       configuration of your system.

       The version of the security server software.  The initial value depends
       on the configuration of your system.

   Registrywide Policy Attributes
       This registrywide organization policy defines the lifespan of accounts.
       Specify the time by using the DTS relative time format ([-]DD-hh:mm:ss)
       or the string unlimited to define an unlimited lifespan for accounts.
       The default is unlimited.

       This registrywide account policy defines the maximum amount of time
       that a ticket can be valid.  Specify the relative time by using the DTS
       relative time format ([-]DD-hh:mm:ss).  When a client requests a ticket
       to a server, the lifetime granted to the ticket takes into account the
       maxtktlife set for both the server and the client.  In other words, the
       lifetime cannot exceed the shorter of the server's or client's
       maxtktlife.  If you do not specify a maxtktlife for an account, the
       maxtktlife defined as registry authorization policy is used.  The
       default is +1-00:00:00.000

       This registrywide account policy defines the amount of time before a
       principal's ticket-granting ticket expires and that principal must log
       in again to the system to reauthenticate and obtain another
       ticket-granting ticket.  Specify the time by using the DTS relative
       time format ([-]DD-hh:mm:ss).  The lifetime of the principal's service
       tickets can never exceed the lifetime of the principal's
       ticket-granting ticket.  The shorter you make ticket lifetimes, the
       greater the security of the system.  However, since principals must log
       in again to renew their ticket-granting ticket, the time specified
       needs to balance user convenience against the level of security
       required.  If you do not specify this attribute for an account, the
       maxtktrenew lifetime defined as registry authorization policy is used.
       The default is +28-00:00:00.000 This feature is not currently used by
       DCE; any use of this option is unsupported at the present time.

       This registrywide organization policy defines whether passwords can
       consist entirely of alphanumeric characters.  Its value is either yes
       or no.  The default is yes.

       This registrywide organization policy defines a date on which a
       password expires.  The date is entered as an internationalized date
       string or the string none, in which case there is no expiration date
       for the password.  The default is none.

       This registrywide organization policy defines the lifespan of
       passwords.  Specify the time by using the DTS relative time format
       ([-]DD-hh:mm:ss) or the string unlimited.  The default is unlimited.

       This registrywide organization policy defines the minimum number of
       characters in a password.  Its value is a positive integer or the
       integer 0, which means there is no minimum length.  The default is 0.

       This registrywide organization policy defines whether passwords can
       consist entirely of spaces.  Its value is either yes or no.  The
       default is no.

   Synchronization Attributes
       The name of the replica.  It is in the form of a fully qualified CDS
       name.

       Indicates if the replica is a master or a slave.

       The name of the cell that the replica is in.  It is a fully qualified
       cell name.

       The Universal Unique Identifier (UUID) of the replica.

       The state of the replica.  One of the following:

       o  The replica is in the process of becoming a master.

       o  The replica is a master in the process of becoming a slave.

       o  The replica is in the process of having its master key changed.

       o  The replica is in the process of stopping.

       o  The replica is in the process of initializing (copying its database
          to) another replica.

       o  The replica is in the process of deleting itself.

       o  The replica is unavailable for updates, but will accept queries.

       o  Two masters have been found in the cell, and the replica is a
          duplicate of the real master.

       o  The replica is available for use.

       o  The replica is in the process of being initialized by the master
          replica or another up-to-date replica.

       o  The replica is in the process of saving its database to disk.

       o  The replica cannot be reached.

       o  The database is a stub database that has not been initialized by
          the master replica or another up-to-date replica.

       o  The replica is not known to the master.

       The localized date and time that the master received the replica's last
       update.

       The sequence number of the last update the replica received.  A
       sequence number consists of two 32-bit integers separated by a dot
       (high.low).  The high integer increments when the low integer wraps.
       An example of this attribute is {lastupdseq 0.178}.

       A list of the network addresses of the replica.  There can be more than
       one for connectionless and connection-oriented protocols.

       The network address of the master replica as determined by the replica.
       The address is not necessarily correct.  More than one address may
       exist, for connectionless and connection-oriented protocols for
       example.

       The master sequence number, which is the sequence number of the event
       that made the replica the master as determined by the replica.  The
       number is not necessarily correct.  A sequence number consists of two
       32-bit integers separated by a dot (high.low).  The high integer
       increments when the low integer wraps.  An example of this attribute is
       {masterseqnum 0.100}.

       The UUID of the master replica as determined by the replica.  This UUID
       is not necessarily correct.  The value is a UUID.

       DCE registry version supported by the security service.  Possible
       values at DCE Version 1.1 are secd.dce.1.0.2 (for DCE Version 1.0.2 and
       DCE version 1.0.3) and secd.dce.1.1.  Both versions may be supported
       (that is, by a DCE Version 1.1 security server running in a cell with
       DCE version 1.0.3 replicas).

       A list of two update sequence numbers that are still in the propagation
       queue and have yet to be propagated.  The first number is the base
       propagation sequence number (the last number known to have been
       received by all replicas).  The second number is the sequence number of
       the last update made on the master.  This attribute is present only in
       the master replica.  The sequence numbers consist of two 32-bit
       integers separated by a dot (high.low).  The high integer increments
       when the low integer wraps.  An example of this attribute is
       {updseqqueue {0.100 0.178}}.

   Replica-Specific Attributes
       The name of the replica.  It is in the form of a fully qualified CDS
       name.

       The UUID of the replica.

       Indicates if the replica is a master or a slave.

       A list of the network addresses of the replica.  More than one address
       may exist for connectionless and connection-oriented protocols.

       The status of the propagation.  Possible values are as follows:

       o  The replica is marked for deletion.

       o  The replica is marked for initialization.

       o  The replica is in the process of initialization, that is, getting
          an up-to-date copy of the registry.

       o  The replica is ready to receive propagation updates.

       The localized time of the last update sent to the replica.  This
       information is meaningful only if propstatus is update.

       The sequence number of the last update sent to this replica.  A
       sequence number consists of two 32-bit integers separated by a dot
       (high.low).  The high integer increments when the low integer wraps.
       An example of this attribute is {lastupdseqsent 0.175}.  This
       information is meaningful only if propstatus is update.

       The number of outstanding updates.  The value is an integer.  This
       information is meaningful only if propstatus is update.

       The state of the last communication with the replica.

       The status message of the last communication with the replica.

       See the OSF DCE Administration Guide for more information about
       attributes, policies, and synchronizations.

OPERATIONS
   registry catalog
       Returns a list of the names of the security servers running in the
       cell.  The syntax is as follows:

       registry catalog [registry_replica_name] [-master]

       Option

       -master
              Returns only the master security server name.

       The catalog operation returns a list of the names of the security
       servers (that is, each copy of the registry) running in the cell.  This
       is also known as the replica list.  The order of elements returned is
       arbitrary.  The optional registry_replica_name argument can specify the
       name of one other cell or a single string binding.  If you specify the
       -master option, the operation returns only the name of the master.

       This  operation sets the _b(sec) variable to the name of the replica to
       which it binds.

       Privileges Required

       No special privileges are needed to use the registry catalog command.

       Examples

       dcecp> registry catalog
       /.../dcecp.cell.osf.org/subsys/dce/sec/snow
       /.../dcecp.cell.osf.org/subsys/dce/sec/ice
       dcecp>

   registry checkpoint
       Specifies when registry checkpoints should be performed.  The syntax is
       as follows:

       registry checkpoint registry_replica_name [-at hh:mm | -cpi {num | numm
       | numh}] [-now]

       Options

       -at hh:mm
              Specifies the hours and minutes of the day (in UTC time) to
              perform the checkpoint.

       -cpi {num | numm | numh}
              Specifies an interval at which to perform checkpoints.

       -now
              Specifies an immediate checkpoint.  This is the default.

       The checkpoint operation lets you set the times when the registry data‐
       base  should be saved to disk (checkpointed).  You must supply the name
       of a replica for the operation to bind to.

       If you use the -at option, the checkpoint is performed at the specified
       time.   The  time is in UTC format.  For example, to specify 3:30 p.m.,
       the entry is 15:30.   The  checkpoint  interval	then  reverts  to  the
       default or to the interval specified by the -cpi option.

       If you use the -cpi option, the checkpoint is performed at the interval
       you specify until you specify another interval.  This option takes an
       argument that specifies the interval time as seconds, minutes, or
       hours:

       o  To specify seconds, supply only a number.  For example, -cpi 101
          specifies an interval of 101 seconds.

       o  To specify minutes, enter the number and m.  For example, -cpi 101m
          specifies an interval of 101 minutes.

       o  To specify hours, enter the number and h.  For example, -cpi 101h
          specifies an interval of 101 hours.

       If you use the -now option, a checkpoint is performed immediately.  The
       checkpoint  interval  then  reverts  to	the default or to the interval
       specified by the -cpi option.  This operation returns an	 empty	string
       on  success  and	 sets  the _b(sec) variable to the replica to which it
       binds.

       Privileges Required

       You must have ad (auth_info, delete) permission to the replist object.

       Examples

       dcecp> registry checkpoint /.../gumby_cell/subsys/dce/sec/oddball -at 05:30
       dcecp>

   registry connect
       Connects the local (that is, default) cell of the local host to the
       foreign cell specified by the argument.  The syntax is as follows:

       registry connect cell_name -group local_group_name -org local_org_name
       -mypwd local_password -fgroup foreign_group_name -forg foreign_org_name
       -facct foreign_account_name -facctpwd foreign_account_password
       [-expdate account_expiration_date] [-acctvalid] [-facctvalid]

       Options

       -group local_group_name
              Specifies the group for the local account.

       -org local_org_name
              Specifies the organization for the local account.

       -mypwd local_password
              Specifies the password for the administrator in the local cell.

       -fgroup foreign_group_name
              Specifies the group for the foreign account.

       -forg foreign_org_name
              Specifies the organization for the foreign account.

       -facct foreign_account_name
              Specifies the name for the foreign account.

       -facctpwd foreign_account_password
              Specifies the password for the administrator in the foreign
              cell.

       -expdate account_expiration_date
              Sets an expiration date for both local and foreign accounts.

       -acctvalid
              Marks the local account as a valid account.  A valid local
              account allows users from the foreign cell to log in to nodes in
              the local cell.  The default is invalid.

       -facctvalid
              Marks the foreign account as a valid account.  A valid foreign
              account allows users from the local cell to log in to nodes in
              the foreign cell.  The default is invalid.

       The  connect  operation	creates	 an  account in the local cell for the
       specified   foreign   cell    (/.:/local_cell/sec/principal/krbtgt/for‐
       eign_account)  and  also creates an account in the foreign cell for the
       local cell (/.:/foreign_cell/sec/principal/krbtgt/local_account).  Both
       accounts	 have  the same key.  The argument must be the fully qualified
       name of a single cell.  It cannot be a list or a string binding.

       The -group, -org, -mypwd, and -acctvalid	 options  supply  the  account
       information for the local cell.	The -fgroup, -forg, -facct, -facctpwd,
       and -facctvalid options supply the account information for the  foreign
       cell.

       This  operation	creates	 the  group and organization, specified as the
       values of the relevant options, if necessary,  and  puts	 the  relevant
       principal in them, if necessary.

       If  the operation fails, it removes any organizations or groups that it
       has created and removes the relevant principals.	 To protect the	 pass‐
       word  being  entered,  the registry connect command can be entered only
       from within dcecp.  You cannot  enter  it  from	the  operating	system
       prompt by using dcecp with the -c option.

       If you do not use the -acctvalid and -facctvalid options, you must mark
       the accounts as valid (using the dcecp account command)	before	inter‐
       cell access is allowed.	This operation returns an empty string on suc‐
       cess.

       Privileges Required

       You must have a (auth_info) permission to the replist  object  and  the
       permissions  required  to create principals, groups, organizations, and
       accounts in the local and foreign cells.

       Examples

       dcecp> getcellname
       /.../my_cell.com
       dcecp>

       dcecp> registry connect /.../your_cell.com -group none -org none \
       > -mypwd -dce- -fgroup none -forg none -facct cell_admin -facctpwd -dce-
       dcecp>

   registry delete
       Deletes a registry replica from the cell.  The syntax is as follows:

       registry delete registry_replica_name [-force]

       Option

       -force
              Used when the target replica is not available.  The -force
              option removes the replica name from the master replica's
              replica list and propagates the deletion to other replicas that
              remain on the list.

       The registry delete operation, when called with no options, performs an
       orderly deletion of a security replica specified as the
       registry_replica_name argument.  To do so, the operation binds to the
       master replica.  The master replica then performs the following tasks:

       o  Marks the specified replica as deleted.

       o  Propagates this deletion to the other replicas on its replica list.

       o  Delivers the delete request to the specified replica.

       o  Removes the replica from its replica list.

       Note that the dcecp command returns before the deletion is complete
       because it simply tells the master to perform the delete procedure.

       The -force option causes a more drastic deletion.  It causes the master
       to first delete the specified replica from its replica  list  and  then
       propagate  the deletion to the replicas that remain on its list.	 Since
       this operation never communicates with the deleted replica, you	should
       use  -force only when the replica has died and cannot be restarted.  If
       you use -force while the specified replica is still running, you should
       then use the registry destroy command to eliminate the deleted replica.

       This  operation returns an empty string on success and sets the _b(sec)
       variable to the master.

       Privileges Required

       You must have d (delete) permission to the replist object.

       Examples

       dcecp> registry delete /.:/subsys/dce/sec/oddball
       dcecp>

   registry designate
       Changes which replica is the master.  The syntax is as follows:

       registry designate registry_replica_name [-slave | -master [-force]]

       Options

       -slave
              Makes the specified replica a slave.  The registry_replica_name
              argument must identify the master replica.

       -master
              Makes the specified replica the master.  The
              registry_replica_name argument must identify a slave replica.

       -force
              Forces registry_replica_name to become the master, even if other
              slave replicas are more up to date.  Used only with the -master
              option.

       The preferred method of creating a new master is to use this command
       with no options in this form:

       registry designate registry_replica_name

       This command changes the slave replica named in registry_replica_name
       to the master by performing an orderly transition.  To do so, it binds
       to the current master and instructs the master to:

       o  Apply all updates to the replica named in registry_replica_name.

       o  Become a slave.

       o  Tell the replica named in registry_replica_name to become the
          master.

       The -slave or -master options can also be used to change the master to
       a slave and a slave to a master.  However, using these options is not
       recommended because updates can be lost.  You should use them only if
       the master replica is irrevocably damaged and is unable to perform the
       steps in the orderly transition.  To use these options, enter the
       command as shown in the following list:

       o  To make the master a slave:

          registry designate registry_replica_name -slave

          The registry_replica_name is the name of the master replica to make
          a slave.

       o  To make a slave the master:

          registry designate registry_replica_name -master

          The registry_replica_name is the name of a slave to make a master.
          If a master exists, the command fails.  Also, if there are more
          up-to-date slaves than the one specified by registry_replica_name,
          the command fails unless you specify -force to override this default
          action.

       Using the -force option will cause the re-initialization of  all	 other
       security replicas in the cell, regardless of whether the other security
       replicas are more up-to-date than the security replica being designated
       as the new master.

       This operation returns an empty string on success and sets the _b(sec)
       variable as follows:

       o  If called with the -force or -master option, it sets _b(sec) to the
          replica to which it binds.

       o  If called with no options, it sets _b(sec) to the master.

       Privileges Required

       You must have a (auth_info) permission to the replist object.

       Examples

       dcecp> registry designate /.../my_cell/subsys/dce/sec/oddball
       dcecp>

   registry destroy
       Deletes a registry replica.  The syntax is as follows:

       registry destroy registry_replica_name

       The destroy operation causes the replica named in registry_replica_name
       to delete its copy of the registry database and to stop running.

       The preferred way to delete replicas is to use  the  delete  operation.
       However,	 the  destroy  operation  can  be  used	 if delete is unusable
       because the master is unreachable or the replica is not on the master's
       replica list.

       This  operation returns an empty string on success and sets the _b(sec)
       variable to the replica to which it binds.

       Privileges Required

       You must have d (delete) permission to the replist object.

       Examples

       dcecp> registry destroy /.:/subsys/dce/sec/oddball
       dcecp>

   registry disable
       Disables the master registry for updates.  The syntax is as follows:

       registry disable [registry_replica_name]

       The  disable  operation disables the master registry for updates.  Gen‐
       erally, use this mode for maintenance purposes.	The argument is a sin‐
       gle name of a master registry to be disabled.  If no argument is given,
       the operation uses the name in the _s(sec)  convenience	variable.   If
       the  _s(sec)  variable is not set, the operation defaults to the master
       in the local cell.

       This operation returns an empty string on success and sets  _b(sec)  to
       the name of the replica to which it binds.

       Privileges Required

       You must have A (admin) permission to the replist object.

       Examples

       dcecp> registry disable /.../my_cell.goodcompany.com/subsys/dce/sec/snow
       dcecp>

   registry dump
       Returns the replica information for each replica in the cell.  The
       syntax is as follows:

       registry dump [registry_replica_name]

       The  dump operation returns the replica information for each replica in
       the cell.  Replicas are displayed with a blank line between them.

       The registry dump command is the same as the following script:

       foreach i [registry catalog] {
           lappend r [registry show $i -replica]
           append r "\n"    ;# blank line between replicas
       }
       return $r

       This  operation sets the _b(sec) variable to the last replica listed in
       the display.

       Privileges Required

       You must have A (admin) permission to the replist object.

       Examples

       dcecp> registry dump
       {name /.../dcecp.cell.osf.org/subsys/dce/sec/snow}
       {type master}
       {cell /.../dcecp.cell.osf.org}
       {uuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
       {status enabled}
       {lastupdtime 1994-10-13-14:44:48.000-04:00I-----}
       {lastupdseq 0.271}
       {addresses
        {ncacn_ip_tcp 130.105.5.121}
        {ncadg_ip_udp 130.105.5.121}}
       {masteraddrs
        {ncacn_ip_tcp 130.105.5.121}
        {ncadg_ip_udp 130.105.5.121}}
       {masterseqnum 0.100}
       {masteruuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
       {version secd.dce.1.1}
       {updseqqueue {0.204 0.271}}

       {name /.../dcecp.cell.osf.org/subsys/dce/sec/ice}
       {type slave}
       {cell /.../dcecp.cell.osf.org}
       {uuid c772f46a-e1ec-11cd-9a16-0000c0239a70}
       {status enabled}
       {lastupdtime 1994-10-13-14:44:48.000-04:00I-----}
       {lastupdseq 0.271}
       {addresses
        {ncacn_ip_tcp 130.105.5.45}
        {ncacn_ip_tcp 130.105.5.45}
        {ncadg_ip_udp 130.105.5.45}}
       {masteraddrs
        {ncacn_ip_tcp 130.105.5.121}
        {ncadg_ip_udp 130.105.5.121}}
       {masterseqnum 0.100}
       {masteruuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
       {version secd.dce.1.1}
       dcecp>
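
       The following is an added example, not part of the original man page:
       a Python sketch that audits saved registry dump output by comparing
       each replica's lastupdseq with the second number in the master's
       updseqqueue and by checking that every replica's masteruuid matches
       the master's uuid.  The function names and the sample text are
       assumptions; the sample is constructed from the example above, with
       the slave's values altered.

```python
import re

# Constructed sample in the layout of the dump example above. The slave's
# lastupdseq and masteruuid are altered so that both checks report something.
SAMPLE_DUMP = """\
{name /.../dcecp.cell.osf.org/subsys/dce/sec/snow}
{type master}
{uuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
{status enabled}
{lastupdseq 0.271}
{addresses
 {ncacn_ip_tcp 130.105.5.121}
 {ncadg_ip_udp 130.105.5.121}}
{masteruuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
{updseqqueue {0.204 0.271}}

{name /.../dcecp.cell.osf.org/subsys/dce/sec/ice}
{type slave}
{uuid c772f46a-e1ec-11cd-9a16-0000c0239a70}
{status enabled}
{lastupdseq 0.260}
{masteruuid 00000000-0000-0000-0000-000000000000}
"""


def parse_tcl_list(text):
    """Split a Tcl-style list into items; braced items become nested lists."""
    items, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch.isspace():
            i += 1
        elif ch == "{":
            depth, j = 1, i + 1
            while j < n and depth:
                depth += {"{": 1, "}": -1}.get(text[j], 0)
                j += 1
            if depth:
                raise ValueError("unbalanced '{' in dump output")
            items.append(parse_tcl_list(text[i + 1:j - 1]))
            i = j
        elif ch == "}":
            raise ValueError("unbalanced '}' in dump output")
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{}":
                j += 1
            items.append(text[i:j])
            i = j
    return items


def parse_dump(text):
    """Return one attribute dict per replica (replicas are blank-line separated)."""
    replicas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for item in parse_tcl_list(block):
            if isinstance(item, list) and item:
                key, rest = item[0], item[1:]
                attrs[key] = rest[0] if len(rest) == 1 else rest
        replicas.append(attrs)
    return replicas


def seq_to_int(seq):
    """Convert a high.low sequence number (two 32-bit integers) to one integer."""
    high, low = (int(part) for part in seq.split("."))
    if not (0 <= high < 2**32 and 0 <= low < 2**32):
        raise ValueError(f"sequence number out of range: {seq}")
    return (high << 32) | low


def audit(dump_text):
    """Return (replica name, finding) pairs for lagging or disagreeing replicas."""
    replicas = parse_dump(dump_text)
    masters = [r for r in replicas if r.get("type") == "master"]
    if len(masters) != 1:
        return [("cell", f"expected exactly one master, found {len(masters)}")]
    master = masters[0]
    # updseqqueue is {base last}; "last" is the last update made on the master.
    head = seq_to_int(master["updseqqueue"][1])
    findings = []
    for r in replicas:
        if r.get("masteruuid") != master["uuid"]:
            findings.append((r["name"], "masteruuid disagrees with the master's uuid"))
        gap = head - seq_to_int(r["lastupdseq"])
        if gap > 0:
            findings.append(
                (r["name"], f"lastupdseq is {gap} behind the master's last update"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_DUMP):
        print(f"{name}: {finding}")
```

       The gap is a difference of sequence numbers, so treat it as an
       indication of how far a replica trails rather than an exact count of
       queued updates.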

   registry enable
       Enables	the  master  registry  for updates.  The syntax is as follows:
       registry enable [registry_replica_name]

       The enable operation enables the	 master	 registry  for	updates.   The
       argument	 is  a	single name of a master registry to be enabled.	 If no
       argument is given, the operation uses the name in  the  _s(sec)	conve‐
       nience  variable.   If  the  _s(sec) variable is not set, the operation
       defaults to the master in the local cell.

       This operation returns an empty string on success and sets the  _b(sec)
       variable to the replica to which it binds.

       Privileges Required

       You must have A (admin) permission to the replist object.

       Examples

       dcecp> registry enable /.../my_cell.goodcompany.com/subsys/dce/sec/snow
       dcecp>

   registry help
       Returns help information about the registry object and its  operations.
       The syntax is as follows: registry help [operation | -verbose]

       Options

       -verbose
              Displays information about the registry object.

       Used  without  an argument or option, the registry help command returns
       brief information about each registry operation.	 The  optional	opera‐
       tion argument is the name of an operation about which you want detailed
       information.  Alternatively, you can use the -verbose option  for  more
       detailed information about the registry object itself.

       Privileges Required

       No special privileges are needed to use the registry help command.

       Examples

       dcecp> registry help
       catalog        Returns a list of all replicas running in the cell.
       checkpoint     Resets registry checkpoint interval dynamically.
       connect        Creates local and foreign cross-cell authenticated accounts.
       delete         Deletes a replica and removes from master replica list.
       designate      Changes which replica is the master.
       destroy        Destroys the specified replica and its registry database.
       disable        Disables the specified master registry for updates.
       dump           Returns replica information for each replica in the cell.
       enable         Enables the specified master registry for updates.
       modify         Modifies the master registry or replica.
       replace        Replaces replica information on master replica list.
       show           Returns attributes of the registry and its replicas.
       stop           Stops the specified security server process.
       synchronize    Reinitializes replica with up-to-date copy of the registry.
       verify         Returns a list of replicas not up-to-date with the master.
       help           Prints a summary of command-line options.
       operations     Returns a list of the valid operations for this command.
       dcecp>

   registry modify
       Changes attributes of the registry.  The syntax is as follows: registry
       modify  [registry_replica_name]	{-change  attribute_list  | -attribute
       value | -key}

       Options

       -attribute value
              As an alternative to using the -change option with an attribute
              list, you can specify individual attribute options by prepending
              a hyphen (-) to any attributes listed in the ATTRIBUTES section
              of this reference page.

       -change attribute_list
              Allows you to modify attributes by using an attribute list
              rather than individual attribute options.  The format of an
              attribute list is as follows:

              {{attribute value}...{attribute value}}

              The -change option cannot be used with the -key option.

       -key   Generates a new master key for the replicas listed as the
              argument.  Cannot be used with the -change option.

       The  modify operation changes attributes of the registry.  The argument
       is required for the -key option but optional for all other options.  If
       an  argument  is	 not supplied and the _s(sec) variable is not set, the
       operation defaults to the master in the	local  cell.   This  operation
       returns an empty string on success.

       Use  the	 -change option to modify the value of any one of the standard
       registry attributes.

       The operation also accepts the -key option to generate a new master key
       for  a  single replica named in the argument and to reencrypt that reg‐
       istry's account keys using the new master key.  The new master  key  is
       randomly generated.  Each replica (master and slaves) maintains its own
       master key, which is used to access the data in its copy of  the	 data‐
       base.   If  you	use  the  -key	option,	 you  must  specify  the  reg‐
       istry_replica_name argument.

       The -change option and the -key option cannot be used together.

       This operation sets the _b(sec) variable to the	replica	 to  which  it
       binds.

       Privileges Required

       You must have A (admin) permission to the replist object.

       Examples

       dcecp> registry modify -version secd.dce.1.1
       dcecp>

       dcecp> registry modify -change {deftktlife +0-08:00:00.000I-----}
       dcecp>

   registry operations
       Returns a list of the operations supported by the registry object.  The
       syntax is as follows: registry operations

       The  list  of  available operations is in alphabetical order except for
       help and operations, which are listed last.

       Privileges Required

       No special privileges are needed to use the  registry  operations  com‐
       mand.

       Examples

       dcecp> registry operations
       catalog checkpoint connect delete designate destroy disable dump enable
       modify replace show stop synchronize verify help operations
       dcecp>

   registry replace
       Replaces	 the  network address of a replica.  The syntax is as follows:
       registry replace registry_replica_name -address new_string_binding

       Options

       -address new_string_binding
              The new address for the replica in RPC string-binding format
              (without the object UUID).  The string binding contains an RPC
              protocol and a network address in the form:

              rpc_prot_seq:network_addr

       The replace operation replaces the network  address  of	the  specified
       replica.	  The  new address is used by the master and other replicas to
       contact the replica.  This operation binds  to  the  master,  sets  the
       _b(sec) variable to the master, and returns an empty string on success.

       Privileges Required

       You must have m (mgmt_info) permission to the replist object.

       Examples

       dcecp> registry replace /.:/subsys/dce/sec/oddball -address ncadg_ip_udp:15.22.4.93
       dcecp>

   registry show
       Returns information about the registry and its replicas.  The syntax is
       as follows:

       registry show [registry_replica_name] [-attributes | -policies |
       -master | -replica [-verbose]]

       Options

       -attributes
              Returns an attribute list of the registrywide attributes.

       -policies
              Returns only the registrywide policies.

       -master
              Returns the synchronization information the master keeps for
              each slave.

       -replica
              Returns the synchronization information for the specified
              replica.

       -verbose
              Returns the synchronization information kept by the replica.

       The show operation returns  information	about  the  registry  and  its
       replicas.   An optional registry_replica_name argument specifies a sin‐
       gle registry replica to contact.	 The operation returns	a  variety  of
       different information based on the option given.

       If called with no options or with the -attributes option, the operation
       returns an attribute list of all the registrywide attributes.

       If called with the -policies option, the operation returns an attribute
       list of all the registrywide policies.

       If called with the -master option, the operation returns the
       propagation information that is kept by the master for each slave.  If
       you specify this option and the optional registry_replica_name
       argument, registry_replica_name must specify the name of the master or
       the local cell name.

       If  called with the -replica option, the operation returns the propaga‐
       tion information that is kept by the specified replica.	Use the	 -ver‐
       bose  option along with the -replica option to return the full propaga‐
       tion information that is kept by the replica.

       This operation sets the _b(sec) variable to the	replica	 to  which  it
       binds.

       Privileges Required

       You must have A (admin) permission to the replist object.

       Examples

       dcecp> registry show -attributes
       {mingid 31000}
       {minorgid 100}
       {minuid 30000}
       {maxuid 32767}
       {version secd.dce.1.0.2}
       dcecp>

       dcecp> registry show -policies
       {deftktlife +0-10:00:00.000I-----}
       {mintktlife +0-00:05:00.000I-----}
       {hidepwd yes}
       dcecp>

       dcecp> registry show /.../absolut_cell/subsys/dce/sec/ice -replica
       {name /.../absolut_cell/subsys/dce/sec/ice}
       {type slave}
       {cell /.../absolut_cell}
       {uuid 91259b6c-9415-11cd-a7b5-080009251352}
       {status enabled}
       {lastupdtime 1994-07-05-14:38:15.000-04:00I-----}
       {lastupdseq 0.191}
       {addresses
        {ncacn_ip_tcp 130.105.5.93}
        {ncadg_ip_udp 130.105.5.93}}
       {masteraddrs
        {ncacn_ip_tcp 130.105.5.93}
        {ncadg_ip_udp 130.105.5.93}}
       {masterseqnum 0.100}
       {masteruuid 91259b6c-9415-11cd-a7b5-080009251352}
       {supportedversions secd.dce.1.0.2}
       {updseqqueue {0.187 0.191}}
       dcecp>

       dcecp> registry show /.../dcecp.cell.osf.org/subsys/dce/sec/snow -master
       {name /.../dcecp.cell.osf.org/subsys/dce/sec/snow}
       {uuid 91259b6c-9415-11cd-a7b5-080009251352}
       {type master}
       {addresses
        {ncacn_ip_tcp 130.105.5.93}
        {ncadg_ip_udp 130.105.5.93}}

       {name /.../dcecp.cell.osf.org/subsys/dce/sec/ice}
       {uuid 91259b6c-9415-11cd-a7b5-080009251352}
       {type slave}
       {addresses
        {ncacn_ip_tcp 130.105.5.93}
        {ncadg_ip_udp 130.105.5.93}}
       {propstatus update}
       {lastupdtime 1994-10-13-14:58:28.000-04:00I-----}
       {lastupdseqsent 0.528}
       {numupdtogo 0}
       {commstate ok}
       {lastcommstatus {successful completion}}
       dcecp>
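
       The following is an added example, not part of the vendor reference
       page: a Python parser for captured registry show -master output that
       lists slaves the master reports as behind.  The names SAMPLE, WANT,
       tcl_items, records and lagging_slaves are hypothetical, the sample is
       constructed, and treating any numupdtogo other than 0 or any commstate
       other than ok as "behind" is an assumption taken from the values shown
       in the example output above.

```python
# Constructed sample shaped like "registry show <master> -master" output;
# cell name, addresses, counters and the non-"ok" commstate are placeholders.
SAMPLE = """\
{name /.../example_cell/subsys/dce/sec/snow} {type master} {addresses
 {ncacn_ip_tcp 192.0.2.10}}

{name /.../example_cell/subsys/dce/sec/ice} {type slave} {propstatus update}
{numupdtogo 0} {commstate ok} {lastcommstatus {successful completion}}

{name /.../example_cell/subsys/dce/sec/oddball} {type slave} {propstatus update}
{numupdtogo 12} {commstate PLACEHOLDER_NOT_OK}
"""
WANT = {"numupdtogo": "0", "commstate": "ok"}  # assumption: a current slave

def tcl_items(text):
    """Split a Tcl list into its top-level elements, honoring nested braces."""
    items, cur, depth = [], [], 0
    for ch in text:
        if ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced close brace")
        if depth > 0 or not (ch in "{}" or ch.isspace()):
            cur.append(ch)          # inside braces, or part of a bare word
        elif cur or ch == "}":
            items.append("".join(cur))
            cur = []
        if ch == "{":
            depth += 1
    if depth:
        raise ValueError("unbalanced open brace")  # e.g. a truncated capture
    return items + (["".join(cur)] if cur else [])

def records(output):
    recs = []  # one dict per replica; each record starts at its {name ...} pair
    for item in filter(str.strip, tcl_items(output)):
        key, *rest = item.split(None, 1)
        if key == "name" or not recs:
            recs.append({})
        recs[-1][key] = rest[0].strip() if rest else ""
    return recs

def lagging_slaves(output):
    """Return (name, reasons) for each slave that differs from WANT."""
    findings = []
    for rec in records(output):
        reasons = [f"{k}={rec.get(k)}" for k, v in WANT.items() if rec.get(k) != v]
        if rec.get("type") == "slave" and reasons:
            findings.append((rec.get("name"), reasons))
    return findings
```

       Because records are split at each {name ...} pair rather than at line
       breaks, the parser accepts the output whether dcecp prints one pair per
       line or wraps several onto one line.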

   registry stop
       Stops the specified security server process.  The syntax is as follows:
       registry stop registry_replica_name

       The stop operation stops the security server specified in the argument.
       The registry_replica_name argument is required and must explicitly name
       one  replica.   (A cell name is not valid because more than one replica
       can operate in a cell.) This operation returns an empty string on  suc‐
       cess and sets the _b(sec) variable to the replica to which it binds.

       Privileges Required

       You must have A (admin) permission to the replist object.

       Examples

       dcecp> registry stop /.:/subsys/dce/sec/snow
       dcecp>

   registry synchronize
       Causes  the specified replica to reinitialize itself with an up-to-date
       copy of the database.  The syntax is as follows:	 registry  synchronize
       registry_replica_name

       The  synchronize operation reinitializes a slave replica with an up-to-
       date copy of the database.  registry_replica_name is the	 name  of  the
       slave replica to operate on.

       This operation binds to the master and tells the master to:

       *  Mark the specified replica named in registry_replica_name for
          reinitialization.

       *  Send a message to the replica informing it to reinitialize itself.

       *  Give the replica a list of other replicas with up-to-date copies of
          the registry.

       The replica to be initialized then selects a replica from the list pro‐
       vided by the master and asks for a copy of the database.	 Note that the
       dcecp command returns before the synchronization is complete because it
       simply tells the master to perform the synchronize procedure.

       Normally, you do not need  to  use  the	registry  synchronize  command
       because	registries  remain synchronized automatically.	This operation
       returns an empty string on success.

       This operation sets the _b(sec) variable to the	master	in  the	 local
       cell.

       Privileges Required

       You must have A (admin) permission to the replist object.

       Examples

       dcecp> registry synchronize /.:/subsys/dce/sec/oddball
       dcecp>

   registry verify
       Checks  whether all registry replicas are up to date.  The syntax is as
       follows: registry verify [registry_replica_name]

       Checks whether all registry replicas are up to date.  If they  are,  it
       returns an empty string.

       This  operation	sets the _b(sec) variable to the last replica to which
       it binds.

       Privileges Required

       You must have a (auth_info) permission to the replist object.

       Examples

       If the replicas are up to date, the command returns an empty string, as
       in the following:

       dcecp> registry verify
       dcecp>

       If a replica is not up to date, the command returns the fully qualified
       replica name, as in the following:

       dcecp> registry verify
       /.../cell/subsys/dce/sec/oddball
       dcecp>

RELATED INFORMATION
       Commands: dcecp(1m), dcecp_group(1m), dcecp_organization(1m),
       dcecp_principal(1m), secd(1m).
