sec_salvage_db(1m)sec_salvage_db(1m)NAMEsec_salvage_db - Recover a corrupted registry database The sec_sal‐
vage_db -check and -fix options are not currently available.
SYNOPSISsec_salvage_db-print [-dbpath db_pathname] [-prtpath print_pathname]
[print_options] [-verbose] [-sort] [-dce1.0.3]
sec_salvage_db-reconstruct [-dbpath db_pathname] [-prtpath print_path‐
name]
[reconstruct_options] [-verbose]
sec_salvage_db-check [-dbpath db_pathname] [db_options] [-verbose]
sec_salvage_db-fix [-dbpath db_pathname] [db_options] [-force] [-ver‐
bose]
OPTIONS
Check the database elements specified by db_options for inconsisten‐
cies. This option sends a list to standard output of all bad list
links, internal id references, and database keys and any detectable
data inconsistencies. The -check option does not check fields for
legal values.
Specify the database elements to be acted on by the -check or -fix
options. If no db_options are specified, all are selected. The
db_options are -princ — Principals -group — Groups
-org — Organizations -acct — Accounts
-acl — ACLs -policy — Policy -state — Database State -replicas —
Replicas The .mkey.prt file and the princ.prt file contain unencrypted
authentication keys. Ensure that only the privileged account can
access these files and that they are never transferred over a network
for viewing or backup. Check the database for inconsistencies and
prompt for whether to fix each inconsistency. After all inconsisten‐
cies have been processed, the option prompts for whether to save all
fixes. Check the database for inconsistencies and fix each one without
prompting. After all inconsistencies have been processed, the option
prompts for whether to save all fixes. This option is valid only when
used with the -fix option. Create files containing ASCII-formatted
database records. These files are used by the -reconstruct option as a
source for recreating the database. You can also manually edit the
files to change information or fix problems. A separate file is cre‐
ated for each of the print_options specified.
By default the -print option stores the master key file in the current
directory and the database files in the rgy_print directory in the cur‐
rent directory. The -prtpath option lets you specify a different
directory. Supports backwards conversion of a registry database from
DCE 1.1 to DCE 1.0.3. Specify the database elements to be acted on by
the -print option. If the files exist, they are overwritten. If no
print_options are specified, all are selected. The print_options and
the files they create are -princ — Put principal records in the file
princ.prt and master key information in the file .mkey.prt. -group —
Put group records in the file group.prt.
-org — Put organization records in the file org.prt. -policy — Put
policy records in the file policy.prt. -state — Put information about
the state of the database in the file rgy_state.prt. -replicas — Put
replica information in the file replicas.prt. Reconstruct the registry
database from the ASCII-formatted print files created by the -print
option. The reconstruct_options specify the print files to use.
The reconstruct_options options are not available in Release 1.0.3.
For this release, sec_salvage_db reconstructs all elements of the reg‐
istry database. Specifies which elements of the registry database to
reconstruct. If no reconstruct_options are specified, all are
selected. The reconstruct_options are -pgo — Use data in the
princ.prt, group.prt, org.prt, and .mkey.prt files to reconstruct:
Principals, groups, organizations Principal's accounts ACL's on data‐
base objects The master key file -policy — Use data from the policy.prt
file to reconstruct registry policies. -state — Use data from the
rgy_state.prt file to reconstruct information about the state of the
database. -replicas — Use data from the replicas.prt file to recon‐
struct the master replica list. For the -print and -check options,
-dbpath specifies the directory in which the registry database and the
master key file are located. For the -reconstruct and -fix options,
-dbpath specifies the directory in which to store the reconstructed or
salvaged database.
The -print and -check options expects to find the master key file,
.mkey, in the directory above the directory that holds the database
files. For example, if db_pathname is dcelocal/var/security/new_rgy,
the options look for the master key file in dcelocal/var/security and
the database files in dcelocal/var/security/new_rgy.
If this option is not specified, the default pathname is dcelo‐
cal/var/security/rgy_data.
db_pathname can be a global pathname or a cell-relative name.
For the print and -reconstruct options only, -prtpath specifies the
directory in which to create (-print) the print files, or find (-recon‐
struct) the print files from which to reconstruct the database.
By default the -print option creates and the -reconstruct option looks
for the master key file in the current directory and the database files
in the rgy_print subdirectory of the current directory. -prtpath lets
you specify the directory that should be used instead of the current
directory. For example, if you specify print_pathname as dcelo‐
cal/var/security/registry, the master key print file will be created in
that directory and the database print files in dcelocal/var/secu‐
rity/registry/rgy_print.
If any or all of the print files exist in print_pathname or the default
directory, their contents are overwritten.
print_pathname can be a global pathname or a cell-relative name.
DESCRIPTION
The sec_salvage_db tool is an aid to database administration and trou‐
bleshooting. Although day-to-day administration is handled by the
rgy_edit command, sec_salvage_db can be useful for listing registry
data, reconstructing databases, and salvaging corrupted databases.
The sec_salvage_db command supports two methods of operation: the check
and fix method and the print and reconstruct method. These methods
can be used in tandem.
Check and Fix Method
The -check and -fix options are not currently available. The check and
fix method recovers data from a corrupted database, fixing corrupted
data links, data retrieval keys, and other internal references. You
can use it on a database so corrupted that it prevents the Security
Server (secd) from running or registry clients from operating cor‐
rectly. The check and fix method repairs the database structure so
that secd can run. (Note that data may be lost if corrupted pointers
in the registry data files irreversibly sever the links between
records.) The check and fix method uses the sec_salvage_db-check,
-fix, and -force options.
The -check option accesses each record in the database and reports all
errors, but makes no fixes. Although you can run it to see the state
of the database before you run the -fix option, it is not required to
be run.
The -fix option also accesses each record in the database and reports
all errors, but as it finds each error, it prompts for whether or not
to fix the error. When processing is complete, sec_salvage_db prompts
for whether or not to save the changes.
The -force option can only be used with the -fix option. If you use
it, sec_salvage_db does not prompt for confirmation before it fixes
each error it finds. sec_salvage_db will still prompt for confirmation
before it saves the changes.
The Print and Reconstruct Method
The print and reconstruct method allows you to reconstruct a database.
It first creates ASCII files, called print files, that contain all
accessible data in the database. Then, it reads the data in these
files to construct a new database. If you cannot start a Security
Server on the database host machine, you cannot use the print and
reconstruct method, but must use the check and fix method. (Note that
before you run sec_salvage_db with the -print and -reconstruct options,
you must stop the Security Server.)
In addition to reconstructing the database, the print and reconstruct
method has other uses. You can use it to Make changes to the database
by manually editing the print files created by the -print option and
then reconstructing them from the changed print files. This can be
especially useful for changing many user passwords, which may be neces‐
sary if the master key file is corrupted. Obtain a listing of database
contents. Copy databases between different platforms. To use the
print and reconstruct method run sec_salvage_db first with the -print
option and then with the -reconstruct option.
The -print option creates the ASCII print files from the registry data‐
base files. These files can be reviewed and edited to correct faulty
information, such as name-to-UNIX ID mismatches or missing data, or to
update existing data. The -reconstruct option recreates the registry
database files from the print files.
Because the -print option creates files containing all data in the
database and the -reconstruct option recreates the database based on
these files, you can use this method to move a database to another
machine or even another cell. For example, if you run sec_salvage_db-print on an uncorrupted database, you can then run sec_salvage_db-reconstruct and specify a pathname on a different machine for where
the database should be created.
Converting a DCE 1.1 Registry Database to a DCE 1.0.3 Database
The sec_salvage_db-dce1.0.3 option supports backwards conversion of a
registry database from DCE 1.1 to DCE 1.0.3. To convert a DCE 1.1 reg‐
istry database to a DCE 1.0.3 database perform the following procedure:
Stop all DCE 1.1 servers. Run the sec_salvage_db command with the
-print and -dce1.0.3 options (and any other options you need) to create
ASCII print files of the Registry database.
Note that for polymorphous objects (that is, an object that can be both
a directory and a person, group, or organization), sec_salvage_db cre‐
ates a print file entry for a directory as as default. It then stores
the information related to the person, group, or organization in a file
named info.prt. To recreate a person, group, or organization instead
of a directory, manually add the information in the info.prt file to
the appropriate ASCII print files. Clean up the remnants of the Reg‐
istry database by deleting the /opt/dcelocal/var/rpc/rpcdep.dat file
and all files in the following directories: /opt/dcelocal/var/secu‐
rity/rgy_data /opt/dcelocal/var/security/rcache /opt/dcelocal/var/secu‐
rity/creds Reload the DCE 1.0.3 bits. Run the sec_salvage_db command
with the -reconstruct option (and any other options you need) to create
the database from the ASCII print files. Restart DCE 1.0.3 servers.
EDITING THE PRINT FILES
To edit the print files, your entries must be in the following format
field_name optional_white_space=optional_white_space value Although you
can leave spaces between the field name, the equals sign, and the
value, field names and values cannot contain white space.
A sample org.prt file follows.
Record_Number = 2 Object_Type = ORG Name = org/none UUID = 0000000C-
D751-21CA-A002-08001E039D7D Unix_ID = 12 Is_Alias_Flag = false
Is_Required_Flag = false Fullname = Member_Name = nobody Member_Name =
root Member_Name = daemon Member_Name = uucp Member_Name = bin Mem‐
ber_Name = dce-ptgt Member_Name = dce-rgy Member_Name = krbtgt/abc.com
Member_Name = hosts/zebra/self Obj_Acl_Def_Cell_Name = /.../abc.com
Obj_Acl_Entry = unauthenticated:r-t----- Obj_Acl_Entry =
user:root:rctDnfmM Obj_Acl_Entry = other_obj:r-t----- Obj_Acl_Entry =
any_other:r-t-----
To update existing entries, simply supply a new value. For example, to
update a principal's full name, the entry in the princ.prt file is
Fullname = fullname
The fullname variable is the principal's full name. The princ.prt file
contains the following entry that allows you to update a principal's
password in plain text: Plaintext_Passwd =
This field does not display the principal's password. To update the
password, simply enter the new one in plain text after the equals sign.
When the database is reconstructed, the password is encrypted and any
keys derived from that password are regenerated and used to overwrite
any existing encryption key entries.
To specify a NULL value, delete the existing value. For example, to
specify a NULL value for a fullname in the princ.prt file, the entry is
Fullname =
PRINT FILE FIELDS AND VALUES
The fields in the princ.prt, group.prt, org.prt, .mkey.prt, policy.prt,
rgy_state.prt and replicas.prt files are described in the following
tables.
┌──────────────────────────┬──────────────────────────────────────────┐
│Field Name │ Field Values │
├──────────────────────────┼──────────────────────────────────────────┤
│For all Records: │ │
├──────────────────────────┼──────────────────────────────────────────┤
├──────────────────────────┼──────────────────────────────────────────┤
│Record_Number │ The sequential number of the record in │
│ │ the database. │
├──────────────────────────┼──────────────────────────────────────────┤
│Object_Type │ An indication of the type of object: │
│ │ PRINC=principal, DIR=directory. │
├──────────────────────────┼──────────────────────────────────────────┤
│Name │ Name of the object. │
├──────────────────────────┼──────────────────────────────────────────┤
│UUID │ Unique Identifier of the object. │
└──────────────────────────┴──────────────────────────────────────────┘
│For Principals: │ │
├──────────────────────────┼──────────────────────────────────────────┤
├──────────────────────────┼──────────────────────────────────────────┤
│Unix_ID │ The principal's Unix ID. │
├──────────────────────────┼──────────────────────────────────────────┤
│Is_Alias_Flag │ An indication of whether or not the │
│ │ principal name is an alias or a primary │
│ │ name: true=alias, false=primary. │
├──────────────────────────┼──────────────────────────────────────────┤
│Is_Required_Flag │ An indication of whether or not the │
│ │ principal is reserved: true=principal is │
│ │ reserved and cannot be deleted, │
│ │ false=principal is not reserved. │
├──────────────────────────┼──────────────────────────────────────────┤
│Quota │ The principal's object creation quota: a │
│ │ non-negative integer or unlimited. │
├──────────────────────────┼──────────────────────────────────────────┤
│Fullname │ The principal's fullname: a text string. │
├──────────────────────────┼──────────────────────────────────────────┤
│Member_Name* │ The names of the groups to which the │
│ │ principal belongs. │
├──────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Def_Cell_Name │ The default cell name of this princi‐ │
│ │ pal's object ACL. │
├──────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the principals │
│ │ object ACL. │
├──────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Entry*+ │ The contents of the principal's object │
│ │ ACL. │
├──────────────────────────┼──────────────────────────────────────────┤
│Acct_Group_Name │ The account's group name. │
├──────────────────────────┼──────────────────────────────────────────┤
│Acct_Org_Name │ The account's organization name. │
├──────────────────────────┼──────────────────────────────────────────┤
│Acct_Creator_Name │ The name of principal who created this │
│ │ account. │
├──────────────────────────┼──────────────────────────────────────────┤
│Acct_Creation_Time │ The date and time the account was cre‐ │
│ │ ated in yyyy/mm/dd.hh:mm format. The │
│ │ first two digits of the year, the hours, │
│ │ and the minutes are optional. │
├──────────────────────────┼──────────────────────────────────────────┤
│Acct_Changer_Name │ Name of principal who last changed the │
│ │ account. │
├──────────────────────────┼──────────────────────────────────────────┤
│Acct_Change_Time │ The date and time the account was last │
│ │ changed in yyyy/mm/dd.hh:mm format. │
│ │ (The first two digits of the year, the │
│ │ hours and the minutes are optional.) │
├──────────────────────────┼──────────────────────────────────────────┤
│Acct_Expire_Time │ The date and time the account expires or │
│ │ none for no expiration date. The date │
│ │ and time are in yyyy/mm/dd.hh:mm format. │
│ │ (The first two digits of the year, the │
│ │ hours and the minutes are optional.) │
├──────────────────────────┼──────────────────────────────────────────┤
│Acct_Good_Since_Time │ The date and time the principal's │
│ │ account was last known to be in an │
│ │ uncompromised state in yyyy/mm/dd.hh:mm, │
│ │ format or no for current time and date. │
│ │ (The first two digits of the year, the │
│ │ hours and the minutes are optional.) │
└──────────────────────────┴──────────────────────────────────────────┘
│Acct_Valid_For_Login_Flag │ An indication of whether or not the │
│ │ account can be logged into: true=account │
│ │ is valid for login, false=account cannot │
│ │ be logged into. │
└──────────────────────────┴──────────────────────────────────────────┘
┌──────────────────────────────┬──────────────────────────────────────────┐
│Acct_Valid_As_Server_Flag │ Indicates whether or not the account is │
│ │ a server and can engage in authenticated │
│ │ communication: true=account is a server, │
│ │ false=account is not server. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Acct_Valid_As_Client_Flag │ Indicates whether or not the account is │
│ │ a client and can log in, acquire tick‐ │
│ │ ets, and be authenticated: true=account │
│ │ is a client, false=account is not a │
│ │ client. │
│ │ │
├──────────────────────────────┼──────────────────────────────────────────┤
│Acct_Post_Dated_Cert_Ok_Flag │ Indicates whether or not tickets with a │
│ │ start time some time in the future can │
│ │ be issued to the account's principal: │
│ │ true=postdated tickets can be issued, │
│ │ false=postdated tickets cannot be │
│ │ issued. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Acct_Forwardable_Cert_Ok_Flag │ Indicates whether or not a new ticket- │
│ │ granting ticket with a network address │
│ │ that differs from the present ticket- │
│ │ granting address can be issued to the │
│ │ account's principal: true=account can │
│ │ get forwardable certificates, │
│ │ false=account cannot. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Acct_TGT_Auth_Cert_Ok_Flag │ Indicates whether or not tickets issued │
│ │ to the account's principal can use the │
│ │ ticket-granting-ticket authentication │
│ │ mechanism: true=tickets can use the │
│ │ ticket-granting-ticket authentication │
│ │ mechanism, false=they cannot. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Acct_Renewable_Cert_Ok_Flag │ Indicates whether or not tickets issued │
│ │ to the principal's ticket-granting │
│ │ ticket to be renewed: true=tickets can │
│ │ be renewed, false=tickets cannot be │
│ │ renewed. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Acct_Proxiable_Cert_Ok_Flag │ Indicates whether or not a new ticket │
│ │ with a different network address than │
│ │ the present ticket can be issued to the │
│ │ account's principal: true=such a ticket │
│ │ can be issued, false=such a ticket can‐ │
│ │ not be issued. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Acct_Dup_Session_Key_Ok_Flag │ Indicates whether or not tickets issued │
│ │ to the account's principal can have │
│ │ duplicate keys: true=account can have │
│ │ duplicate session keys, false=account │
│ │ cannot. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Unix_Key │ The account principal's encrypted UNIX │
│ │ password: ASCII string. │
└──────────────────────────────┴──────────────────────────────────────────┘
│Plaintext_Passwd │ Stores the principal's password in plain │
│ │ text. This field is provided to allow │
│ │ principal's passwords to be changed. │
│ │ When the princ.prt file is processed by │
│ │ the sec_salvage_db-reconstruct option, │
│ │ this password is encrypted using UNIX │
│ │ system encryption. This encrypted pass‐ │
│ │ word is then stored as the principal's │
│ │ encrypted UNIX password in the Unix_Key │
│ │ field. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Home_Dir │ The account principal's home directory: │
│ │ text string. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Shell │ The account principal's login shell: │
│ │ text string. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Gecos │ The account's GECOS information: text │
│ │ string. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Passwd_Valid_Flag │ Indicates whether or not the account │
│ │ principal's password is valid: │
│ │ true=password is valid, false=password │
│ │ not valid. │
└──────────────────────────────┴──────────────────────────────────────────┘
┌─────────────────────────────┬──────────────────────────────────────────┐
│Passwd_Change_Time │ The date and time the account princi‐ │
│ │ pal's password was last changed in │
│ │ yyyy/mm/dd.hh:mm format or now for the │
│ │ current date and time. The first two │
│ │ digits of the year, the hours and the │
│ │ minutes are optional. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Max_Certificate_Lifetime │ The number of hours before the Authenti‐ │
│ │ cation Service must renew the account │
│ │ principal's service certificates: an │
│ │ integer indicating the time in hours or │
│ │ default-policy to use the registry │
│ │ default. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Max_Renewable_Lifetime │ The number of hours before a session │
│ │ with the account principal's identity │
│ │ expires and the principal must log in │
│ │ again to reauthenticate: an integer │
│ │ indicating the time in hours or default- │
│ │ policy to use the registry default. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Master_Key_Version │ The version of the master key used to │
│ │ encrypt the account principal's key. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Num_Auth_Keys │ The number of the account principal's │
│ │ authentication keys. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Auth_Key_Version* │ A list of the version numbers of the │
│ │ account principal's authentication key. │
│ │ The first version number on the list │
│ │ represents the current authentication │
│ │ key. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Auth_Key_Pepper* │ The pepper algorithm used for the │
│ │ account principal's key: a text string │
│ │ or blank to use the default pepper algo‐ │
│ │ rithm. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Auth_Key_Len* │ The length in bytes of the account prin‐ │
│ │ cipal's authentication key. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Auth_Key* │ The account principal's authentication │
│ │ key: hex string. │
└─────────────────────────────┴──────────────────────────────────────────┘
│Auth_Key_Expire_Time* │ The date and time the account princi‐ │
│ │ pal's authentication key expires or none │
│ │ for no expiration. Date and time are in │
│ │ yyyy/mm/dd.hh:mm format. (The first │
│ │ two digits of the year, the hours and │
│ │ the minutes are optional.) │
├─────────────────────────────┼──────────────────────────────────────────┤
├─────────────────────────────┼──────────────────────────────────────────┤
│For Directories: │ │
├─────────────────────────────┼──────────────────────────────────────────┤
├─────────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Def_Cell_Name+ │ The default cell name of the directory's │
│ │ object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the directory's │
│ │ object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Entry*+ │ The contents of the directory's object │
│ │ ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Init_Obj_Acl_Def_Cell_Name+ │ The default cell name of the directory's │
│ │ initial object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the directory's │
│ │ initial object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Init_Obj_Acl_Entry*+ │ The contents of the directory's initial │
│ │ object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Init_Cont_Acl_Def_Cell_Name+ │ The default cell name of the directory's │
│ │ initial container ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the directory's │
│ │ initial container ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Init_Cont_Acl_Entry*+ │ The contents of the directory's initial │
│ │ container ACL. │
└─────────────────────────────┴──────────────────────────────────────────┘
* These segments/fields may appear multiple times in succession.
+ If a stored UUID doesn't map to a name required for this field, the
UUID will be displayed.
┌─────────────────────────────┬──────────────────────────────────────────┐
│Field Name │ Field Values │
├─────────────────────────────┼──────────────────────────────────────────┤
│For all Records: │ │
├─────────────────────────────┼──────────────────────────────────────────┤
├─────────────────────────────┼──────────────────────────────────────────┤
│Record_Number │ The sequential number of the record in │
│ │ the database. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Object_Type │ An indication of the type of object: │
│ │ GROUP=group, DIR=directory. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Name │ Name of the object. │
├─────────────────────────────┼──────────────────────────────────────────┤
│UUID │ Unique Identifier of the object. │
├─────────────────────────────┼──────────────────────────────────────────┤
│For Groups: │ │
├─────────────────────────────┼──────────────────────────────────────────┤
├─────────────────────────────┼──────────────────────────────────────────┤
│Unix_ID │ Unix ID of the group. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Is_Alias_Flag │ An indication of whether or not the │
│ │ group name is an alias or a primary │
│ │ name: true=alias, false=primary . │
├─────────────────────────────┼──────────────────────────────────────────┤
│Is_Required_Flag │ An indication of whether or not the │
│ │ group is reserved: true=group is │
│ │ reserved and cannot be deleted, │
│ │ false=group is not reserved. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Projlist_Ok_Flag │ An indication of whether or not the │
│ │ group can be included in project lists: │
│ │ true=group can be included on project │
│ │ lists, false=group cannot be included. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Fullname │ The group's fullname: a text string. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Member_Name* │ The names of the group's members. │
└─────────────────────────────┴──────────────────────────────────────────┘
│Obj_Acl_Def_Cell_Name+ │ The default cell name of this group's │
│ │ object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the group's │
│ │ object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Entry* │ The contents of the group's object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│For Directories: │ │
├─────────────────────────────┼──────────────────────────────────────────┤
├─────────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Def_Cell_Name+ │ The default cell name of this direc‐ │
│ │ tory's object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the directory's │
│ │ object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Entry* │ The contents of the directory's object │
│ │ ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Init_Obj_Acl_Def_Cell_Name+ │ The default cell name of the directory's │
│ │ initial object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the directory's │
│ │ initial object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│ │ │
│Init_Obj_Acl_Entry*+ │ The contents of the directory's initial │
│ │ object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Init_Cont_Acl_Def_Cell_Name+ │ The default cell name of the directory's │
│ │ initial container ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the directory's │
│ │ initial container ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Init_Cont_Acl_Entry*+ │ The contents of the directory's initial │
│ │ container ACL. │
└─────────────────────────────┴──────────────────────────────────────────┘
* These fields may appear multiple times in succession.
+ If a stored UUID doesn't map to a name required for this field, the
UUID will be displayed.
┌───────────────────────────────┬──────────────────────────────────────────┐
│Field Name │ Field Values │
├───────────────────────────────┼──────────────────────────────────────────┤
│For all Records: │ │
├───────────────────────────────┼──────────────────────────────────────────┤
├───────────────────────────────┼──────────────────────────────────────────┤
│Record_Number │ The sequential number of the record in │
│ │ the database. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Object_Type │ An indication of the type of object: │
│ │ ORG=organization, DIR=directory. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Name │ Name of the object. │
├───────────────────────────────┼──────────────────────────────────────────┤
│UUID │ Unique Identifier of the object. │
├───────────────────────────────┼──────────────────────────────────────────┤
│For Organizations: │ │
├───────────────────────────────┼──────────────────────────────────────────┤
├───────────────────────────────┼──────────────────────────────────────────┤
│Unix_ID │ Unix Id of the organization. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Is_Alias_Flag │ An indication of whether or not the │
│ │ organization is an alias or a primary │
│ │ name: true=alias, false=primary. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Is_Required_Flag │ An indication of whether or not the │
│ │ organization is reserved: true=organiza‐ │
│ │ tion is reserved and cannot be deleted, │
│ │ false=organization is not reserved. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Fullname │ The organization's fullname: a text │
│ │ string. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Member_Name* │ The names of the organization's members. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Def_Cell_Name │ The default cell name of this organiza‐ │
│ │ tion's object ACL. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the organiza‐ │
│ │ tion's object ACL. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Entry*+ │ The contents of the organization's │
│ │ object ACL. │
├───────────────────────────────┼──────────────────────────────────────────┤
│For Organizations with Policy: │ │
└───────────────────────────────┴──────────────────────────────────────────┘
├───────────────────────────────┼──────────────────────────────────────────┤
│Acct_Lifetime │ The period during which accounts for the │
│ │ organization are valid: a integer number │
│ │ representing days or forever. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Passwd_Min_Len │ The minimum length of the organization's │
│ │ password: a non-negative integer. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Passwd_Lifetime │ The span in days of the lifetime of the │
│ │ organization's password: an integer or │
│ │ forever. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Passwd_Expire_Time │ The date and time the organization's │
│ │ password expires in yyyy/mm/dd.hh:mm │
│ │ format. (The first two digits of the │
│ │ year, the hours and the minutes are │
│ │ optional.) │
├───────────────────────────────┼──────────────────────────────────────────┤
│Passwd_All_Spaces_Ok │ An indication of whether or not the │
│ │ organization's password can consist of │
│ │ all spaces: true=can consist of spaces, │
│ │ false=cannot. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Passwd_All_Alphanumeric_Ok │ An indication of whether or not the │
│ │ organization's password can consist of │
│ │ all alphanumeric characters: true=can be │
│ │ all alphanumeric, false=cannot. │
├───────────────────────────────┼──────────────────────────────────────────┤
│For Directories: │ │
├───────────────────────────────┼──────────────────────────────────────────┤
├───────────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Def_Cell_Name+ │ The default cell name of the directory's │
│ │ object ACL. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the directory's │
│ │ object ACL. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Entry*+ │ The contents of the directory's object │
│ │ ACL. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Init_Obj_Acl_Def_Cell_Name+ │ The default cell name of the directory's │
│ │ initial object ACL. │
├───────────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the directory's │
│ │ initial object ACL. │
└───────────────────────────────┴──────────────────────────────────────────┘
┌─────────────────────────────┬──────────────────────────────────────────┐
│Init_Obj_Acl_Entry*+ │ The contents of the directory's initial │
│ │ object ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Init_Cont_Acl_Def_Cell_Name+ │ The default cell name of the directory's │
│ │ initial container ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the directory's │
│ │ initial container ACL. │
├─────────────────────────────┼──────────────────────────────────────────┤
│Init_Cont_Acl_Entry*+ │ The contents of the directory's initial │
│ │ container ACL. │
└─────────────────────────────┴──────────────────────────────────────────┘
* These fields may appear multiple times in succession.
+ If a stored UUID doesn't map to a name required for this field, the
UUID will be displayed.
┌───────────────────┬──────────────────────────────────────────┐
│Field Name │ Field Values │
├───────────────────┼──────────────────────────────────────────┤
│Master_Key_Version │ The integer version of the master key. │
├───────────────────┼──────────────────────────────────────────┤
│Master_Key_Keytype │ Always des. │
├───────────────────┼──────────────────────────────────────────┤
│Master_Key_Length │ The length of the master key in bytes. │
├───────────────────┼──────────────────────────────────────────┤
│Master_Key │ The master key in hex string format. │
└───────────────────┴──────────────────────────────────────────┘
┌──────────────────────────────┬──────────────────────────────────────────┐
│Field Name │ Field Values │
├──────────────────────────────┼──────────────────────────────────────────┤
│Rgy_Policy_File_Version │ An integer representing the version of │
│ │ the policy information. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Prop_Read_Version │ A number indicating the property │
│ │ record's read version. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Prop_Write_Version │ A number indicating the property │
│ │ record's write version. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Min_Certificate_Lifetime │ The minimum amount of time before the │
│ │ principal's ticket must be renewed in │
│ │ weekswdaysdhourshminutesm format. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Default_Certificate_Lifetime │ The the default lifetime for tickets │
│ │ issued to principals in this cell's reg‐ │
│ │ istry in weekswdaysdhourshminutesm for‐ │
│ │ mat. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Low_Unix_ID_Principal │ The starting point for principal UNIX │
│ │ IDs automatically generated by the Secu‐ │
│ │ rity Service when a principal is added: │
│ │ an integer, which must be less than │
│ │ Max_Unix_ID. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Low_Unix_ID_Group │ The the starting point for UNIX IDs │
│ │ automatically generated by the Security │
│ │ Service when a group is added: an inte‐ │
│ │ ger, which must be less than │
│ │ Max_Unix_ID. │
└──────────────────────────────┴──────────────────────────────────────────┘
│Low_Unix_ID_Org │ The starting point for UNIX IDs automat‐ │
│ │ ically generated by the Security Service │
│ │ when an organization is added using: an │
│ │ integer, which must be less than │
│ │ Max_Unix_ID. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Max_Unix_ID │ The highest number that can be supplied │
│ │ as a UNIX ID when principals are cre‐ │
│ │ ated: an integer. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Rgy_Readonly_Flag │ An indication of whether or not the reg‐ │
│ │ istry is read-only: true=read only, │
│ │ false=updateable. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Auth_Certificate_Unbound_Flag │ An indication of whether or not certifi‐ │
│ │ cates are generated for use on any │
│ │ machine: true=yes, false=no. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Shadow_Passwd_Flag │ Determines whether encrypted passwords │
│ │ are sent over the network: │
│ │ true=encrypted passwords are not sent │
│ │ over the network, false=encrypted pass‐ │
│ │ words are sent over the network. │
├──────────────────────────────┼──────────────────────────────────────────┤
│Embedded_Unix_ID_Flag │ Determines if UNIX IDs are embedded in │
│ │ person, group, and organization UUIDs: │
│ │ true=UNIX IDs are embedded, false=UNIX │
│ │ IDs are not embedded. │
└──────────────────────────────┴──────────────────────────────────────────┘
┌───────────────────────────┬──────────────────────────────────────────┐
│Realm_Name │ The name of the full global pathname of │
│ │ realm running the secd. │
├───────────────────────────┼──────────────────────────────────────────┤
│Realm_UUID │ The UUID of the realm running the secd. │
├───────────────────────────┼──────────────────────────────────────────┤
│Unauthenticated_Quota │ The quota of unauthenticated users: a │
│ │ number or unlimited. │
├───────────────────────────┼──────────────────────────────────────────┤
│Acct_Lifetime │ The period during which accounts are │
│ │ valid: a integer number representing │
│ │ days or forever. │
├───────────────────────────┼──────────────────────────────────────────┤
│Passwd_Min_Len │ The minimum length of passwords: a non- │
│ │ negative integer. │
├───────────────────────────┼──────────────────────────────────────────┤
│Passwd_Lifetime │ The span in days of the password life‐ │
│ │ times: an integer or forever. │
├───────────────────────────┼──────────────────────────────────────────┤
│Passwd_Expire_Time │ The date and time the passwords expire │
│ │ in yyyy/mm/dd.hh:mm format. (The first │
│ │ two digits of the year, the hours and │
│ │ the minutes are optional.) │
├───────────────────────────┼──────────────────────────────────────────┤
│Passwd_All_Spaces_Ok │ An indication of whether or not pass‐ │
│ │ words can consist of all spaces: │
│ │ true=can consist of spaces, false=can‐ │
│ │ not. │
├───────────────────────────┼──────────────────────────────────────────┤
│Passwd_All_Alphanumeric_Ok │ Am indication of whether or not pass‐ │
│ │ words can consist of all alphanumeric │
│ │ characters: true=can be all alphanu‐ │
│ │ meric, false=cannot. │
├───────────────────────────┼──────────────────────────────────────────┤
│Max_Certificate_Lifetime │ The number of hours before the Authenti‐ │
│ │ cation Service must renew service cer‐ │
│ │ tificates: an integer indicating the │
│ │ time in hours or default-policy to use │
│ │ the registry default. │
├───────────────────────────┼──────────────────────────────────────────┤
│Max_Renewable_Lifetime │ The number of hours before sessions │
│ │ expire and the session principal must │
│ │ log in again to reauthenticate: an inte‐ │
│ │ ger indicating the time in hours or │
│ │ default-policy to use the registry │
│ │ default. │
├───────────────────────────┼──────────────────────────────────────────┤
│Princ_Cache_State │ The timestamp of the principal cache. │
├───────────────────────────┼──────────────────────────────────────────┤
│Group_Cache_State │ The timestamp of the group cache. │
├───────────────────────────┼──────────────────────────────────────────┤
│Org_Cache_State │ The timestamp of the organization cache. │
├───────────────────────────┼──────────────────────────────────────────┤
│My_Name │ The cell-relative name of the security │
│ │ server. │
├───────────────────────────┼──────────────────────────────────────────┤
│Master_Key_Version │ The integer version of current master │
│ │ key. │
├───────────────────────────┼──────────────────────────────────────────┤
│Master_Key_Keytype │ Always des. │
├───────────────────────────┼──────────────────────────────────────────┤
│Master_Key_Length │ The length of the master key in bytes. │
├───────────────────────────┼──────────────────────────────────────────┤
│Master_Key │ The master key in hex string format. │
├───────────────────────────┼──────────────────────────────────────────┤
│Old_Master_Key_Version │ The version of the previous master key. │
├───────────────────────────┼──────────────────────────────────────────┤
│Old_Master_Key_Keytype │ Always des. │
├───────────────────────────┼──────────────────────────────────────────┤
│Old_Master_Key_Length │ The length of the previous master key in │
│ │ bytes. │
├───────────────────────────┼──────────────────────────────────────────┤
│Old_Master_Key │ The previous master key in hex string │
│ │ format. │
├───────────────────────────┼──────────────────────────────────────────┤
│Obj_Acl_Def_Cell_Name │ The default cell name of the policy │
│ │ object ACL. │
├───────────────────────────┼──────────────────────────────────────────┤
│Num_Acl_Entries │ The number of entries in the policy │
│ │ object ACL. │
└───────────────────────────┴──────────────────────────────────────────┘
│Obj_Acl_Entry*+ │ The contents of the policy object ACL. │
└───────────────────────────┴──────────────────────────────────────────┘
* These fields may appear multiple times in succession.
+ If a stored UUID doesn't map to a name required for this field, the
UUID will be displayed.
┌───────────────────────┬──────────────────────────────────────────┐
│Field Name │ Field Values │
├───────────────────────┼──────────────────────────────────────────┤
│Rgy_State_File_Version │ The integer version number of the format │
│ │ of the rgy_state file. │
├───────────────────────┼──────────────────────────────────────────┤
│Replica_State │ The state of the master registry: │
│ │ unknown_to_master, uninitialized, │
│ │ in_service, in_maintenance, closed, │
│ │ deleted, or initializing. │
├───────────────────────┼──────────────────────────────────────────┤
│Cell_UUID │ The UUID of cell in which the secd │
│ │ resides. │
├───────────────────────┼──────────────────────────────────────────┤
│Server_UUID │ The UUID of this secd. │
├───────────────────────┼──────────────────────────────────────────┤
│Initialization_UUID │ The UUID of the last initialization │
│ │ event. │
├───────────────────────┼──────────────────────────────────────────┤
│Master_File_Version │ The version number of the master │
│ │ replica. │
├───────────────────────┼──────────────────────────────────────────┤
│Master_Known_Flag │ An indicate of whether or not the master │
│ │ replica is know to this replica: │
│ │ true=known, false=not known. Only if │
│ │ this field is true do the other master │
│ │ field contain valid information. │
├───────────────────────┼──────────────────────────────────────────┤
│Master_UUID │ The UUID of the master replica. │
├───────────────────────┼──────────────────────────────────────────┤
│Master_Seqno │ The 2-digit sequence number of the event │
│ │ when the master became the master in n.n │
│ │ format. │
└───────────────────────┴──────────────────────────────────────────┘
┌────────────────────┬──────────────────────────────────────────┐
│Field Name │ Field Values │
├────────────────────┼──────────────────────────────────────────┤
│Record_Number │ The sequential number of the record in │
│ │ the database. │
├────────────────────┼──────────────────────────────────────────┤
│Replica_UUID │ The UUID listed for the replica in the │
│ │ replica list. │
├────────────────────┼──────────────────────────────────────────┤
│Replica_Name │ The name of the replica as known to the │
│ │ Cell Directory Service. │
│_ │ │
│Num_Towers │ The number of towers. │
├────────────────────┼──────────────────────────────────────────┤
│Tower_Length* │ The Length of the next tower (in bytes). │
├────────────────────┼──────────────────────────────────────────┤
│Tower* │ The tower used to communicate with the │
│ │ replica (a byte stream that can be bro‐ │
│ │ ken on word boundaries). │
├────────────────────┼──────────────────────────────────────────┤
│Propagation_Type │ An indication of whether the replica is │
│ │ initialized, initializing, in the │
│ │ process of being updated, or in the │
│ │ process of being deleted. │
├────────────────────┼──────────────────────────────────────────┤
│Initialization_UUID │ UUID of the last initialization. │
└────────────────────┴──────────────────────────────────────────┘
* These fields may appear multiple times in succession.
NOTES
This reference page is the version that was included in the DCE 1.0.3
Command Reference, updated with information about the -dce1.0.3 option.
It is not guaranteed to correspond exactly to the DCE 1.1 usage.
ERROR CONDITIONS
You will receive the following error message if the default rgy_data
directory is being used and there is an advisory lock on the rgy_state
data file: Registry: Error - database is locked. Put secd into mainte‐
nance mode
or clear advisory lock on rgy_state file in db_pathname
The existence of the advisory lock implies that secd is in service.
Use the sec_admin command to put secd in maintenance mode. If secd is
not running, the advisory lock may be the result of an ungraceful shut‐
down of secd. To remove the advisory lock, use mv to rename the dcelo‐
cal/var/security/rgy_data/rgy_state file, change it back to the origi‐
nal name. Then, re-run the sec_salvage_db command.
sec_salvage_db(1m)
