registry(8dce) — DCE 3.1

registry(8dce)  —  Maintenance

NAME

registry  — A dcecp object that manages a registry in the DCE Security Service

SYNOPSIS

registry catalog [registry_replica_name] [-master]

registry checkpoint registry_replica_name [-at hh:mm | -cpi {num | numm | numh}] [-now]

registry connect cell_name -group local_group_name -org local_org_name -mypwd local_password -fgroup foreign_group_name -forg foreign_org_name -facct foreign_account_name -facctpwd foreign_account_password [-expdate account_expiration_date] [-acctvalid] [-facctvalid]

registry delete registry_replica_name [-force]

registry designate registry_replica_name [-slave | -master [-force]]

registry destroy registry_replica_name

registry disable [registry_replica_name]

registry dump [registry_replica_name]

registry enable [registry_replica_name]

registry help [operation | -verbose]

registry modify [registry_replica_name] {-change attribute_list | -attribute value | -key}

registry operations

registry replace registry_replica_name -address new_string_binding

registry show [registry_replica_name] [-attributes | -policies | -master | -replica | -verbose]

registry stop registry_replica_name

registry synchronize registry_replica_name

registry verify [registry_replica_name]

Arguments

cell_name
The name of a cell to contact when processing the connect operation.  The name must be a fully qualified cell name, such as /.: or /.../cell_name.

operation
The name of the registry operation for which to display help information.

registry_replica_name
The name of one registry replica to act on.  The replica can be a master or a slave replica.  The argument, which overrides a value in the _s(sec) convenience variable, can be one of the following:

   •A specific cell name to bind to any replica in the named cell, such as /.: or /.../gumby1. 

   •The global name of a replica to bind to that specific replica in that specific cell, such as /.../gumby1/subsys/dce/sec/oddball.

   •The name of a replica as it appears on the replica list to bind to that replica in the local cell, such as subsys/dce/sec/oddball. 

   •A string binding to a specific replica, such as {ncadg_ip_udp 15.22.144.163}. 

This form is used primarily for debugging or if the Cell Directory Service (CDS) is not available. 

For those operations for which registry_replica_name is optional, the value of _s(sec) is used if no argument is given. If the variable is not set, the default argument of /.: is assumed. 

Description

The registry  object represents a DCE Security Service registry.  The registry is a replicated database: each instance of a registry server, secd , maintains a working copy of the database in virtual memory and on disk.  One server, called the master replica, accepts updates and handles the subsequent propagation of changes to all other replicas.  All other replicas are slave replicas, which accept only queries.  Each cell has one master replica and may have numerous slave replicas. 

Note that the registry  command cannot add, delete, or modify information in the registry database, such as names and accounts.  Use the appropriate account , principal , group , or organization  command to modify registry database entries. 

Two access control lists (ACLs) control access to registry  operations.  For operations dealing with replication, the replist object’s ACL (usually /.:/sec/replist) controls access.  For those that deal with registry attributes and policies, the policy object’s ACL (usually /.:/sec/policy) controls access. 

When this command executes, it attempts to bind to the registry server identified in the _s(sec) variable.  If that server cannot process the request or if the _s(sec) variable is not set, the command binds to either an available slave server or the master registry server, depending on the operation.  Upon completion, the command sets the _b(sec) convenience variable to the name of the registry server to which it bound. 

Attributes

The registry  object supports the following kinds of attributes:

   •Registry attributes—These modifiable attributes apply to principals, groups, organizations, and accounts.  The initial values for some of these attributes must be specified when the master Security Server is configured. 

   •Registry-wide policy attributes—These modifiable attributes apply to organizations and accounts.  The registry-wide organization and account policy overrides the policy set for individual accounts only if the registry-wide policy is more restrictive. 

   •Synchronization attributes—These read-only attributes are maintained by each replica about itself.  They cannot be directly modified.  These attributes have no default value, but are computed when the replica is configured. 

   •Replica-specific attributes—These read-only attributes are kept by the master replica for each slave replica.  They cannot be modified directly. These attributes have no default value, but are computed or assigned when the replica is configured. 

Registry Attributes

deftktlife relative_time
The default lifetime for tickets issued to principals in this cell’s registry. Specify the time by using the Distributed Time Service (DTS) relative time format ([-]DD-hh:mm:ss).  The default is

+0-10:00:00.000

hidepwd {yes | no}
Determines whether encrypted passwords are displayed.  If this attribute is set to yes, an asterisk is displayed in place of the encrypted password in command output and files where passwords are displayed.  The value is either yes or no.  The default is yes. 

maxuid integer
The highest number that can be supplied as a user identifier (uid) when principals are created.  This maximum applies to both the system-generated and user-entered uids.  The value is an integer; the initial value depends on the configuration of your system. 

mingid integer
The starting point for group identifiers (gids) automatically generated when a group is created.  You can explicitly enter a lower gid than this number; it applies only to automatically generated numbers.  The value is an integer; the initial value depends on the configuration of your system. 

minorgid integer
The starting point for organization identifiers (orgids) automatically generated when an organization is created.  This starting point applies only to automatically generated identifiers.  You can manually specify an identifier lower than the minorgid.  The value is an integer; the initial value depends on the configuration of your system.

mintktlife relative_time
The minimum amount of time before the principal’s ticket must be renewed.  The value is an integer.  This renewal is performed automatically with no intervention on the part of the user.  The shorter this time is, the greater the security of the system.  However, extremely frequent renewal can degrade system performance.  Both system performance and the level of security required by the cell should be taken into consideration when selecting the value of this attribute.  This is a registry-wide value only; it cannot be set for individual accounts. The default is

+0-00:05:00.000

minuid integer
The starting point for uids automatically generated when a principal is created.  This starting point applies only to automatically generated identifiers.  You can manually specify an identifier lower than the minuid.  The value is an integer; the initial value depends on the configuration of your system.

version
The version of the security server software.  The initial value depends on the configuration of your system.

Registry-wide Policy Attributes

acctlife {relative_time | unlimited}
This registry-wide organization policy defines the lifespan of accounts.  Specify the time by using the DTS-relative time format ([-]DD-hh:mm:ss) or the string unlimited to define an unlimited lifespan for accounts.  The default is unlimited. 

maxtktlife relative_time
This registry-wide account policy defines the maximum amount of time that a ticket can be valid. Specify the time by using the DTS-relative time format ([-]DD-hh:mm:ss).  When a client requests a ticket to a server, the lifetime granted to the ticket takes into account the maxtktlife set for both the server and the client.  In other words, the lifetime cannot exceed the shorter of the server’s or client’s maxtktlife.  If you do not specify a maxtktlife for an account, the maxtktlife defined as registry authorization policy is used. The default is

+1-00:00:00.000

maxtktrenew relative_time
This registry-wide account policy defines the amount of time before a principal’s ticket-granting ticket expires and that principal must log in again to the system to reauthenticate and obtain another ticket-granting ticket. Specify the time by using the DTS-relative time format ([-]DD-hh:mm:ss).  The lifetime of the principal’s service tickets can never exceed the lifetime of the principal’s ticket-granting ticket.  The shorter you make ticket lifetimes, the greater the security of the system.  However, since principals must log in again to renew their ticket-granting ticket, the time specified needs to balance user convenience against the level of security required.  If you do not specify this attribute for an account, the maxtktrenew lifetime defined as registry authorization policy is used.  The default is

+28-00:00:00.000

This feature is not currently used by DCE; any use of this option is unsupported at the present time. 

pwdalpha {yes | no}
This registry-wide organization policy defines whether passwords can consist entirely of alphanumeric characters.  Its value is either yes or no.  The default is yes. 

pwdexpdate {ISO-timestamp | none}
This registry-wide organization policy defines a date on which a password expires.  The date is entered as an internationalized date string or the string none, in which case there is no expiration date for the password.  The default is none. 

pwdlife {relative_time| unlimited}
This registry-wide organization policy defines the lifespan of passwords.  Specify the time by using the DTS-relative time format ([-]DD-hh:mm:ss) or the string unlimited.  The default is unlimited. 

pwdminlen integer
This registry-wide organization policy defines the minimum number of characters in a password.  Its value is a positive integer or the integer 0, which means there is no minimum length.  The default is 0. 

pwdspaces  {yes | no}
This registry-wide organization policy defines whether passwords can consist entirely of spaces.  Its value is either yes or no.  The default is no. 
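
The maxtktlife rule described above (the registry-wide value acts as a ceiling, and a ticket gets the shorter of the client's and server's limits), worked through in Python as an added example that is not part of the original manual page. The function names are illustrative, and ignoring a trailing "I..." inaccuracy part, as seen in this page's +0-08:00:00.000I----- example, is an assumption.

```python
import re
from datetime import timedelta

# [+|-]DD-hh:mm:ss[.fff], optionally followed by an "I..." inaccuracy part
# (assumption: the inaccuracy part can be ignored for policy comparison).
_RELATIVE = re.compile(
    r"^(?P<sign>[+-]?)(?P<days>\d+)-(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})"
    r"(?:\.(?P<frac>\d{1,3}))?(?:I\S*)?$"
)


def parse_relative_time(text):
    """Convert a DTS relative time such as +1-00:00:00.000 to a timedelta."""
    match = _RELATIVE.match(text.strip())
    if match is None:
        raise ValueError(f"not a DTS relative time: {text!r}")
    millis = int((match["frac"] or "0").ljust(3, "0"))
    delta = timedelta(days=int(match["days"]), hours=int(match["h"]),
                      minutes=int(match["m"]), seconds=int(match["s"]),
                      milliseconds=millis)
    return -delta if match["sign"] == "-" else delta


def format_relative_time(delta):
    """Render a timedelta back into the +DD-hh:mm:ss.fff form."""
    sign = "-" if delta < timedelta(0) else "+"
    total_ms = abs(delta) // timedelta(milliseconds=1)
    seconds, ms = divmod(total_ms, 1000)
    minutes, s = divmod(seconds, 60)
    hours, m = divmod(minutes, 60)
    days, h = divmod(hours, 24)
    return f"{sign}{days}-{h:02d}:{m:02d}:{s:02d}.{ms:03d}"


def effective_maxtktlife(registry_wide, client=None, server=None):
    """Longest ticket lifetime that can be granted for a client/server pair.

    An account without its own maxtktlife (None) uses the registry-wide
    value; an account value looser than the registry-wide one is capped.
    """
    ceiling = parse_relative_time(registry_wide)
    per_account = []
    for value in (client, server):
        own = parse_relative_time(value) if value is not None else ceiling
        per_account.append(min(own, ceiling))
    return min(per_account)


if __name__ == "__main__":
    # Registry default of one day, a 10-hour client and a 2-day server.
    granted = effective_maxtktlife("+1-00:00:00.000",
                                   client="+0-10:00:00.000",
                                   server="+2-00:00:00.000")
    print(format_relative_time(granted))
```
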

Synchronization Attributes

name
The name of the replica.  It is in the form of a fully qualified CDS name.

type
Indicates if the replica is a master or a slave.

cell
The name of the cell that the replica is in.  It is a fully qualified cell name.

uuid
The Universal Unique Identifier (UUID) of the replica.

status
The state of the replica.  One of the following:

becomingmaster
The replica is in the process of becoming a master.

becomingslave
The replica is a master in the process of becoming a slave.

changingkey
The replica is in the process of having its master key changed.

closed
The replica is in the process of stopping.

copyingdb
The replica is in the process of initializing (copying its database to) another replica.

deleted
The replica is in the process of deleting itself.

disabled
The replica is unavailable for updates, but will accept queries.

dupmaster
Two masters have been found in the cell, and the replica is a duplicate of the real master.

enabled
The replica is available for use.

initializing
The replica is in the process of being initialized by the master replica or another up-to-date replica.

savingdb
The replica is in the process of saving its database to disk.

unavailable
The replica cannot be reached.

uninitialized
The database is a stub database that has not been initialized by the master replica or another up-to-date replica.

unknown
The replica is not known to the master.

lastupdtime
The localized date and time that the master received the last replica’s last update.

lastupdseq
The sequence number of the last update the replica received.  A sequence number consists of two 32-bit integers separated by a dot (high.low).  The high integer increments when the low integer wraps.  An example of this attribute is {lastupdseq 0.178}.

addresses
A list of the network addresses of the replica.  There can be more than one for connectionless and connection-oriented protocols.

masteraddrs
The network address of the master replica as determined by the replica.  The address is not necessarily correct.  More than one address may exist, for example for connectionless and connection-oriented protocols.

masterseqnum
The master sequence number, which is the sequence number of the event that made the replica the master as determined by the replica.  The number is not necessarily correct.  A sequence number consists of two 32-bit integers separated by a dot (high.low).  The high integer increments when the low integer wraps.  An example of this attribute is {masterseqnum 0.100}.

masteruuid
The UUID of the master replica as determined by the replica.  This UUID is not necessarily correct.  The value is a UUID.

supportedversions
DCE registry version supported by the security service.  Possible values at DCE Version 1.1 are secd.dce.1.0.2 (for DCE Version 1.0.2 and DCE Version 1.0.3) and secd.dce.1.1.  Both versions may be supported (that is, by a DCE Version 1.1 security server running in a cell with DCE Version 1.0.3 replicas).

updseqqueue
A list of two update sequence numbers that are still in the propagation queue and have yet to be propagated.  The first number is the base propagation sequence number (the last number known to have been received by all replicas).  The second number is the sequence number of the last update made on the master.  This attribute is present only in the master replica.  The sequence numbers consist of two 32-bit integers separated by a dot (high.low).  The high integer increments when the low integer wraps.  An example of this attribute is {updseqqueue {0.100 0.178}}. 

Replica-Specific Attributes

name
The name of the replica.  It is in the form of a fully qualified CDS name.

uuid
The UUID of the replica.

type
Indicates if the replica is a master or a slave.

addresses
A list of the network addresses of the replica.  More than one address may exist for connectionless and connection-oriented protocols.

propstatus
The status of the propagation.  Possible values are as follows:

delete
The replica is marked for deletion.

initmarked
The replica is marked for initialization.

initing
The replica is in the process of initialization, that is, getting an up-to-date copy of the registry.

update
The replica is ready to receive propagation updates.

lastupdtime
The localized time of the last update sent to the replica.  This information is meaningful only if propstatus is update. 

lastupdseqsent
The sequence number of the last update sent to this replica. A sequence number consists of two 32-bit integers separated by a dot (high.low).  The high integer increments when the low integer wraps.  An example of this attribute is

{lastupdseqsent 0.175}

This information is meaningful only if propstatus is update. 

numupdtogo
The number of outstanding updates.  The value is an integer. This information is meaningful only if propstatus is update. 

commstate
The state of the last communication with the replica.

lastcommstatus
The status message of the last communication with the replica.

See the OSF DCE Administration Guide for more information about attributes, policies, and synchronizations. 

Errors

A representative list of errors that might be returned is not shown here.  Refer to the OSF DCE Problem Determination Guide for complete descriptions of all error messages. 

Operations

registry catalog

Returns a list of the names of the security servers running in the cell.  The syntax is as follows:

registry catalog [registry_replica_name] [-master]

Option

-master
Returns only the master security server name.

The catalog operation returns a list of the names of the security servers (that is, each copy of the registry) running in the cell.  This is also known as the replica list.  The order of elements returned is arbitrary.  The optional registry_replica_name argument can specify the name of one other cell or a single string binding.  If you specify the -master option, the operation returns only the name of the master.

This operation sets the _b(sec) variable to the name of the replica to which it binds. 

Privileges Required

No special privileges are needed to use the registry catalog  command. 

Examples

dcecp> registry catalog
/.../dcecp.cell.osf.org/subsys/dce/sec/snow
/.../dcecp.cell.osf.org/subsys/dce/sec/ice
dcecp>  

registry checkpoint

Specifies when registry checkpoints should be performed.  The syntax is as follows:

registry checkpoint registry_replica_name [-at hh:mm | -cpi {num | numm | numh}] [-now]

Options

-at hh:mm
Specifies the hours and minutes of the day (in UTC time) to perform the checkpoint.

-cpi {num | numm | numh}
Specifies an interval at which to perform checkpoints.

-now
Specifies an immediate checkpoint.  This is the default.

The checkpoint operation lets you set the times when the registry database should be saved to disk (checkpointed).  You must supply the name of a replica for the operation to bind to. 

If you use the -at option, the checkpoint is performed at the specified time.  The time is in UTC format.  For example, to specify 3:30 p.m., the entry is 15:30.  The checkpoint interval then reverts to the default or to the interval specified by the -cpi option.

If you use the -cpi option, the checkpoint is performed at the interval you specify until you specify another interval.  This option takes an argument that specifies the interval time as seconds, minutes, or hours:

   •To specify seconds, supply only a number.  For example, -cpi 101 specifies an interval of 101 seconds.

   •To specify minutes, enter the number and m.  For example, -cpi 101m specifies an interval of 101 minutes.

   •To specify hours, enter the number and h.  For example, -cpi 101h specifies an interval of 101 hours.

If you use the -now option, a checkpoint is performed immediately.  The checkpoint interval then reverts to the default or to the interval specified by the -cpi option.  This operation returns an empty string on success and sets the _b(sec) variable to the replica to which it binds.

Privileges Required

You must have ad (auth_info, delete) permission to the replist object.

Examples

dcecp> registry checkpoint /.../gumby_cell/subsys/dce/sec/oddball -at 05:30
dcecp>  

registry connect

Connects the local (that is, default) cell of the local host to the foreign cell specified by the argument.  The syntax is as follows:

registry connect cell_name
-group local_group_name -org local_org_name -mypwd local_password
-fgroup foreign_group_name -forg foreign_org_name
-facct foreign_account_name -facctpwd foreign_account_password
[-expdate account_expiration_date] [-acctvalid] [-facctvalid]

Options

-group local_group_name
Specifies the group for the local account.

-org local_org_name
Specifies the organization for the local account.

-mypwd local_password
Specifies the password for the administrator in the local cell.

-fgroup foreign_group_name
Specifies the group for the foreign account.

-forg foreign_org_name
Specifies the organization for the foreign account.

-facct foreign_account_name
Specifies the name for the foreign account.

-facctpwd foreign_account_password
Specifies the password for the administrator in the foreign cell.

-expdate account_expiration_date
Sets an expiration date for both local and foreign accounts.

-acctvalid
Marks the local account as a valid account.  A valid local account allows users from the foreign cell to log in to nodes in the local cell.  The default is invalid.

-facctvalid
Marks the foreign account as a valid account.  A valid foreign account allows users from the local cell to log in to nodes in the foreign cell.  The default is invalid.

The connect operation creates an account in the local cell for the specified foreign cell (/.:/local_cell/sec/principal/krbtgt/foreign_account) and also creates an account in the foreign cell for the local cell (/.:/foreign_cell/sec/principal/krbtgt/local_account).  Both accounts have the same key.  The argument must be the fully qualified name of a single cell.  It cannot be a list or a string binding. 

The -group, -org, -mypwd, and -acctvalid options supply the account information for the local cell.  The -fgroup, -forg, -facct, -facctpwd, and -facctvalid options supply the account information for the foreign cell.

This operation creates the group and organization, specified as the values of the relevant options, if necessary, and puts the relevant principal in them, if necessary.

If the operation fails, it removes any organization, group, or both that it has created and removes the relevant principals.  To protect the password being entered, the registry connect command can be entered only from within dcecp.  You cannot enter it from the operating system prompt by using dcecp with the -c option.

If you do not use the -acctvalid and -facctvalid options, you must mark the accounts as valid (using the dcecp account command) before intercell access is allowed.  This operation returns an empty string on success.

Privileges Required

You must have a (auth_info) permission to the replist object and the permissions required to create principals, groups, organizations, and accounts in the local and foreign cells. 

Examples

dcecp> getcellname
/.../my_cell.com
dcecp>
dcecp> registry connect /.../your_cell.com -group none -org none \
> -mypwd -dce- -fgroup none -forg none -facct cell_admin \
> -facctpwd -dce-
dcecp>

registry delete

Deletes a registry replica from the cell.  The syntax is as follows:

registry delete registry_replica_name [-force]

Option

-force
Used when the target replica is not available, the -force option removes the replica name from the master replica’s replica list and propagates the deletion to other replicas that remain on the list.

The registry delete operation, when called with no options, performs an orderly deletion of a security replica specified as the registry_replica_name argument.  To do so, the operation binds to the master replica.  The master replica then performs the following tasks:

   1.Marks the specified replica as deleted

   2.Propagates this deletion to the other replicas on its replica list

   3.Delivers the delete request to the specified replica

   4.Removes the replica from its replica list

Note that the dcecp  command returns before the deletion is complete because it simply tells the master to perform the delete procedure. 

The -force option causes a more drastic deletion.  It causes the master to first delete the specified replica from its replica list and then propagate the deletion to the replicas that remain on its list.  Since this operation never communicates with the deleted replica, you should use -force only when the replica has died and cannot be restarted.  If you use -force while the specified replica is still running, you should then use the registry destroy command to eliminate the deleted replica.

This operation returns an empty string on success and sets the _b(sec) variable to the master. 

Privileges Required

You must have d (delete) permission to the replist object.

Examples

dcecp> registry delete /.:/subsys/dce/sec/oddball
dcecp>  

registry designate

Changes which replica is the master.  The syntax is as follows:

registry designate registry_replica_name [-slave | -master [-force]]

Options

-slave
Makes the specified replica a slave.  The registry_replica_name argument must identify the master replica.

-master
Makes the specified replica the master.  The registry_replica_name argument must identify a slave replica.

-force
Forces registry_replica_name to become the master, even if other slave replicas are more up to date.  Used only with the -master option.

The preferred method of creating a new master is to use this command with no options in this form:

registry designate registry_replica_name 

This command changes the slave replica named in registry_replica_name to the master by performing an orderly transition.  To do so, it binds to the current master and instructs the master to:

   1.Apply all updates to the replica named in registry_replica_name

   2.Become a slave

   3.Tell the replica named in registry_replica_name to become the master

The -slave or -master options can also be used to change the master to a slave and a slave to a master.  However, using these options is not recommended because updates can be lost.  You should use them only if you must because the master replica is irrevocably damaged and is unable to perform the steps in the orderly transition.  To use these options, enter the command as shown in the following list:

   •To make the master a slave:

registry designate registry_replica_name -slave

The registry_replica_name is the name of the replica to make a slave.

   •To make a slave the master:

registry designate registry_replica_name -master

The registry_replica_name is the name of a slave to make a master.  If a master exists, the command fails.  Also, if there are more up-to-date slaves than the one specified by registry_replica_name, the command fails unless you specify -force to override this default action.

This operation returns the empty string on success and sets the _b(sec) variable as follows:

   •If called with the -force or -master option, it sets _b(sec) to the replica to which it binds.

   •If called with no options, it sets _b(sec) to the master. 

Privileges Required

You must have a (auth_info) permission to the replist object. 

Examples

dcecp> registry designate /.../my_cell/subsys/dce/sec/oddball
dcecp>  

registry destroy

Deletes a registry replica.  The syntax is as follows:

registry destroy registry_replica_name 

The destroy  operation causes the replica named in registry_replica_name to delete its copy of the registry database and to stop running. 

The preferred way to delete replicas is to use the delete operation.  However, the destroy  operation can be used if delete  is unusable because the master is unreachable or the replica is not on the master’s replica list. 

This operation returns an empty string on success and sets the _b(sec) variable to the replica to which it binds. 

Privileges Required

You must have d (delete) permission to the replist object.

Examples

dcecp> registry destroy /.:/subsys/dce/sec/oddball
dcecp>  

registry disable

Disables the master registry for updates.  The syntax is as follows:

registry disable  [registry_replica_name]

The disable   operation disables the master registry for updates.  Generally, use this mode for maintenance purposes.  The registry_replica_name argument is a single name of a master registry to be disabled.  If no argument is given, the operation uses the name in the _s(sec) convenience variable.  If the _s(sec) variable is not set, the operation defaults to the master in the local cell. 

This operation returns an empty string on success and sets _b(sec) to the name of the replica to which it binds. 

Privileges Required

You must have A (admin) permission to the replist object. 

Examples

dcecp> registry disable /.../my_cell.goodcompany.com/subsys/dce/sec/snow
dcecp>  

registry dump

Returns the replica information for each replica in the cell.  The syntax is as follows:

registry dump  [registry_replica_name]

The dump  operation returns the replica information for each replica in the cell.  Replicas are displayed with a blank line between them. 

The registry dump  command is the same as the following script:

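# Collect the -replica view of every server on the replica list,
# separating the entries with a newline.
foreach i [registry catalog] {
 lappend r [registry show $i -replica]
 append r "\n"
}
return $r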

This operation sets the _b(sec) variable to the last replica listed in the display. 

Privileges Required

You must have A (admin) permission to the replist object. 

Examples

dcecp> registry dump
{name /.../dcecp.cell.osf.org/subsys/dce/sec/snow}
{type master}
{cell /.../dcecp.cell.osf.org}
{uuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
{status enabled}
{lastupdtime 1994-10-13-14:44:48.000-04:00I-----}
{lastupdseq 0.271}
{addresses
 {ncacn_ip_tcp 130.105.5.121}
 {ncadg_ip_udp 130.105.5.121}}
{masteraddrs
 {ncacn_ip_tcp 130.105.5.121}
 {ncadg_ip_udp 130.105.5.121}}
{masterseqnum 0.100}
{masteruuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
{version secd.dce.1.1}
{updseqqueue {0.204 0.271}}

{name /.../dcecp.cell.osf.org/subsys/dce/sec/ice}
{type slave}
{cell /.../dcecp.cell.osf.org}
{uuid c772f46a-e1ec-11cd-9a16-0000c0239a70}
{status enabled}
{lastupdtime 1994-10-13-14:44:48.000-04:00I-----}
{lastupdseq 0.271}
{addresses
 {ncacn_ip_tcp 130.105.5.45}
 {ncacn_ip_tcp 130.105.5.45}
 {ncadg_ip_udp 130.105.5.45}}
{masteraddrs
 {ncacn_ip_tcp 130.105.5.121}
 {ncadg_ip_udp 130.105.5.121}}
{masterseqnum 0.100}
{masteruuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
{version secd.dce.1.1}
dcecp>
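
A health check over captured `registry dump` output, built on the synchronization attributes described earlier (status, lastupdseq, masteruuid). This is an added example, not part of the original manual page, and it goes beyond the page by turning those attributes into checks. The function names and the sample dump (modeled on the output above, with made-up names, UUIDs and documentation addresses) are constructed for illustration.

```python
# Constructed sample modeled on the manual's example output; the names,
# UUIDs and addresses are made up for illustration.
SAMPLE_DUMP = """
{name /.../example.cell/subsys/dce/sec/snow}
{type master}
{uuid 00000000-0000-0000-0000-000000000001}
{status enabled}
{lastupdseq 0.271}
{addresses
 {ncacn_ip_tcp 192.0.2.10}
 {ncadg_ip_udp 192.0.2.10}}
{masteruuid 00000000-0000-0000-0000-000000000001}

{name /.../example.cell/subsys/dce/sec/ice}
{type slave}
{uuid 00000000-0000-0000-0000-000000000002}
{status enabled}
{lastupdseq 0.204}
{masteruuid 00000000-0000-0000-0000-000000000001}

{name /.../example.cell/subsys/dce/sec/fog}
{type slave}
{uuid 00000000-0000-0000-0000-000000000003}
{status disabled}
{lastupdseq 0.271}
{masteruuid 00000000-0000-0000-0000-0000000000ff}
"""

def parse_tcl_list(text):
    """Split a Tcl list into its top-level elements (braces group, no escapes)."""
    items, i = [], 0
    while i < len(text):
        if text[i].isspace():
            i += 1
        elif text[i] == "{":
            depth, start = 1, i + 1
            i += 1
            while i < len(text) and depth:
                depth += {"{": 1, "}": -1}.get(text[i], 0)
                i += 1
            if depth:
                raise ValueError("unbalanced braces in dump output")
            items.append(text[start:i - 1])
        else:
            start = i
            while i < len(text) and not text[i].isspace():
                i += 1
            items.append(text[start:i])
    return items

def parse_dump(text):
    """Group {attribute value} pairs into one dict per replica."""
    replicas = []
    for element in parse_tcl_list(text):
        fields = parse_tcl_list(element)
        if not fields:
            continue
        if fields[0] == "name":          # every replica entry starts with name
            replicas.append({})
        if not replicas:
            raise ValueError("attribute found before the first {name ...}")
        values = fields[1:]
        replicas[-1][fields[0]] = values[0] if len(values) == 1 else values
    return replicas

def parse_seq(text):
    """'high.low' -> (high, low); high increments when low wraps."""
    high, low = text.split(".")
    return int(high), int(low)

def updates_behind(master_seq, replica_seq):
    """Number of updates between two sequence numbers (32-bit low word)."""
    return (master_seq[0] - replica_seq[0]) * 2**32 + master_seq[1] - replica_seq[1]

def audit(replicas):
    """Return (replica, problem) pairs worth an administrator's attention."""
    masters = [r for r in replicas if r.get("type") == "master"]
    if len(masters) != 1:
        return [("cell", f"expected exactly one master, found {len(masters)}")]
    master = masters[0]
    master_seq = parse_seq(master["lastupdseq"])
    findings = []
    for replica in replicas:
        short = replica["name"].rsplit("/", 1)[-1]
        if replica.get("status") != "enabled":
            findings.append((short, f"status is {replica.get('status')}"))
        if replica.get("masteruuid") != master["uuid"]:
            findings.append((short, "masteruuid does not match the master's uuid"))
        seq = replica.get("lastupdseq")
        lag = updates_behind(master_seq, parse_seq(seq)) if seq else 0
        if lag > 0:
            findings.append((short, f"{lag} updates behind the master"))
    return findings

if __name__ == "__main__":
    for replica, problem in audit(parse_dump(SAMPLE_DUMP)):
        print(f"{replica}: {problem}")
```
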

registry enable

Enables the master registry for updates.  The syntax is as follows:

registry enable  [registry_replica_name]

The enable operation enables the master registry for updates.  The registry_replica_name argument is a single name of a master registry to be enabled.  If no argument is given, the operation uses the name in the _s(sec) convenience variable.  If the _s(sec) variable is not set, the operation defaults to the master in the local cell. 

This operation returns an empty string on success and sets the _b(sec) variable to the replica to which it binds. 

Privileges Required

You must have A (admin) permission to the replist object. 

Examples

dcecp> registry enable /.../my_cell.goodcompany.com/subsys/dce/sec/snow
dcecp> 

registry help

Returns help information about the registry  object and its operations.  The syntax is as follows:

registry help [operation | -verbose]

Options

-verbose
Displays information about the registry object.

Used without an argument or option, the registry help command returns brief information about each registry operation.  The optional operation argument is the name of an operation about which you want detailed information.  Alternatively, you can use the -verbose option for more detailed information about the registry object itself.

Privileges Required

No special privileges are needed to use the registry help command. 

Examples


dcecp> registry help
catalog             Returns a list of all replicas running in the cell.
checkpoint          Resets registry checkpoint interval dynamically.
connect             Creates local and foreign cross-cell authenticated accounts.
delete              Deletes a replica and removes from master replica list.
designate           Changes which replica is the master.
destroy             Destroys the specified replica and its registry database.
disable             Disables the specified master registry for updates.
dump                Returns replica information for each replica in the cell.
enable              Enables the specified master registry for updates.
modify              Modifies the master registry or replica.
replace             Replaces replica information on master replica list.
set                 Changes which replica is the master.
show                Returns attributes of the registry and its replicas.
stop                Stops the specified security server process.
synchronize         Reinitializes replica with up-to-date copy of the registry.
verify              Returns a list of replicas not up-to-date with the master.
help                Prints a summary of command-line options.
operations          Returns a list of the valid operations for this command.
dcecp> 

registry modify

Changes attributes of the registry.  The syntax is as follows:

registry modify [registry_replica_name] {-change attribute_list | -attribute value | -key}

Options

-attribute value
As an alternative to using options with an attribute list, you can change individual attribute options by prepending a hyphen (-) to any attributes listed in ATTRIBUTES. 

-change attribute_list
Allows you to modify attributes by using an attribute list rather than using individual attribute options.  The format of an attribute list is as follows:

{{attribute value}...{attribute value}}

The change  option cannot be used with the key  option. 

-key
Generates a new master key for the replicas listed as the argument.  Cannot be used with the change option.

The modify operation changes attributes of the registry.  The registry_replica_name is required for the key  option but optional for all other options.  If an argument is not supplied and the _s(sec) variable is not set, the operation defaults to master in the local cell.  This operation returns an empty string on success. 

Use the change  option to modify the value of any one of the attributes. 

The operation also accepts the key  option to generate a new master key for a single replica named in the argument and to reencrypt that registry’s account keys using the new master key.  The new master key is randomly generated.  Each replica (master and slaves) maintains its own master key, which is used to access the data in its copy of the database.  If you use the key  option, you must specify registry_replica_name. 

The change  option and the key  option cannot be used together. 

This operation sets the _b(sec) variable to the replica to which it binds. 

Privileges Required

You must have A (admin) permission to the replist object. 

Examples

dcecp> registry modify -version secd.dce.1.1
dcecp>
dcecp> registry modify -change {deftktlife +0-08:00:00.000I-----}
dcecp>  

registry operations

Returns a list of the operations supported by the registry object.  The syntax is as follows:

registry operations

The list of available operations is in alphabetical order except for help  and operations, which are listed last. 

Privileges Required

No special privileges are needed to use the registry operations command. 

Examples

dcecp> registry operations
catalog checkpoint connect delete designate destroy disable dump
enable modify replace show stop synchronize verify help operations
dcecp>  

registry replace

Replaces the network address of a replica.  The syntax is as follows:

registry replace registry_replica_name -address new_string_binding

Options

-address
The new address for the replica in RPC string-binding format (without the object UUID).  The string binding contains an RPC protocol and a network address in the form:

rpc_prot_seq:network_addr 

The replace operation replaces the network address of the specified replica.  The new address is used by the master and other replicas to contact the replica.  This operation binds to the master, sets the _b(sec) variable to the master, and returns an empty string on success. 

Privileges Required

You must have m (mgmt_info) permission to the replist object. 

Examples

dcecp> registry replace /.:/subsys/dce/sec/maria -address ncadg_ip_udp:15.22.4.93
dcecp>  

registry show

Returns information about the registry and its replicas.  The syntax is as follows:

registry show [registry_replica_name] [-attributes | -policies | -master | -replica [-verbose]]

Options

-attributes
Returns an attribute list of the registry-wide attributes.

-policies
Returns only the registry-wide policies.

-replica
Returns the synchronization information for the specified replica.

-master
Returns the synchronization information kept by the master for each slave.

-verbose
Returns the synchronization information kept by the replica.

The show  operation returns information about the registry and its replicas.  An optional registry_replica_name argument specifies a single registry replica to contact.  The operation returns a variety of different information based on the option given. 

If called with no options or with the attributes  option, the operation returns an attribute list of all the registry-wide attributes. 

If called with the policies option, the operation returns an attribute list of all the registry-wide policies.

If called with the replica  option, the operation returns the propagation information that is kept by the replica specified. 

If called with the master option, the operation returns the propagation information that is kept by the master for each slave.  Use the verbose option to return the propagation information that is kept by the replica.  If you specify this option and the optional registry_replica_name, registry_replica_name must specify the name of the master or the local cell name.

This operation sets the _b(sec) variable to the replica to which it binds. 

Privileges Required

You must have A (admin) permission to the replist object. 

Examples

dcecp> registry show -attributes
{mingid 31000}
{minorgid 100}
{minuid 30000}
{maxuid 32767}
{version secd.dce.1.0.2}
dcecp>
dcecp> registry show -policies
{deftktlife +0-10:00:00.000I-----}
{mintktlife +0-00:05:00.000I-----}
{hidepwd yes}
dcecp>
dcecp> registry show /.../absolut_cell/subsys/dce/sec/ice -replica
{name /.../absolut_cell/subsys/dce/sec/ice}
{type slave}
{cell /.../absolut_cell}
{uuid 91259b6c-9415-11cd-a7b5-080009251352}
{status enabled}
{lastupdtime 1994-07-05-14:38:15.000-04:00I-----}
{lastupdseq 0.191}
{addresses
 {ncacn_ip_tcp 130.105.5.93}
 {ncadg_ip_udp 130.105.5.93}}
{masteraddrs
 {ncacn_ip_tcp 130.105.5.93}
 {ncadg_ip_udp 130.105.5.93}}
{masterseqnum 0.100}
{masteruuid 91259b6c-9415-11cd-a7b5-080009251352}
{supportedversions secd.dce.1.0.2}
{updseqqueue {0.187 0.191}}
dcecp>
dcecp> registry show /.../dcecp.cell.osf.org/subsys/dce/sec/snow -master
{name /.../dcecp.cell.osf.org/subsys/dce/sec/snow}
{uuid 91259b6c-9415-11cd-a7b5-080009251352}
{type master}
{addresses
 {ncacn_ip_tcp 130.105.5.93}
 {ncadg_ip_udp 130.105.5.93}}
{name /.../dcecp.cell.osf.org/subsys/dce/sec/ice}
{uuid 91259b6c-9415-11cd-a7b5-080009251352}
{type slave}
{addresses
 {ncacn_ip_tcp 130.105.5.93}
 {ncadg_ip_udp 130.105.5.93}}
{propstatus update}
{lastupdtime 1994-10-13-14:58:28.000-04:00I-----}
{lastupdseqsent 0.528}
{numupdtogo 0}
{commstate ok}
{lastcommstatus {successful completion}}
dcecp>
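
An added example, not part of the original manual page or of DCE: a Python sketch that parses captured registry show -master output (a Tcl list) and lists slaves the master has not brought up to date. The function names, the HEALTHY table and its reading of numupdtogo and commstate are assumptions; the first sample is this page's own output re-wrapped, the second is constructed.

```python
def tcl_braced(text):
    """Return the top-level {...} elements of a Tcl list (braces only, no backslash quoting)."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            depth += 1
            if depth == 1:
                start = i + 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces in dcecp output")
            if depth == 0:
                items.append(text[start:i])
    if depth:
        raise ValueError("unbalanced braces in dcecp output")
    return items

def parse_master(output):
    """One dict per replica; a {name ...} item starts a new record, nested values become lists."""
    records = []
    for item in tcl_braced(output):
        key, rest = (item.split(None, 1) + ["", ""])[:2]
        if key == "name" or not records:
            records.append({})
        records[-1][key] = tcl_braced(rest) if rest.startswith("{") else rest
    return records

# Assumed reading of the fields: no updates queued and the master's last contact succeeded.
HEALTHY = (("numupdtogo", "0"), ("commstate", "ok"))
def lagging_slaves(records):
    """Return (name, reasons) for each slave whose state differs from HEALTHY or is missing."""
    findings = []
    for rec in records:
        reasons = [f"{k}={rec.get(k)}" for k, want in HEALTHY if rec.get(k) != want]
        if rec.get("type") == "slave" and reasons:
            findings.append((rec["name"], reasons))
    return findings

# The -master example output from this page, re-wrapped (whitespace is not significant).
PAGE_SAMPLE = """
{name /.../dcecp.cell.osf.org/subsys/dce/sec/snow} {uuid 91259b6c-9415-11cd-a7b5-080009251352}
{type master} {addresses {ncacn_ip_tcp 130.105.5.93} {ncadg_ip_udp 130.105.5.93}}
{name /.../dcecp.cell.osf.org/subsys/dce/sec/ice} {uuid 91259b6c-9415-11cd-a7b5-080009251352}
{type slave} {addresses {ncacn_ip_tcp 130.105.5.93} {ncadg_ip_udp 130.105.5.93}}
{propstatus update} {lastupdtime 1994-10-13-14:58:28.000-04:00I-----} {lastupdseqsent 0.528}
{numupdtogo 0} {commstate ok} {lastcommstatus {successful completion}}"""
# Constructed variant: the same output with three updates still queued for the slave.
CONSTRUCTED_LAGGING = PAGE_SAMPLE.replace("{numupdtogo 0}", "{numupdtogo 3}")
```

A slave record that lacks either field is reported too, so truncated output is not mistaken for a healthy replica.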

registry stop

Stops the specified security server process.  The syntax is as follows:

registry stop registry_replica_name

The stop operation stops the security server specified in the argument.  The registry_replica_name argument is required and must explicitly name one replica.  (A cell name is not valid because more than one replica can operate in a cell.) This operation returns an empty string on success and sets the _b(sec) variable to the replica to which it binds. 

Privileges Required

You must have A (admin) permission to the replist object. 

Examples

dcecp> registry stop /.:/subsys/dce/sec/snow
dcecp> 

registry synchronize

Causes the specified replica to reinitialize itself with an up-to-date copy of the database.  The syntax is as follows:

registry synchronize registry_replica_name

The synchronize  operation reinitializes a slave replica with an up-to-date copy of the database.  registry_replica_name is the name of the slave replica to operate on. 

This operation binds to the master and tells the master to:

   1. Mark the specified replica named in registry_replica_name for reinitialization.

   2. Send a message to the replica informing it to reinitialize itself.

   3. Give the replica a list of other replicas with up-to-date copies of the registry.

The replica to be initialized then selects a replica from the list provided by the master and asks for a copy of the database.  Note that the dcecp  command returns before the synchronization is complete because it simply tells the master to perform the synchronize procedure. 

Normally, you do not need to use the registry synchronize command because registries remain synchronized automatically.  This operation returns an empty string on success. 

This operation sets the _b(sec) variable to the master in the local cell. 

Privileges Required

You must have A (admin) permission to the replist object. 

Examples

dcecp> registry synchronize /.:/subsys/dce/sec/oddball
dcecp>  

registry verify

Checks whether all registry replicas are up to date.  The syntax is as follows:

registry verify  [registry_replica_name]

Checks whether all registry replicas are up to date.  If they are, it returns an empty string. 

This operation sets the _b(sec) variable to the last replica to which it binds. 

Privileges Required

You must have a (auth_info) permission to the replist object. 

Examples

If the replicas are up to date, the command returns an empty string, as in the following:

dcecp> registry verify
dcecp> 

If a replica is not up to date, the command returns the fully qualified replica name, as in the following:

dcecp> registry verify
/.../cell/subsys/dce/sec/oddball
dcecp> 

Related Information

Commands: dcecp(8dce), group(8dce), organization(8dce), principal(8dce), secd(8sec). 
