Command and Technical Reference, Volume 1

defhsd

Purpose

defhsd - Designates a node as either having or using a hashed shared disk.

Syntax

defhsd hsd_name {protect_lvcb | not_protect_lvcb} stripe_size vsd_name...

Flags

None.

Operands

protect_lvcb | not_protect_lvcb: Protects the logical volume control block information that is stored at the first block of a logical volume. If protect_lvcb is specified, the data striping device will skip the first stripe on each underlying virtual shared disk in an HSD. In this case, you should define each logical volume one stripe larger than necessary. If the virtual shared disk software and Logical Volume Manager (LVM) disk mirroring are both used, the logical volume control block information is critical.
hsd_name: Specifies a unique name for the new HSD. This name must be unique across the system partition and should be unique across the SP to avoid any naming conflicts during future system partitioning operations. The length of the name must be less than or equal to 31 characters.
stripe_size: Specifies the maximum size of data stored on a virtual shared disk at one time. The smallest stripe size is 4096 bytes. The stripe size must be a multiple of 4096 and less than or equal to 1GB.
vsd_name: Specifies the virtual shared disks that compose the HSD. All underlying virtual shared disks in the HSD must be defined before using this command.

Description

The defhsd command is used to specify the hsd_name, stripe size and underlying virtual shared disks for the new hashed shared disk.

You can use the System Management Interface Tool (SMIT) to run this command. To use SMIT, enter:

smit vsd_data

and select the Define a Hashed Shared Disk option.

Security

You must be in the AIX bin group and have write access to the SDR to run this command.

Prerequisite Information

PSSP: Managing Shared Disks

Location

/usr/lpp/csd/bin/defhsd

Related Information

Commands: hsdatalst, undefhsd, updatehsd

Refer to PSSP: Managing Shared Disks for information on tuning IBM Virtual Shared Disk performance and sequence numbers.

Examples

The following example adds SDR information indicating a stripe size of 32768, composed of vsd.vsdn101, vsd.vsdn201, and the name hsd1 is defined.

defhsd hsd1 protect_lvcb 32768 vsd.vsdn101 vsd.vsdn201

defvsd

Purpose

defvsd - Designates a node as either having or using a virtual shared disk.

Syntax

defvsd logical_volume_name global_group_name vsd_name [nocache | cache]

Flags

None.

Operands

logical_volume_name

Is the name of the logical volume you want to specify as a virtual shared disk. This logical volume must reside on the global volume group indicated. The length of the name must be less than or equal to 15 characters.

global_group_name

Is the name of the globally-accessible volume group previously defined by the vsdvg command where you want to specify a virtual shared disk. The length of the name must be less than or equal to 31 characters.

vsd_name

Specifies a unique name for the new virtual shared disk. This name must be unique across the system partition and should be unique across the SP, to avoid any naming conflicts during future system partitioning operations. The suggested naming convention is vsdnngvg_name. The length of the name must be less than or equal to 31 characters.

Note:: If you choose a vsd_name that is already the name of another device, the cfgvsd command will be unsuccessful for that virtual shared disk. This error ensures that the special device files created for the name do not overlay and destroy files of the same name representing some other device type (such as a logical volume).

|nocache | cache

|Affects how requests are processed at the server node. |nocache is the default. cache tells the IBM Virtual |Shared Disk software on the server node to use the cache for all 4KB requests |on 4KB boundaries. Otherwise, the cache is not used.

|The cache option should only be used if the using application |gains performance by avoiding a 4KB read immediately after a 4KB write. |Refer to PSSP: Managing Shared Disks for additional |information on IBM Virtual Shared Disk tuning.

|Note:: IBM Virtual Shared Disk caching is no longer supported. This |information will still be accepted for compatibility with previous releases, |but the IBM Virtual Shared Disk device driver will ignore the |information. |

Description

This command is run to specify logical volumes residing on globally accessible volume groups to be used as virtual shared disks.

You can use the System Management Interface Tool (SMIT) to run the defvsd command. To use SMIT, enter:

smit vsd_data

and select the Define a Virtual Shared Disk option.

Security

You must be in the AIX bin group and have write access to the SDR to run this command.

Prerequisite Information

PSSP: Managing Shared Disks

Related Information

Commands: vsdatalst, vsdvg, undefvsd

Refer to PSSP: Managing Shared Disks for information regarding IBM Virtual Shared Disk performance enhancements.

Examples

The following example adds SDR information indicating that on globally accessible volume group vg1n1, the logical volume known as lv1vg1n1 is used as a noncached virtual shared disk named vsd1vg1n1.
```
defvsd lv1vg1n1 vg1n1 vsd1vg1n1
```
The following example defines cachable virtual shared disk vsd1vg2n1 on the lv2vg1n1 logical volume on the vg1n1 globally accessible volume group
```
defvsd lv2vg1n1 vg1n1 vsd1vg2n1 cache
 
```

delnimclient

Purpose

delnimclient - Deletes a Network Installation Management (NIM) client definition from a NIM master.

Syntax

delnimclient -h | -l node_list | -s server_node_list

Flags

-h: Displays usage information. If the command is issued with the -h flag, the syntax description is displayed to standard output and no other action is taken (even if other valid flags are entered along with the -h flag).
-l node_list: Indicates by node_list the SP nodes to be unconfigured as NIM clients of their boot/install servers. The node_list is a comma-separated list of node numbers.
-s server_node_list: Indicates by server_node_list the SP boot/install server nodes on which to delete all NIM clients that are no longer defined as boot/install clients in the System Data Repository (SDR). Server node 0 (zero) signifies the control workstation.

Operands

None.

Description

Use this command to undefine a node as a NIM client. This is accomplished by determining the node's boot/install server and unconfiguring that client node as a NIM client on that server. When complete, the entry for the specified client is deleted from the NIM configuration database on the server. This command does not change the boot/install attributes for the nodes in the System Data Repository.

Note:: This command results in no processing on the client node.

|Environment Variables

|PSSP 3.4 provides the ability to run commands using secure remote |command and secure remote copy methods.

|To determine whether you are using either AIX rsh or rcp |or the secure remote command and copy method, the following environment |variables are used. |If no environment variables are set, the defaults are |/bin/rsh and /bin/rcp.

|You must be careful to keep these environment variables consistent. |If setting the variables, all three should be set. The DSH_REMOTE_CMD |and REMOTE_COPY_CMD executables should be kept consistent with the choice of |the remote command method in RCMD_PGM: |

|RCMD_PGM - remote command method, either rsh or |secrshell
|DSH_REMOTE_CMD - remote command executable
|REMOTE_COPY_CMD - remote copy executable |

|For example, if you want to run delnimclient using a secure remote |method, enter:

|export RCMD_PGM=secrshell
|export DSH_REMOTE_CMD=/bin/ssh
|export REMOTE_COPY_CMD=/bin/scp

Standard Error

This command writes error messages (as necessary) to standard error.

Exit Values

0: Indicates the successful completion of the command.
-1: Indicates that an error occurred.

Security

You must have root privilege to run this command.

Implementation Specifics

This command is part of the IBM Parallel System Support Programs (PSSP) Licensed Program (LP).

Location

/usr/lpp/ssp/bin/delnimclient

Related Information

Commands: mknimclient, setup_server

Examples

To delete the NIM client definition for nodes 1, 3, and 5 from the NIM database on their respective boot/install servers, enter:

delnimclient -l 1,3,5

delnimmast

Purpose

delnimmast - Unconfigures a node as a Network Installation Management (NIM) master.

Syntax

delnimmast -h | -l node_list

Flags

-h: Displays usage information. If the command is issued with the -h flag, the syntax description is displayed to standard output and no other action is taken (even if other valid flags are entered along with the -h flag).
-l node_list: Indicates by node_list the SP nodes to be unconfigured as NIM masters. The node_list is a comma-separated list of node numbers. Node number 0 (zero) signifies the control workstation.

Operands

None.

Description

Use this command to undefine a node as a NIM master. This command does not change the boot/install attributes for the nodes in the System Data Repository.

|Environment Variables

|PSSP 3.4 provides the ability to run commands using secure remote |command and secure remote copy methods.

|RCMD_PGM - remote command method, either rsh or |secrshell
|DSH_REMOTE_CMD - remote command executable
|REMOTE_COPY_CMD - remote copy executable |

|For example, if you want to run delnimmast using a secure remote |method, enter:

|export RCMD_PGM=secrshell
|export DSH_REMOTE_CMD=/bin/ssh
|export REMOTE_COPY_CMD=/bin/scp

Standard Error

This command writes error messages (as necessary) to standard error.

Exit Values

0: Indicates the successful completion of the command.
-1: Indicates that an error occurred.

Security

You must have root privilege to run this command.

Implementation Specifics

This command is part of the IBM Parallel System Support Programs (PSSP) Licensed Program (LP).

Location

/usr/lpp/ssp/bin/delnimmast

Related Information

Commands: mknimmast, setup_server

Examples

To unconfigure nodes 1, 3, and 5 as NIM masters and delete the NIM file sets, enter:

delnimmast -l 1,3,5

dsh

Purpose

dsh - Issues commands to a group of hosts in parallel.

Syntax

dsh: [-q]

dsh: [-h]

|dsh: |[-i] [-v] |[-c] [-a] |[-t] [-G] |[-d] [-D] |[-l login_name]
|: |[-N node_group,node_group,... |[-w |{host_name[,host_name...] | -}
|: |[-f fanout_value] |[-o "flags_and_parms"] |[command]

Flags

-q: Displays a list of hosts in the current working collective file. The WCOLL environment variable is examined to find the name of the file containing the host names in a working collective, and host names from that file are displayed. In addition, the value of the FANOUT environment variable is displayed.
-h: Displays usage information.
-i: Contains information about the working collective and commands. If this flag is set, the working collective and the command is displayed as each command is issued.
-v: Verifies hosts before adding to the working collective. If this flag is set, each host to be added to the working collective is checked before it is added to the collective. If a host is not responding, it is not included in the working collective. In command line mode, you will be prompted to include any host which is not responding. Anything other than "Y" or "y" will result in the host being excluded from the working collective.
-c: Indicates that dsh continues to send commands to hosts for which previous rsh runs have returned a nonzero return code. If this flag is not set, the host is removed from the working collective for the duration of this dsh command. |
|-a: |Specifies that the System Data Repository (SDR) initial_hostname |or reliable_hostname field for all nodes in the current system |partition be added to the working collective. If -G is |specified, all nodes in the SP system are included. By default, the |initial_hostname field is used. If the HN_METHOD=reliable |environment variable is specified, the reliable_hostname field will |be used. |
|-t: |Specifies the target shell syntax. This flag is used to create the |syntax of the internal environment variables passed with the command. |Supported shells are ksh and csh. The default is |ksh.
-G: Changes the scope of the -a and -N arguments from the current system partition to the SP system. |
|-d: |Forwards the DCE credentials for authentication by using the |-f flag on the rsh command. If this flag is not |set, the dsh command will not forward DCE credentials. This |option is relevant only for use with rsh. |
|-D: |Recursively forwards the DCE credentials for authentication by using the |-F flag on the rsh command. If this flag is not |set, the dsh command will not forward DCE credentials. This |option is relevant only for use with rsh.
-l login_name: Specifies a remote user name under which to execute the commands. If l is not used, the remote user name is the same as your local user name. (This is lowercase l, as in list.) |
|-w {host_name[,host_name...] | |-}: |Specifies one or more host names, separated by commas (and not containing |spaces between commas and host names), to include in the working |collective. Both this flag and the -a flag can be |included on the same command line.
|If -w - is specified, host names are added to the |working collective from standard input by entering host names one line at a |time from standard input. To signal that all host names have been |entered and to exit from standard input, an end-of-file character must be |specified (for example, <Ctrl-d>). When |<Ctrl-d> is pressed, you will be placed into dsh |command line mode (for example, a dsh> prompt) where the commands to be run |on host names are entered. Duplicate host names are included only once |in the working collective.
-f: Specifies a fanout value. The default value is 64. It indicates the maximum number of concurrent remote shell runs to execute. Sequential execution can be specified by indicating a fanout value of 1. The fanout value is taken from the FANOUT environment variable if the -f flag is not specified, otherwise the default is used. |
|-o flags_and_parms: |Specifies flags and parameters to be passed to the remote command. |You must surround the set of flags and parameters with either single or double |quotes. The flags and parameters must be passed to your remote command |program and their use will be defined by your remote command program.
|The -o "keyword_value" option input to the secure |remote command is not supported by PSSP dsh. For example, |dsh -w host_name -o "-o |'BatchMode yes'" while running a secure remote command |method is not supported. The ability to use the -o |"keyword_value" secure remote command option is provided in the AIX |5L 5.1 dsh located in /opt/bin/dsh.
-N: Specifies a list of node groups. Each node group is resolved into nodes and these nodes are added to the working collective. If -G is supplied, a global node group is used. Otherwise, a partitioned-bound node group is used.

If the -a, -w, or -N flags are not specified, the WCOLL environment variable contains the name of a file containing host names for the working collective.

Operands

|command: |Specifies a command to execute on the working collective. It is |passed to the remote command.

Description

The dsh executes commands against all or any subset of the hosts in a network. If the command operand is not specified, it reads lines from the command line or standard input and executes each as a command on a set of network-connected hosts. To exit the dsh command line mode, type "exit" or press enter at the dsh prompt. Alternatively, a single command in remote command syntax can be specified on the dsh command line.

As each command is read, it is interpreted by passing it to each host in a group called the working collective.

The working collective is obtained from the first existence of one of the following:

A list of host names specified on the command line and the members of the cluster as listed in the SDR.
The contents of a file named by the WCOLL environment variable.

If neither of these exist, an error has occurred and no commands are issued.

The working collective file should have one host name per line. Blank lines and comment lines beginning with # are ignored.

|The path used when resolving the dsh command on the target |nodes is the path set by the user with the DSHPATH environment |variable. If DSHPATH is not set, the path used is the rsh or |dsh default path, |/usr/ucb:/bin:/usr/bin:. The DSHPATH |environment variable only works when the user's remote login shell is the |Bourne or Korn shell. An example would be to set DSHPATH to the path |set on the source machine (for example, DSHPATH=$PATH).

|The maximum number of concurrent remote command runs can be |specified with the fanout (-f) flag or via the FANOUT |environment variable. If desired, sequential execution can be obtained |by specifying a fanout value of 1. Results are displayed as remote |commands complete. All remote shell runs in a fanout must complete |before the next set of remote commands runs is started. If fanout is |not specified via FANOUT or the -f flag, runs to 64 hosts are |issued concurrently. Each remote command that dsh runs |requires a reserved TCP/IP port and only 512 such ports are available per |host. With large fanouts, it is possible to exhaust all of the ports on |a host, causing commands that use these ports to be unsuccessful.

|Exit values for the commands are displayed in messages from |dsh if nonzero. (A nonzero return code from the remote command |indicates that the remote command was unsuccessful.) If the remote |command is unsuccessful, that host is removed from the current working |collective (not the current working collective file), unless the |-c flag was set.

|The dsh exit value is 0 if no errors occurred in the |dsh command and all remote commands finished with exit codes of |0. The dsh exit value is more than 0 if internal errors occur |or the remote commands return an error. The exit value is increased by |1 for each remote command error.

No particular error recovery for command errors on remote hosts is provided. The application or user can examine the command results in dsh's standard error and standard output, and take appropriate action.

The dsh command waits until results are in for each command for all hosts and displays those results before reading more input commands.

|The dsh command does not work with interactive commands, |including those that read from standard input. You must ensure that the |interactive commands can run their remote command method without prompts |before using dsh.

The dsh command output consists of the output (standard error and standard output) of the remotely executed commands. The dsh standard output is the standard output of the remote command. The dsh standard error is the standard error of the remote command. Each line is prefixed with the host name of the host from which that output came. The host name is followed by ":" and a line of the command output.

For example, let's say that a command |date was issued to a working collective of host1, host2, and host3. When the command was issued on each of the hosts, the following lines were written by the remote commands:

|For host1 stdout:
|Thur Mar 29 07:05:40 EST 2001
| 
|For host2 stdout:
|Thur Mar 29 07:05:40 EST 2001
| 
|For host3 stdout:
|Thur Mar 29 07:05:40 EST 2001
| 
|For host3 stderr:
|date: not found
| 
|dsh stdout will be
|host1: Thur Mar 29 07:05:40 EST 2001
|host2: Thur Mar 29 07:05:40 EST 2001
|host3: Thur Mar 29 07:05:40 EST 2001
| 
|dsh stderr will be
|host3: date: not found

A filter to display the output lines by the host is provided separately. See the dshbak command.

If a host is detected as down (for example, a |remote command returns a nonzero return code), subsequent commands are not sent to it on this invocation of dsh, unless the -c (continue) option is specified on the command line.

An exclamation point at the beginning of a command line causes the command to be passed directly to the local host in the current environment. The command is not sent to the working collective.

Signals 2 (INT), 3 (QUIT), and 15 (TERM) are propagated to the remote commands.

Signals 19 (CONT), 17 (STOP), and 18 (TSTP) are defaulted. This means that the dsh command responds normally to these signals, but they do not have an effect on the remotely running commands. Other signals are caught by dsh and have their default effects on the dsh command. In the case of these other signals, all current children, and via propagation their remotely running commands, are terminated (SIGTERM).

Files

/usr/sbin/dshbak: The supplied backend formatting filter.
working collective file: A file containing host names, one per line, that defines a working collective.

|Environment Variables

|The dsh command uses either the AIX rsh command or a |secure remote command of your choice to function depending on the setting of |the DSH_REMOTE_CMD and the RCMD_PGM environment variables. If the |environment variables are not set, the default is DSH_REMOTE_CMD=/bin/rsh and |RCMD_PGM=rsh. If RCMD_PGM=secrshell and DSH_REMOTE_CMD is not |specified, the default is DSH_REMOTE_CMD=/bin/ssh. |

|DSH_REMOTE_CMD - remote command executable
|RCMD_PGM - remote command method, either rsh or |secrshell
|HN_METHOD=reliable or initial
|This environment variable will be used with the dsh -a or |dsh -a -v options to determine whether to use the |reliable_hostname or initial_hostname when building the |working collective. The default is the |initial_hostname.
|DSHPATH=PATH to the command on the remote node
|The path used when resolving the dsh command on the target |nodes. |

Security

With AIX 4.3.1, rsh has the capability of supporting Kerberos Version 5 in addition to Kerberos Version 4 on the SP. DCE credentials may be required depending on the authentication method set on the host. The AIX command lsauthent or the SP command lsauthpar can be used to find the authentication method currently in use.

|You must have access to the AIX remote commands or the secure remote |commands to run this command.

Restrictions

The command attempts to execute the command string on the remote node, using the current operating locale of the process on the local node from which the command was issued. If this locale is not installed on the remote node, default AIX behavior is used, such that the remote command executes in the default locale defined to AIX on that node.

Location

|/usr/lpp/ssp/bin/dsh

Related Information

PSSP commands: dshbak, sysctl

AIX commands: rsh

|Secure remote commands

Examples

|To issue the ps command on each host listed in the |wchosts file, enter:
```
|export WCOLL=/wchosts
|dsh ps
```
To list the current working collective file as specified by the WCOLL environment variable, enter:
```
dsh -q
```
To set the working collective to three hosts and start reading commands from standard input, enter:
```
dsh -w otherhost1,otherhost2,otherhost3
```
To set the current working collective to three hosts, plus the members of the cluster, and issue a command on those hosts formatting the output, enter:
```
dsh -w host1,host2,host3 -a cat /etc/passwd | dshbak
```
To append the file remotefile on otherhost to otherremotefile, which is on otherhost, enter:
```
dsh -w otherhost cat remotefile '>>' otherremotefile
 
```
To run a file of commands sequentially on all the members of the current system partition and save the results in a file, including the collective and the working collective for each command, enter:
```
dsh -if 1 -a < commands_file > results 2>&1
```
To run the ps command on the working collective and filter results locally, enter:
```
dsh ps -ef | grep root
```
To run the ps command and filter results on the working collective hosts (this can improve performance considerably), enter:
```
dsh 'ps -ef | grep root'
```
or
```
dsh ps -ef "|" grep root
```
To cat a file from host1 to the local system stripping off the preceding host name to preserve the file, enter:
```
dsh -w host1 cat /etc/passwd | cut -d: -f2- | cut -c2- > myetcpasswd
```
To run the ps command on each node in the node group my_nodes, enter:
```
dsh -N my_nodes ps
```
|To enter a list of host names using standard input (for example, |-w - and then request the date from the specified hosts, |enter:
```
|dsh -w -
```
|You will know that you are in standard input because a new line is |provided that has no prompt. When you complete the list of host names, |press <Ctrl-d> to drop into dsh command line mode (for |example, dsh>. At the dsh> prompt, specify the |command you want run on the target hosts, in this case date.
|The output will be similar to the following:
```
|#dsh -w -
|host1
|host2
|host3
|Ctrl-d
|dsh> date
|host1: Fri Mar 23 08:46:59 EST 2001
|host2: Fri Mar 23 08:46:59 EST 2001
|host3: Fri Mar 23 08:46:59 EST 2001
|dsh> exit
|#
```
To run the rm command to remove /tmp/error.log on otherhost using the DCE credentials of this user, enter:
```
 dsh -D otherhost /bin/rm /tmp/error.log
 
```
|To set -t timeout value for the rsh command |on host1, enter:
```
|dsh -w host1 -o "-t5" date
```
|To run dsh using a secure remote command and issue the date |command with verbose turned on in the secure remote command program, |enter:
```
|export RCMD_PGM=secrshell
| 
|export DSH_REMOTE_CMD=/usr/local/bin/ssh
| 
|dsh -o "-v" date
```
|To run dsh on all hosts using the reliable hostname, |enter:
```
|export HN_METHOD=reliable
|dsh -a date
```
|To use a target shell of cshell instead of Korn shell, use the |dsh -t flag:
```
|dsh -t csh date
```
|To use a target shell as cshell and pass a timeout value into |rsh, enter:
```
|dsh -t csh -o "-t5" date
```

dshbak

Purpose

dshbak - Presents formatted output from the dsh and sysctl commands.

Syntax

dshbak [-c]

Flags

-c: Collapses identical output from more than one host so that it is displayed only once.

Operands

None.

Description

The dshbak command takes lines in the following format:

 host_name: line of output from remote command

The dshbak command formats them as follows and writes them to standard output. Assume that the output from host_name3 and host_name4 is identical and the c option was specified:

HOSTS -----------------------------------------------------------------
host_name1
-----------------------------------------------------------------------
.
.
lines from dsh or sysctl with host_names stripped off
.
.
HOSTS -----------------------------------------------------------------
host_name2
-----------------------------------------------------------------------
.
.
lines from dsh or sysctl with host_names stripped off
.
.
HOSTS -----------------------------------------------------------------
host_name3             host_name4
-----------------------------------------------------------------------
.
.
lines from dsh or sysctl with host_names stripped off
.
.

When output is displayed from more than one host in collapsed form, the host names are displayed alphabetically.

When output is not collapsed, output is displayed sorted alphabetically by host name.

The dshbak command writes "." for each 1000 lines of output filtered.

Standard Error

|When the dshbak filter is used, and standard error messages |are generated, all error messages (on standard error) will appear before all |standard output messages. This is true with and without |-c specified. For example:

[k7s][/]> dsh -w k7n01,k7n08 lsauthent | dshbak -c
k7n08: rshd: Kerberos 5 Authentication Failed: User hosts/k7cw.ppd.pok.
ibm.com/self@k7dcecell is not authorized to login to account root.
k7n08: rshd: Kerberos Authentication Failed: Access denied because of
improper credentials.
k7n08: spk4rsh: 0041-004 Kerberos rcmd failed: rcmd protocol failure.
HOSTS -----------------------------------------------------------------
k7n01              k7n08
-----------------------------------------------------------------------
Kerberos 5
Kerberos 4
Standard Aix

Location

/usr/sbin/dshbak

Related Information

Commands: dsh, sysctl

Examples

To display the results of a command executed on several hosts in the format described previously, enter:
```
dsh -w host1,host2,host3 cat /etc/passwd | dshbak
```
To display the results of a command executed on several hosts with identical output displayed only once, enter:
```
dsh -w host1,host2,host3 pwd | dshbak -c
```

dsrvtgt

Purpose

dsrvtgt - Gets DCE credentials as a service principal, or as a user using a keyfile.

Syntax

dsrvtgt {-h | [-f] service-name | user-principal keytab-path}

Flags

-h: Specifies that the command syntax is to be listed. When this flag is specified, any operands are ignored.
-f: Specifies that the credentials that can be forwarded should be obtained, if possible.

Operands

service-name: The predefined name of a service listed in the spsec_defaults file, if the client will be a service principal.
user-principal: The DCE principal name of the user, whose identity will be used to get credentials.
keytab-path: The full pathname of the keytab file to use when specifying a user principal name. This operand is not used when a service-name is specified.

Description

The dsrvtgt command uses the private key of a principal stored in a keytab file to obtain credentials as a DCE principal, rather than a password. It prints to standard output the value that must be assigned to the KRB5CCNAME environment variable to allow the credentials to be used by the invoking process. It is the responsibility of the calling process to remove the credentials using the kdestroy command.

If Kerberos 5 is not an active authentication method for AIX remote commands and DCE is not an active authentication method for SP trusted services, this command performs no function and generates no output, but returns successfully.

Files

The credentials cache file created by DCE in /opt/dcelocal/var/security/creds.

The spsec_defaults configuration file located in /usr/lpp/ssp/config.

The spsec_overrides configuration file located in /spdata/sys1/spsec.

A keytab file. For a service principal, it will be named /spdata/sys1/keyfiles/principal.

Standard Output

If DCE credentials are obtained, this command writes the name of the credentials cache file that was created prefixed by "FILE:".

Standard Error

Output consists of error messages, when the command cannot complete successfully.

There are no unique consequences of command errors.

Exit Values

0: Indicates successful completion of the command.
1: Indicates that an error occurred.

Security

The dsrvtgt command can be used by any user who owns a keytab file. When the operand is a service-name, the command must be run by the AIX userid under which the server daemon runs. For example, to log in as a service principal whose keyfile is owned by root, you must be root.

Implementation Specifics

This command is part of the IBM Parallel System Support Programs (PSSP) Licensed Program (LP) (file set ssp.clients).

Prerequisite Information

The online AIX DCE publications for administrators and users.

The chapters on security in the PSSP: Administration Guide.

Location

/usr/lpp/ssp/bin/dsrvtgt

Related Information

Commands: spmankey

Examples

This ksh fragment shows the use of dsrvtgt in a script to obtain credentials using the identity of the generic background root service:

# Get DCE credentials and set KRB5CCNAME, if required
nkrb5=$(/bin/dsrvtgt ssp/spbgroot 2>&1)
if [[ $? -ne 0 ]] then
print ''$nkrb5''
nkrb5=''''
fi
if [[ `''$nkrb5'' != '''' ]] then
okrb5=$KRB5CCNAME
export KRB5CCNAME=$nkrb5
fi
# Use the credentials to access the SDR
SDRChangeAttrValues ..
# Get rid of DCE credentials after use
if [[ ''$nkrb5'' != ```` ]] then
/bin/kdestroy >/dev/null 2>&1
if [[ ''$okrb5'' != ```` ]] then
export KRB5CCNAME=$okrb5
else
unset KRB5CCNAME
fi
fi

Obtaining credentials as an ordinary user principal to invoke a trusted service client interface from a background script; in this case the DCE principal ralph must have previously created the keytab file using his current DCE password:
```
export KRB5CCNAME=$(/bin/dsrvtgt ralph /home/ralph/keyfile)
```

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]