Manual: (HP-UX-11.11)



 registry(1m)		  Open Software Foundation		registry(1m)




 NAME
      registry - A dcecp object that manages a registry in the DCE Security
      Service

 SYNOPSIS
      registry catalog [registry_replica_name] [-master]

      registry checkpoint registry_replica_name
      [-at hh:mm | -cpi {num | numm | numh}]  [-now]

      registry connect cell_name
      -group local_group_name -org local_org_name -mypwd local_password
      -fgroup foreign_group_name -forg foreign_org_name
      -facct foreign_account_name -facctpwd foreign_account_password
      [-expdate account_expiration_date] [-acctvalid] [-facctvalid]

      registry delete registry_replica_name [-force]

      registry designate registry_replica_name
      [-slave | -master [-force]]

      registry destroy registry_replica_name

      registry disable [registry_replica_name]

      registry dump [registry_replica_name]

      registry enable [registry_replica_name]

      registry help [operation | -verbose]

      registry modify [registry_replica_name]
      {-change attribute_list | -attribute value | -key}

      registry operations

      registry replace registry_replica_name -address new_string_binding

      registry show [registry_replica_name]
      [-attributes | -policies | -master | -replica [-verbose]]

      registry stop registry_replica_name

      registry synchronize registry_replica_name

      registry verify [registry_replica_name]


 ARGUMENTS
      cell_name The name of a cell to contact when processing the connect
		operation. The name must be a fully qualified cell name,
		such as /.../cell_name.

 Hewlett-Packard Company	    - 1 -	      OSF DCE 1.1/HP DCE 1.8

      operation The name of the registry operation for which to display help
		information.

      registry_replica_name
		The name of one registry replica to act on.  The replica can
		be a master or a slave replica.	 The argument, which
		overrides a value in the _s(sec) convenience variable, can
		be one of the following:


		  +  A specific cell name to bind to any replica in the
		     named cell, such as /.: or /.../gumby1.

		  +  The global name of a replica to bind to that specific
		     replica in that specific cell, such as
		     /.../gumby1/subsys/dce/sec/oddball.

		  +  The name of a replica as it appears on the replica list
		     to bind to that replica in the local cell, such as
		     subsys/dce/sec/oddball.

		  +  A string binding to a specific replica, such as
		     {ncadg_ip_udp 15.22.144.163}.

		     This form is used primarily for debugging or if the
		     Cell Directory Service (CDS) is not available.


		For those operations for which registry_replica_name is
		optional, the value of _s(sec) is used if no argument is
		given. If the variable is not set, the default argument of
		/.: is assumed.


 DESCRIPTION
      The registry object represents a DCE Security Service registry. The
      registry is a replicated database: each instance of a registry server,
      secd, maintains a working copy of the database in virtual memory and
      on disk.	One server, called the master replica, accepts updates and
      handles the subsequent propagation of changes to all other replicas.
      All other replicas are slave replicas, which accept only queries.
      Each cell has one master replica and may have numerous slave replicas.

      Note that the registry command cannot add, delete, or modify
      information in the registry database, such as names and accounts.	 Use
      the appropriate account, principal, group, or organization command to
      modify registry database entries.

      Two access control lists (ACLs) control access to registry operations.
      For operations dealing with replication, the replist object's ACL
      (usually /.:/sec/replist) controls access.  For those that deal with
      registry attributes and policies, the policy object's ACL (usually
      /.:/sec/policy) controls access.

      When this command executes, it attempts to bind to the registry server
      identified in the _s(sec) variable. If that server cannot process the
      request or if the _s(sec) variable is not set, the command binds to
      either an available slave server or the master registry server,
      depending on the operation. Upon completion, the command sets the
      _b(sec) convenience variable to the name of the registry server to
      which it bound.

 ATTRIBUTES
      The registry object supports the following kinds of attributes:


	+  Registry attributes: These modifiable attributes apply to
	   principals, groups, organizations, and accounts.  The initial
	   values for some of these attributes must be specified when the
	   master Security Server is configured.

	+  Registrywide policy attributes: These modifiable attributes apply
	   to organizations and accounts.  The registrywide organization and
	   account policy overrides the policy set for individual accounts
	   only if the registrywide policy is more restrictive.

	+  Synchronization attributes: These read-only attributes are
	   maintained by each replica about itself.  They cannot be directly
	   modified.  These attributes have no default value, but are
	   computed when the replica is configured.

	+  Replica-specific attributes: These read-only attributes are kept
	   by the master replica for each slave replica.  They cannot be
	   modified directly. These attributes have no default value, but
	   are computed or assigned when the replica is configured.


    Registry Attributes
      deftktlife relative_time
		The default lifetime for tickets issued to principals in
		this cell's registry. Specify the relative time by using the
		Distributed Time Service (DTS) relative time format
		([-]DD-hh:mm:ss). The default is

		+0-10:00:00.000


      hidepwd {yes | no}
		Determines whether encrypted passwords are displayed.  If
		this attribute is set to yes, an asterisk is displayed in
		place of the encrypted password in command output and files
		where passwords are displayed.	The value is either yes or
		no.  The default is yes.

      maxuid integer
		The highest number that can be supplied as a user identifier
		(uid) when principals are created.  This maximum applies to
		both the system-generated and user-entered uids.  The value
		is an integer; the initial value depends on the
		configuration of your system.

      mingid integer
		The starting point for group identifiers (gids)
		automatically generated when a group is created.  You can
		explicitly enter a lower gid than this number; it applies
		only to automatically generated numbers. The value is an
		integer; the initial value depends on the configuration of
		your system.

      minorgid integer
		The starting point for organization identifiers (orgids)
		automatically generated when an organization is created.
		This starting point applies only to automatically generated
		identifiers. You can manually specify an identifier lower
		than the minorgid. The value is an integer; the initial
		value depends on the configuration of your system.

      mintktlife relative_time
		The minimum amount of time before the principal's ticket
		must be renewed.  The value is in DTS relative time format
		(see deftktlife).  This renewal is performed automatically
		with no intervention on the part of the user.  The shorter
		this time is, the greater the security of the system.
		However, extremely frequent renewal can degrade system
		performance.  Both system performance and the level of
		security required by the cell should be taken into
		consideration when selecting the value of this attribute.
		This is a registrywide value only; it cannot be set for
		individual accounts. The default is

		+0-00:05:00.000


      minuid integer
		The starting point for uids automatically generated when a
		principal is created.  This starting point applies only to
		automatically generated identifiers. You can manually
		specify an identifier lower than the minuid. The value is an
		integer; the initial value depends on the configuration of
		your system.

      version string
		The version of the security server software.  The initial
		value depends on the configuration of your system.


    Registrywide Policy Attributes
      acctlife {relative_time | unlimited}
		This registrywide organization policy defines the lifespan
		of accounts.  Specify the time by using the DTS relative
		time format ([-]DD-hh:mm:ss) or the string unlimited to
		define an unlimited lifespan for accounts. The default is
		unlimited.

      maxtktlife relative_time
		This registrywide account policy defines the maximum amount
		of time that a ticket can be valid. Specify the relative
		time by using the DTS relative time format ([-]DD-hh:mm:ss).
		When a client requests a ticket to a server, the lifetime
		granted to the ticket takes into account the maxtktlife set
		for both the server and the client.  In other words, the
		lifetime cannot exceed the shorter of the server's or
		client's maxtktlife.  If you do not specify a maxtktlife for
		an account, the maxtktlife defined as registry authorization
		policy is used. The default is

		+1-00:00:00.000


      maxtktrenew relative_time
		This registrywide account policy defines the amount of time
		before a principal's ticket-granting ticket expires and that
		principal must log in again to the system to reauthenticate
		and obtain another ticket-granting ticket. Specify the time
		by using the DTS relative time format ([-]DD-hh:mm:ss). The
		lifetime of the principal's service tickets can never exceed
		the lifetime of the principal's ticket-granting ticket.	 The
		shorter you make ticket lifetimes, the greater the security
		of the system.	However, since principals must log in again
		to renew their ticket-granting ticket, the time specified
		needs to balance user convenience against the level of
		security required.  If you do not specify this attribute for
		an account, the maxtktrenew lifetime defined as registry
		authorization policy is used.  The default is

		+28-00:00:00.000

		This feature is not currently used by DCE; any use of this
		option is unsupported at the present time.

      pwdalpha {yes | no}
		This registrywide organization policy defines whether
		passwords can consist entirely of alphanumeric characters.
		Its value is either yes or no.	The default is yes.

      pwdexpdate {ISO-timestamp | none}
		This registrywide organization policy defines a date on
		which a password expires.  The date is entered as an
		internationalized date string or the string none, in which
		case there is no expiration date for the password.  The
		default is none.

      pwdlife {relative_time | unlimited}
		This registrywide organization policy defines the lifespan
		of passwords.  Specify the time by using the DTS relative
		time format ([-]DD-hh:mm:ss) or the string unlimited.  The
		default is unlimited.

      pwdminlen integer
		This registrywide organization policy defines the minimum
		number of characters in a password.  Its value is a positive
		integer or the integer 0, which means there is no minimum
		length. The default is 0.

      pwdspaces	 {yes | no}
		This registrywide organization policy defines whether
		passwords can consist entirely of spaces.  Its value is
		either yes or no. The default is no.
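
      The registrywide defaults listed above, checked against a site
      baseline, as an added example that is not part of the original
      manual page.  BASELINE and the function names are hypothetical;
      the default values are the ones this section gives.  It also
      applies the maxtktlife rule: the shorter of the client's and the
      server's value, with the registry value used when an account
      sets none.

```python
import re
from datetime import timedelta

# DTS relative time as used on this page: [-]DD-hh:mm:ss, optional fraction.
_DTS_REL = re.compile(r"^([+-]?)(\d+)-(\d{1,2}):(\d{2}):(\d{2})(?:\.(\d+))?$")

# Registrywide defaults as documented in this section.
REGISTRY_DEFAULTS = {
    "acctlife": "unlimited",
    "maxtktlife": "+1-00:00:00.000",
    "pwdalpha": "yes",
    "pwdlife": "unlimited",
    "pwdminlen": "0",
    "pwdspaces": "no",
}

# Hypothetical site baseline (an assumption, not taken from the manual page).
BASELINE = {
    "pwdminlen": 12,
    "pwdlife": timedelta(days=90),
    "maxtktlife": timedelta(hours=10),
}


def parse_dts_relative(text):
    """Convert a DTS relative time string to a timedelta."""
    match = _DTS_REL.match(text.strip())
    if not match:
        raise ValueError(f"not a DTS relative time: {text!r}")
    sign, days, hours, minutes, seconds, frac = match.groups()
    if int(hours) > 23 or int(minutes) > 59 or int(seconds) > 59:
        raise ValueError(f"field out of range in {text!r}")
    micro = int((frac or "").ljust(6, "0")[:6])
    delta = timedelta(days=int(days), hours=int(hours), minutes=int(minutes),
                      seconds=int(seconds), microseconds=micro)
    return -delta if sign == "-" else delta


def effective_maxtktlife(client_acct, server_acct, registry_policy):
    """Shorter of the two accounts' maxtktlife; unset falls back to registry."""
    def resolve(acct):
        value = acct.get("maxtktlife") or registry_policy["maxtktlife"]
        return parse_dts_relative(value)
    return min(resolve(client_acct), resolve(server_acct))


def review_policy(policy, baseline=BASELINE):
    """Return (attribute, reason) pairs where policy is weaker than baseline."""
    findings = []
    if int(policy["pwdminlen"]) < baseline["pwdminlen"]:
        findings.append(("pwdminlen",
                         f"{policy['pwdminlen']} is below {baseline['pwdminlen']}"))
    if (policy["pwdlife"] == "unlimited"
            or parse_dts_relative(policy["pwdlife"]) > baseline["pwdlife"]):
        findings.append(("pwdlife", f"{policy['pwdlife']} exceeds baseline"))
    if policy["pwdspaces"] == "yes":
        findings.append(("pwdspaces", "all-space passwords are allowed"))
    if parse_dts_relative(policy["maxtktlife"]) > baseline["maxtktlife"]:
        findings.append(("maxtktlife", f"{policy['maxtktlife']} exceeds baseline"))
    return findings


if __name__ == "__main__":
    for attr, reason in review_policy(REGISTRY_DEFAULTS):
        print(f"{attr}: {reason}")
    # Client account limited to 8 hours, server account with no value set.
    print(effective_maxtktlife({"maxtktlife": "+0-08:00:00.000"}, {},
                               REGISTRY_DEFAULTS))
```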


    Synchronization Attributes
      name	The name of the replica.  It is in the form of a fully
		qualified CDS name.

      type	Indicates if the replica is a master or a slave.

      cell	The name of the cell that the replica is in.  It is a fully
		qualified cell name.

      uuid	The Universal Unique Identifier (UUID) of the replica.

      status	The state of the replica.  One of the following:


		becomingmaster
			  The replica is in the process of becoming a
			  master.

		becomingslave
			  The replica is a master in the process of becoming
			  a slave.

		changingkey
			  The replica is in the process of having its master
			  key changed.

		closed	  The replica is in the process of stopping.

		copyingdb The replica is in the process of initializing
			  (copying its database to) another replica.

		deleted	  The replica is in the process of deleting itself.

		disabled  The replica is unavailable for updates, but will
			  accept queries.

		dupmaster Two masters have been found in the cell, and the
			  replica is a duplicate of the real master.

		enabled	  The replica is available for use.

		initializing
			  The replica is in the process of being initialized
			  by the master replica or another up-to-date
			  replica.

		savingdb  The replica is in the process of saving its
			  database to disk.

		unavailable
			  The replica cannot be reached.

		uninitialized
			  The database is a stub database that has not been
			  initialized by the master replica or another up-
			  to-date replica.

		unknown	  The replica is not known to the master.


      lastupdtime
		The localized date and time that the master received the
		replica's last update.

      lastupdseq
		The sequence number of the last update the replica received.
		A sequence number consists of two 32-bit integers separated
		by a dot (high.low).  The high integer increments when the
		low integer wraps.  An example of this attribute is
		{lastupdseq 0.178}.

      addresses A list of the network addresses of the replica.	 There can
		be more than one for connectionless and connection-oriented
		protocols.

      masteraddrs
		The network address of the master replica as determined by
		the replica.  The address is not necessarily correct.  More
		than one address may exist for connectionless and
		connection-oriented protocols, for example.

      masterseqnum
		The master sequence number, which is the sequence number of
		the event that made the replica the master as determined by
		the replica. The number is not necessarily correct.  A
		sequence number consists of two 32-bit integers separated by a
		dot (high.low). The high integer increments when the low
		integer wraps.	An example of this attribute is
		{masterseqnum 0.100}.

      masteruuid
		The UUID of the master replica as determined by the replica.
		This UUID is not necessarily correct.  The value is a UUID.

      supportedversions
		DCE registry version supported by the security service.
		Possible values at DCE Version 1.1 are secd.dce.1.0.2 (for
		DCE Version 1.0.2 and DCE version 1.0.3) and secd.dce.1.1.
		Both versions may be supported (that is, by a DCE Version 1.1
		security server running in a cell with DCE version 1.0.3
		replicas).

      updseqqueue
		A list of two update sequence numbers that are still in the
		propagation queue and have yet to be propagated.  The first
		number is the base propagation sequence number (the last
		number known to have been received by all replicas).  The
		second number is the sequence number of the last update made
		on the master.	This attribute is present only in the master
		replica.  The sequence numbers consist of two 32-bit
		integers separated by a dot (high.low).	 The high integer
		increments when the low integer wraps.	An example of this
		attribute is {updseqqueue {0.100 0.178}}.
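
      The synchronization attributes above, used to check replica
      consistency; an added example that is not part of the original
      manual page.  The sample text is constructed in the attribute-list
      form that registry dump prints, and max_lag and the function names
      are assumptions.

```python
import re

# Constructed sample in the attribute-list form printed by "registry dump".
# Cell name, UUIDs and addresses are made up for this example.
SAMPLE_DUMP = """\
{name /.../example.cell/subsys/dce/sec/snow}
{type master}
{uuid 11111111-aaaa-11cd-aa0c-000000000001}
{status enabled}
{lastupdseq 0.271}
{addresses
 {ncacn_ip_tcp 192.0.2.10}
 {ncadg_ip_udp 192.0.2.10}}
{masteruuid 11111111-aaaa-11cd-aa0c-000000000001}
{updseqqueue {0.204 0.271}}

{name /.../example.cell/subsys/dce/sec/ice}
{type slave}
{uuid 22222222-aaaa-11cd-aa0c-000000000002}
{status enabled}
{lastupdseq 0.204}
{masteruuid 11111111-aaaa-11cd-aa0c-000000000001}

{name /.../example.cell/subsys/dce/sec/frost}
{type slave}
{uuid 33333333-aaaa-11cd-aa0c-000000000003}
{status initializing}
{lastupdseq 0.271}
{masteruuid 99999999-aaaa-11cd-aa0c-000000000009}
"""


def parse_braces(text):
    """Parse nested {a b {c d}} text into nested lists of strings."""
    stack, word = [[]], ""
    for ch in text:
        if ch in "{}" or ch.isspace():
            if word:
                stack[-1].append(word)
                word = ""
            if ch == "{":
                stack.append([])
            elif ch == "}":
                if len(stack) == 1:
                    raise ValueError("unbalanced closing brace")
                finished = stack.pop()
                stack[-1].append(finished)
        else:
            word += ch
    if word:
        stack[-1].append(word)
    if len(stack) != 1:
        raise ValueError("unbalanced opening brace")
    return stack[0]


def parse_dump(dump_text):
    """Return one attribute dict per replica (replicas are blank-line separated)."""
    replicas = []
    for block in re.split(r"\n\s*\n", dump_text.strip()):
        attrs = {}
        for item in parse_braces(block):
            if not isinstance(item, list) or len(item) < 2:
                raise ValueError(f"not an attribute: {item!r}")
            values = item[1:]
            attrs[item[0]] = values[0] if len(values) == 1 else values
        replicas.append(attrs)
    return replicas


def seq_to_int(seq):
    """high.low (two 32-bit integers) as one integer, so wraps compare correctly."""
    high, low = (int(part) for part in seq.split("."))
    if not (0 <= high < 2**32 and 0 <= low < 2**32):
        raise ValueError(f"sequence number out of range: {seq}")
    return (high << 32) | low


def audit(dump_text, max_lag=50):
    """Return (replica, finding) pairs; max_lag is a site-chosen threshold."""
    replicas = parse_dump(dump_text)
    masters = [r for r in replicas if r.get("type") == "master"]
    if len(masters) != 1:
        return [("<cell>", f"expected 1 master, found {len(masters)}")]
    master = masters[0]
    # Second updseqqueue element: sequence number of the master's last update.
    master_last = seq_to_int(master["updseqqueue"][1])
    findings = []
    for r in replicas:
        name = r["name"].rsplit("/", 1)[-1]
        if r.get("status") != "enabled":
            findings.append((name, f"status {r.get('status')}"))
        if r is master:
            continue
        if r.get("masteruuid") != master["uuid"]:
            findings.append((name, "masteruuid differs from master uuid"))
        lag = master_last - seq_to_int(r["lastupdseq"])
        if lag > max_lag:
            findings.append((name, f"{lag} updates behind master"))
    return findings


if __name__ == "__main__":
    for replica, finding in audit(SAMPLE_DUMP):
        print(f"{replica}: {finding}")
```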


    Replica-Specific Attributes
      name	The name of the replica.  It is in the form of a fully
		qualified CDS name.

      uuid	The UUID of the replica.

      type	Indicates if the replica is a master or a slave.

      addresses A list of the network addresses of the replica.	 More than
		one address may exist for connectionless and connection-
		oriented protocols.

      propstatus
		The status of the propagation.	Possible values are as
		follows:


		delete	  The replica is marked for deletion.

		initmarked
			  The replica is marked for initialization.

		initing	  The replica is in the process of initialization,
			  that is, getting an up-to-date copy of the
			  registry.

		update	  The replica is ready to receive propagation
			  updates.


      lastupdtime
		The localized time of the last update sent to the replica.
		This information is meaningful only if propstatus is update.

      lastupdseqsent
		The sequence number of the last update sent to this replica.
		A sequence number consists of two 32-bit integers separated
		by a dot (high.low).  The high integer increments when the
		low integer wraps.  An example of this attribute is

		{lastupdseqsent 0.175}

		This information is meaningful only if propstatus is update.

      numupdtogo
		The number of outstanding updates.  The value is an integer.
		This information is meaningful only if propstatus is update.

      commstate The state of the last communication with the replica.

      lastcommstatus
		The status message of the last communication with the
		replica.

      See the OSF DCE Administration Guide for more information about
      attributes, policies, and synchronizations.

 OPERATIONS

    registry catalog
      Returns a list of the names of the security servers running in the
      cell. The syntax is as follows:

      registry catalog [registry_replica_name] [-master]


       Option


      -master	Returns only the master security server name.

      The catalog operation returns a list of the names of the security
      servers (that is, each copy of the registry) running in the cell.
      This is also known as the replica list. The order of elements returned
      is arbitrary.  The optional registry_replica_name argument can specify
      the name of one other cell or a single string binding. If you specify
      the -master option, the operation returns only the name of the master.

      This operation sets the _b(sec) variable to the name of the replica to
      which it binds.

      Privileges Required

      No special privileges are needed to use the registry catalog command.

      Examples

      dcecp> registry catalog
      /.../dcecp.cell.osf.org/subsys/dce/sec/snow
      /.../dcecp.cell.osf.org/subsys/dce/sec/ice
      dcecp>


    registry checkpoint
      Specifies when registry checkpoints should be performed. The syntax is
      as follows:

      registry checkpoint registry_replica_name
	[-at hh:mm | -cpi {num | numm | numh}]	[-now]


       Options


      -at hh:mm Specifies the hours and minutes of the day (in UTC time)
		to perform the checkpoint.


      -cpi {num | numm | numh}
		Specifies an interval at which to perform checkpoints.

      -now	Specifies an immediate checkpoint.  This is the default.


      The checkpoint operation lets you set the times when the registry
      database should be saved to disk (checkpointed).	You must supply the
      name of a replica for the operation to bind to.

      If you use the -at option, the checkpoint is performed at the
      specified time. The time is in UTC format.  For example, to specify
      3:30 p.m., the entry is 15:30. The checkpoint interval then reverts to
      the default or to the interval specified by the -cpi option.

      If you use the -cpi option, the checkpoint is performed at the
      interval you specify until you specify another interval.	This option
      takes an argument that specifies the interval time as seconds,
      minutes, or hours:


	+  To specify seconds, supply only a number. For example, -cpi 101
	   specifies an interval of 101 seconds.

	+  To specify minutes, enter the number and m.  For example, -cpi
	   101m specifies an interval of 101 minutes.

	+  To specify hours, enter the number and h.  For example, -cpi 101h
	   specifies an interval of 101 hours.


      If you use the -now option, a checkpoint is performed immediately. The
      checkpoint interval then reverts to the default or to the interval
      specified by the -cpi option.  This operation returns an empty string
      on success and sets the _b(sec) variable to the replica to which it
      binds.


      Privileges Required

      You must have ad (auth_info, delete) permission to the replist object.

      Examples

      dcecp> registry checkpoint /.../gumby_cell/subsys/dce/sec/oddball -at 05:30
      dcecp>


    registry connect
      Connects the local (that is, default) cell of the local host to the
      foreign cell specified by the argument.  The syntax is as follows:

      registry connect cell_name
      -group local_group_name -org local_org_name -mypwd local_password
      -fgroup foreign_group_name -forg foreign_org_name
      -facct foreign_account_name -facctpwd foreign_account_password
      [-expdate account_expiration_date] [-acctvalid] [-facctvalid]


       Options


      -group local_group_name
		Specifies the group for the local account.

      -org local_org_name
		Specifies the organization for the local account.

      -mypwd local_password
		Specifies the password for the administrator in the local
		cell.

      -fgroup foreign_group_name
		Specifies the group for the foreign account.

      -forg foreign_org_name
		Specifies the organization for the foreign account.

      -facct foreign_account_name
		Specifies the name for the foreign account.

      -facctpwd foreign_account_password
		Specifies the password for the administrator in the foreign
		cell.

      -expdate account_expiration_date
		Sets an expiration date for both local and foreign accounts.

      -acctvalid
		Marks the local account as a valid account.  A valid local
		account allows users from the foreign cell to log in to
		nodes in the local cell.  The default is invalid.

      -facctvalid
		Marks the foreign account as a valid account.  A valid
		foreign account allows users from the local cell to log in
		to nodes in the foreign cell.  The default is invalid.


      The connect operation creates an account in the local cell for the
      specified foreign cell
      (/.:/local_cell/sec/principal/krbtgt/foreign_account) and also creates
      an account in the foreign cell for the local cell
      (/.:/foreign_cell/sec/principal/krbtgt/local_account). Both accounts
      have the same key.  The argument must be the fully qualified name of a
      single cell.  It cannot be a list or a string binding.

      The -group, -org, -mypwd, and -acctvalid options supply the account
      information for the local cell.  The -fgroup, -forg, -facct,
      -facctpwd, and -facctvalid options supply the account information for
      the foreign cell.

      This operation creates the group and organization, specified as the
      values of the relevant options, if necessary, and puts the relevant
      principal in them, if necessary.

      If the operation fails, it removes any organizations or groups that it
      has created and removes the relevant principals. To protect the
      password being entered, the registry connect command can be entered
      only from within dcecp. You cannot enter it from the operating system
      prompt by using dcecp with the -c option.

      If you do not use the -acctvalid and -facctvalid options, you must
      mark the accounts as valid (using the dcecp account command) before
      intercell access is allowed.  This operation returns an empty string
      on success.

      Privileges Required

      You must have a (auth_info) permission to the replist object and the
      permissions required to create principals, groups, organizations, and
      accounts in the local and foreign cells.

      Examples

      dcecp> getcellname
      /.../my_cell.com
      dcecp>

      dcecp> registry connect /.../your_cell.com -group none -org none \
      > -mypwd -dce- -fgroup none -forg none -facct cell_admin -facctpwd -dce-
      dcecp>


    registry delete
      Deletes a registry replica from the cell.	 The syntax is as follows:

      registry delete registry_replica_name [-force]


       Option


      -force	Used when the target replica is not available.  The -force
		option removes the replica name from the master replica's
		replica list and propagates the deletion to other replicas
		that remain on the list.


      The registry delete operation, when called with no options, performs
      an orderly deletion of a security replica specified as the
      registry_replica_name argument.  To do so, the operation binds to the
      master replica. The master replica then performs the following tasks:


       1.  Marks the specified replica as deleted.

       2.  Propagates this deletion to the other replicas on its replica
	   list.

       3.  Delivers the delete request to the specified replica.

       4.  Removes the replica from its replica list.

      Note that the dcecp command returns before the deletion is complete
      because it simply tells the master to perform the delete procedure.

      The -force option causes a more drastic deletion. It causes the master
      to first delete the specified replica from its replica list and then
      propagate the deletion to the replicas that remain on its list. Since
      this operation never communicates with the deleted replica, you should
      use -force only when the replica has died and cannot be restarted.  If
      you use -force while the specified replica is still running, you
      should then use the registry destroy command to eliminate the deleted
      replica.

      This operation returns an empty string on success and sets the _b(sec)
      variable to the master.

      Privileges Required

      You must have d (delete) permission to the replist object.

      Examples

      dcecp> registry delete /.:/subsys/dce/sec/oddball
      dcecp>


    registry designate
      Changes which replica is the master.  The syntax is as follows:

      registry designate registry_replica_name
      [-slave | -master [-force]]

      Options


      -slave	Makes the specified replica a slave. The
		registry_replica_name argument must identify the master
		replica.

      -master	Makes the specified replica the master. The
		registry_replica_name argument must identify a slave
		replica.

      -force	Forces registry_replica_name to become the master, even if
		other slave replicas are more up to date. Used only with the
		-master option.


      The preferred method of creating a new master is to use this command
      with no options in this form:

      registry designate registry_replica_name

      This command changes the slave replica named in registry_replica_name
      to the master by performing an orderly transition.  To do so, it binds
      to the current master and instructs the master to:


       1.  Apply all updates to the replica named in registry_replica_name.

       2.  Become a slave.

       3.  Tell the replica named in registry_replica_name to become the
	   master.


      The -slave or -master options can also be used to change the master to
      a slave and a slave to a master. However, using these options is not
      recommended because updates can be lost.	 You should use them only if
      the master replica is irrevocably damaged and is unable to perform the
      steps in the orderly transition. To use these options, enter the
      command as shown in the following list:


	+  To make the master a slave:

	   registry designate registry_replica_name -slave

	   The registry_replica_name is the name of the master replica to
	   make a slave.

	+  To make a slave the master:

	   registry designate registry_replica_name -master

	   The registry_replica_name is the name of a slave to make a
	   master. If a master exists, the command fails. Also, if there are
	   more up-to-date slaves than the one specified by
	   registry_replica_name, the command fails unless you specify
	   -force to override this default action.


      Using the -force option will cause the re-initialization of all other
      security replicas in the cell, regardless of whether the other
      security replicas are more up-to-date than the security replica being
      designated as the new master.

      This operation returns an empty string on success and sets the _b(sec)
      variable as follows:


	+  If called with the -force or -master option, it sets _b(sec) to
	   the replica to which it binds.

	+  If called with no options, it sets _b(sec) to the master.


      Privileges Required

      You must have a (auth_info) permission to the replist object.

      Examples

      dcecp> registry designate /.../my_cell/subsys/dce/sec/oddball
      dcecp>


    registry destroy
      Deletes a registry replica.  The syntax is as follows:

      registry destroy registry_replica_name


      The destroy operation causes the replica named in
      registry_replica_name to delete its copy of the registry database and
      to stop running.

      The preferred way to delete replicas is to use the delete operation.
      However, the destroy operation can be used if delete is unusable
      because the master is unreachable or the replica is not on the
      master's replica list.

      This operation returns an empty string on success and sets the _b(sec)
      variable to the replica to which it binds.

      Privileges Required

      You must have d (delete) permission to the replist object.

      Examples

      dcecp> registry destroy /.:/subsys/dce/sec/oddball
      dcecp>


    registry disable
      Disables the master registry for updates. The syntax is as follows:

      registry disable [registry_replica_name]


      The disable  operation disables the master registry for updates.
      Generally, use this mode for maintenance purposes.  The argument is a
      single name of a master registry to be disabled.	If no argument is
      given, the operation uses the name in the _s(sec) convenience
      variable.	 If the _s(sec) variable is not set, the operation defaults
      to the master in the local cell.

      This operation returns an empty string on success and sets _b(sec) to
      the name of the replica to which it binds.

      Privileges Required

      You must have A (admin) permission to the replist object.

      Examples

      dcecp> registry disable /.../my_cell.goodcompany.com/subsys/dce/sec/snow
      dcecp>


    registry dump
      Returns the replica information for each replica in the cell. The
      syntax is as follows:

      registry dump [registry_replica_name]


      The dump operation returns the replica information for each replica in
      the cell. Replicas are displayed with a blank line between them.

      The registry dump command is the same as the following script:

      foreach i [registry catalog] {
         # Collect the replica information for each replica in the cell.
         lappend r [registry show $i -replica]
         # Separate replicas with a blank line.
         append r "\n"
      }
      return $r


      This operation sets the _b(sec) variable to the last replica listed in
      the display.

      Privileges Required

      You must have A (admin) permission to the replist object.

      Examples

      dcecp> registry dump
      {name /.../dcecp.cell.osf.org/subsys/dce/sec/snow}
      {type master}
      {cell /.../dcecp.cell.osf.org}
      {uuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
      {status enabled}
      {lastupdtime 1994-10-13-14:44:48.000-04:00I-----}
      {lastupdseq 0.271}
      {addresses
       {ncacn_ip_tcp 130.105.5.121}
       {ncadg_ip_udp 130.105.5.121}}
      {masteraddrs
       {ncacn_ip_tcp 130.105.5.121}
       {ncadg_ip_udp 130.105.5.121}}
      {masterseqnum 0.100}
      {masteruuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
      {version secd.dce.1.1}
      {updseqqueue {0.204 0.271}}

      {name /.../dcecp.cell.osf.org/subsys/dce/sec/ice}
      {type slave}
      {cell /.../dcecp.cell.osf.org}
      {uuid c772f46a-e1ec-11cd-9a16-0000c0239a70}
      {status enabled}
      {lastupdtime 1994-10-13-14:44:48.000-04:00I-----}
      {lastupdseq 0.271}
      {addresses
       {ncacn_ip_tcp 130.105.5.45}
       {ncacn_ip_tcp 130.105.5.45}
       {ncadg_ip_udp 130.105.5.45}}
      {masteraddrs
       {ncacn_ip_tcp 130.105.5.121}
       {ncadg_ip_udp 130.105.5.121}}
      {masterseqnum 0.100}
      {masteruuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
      {version secd.dce.1.1}
      dcecp>
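
      The following added example (not part of the original reference
      page or of DCE) parses saved registry dump output offline and flags
      slaves whose masteruuid differs from the master's uuid or whose
      lastupdseq is behind the master's. The function names are
      hypothetical, and it assumes sequence numbers compare as "high.low"
      integer pairs.

```python
import re

# Constructed sample in the format of the dump output above; the slave's
# lastupdseq is deliberately behind the master's.
SAMPLE = """\
{name /.../dcecp.cell.osf.org/subsys/dce/sec/snow}
{type master}
{uuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
{lastupdseq 0.271}
{masteruuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}

{name /.../dcecp.cell.osf.org/subsys/dce/sec/ice}
{type slave}
{lastupdseq 0.204}
{addresses
 {ncacn_ip_tcp 130.105.5.45}}
{masteruuid a1248a5e-e1e6-11cd-aa0c-0800092734a4}
"""

def groups(text):
    """Return the contents of each top-level {...} group in text."""
    out, depth, start = [], 0, 0
    for pos, ch in enumerate(text):
        if ch == "{":
            depth += 1
            if depth == 1:
                start = pos + 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                out.append(text[start:pos])
    if depth:
        raise ValueError("unbalanced braces in dump output")
    return out

def parse_dump(text):
    """One dict per replica; a blank line separates replicas."""
    replicas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for group in groups(block):
            key, *rest = group.split(None, 1)
            value = rest[0] if rest else ""
            # Nested lists (addresses, updseqqueue) become token lists.
            nested = value.startswith("{")
            attrs[key] = [g.split() for g in groups(value)] if nested else value
        replicas.append(attrs)
    return replicas

def audit(replicas):
    """Return (replica name, finding) pairs; an empty list means consistent."""
    master = next(r for r in replicas if r.get("type") == "master")
    seq = lambda r: tuple(map(int, r["lastupdseq"].split(".")))  # assumed high.low ints
    findings = []
    for r in replicas:
        if r.get("masteruuid") != master["uuid"]:
            findings.append((r["name"], "masteruuid differs from master uuid"))
        if seq(r) < seq(master):
            findings.append((r["name"], "lastupdseq behind master"))
    return findings
```
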




    registry enable
      Enables the master registry for updates. The syntax is as follows:

      registry enable [registry_replica_name]


      The enable operation enables the master registry for updates.  The
      argument is a single name of a master registry to be enabled.  If no
      argument is given, the operation uses the name in the _s(sec)
      convenience variable.  If the _s(sec) variable is not set, the
      operation defaults to the master in the local cell.

      This operation returns an empty string on success and sets the _b(sec)
      variable to the replica to which it binds.

      Privileges Required

      You must have A (admin) permission to the replist object.

      Examples

      dcecp> registry enable /.../my_cell.goodcompany.com/subsys/dce/sec/snow
      dcecp>


    registry help
      Returns help information about the registry object and its operations.
      The syntax is as follows:

      registry help [operation | -verbose]


      Options


      -verbose	Displays information about the registry object.


      Used without an argument or option, the registry help command returns
      brief information about each registry operation. The optional
      operation argument is the name of an operation about which you want
      detailed information. Alternatively, you can use the -verbose option
      for more detailed information about the registry object itself.

      Privileges Required

      No special privileges are needed to use the registry help command.

      Examples

      dcecp> registry help
      catalog		  Returns a list of all replicas running in the cell.
      checkpoint	  Resets registry checkpoint interval dynamically.
      connect		  Creates local and foreign cross-cell authenticated accounts.
      delete		  Deletes a replica and removes from master replica list.
      designate		  Changes which replica is the master.
      destroy		  Destroys the specified replica and its registry database.
      disable		  Disables the specified master registry for updates.
      dump		  Returns replica information for each replica in the cell.
      enable		  Enables the specified master registry for updates.
      modify		  Modifies the master registry or replica.
      replace		  Replaces replica information on master replica list.
      show		  Returns attributes of the registry and its replicas.
      stop		  Stops the specified security server process.
      synchronize	  Reinitializes replica with up-to-date copy of the registry.
      verify		  Returns a list of replicas not up-to-date with the master.
      help		  Prints a summary of command-line options.
      operations	  Returns a list of the valid operations for this command.
      dcecp>


    registry modify
      Changes attributes of the registry.  The syntax is as follows:

      registry modify [registry_replica_name]
      {-change attribute_list | -attribute value | -key}


      Options


      -attribute value
		As an alternative to using the -change option with an
		attribute list, you can specify individual attribute options
		by prepending a hyphen (-) to any attributes listed in the
		ATTRIBUTES section of this reference page.

      -change attribute_list
		Allows you to modify attributes by using an attribute list
		rather than individual attribute options.  The format of an
		attribute list is as follows:

		{{attribute value}...{attribute value}}


		The -change option cannot be used with the -key option.

      -key	Generates a new master key for the replicas listed as the
		argument. Cannot be used with the -change option.





      The modify operation changes attributes of the registry.	The argument
      is required for the -key option but optional for all other options.
      If an argument is not supplied and the _s(sec) variable is not set,
      the operation defaults to the master in the local cell. This operation
      returns an empty string on success.

      Use the -change option to modify the value of any one of the standard
      registry attributes.

      The operation also accepts the -key option to generate a new master
      key for a single replica named in the argument and to reencrypt that
      registry's account keys using the new master key. The new master key
      is randomly generated.  Each replica (master and slaves) maintains its
      own master key, which is used to access the data in its copy of the
      database.	 If you use the -key option, you must specify the
      registry_replica_name argument.

      The -change option and the -key option cannot be used together.

      This operation sets the _b(sec) variable to the replica to which it
      binds.

      Privileges Required

      You must have A (admin) permission to the replist object.

      Examples

      dcecp> registry modify -version secd.dce.1.1
      dcecp>

      dcecp> registry modify -change {deftktlife +0-08:00:00.000I-----}
      dcecp>


    registry operations
      Returns a list of the operations supported by the registry object. The
      syntax is as follows:

      registry operations


      The list of available operations is in alphabetical order except for
      help and operations, which are listed last.

      Privileges Required

      No special privileges are needed to use the registry operations
      command.





      Examples

      dcecp> registry operations
      catalog checkpoint connect delete designate destroy disable dump enable
      modify replace show stop synchronize verify help operations
      dcecp>


    registry replace
      Replaces the network address of a replica.  The syntax is as follows:

      registry replace registry_replica_name -address new_string_binding


      Options


      -address	The new address for the replica in RPC string-binding format
		(without the object UUID). The string binding contains an
		RPC protocol and a network address in the form:

		rpc_prot_seq:network_addr


      The replace operation replaces the network address of the specified
      replica.	The new address is used by the master and other replicas to
      contact the replica. This operation binds to the master, sets the
      _b(sec) variable to the master, and returns an empty string on
      success.

      Privileges Required

      You must have m (mgmt_info) permission to the replist object.

      Examples

      dcecp> registry replace /.:/subsys/dce/sec/oddball -address ncadg_ip_udp:15.22.4.93
      dcecp>


    registry show
      Returns information about the registry and its replicas. The syntax is
      as follows:

      registry show [registry_replica_name]
      [-attributes | -policies | -master | -replica [-verbose]]


      Options





      -attributes
		Returns an attribute list of the registrywide attributes.

      -policies Returns only the registrywide policies.

      -master	Returns the synchronization information the master keeps for
		each slave.

      -replica	Returns the synchronization information for the specified
		replica.

      -verbose	Returns the synchronization information kept by the replica.


      The show operation returns information about the registry and its
      replicas.	 An optional registry_replica_name argument specifies a
      single registry replica to contact.  The operation returns a variety
      of different information based on the option given.

      If called with no options or with the -attributes option, the
      operation returns an attribute list of all the registrywide
      attributes.

      If called with the -policies option, the operation returns an
      attribute list of all the registrywide policies.

      If called with the -master option, the operation returns the
      propagation information that is kept by the master for each slave. If
      you specify this option and the optional registry_replica_name
      argument, registry_replica_name must specify the name of the master or
      the local cell name.

      If called with the -replica option, the operation returns the
      propagation information that is kept by the specified replica.  Use
      the -verbose option along with the -replica option to return the full
      propagation information that is kept by the replica.

      This operation sets the _b(sec) variable to the replica to which it
      binds.

      Privileges Required

      You must have A (admin) permission to the replist object.

      Examples

      dcecp> registry show -attributes
      {mingid 31000}
      {minorgid 100}
      {minuid 30000}
      {maxuid 32767}
      {version secd.dce.1.0.2}
      dcecp>

      dcecp> registry show -policies
      {deftktlife +0-10:00:00.000I-----}
      {mintktlife +0-00:05:00.000I-----}
      {hidepwd yes}
      dcecp>

      dcecp> registry show /.../absolut_cell/subsys/dce/sec/ice -replica
      {name /.../absolut_cell/subsys/dce/sec/ice}
      {type slave}
      {cell /.../absolut_cell}
      {uuid 91259b6c-9415-11cd-a7b5-080009251352}
      {status enabled}
      {lastupdtime 1994-07-05-14:38:15.000-04:00I-----}
      {lastupdseq 0.191}
      {addresses
       {ncacn_ip_tcp 130.105.5.93}
       {ncadg_ip_udp 130.105.5.93}}
      {masteraddrs
       {ncacn_ip_tcp 130.105.5.93}
       {ncadg_ip_udp 130.105.5.93}}
      {masterseqnum 0.100}
      {masteruuid 91259b6c-9415-11cd-a7b5-080009251352}
      {supportedversions secd.dce.1.0.2}
      {updseqqueue {0.187 0.191}}
      dcecp>

      dcecp> registry show /.../dcecp.cell.osf.org/subsys/dce/sec/snow -master
      {name /.../dcecp.cell.osf.org/subsys/dce/sec/snow}
      {uuid 91259b6c-9415-11cd-a7b5-080009251352}
      {type master}
      {addresses
       {ncacn_ip_tcp 130.105.5.93}
       {ncadg_ip_udp 130.105.5.93}}

      {name /.../dcecp.cell.osf.org/subsys/dce/sec/ice}
      {uuid 91259b6c-9415-11cd-a7b5-080009251352}
      {type slave}
      {addresses
       {ncacn_ip_tcp 130.105.5.93}
       {ncadg_ip_udp 130.105.5.93}}
      {propstatus update}
      {lastupdtime 1994-10-13-14:58:28.000-04:00I-----}
      {lastupdseqsent 0.528}
      {numupdtogo 0}
      {commstate ok}
      {lastcommstatus {successful completion}}
      dcecp>




    registry stop
      Stops the specified security server process. The syntax is as follows:

      registry stop registry_replica_name


      The stop operation stops the security server specified in the
      argument.	 The registry_replica_name argument is required and must
      explicitly name one replica.  (A cell name is not valid because more
      than one replica can operate in a cell.) This operation returns an
      empty string on success and sets the _b(sec) variable to the replica
      to which it binds.

      Privileges Required

      You must have A (admin) permission to the replist object.

      Examples

      dcecp> registry stop /.:/subsys/dce/sec/snow
      dcecp>


    registry synchronize
      Causes the specified replica to reinitialize itself with an up-to-date
      copy of the database.  The syntax is as follows:

      registry synchronize registry_replica_name


      The synchronize operation reinitializes a slave replica with an
      up-to-date copy of the database. registry_replica_name is the name of
      the slave replica to operate on.

      This operation binds to the master and tells the master to:


       1.  Mark the specified replica named in registry_replica_name for
	   reinitialization.

       2.  Send a message to the replica informing it to reinitialize
	   itself.

       3.  Give the replica a list of other replicas with up-to-date copies
           of the registry.


      The replica to be initialized then selects a replica from the list
      provided by the master and asks for a copy of the database.  Note that
      the dcecp command returns before the synchronization is complete
      because it simply tells the master to perform the synchronize
      procedure.

      Normally, you do not need to use the registry synchronize command
      because registries remain synchronized automatically. This operation
      returns an empty string on success.

      This operation sets the _b(sec) variable to the master in the local
      cell.

      Privileges Required

      You must have A (admin) permission to the replist object.

      Examples

      dcecp> registry synchronize /.:/subsys/dce/sec/oddball
      dcecp>


    registry verify
      Checks whether all registry replicas are up to date.  The syntax is as
      follows:

      registry verify [registry_replica_name]


      The verify operation checks whether all registry replicas are up to
      date.  If they are, it returns an empty string.

      This operation sets the _b(sec) variable to the last replica to which
      it binds.

      Privileges Required

      You must have a (auth_info) permission to the replist object.

      Examples

      If the replicas are up to date, the command returns an empty string,
      as in the following:

      dcecp> registry verify
      dcecp>


      If a replica is not up to date, the command returns the fully
      qualified replica name, as in the following:

      dcecp> registry verify
      /.../cell/subsys/dce/sec/oddball
      dcecp>



 RELATED INFORMATION
      Commands: dcecp(1m), dcecp_group(1m), dcecp_organization(1m),
      dcecp_principal(1m), secd(1m).


















































