VMS Help
DCE_SECURITY, Admin Intro, sec_salvage_db

 NAME
   sec_salvage_db - Recover a corrupted registry database.
                    The sec_salvage_db -check and -fix options are not
                    currently available.

 SYNOPSIS

   sec_salvage_db -print [-dbpath db_pathname] [-prtpath print_pathname]
                         [print_options] [-verbose]

   sec_salvage_db -reconstruct [-dbpath db_pathname]
                               [-prtpath print_pathname]
                               [reconstruct_options] [-verbose]

   sec_salvage_db -check [-dbpath db_pathname] [db_options] [-verbose]

   sec_salvage_db -fix [-dbpath db_pathname] [db_options] [-force]
                       [-verbose]

 OPTIONS

   -check    Check the database elements specified by db_options for
             inconsistencies.  This option sends a list to standard output
             of all bad list links, internal id references, and database
             keys and any detectable data inconsistencies. The -check option
             does not check fields for legal values.

   db_options
             Specify the database elements to be acted on by the -check or
             -fix options. If no db_options are specified, all are
             selected.  The db_options are

               +  -princ - Principals

               +  -group - Groups

               +  -org - Organizations

               +  -acct - Accounts

               +  -acl - ACLs

               +  -policy - Policy

               +  -state - Database State

               +  -replicas - Replicas

   The .mkey.prt file and the princ.prt file contain unencrypted
   authentication keys.  Ensure that only the privileged account can access
   these files and that they are never transferred over a network for
   viewing or backup.

   -fix      Check the database for inconsistencies and prompt for whether
             to fix each inconsistency. After all inconsistencies have been
             processed, the option prompts for whether to save all fixes.

   -force    Check the database for inconsistencies and fix each one
             without prompting.  After all inconsistencies have been
             processed, the option prompts for whether to save all fixes.
             This option is valid only when used with the -fix option.

   -print    Create files containing ASCII-formatted database records.
             These files are used by the -reconstruct option as a source
             for recreating the database. You can also manually edit the
             files to change information or fix problems. A separate file
             is created for each of the print_options specified.

             By default the -print option stores the master key file in
             the current directory and the database files in the rgy_print
             directory in the current directory. The -prtpath option lets
             you specify a different directory.

   print_options
             Specify the database elements to be acted on by the -print
             option. If the files exist, they are overwritten. If no
             print_options are specified, all are selected. The
             print_options and the files they create are

               +  -princ - Put principal records in the file princ.prt
                           and master key information in the file
                           .mkey.prt.

               +  -group - Put group records in the file group.prt.

               +  -org - Put organization records in the file org.prt.

               +  -policy - Put policy records in the file policy.prt.

               +  -state - Put information about the state of the database
                           in the file rgy_state.prt.

               +  -replicas - Put replica information in the file
                              replicas.prt.

   -reconstruct
             Reconstruct the registry database from the ASCII-formatted
             print files created by the -print option.  The
             reconstruct_options specify the print files to use.

   reconstruct_options
             Specify which elements of the registry database to
             reconstruct.  If no reconstruct_options are specified, all are
             selected. The reconstruct_options are

               +  -pgo - Use data in the princ.prt, group.prt, org.prt, and
                         .mkey.prt files to reconstruct:

                    -  Principals, groups, organizations

                    -  Principals' accounts

                    -  ACLs on database objects

                    -  The master key file

               +  -policy - Use data from the policy.prt file to
                            reconstruct registry policies.

               +  -state - Use data from the rgy_state.prt file to
                           reconstruct information about the state of the
                           database.

               +  -replicas - Use data from the replicas.prt file to
                              reconstruct the master replica list.

   -dbpath db_pathname
             For the -print and -check options, -dbpath specifies the
             directory in which the registry database and the master key
             file are located.  For the -reconstruct and -fix options,
             -dbpath specifies the directory in which to store the
             reconstructed or salvaged database.

             The -print and -check options expect to find the master key
             file, .mkey, in the directory above the directory that holds
             the database files. For example, if db_pathname is
             DCE$LOCAL:[VAR.SECURITY.NEW_RGY], the options look for the
             master key file in DCE$LOCAL:[VAR.SECURITY] and the database
             files in DCE$LOCAL:[VAR.SECURITY.NEW_RGY].

             If this option is not specified, the default pathname is
             DCE$LOCAL:[VAR.SECURITY.RGY_DATA].

             db_pathname can be a global pathname or a cell-relative name.

   -prtpath print_pathname
             For the -print and -reconstruct options only, -prtpath
             specifies the directory in which to create (-print) the print
             files, or find (-reconstruct) the print files from which to
             reconstruct the database.

             By default the -print option creates and the -reconstruct
             option looks for the master key file in the current directory
             and the database files in the rgy_print subdirectory of the
             current directory. The -prtpath option lets you specify the
             directory that should be used instead of the current directory.
             For example, if you specify print_pathname as
             DCE$LOCAL:[VAR.SECURITY.REGISTRY], the master key print file
             will be created in that directory and the database print files
             in DCE$LOCAL:[VAR.SECURITY.REGISTRY.RGY_PRINT].

             If any or all of the print files exist in print_pathname or
             the default directory, their contents are overwritten.

             print_pathname can be a global pathname or a cell-relative
             name.

 DESCRIPTION

   The sec_salvage_db tool is an aid to database administration and
   troubleshooting.  Although day-to-day administration is handled by the
   rgy_edit command, sec_salvage_db can be useful for listing registry
   data, reconstructing databases, and salvaging corrupted databases.

   The sec_salvage_db command supports two methods of operation: the check
   and fix method and the print and reconstruct method.   These methods can
   be used in tandem.

   CHECK AND FIX METHOD

   The -check and -fix options are not currently available.  The check and
   fix method recovers data from a corrupted database, fixing corrupted
   data links, data retrieval keys, and other internal references. You can
   use it on a database so corrupted that it prevents the Security Server
   (secd) from running or registry clients from operating correctly.  The
   check and fix method repairs the database structure so that secd can
   run.  (Note that data may be lost if corrupted pointers in the registry
   data files irreversibly sever the links between records.) The check and
   fix method uses the sec_salvage_db -check, -fix, and -force options.

   The -check option accesses each record in the database and reports all
   errors, but makes no fixes. Although you can run it to see the state of
   the database before you run the -fix option, it is not required to be
   run.

   The -fix option also accesses each record in the database and reports
   all errors, but as it finds each error, it prompts for whether or not to
   fix the error.  When processing is complete, sec_salvage_db prompts for
   whether or not to save the changes.

   The -force option can only be used with the -fix option. If you use it,
   sec_salvage_db does not prompt for confirmation before it fixes each
   error it finds.  sec_salvage_db will still prompt for confirmation
   before it saves the changes.

   THE PRINT AND RECONSTRUCT METHOD

   The print and reconstruct method allows you to reconstruct a database.
   It first creates ASCII files, called print files, that contain all
   accessible data in the database.  Then, it reads the data in these
   files to construct a new database. If you cannot start a Security
   Server on the database host machine, you cannot use the print and
   reconstruct method, but must use the check and fix method. (Note that
   before you run sec_salvage_db with the -print and -reconstruct options,
   you must stop the Security Server.)

   In addition to reconstructing the database, the print and reconstruct
   method has other uses.  You can use it to

     +  Make changes to the database by manually editing the print files
        created by the -print option and then reconstructing them from the
        changed print files. This can be especially useful for changing
        many user passwords, which may be necessary if the master key file
        is corrupted.

     +  Obtain a listing of database contents.

     +  Copy databases between different platforms.

   To use the print and reconstruct method, run sec_salvage_db first with
   the -print option and then with the -reconstruct option.

   The -print option creates the ASCII print files from the registry
   database files.  These files can be reviewed and edited to correct
   faulty information, such as name-to-UNIX ID mismatches or missing data,
   or to update existing data. The -reconstruct option recreates the
   registry database files from the print files.

   Because the -print option creates files containing all data in the
   database and the -reconstruct option recreates the database based on
   these files, you can use this method to move a database to another machine or
   even another cell. For example, if you run sec_salvage_db -print on an
   uncorrupted database, you can then run sec_salvage_db -reconstruct and
   specify a pathname on a different machine for where the database should
   be created.

 EDITING THE PRINT FILES

   To edit the print files, your entries must be in the following format:

        field_name optional_white_space=optional_white_space value

   Although you can leave spaces between the field name, the equals sign,
   and the value, field names and values cannot contain white space.

   A sample org.prt file follows:

        Record_Number = 2
        Object_Type = ORG
        Name = org/none
        UUID = 0000000C-D751-21CA-A002-08001E039D7D
        Unix_ID = 12
        Is_Alias_Flag = false
        Is_Required_Flag = false
        Fullname =
        Member_Name = nobody
        Member_Name = root
        Member_Name = daemon
        Member_Name = uucp
        Member_Name = bin
        Member_Name = dce-ptgt
        Member_Name = dce-rgy
        Member_Name = krbtgt/abc.com
        Member_Name = hosts/zebra/self
        Obj_Acl_Def_Cell_Name = /.../abc.com
        Obj_Acl_Entry = unauthenticated:r-t-----
        Obj_Acl_Entry = user:root:rctDnfmM
        Obj_Acl_Entry = other_obj:r-t-----
        Obj_Acl_Entry = any_other:r-t-----

   To update existing entries, simply supply a new value. For example, to
   update a principal's full name, the entry in the princ.prt file is

        Fullname = fullname

   The fullname variable is the principal's full name. The princ.prt file
   contains the following entry that allows you to update a principal's
   password in plain text:

        Plaintext_Passwd =

   This field does not display the principal's password. To update the
   password, simply enter the new one in plain text after the equals sign.
   When the database is reconstructed, the password is encrypted and any
   keys derived from that password are regenerated and used to overwrite
   any existing encryption key entries.

   To specify a NULL value, delete the existing value. For example, to
   specify a NULL value for a fullname in the princ.prt file, the entry is

        Fullname =
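
   The entry format above can be checked mechanically before an edited
   print file is handed to -reconstruct or shared as a listing. The
   following is an added example, not part of the original help text or of
   DCE itself; the function names, the SAMPLE data, and the choice to
   treat Unix_Key as sensitive are assumptions of this example.

```python
import re

# Fields whose values are secrets. Plaintext_Passwd, Auth_Key and Master_Key
# are described on this page; treating Unix_Key (the encrypted UNIX password)
# as sensitive too is this example's own choice.
SENSITIVE_FIELDS = frozenset(
    {"Plaintext_Passwd", "Auth_Key", "Master_Key", "Unix_Key"})

# field_name optional_white_space=optional_white_space value
# Neither the field name nor the value may contain white space.
ENTRY_RE = re.compile(r"^\s*([^\s=]+)\s*=\s*(\S*)\s*$")
# Looser form used only for redaction, so a malformed value is still hidden.
LOOSE_RE = re.compile(r"^\s*([^\s=]+)\s*=\s*(.*)$")

# Constructed sample in the princ.prt layout (not real registry data).
SAMPLE = """\
Record_Number = 1
Object_Type = PRINC
Name = alice
Unix_ID = 100
Fullname =
Member_Name = none
Member_Name = staff
Unix_Key = ab1CdEfGhIjKl
Plaintext_Passwd = Chang3d-By-Hand
Auth_Key_Version = 1
Auth_Key_Len = 8
Auth_Key = 0011223344556677
Record_Number = 2
Object_Type = PRINC
Name = bob
Fullname = Bob Example
Plaintext_Passwd =
"""


def parse_print_file(text):
    """Return (records, errors).

    Each record maps a field name to the list of its values, because
    fields such as Member_Name repeat. An empty value is the NULL value
    and is stored as None. Lines that break the entry format are
    returned as (line_number, text) in errors and are not parsed.
    """
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            errors.append((lineno, line.strip()))
            continue
        field, value = m.group(1), m.group(2) or None
        # Record_Number opens a new record; .mkey.prt-style files with no
        # Record_Number are collected into a single record.
        if field == "Record_Number" or not records:
            records.append({})
        records[-1].setdefault(field, []).append(value)
    return records, errors


def find_secrets(records):
    """List (object name, field) pairs where a sensitive field is non-NULL."""
    hits = []
    for rec in records:
        name = (rec.get("Name") or [None])[0] or "<unnamed>"
        for field, values in rec.items():
            if field in SENSITIVE_FIELDS and any(v is not None for v in values):
                hits.append((name, field))
    return hits


def redact(text):
    """Return a copy suitable for a listing, with secret values removed.

    The redacted copy is for review only; it must not be used as input
    to -reconstruct, since the keys in it are no longer valid.
    """
    out = []
    for line in text.splitlines():
        m = LOOSE_RE.match(line)
        if m and m.group(1) in SENSITIVE_FIELDS and m.group(2).strip():
            line = f"{m.group(1)} = <redacted>"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs, errs = parse_print_file(SAMPLE)
    for lineno, bad in errs:
        print(f"line {lineno}: not in 'field = value' form: {bad!r}")
    for name, field in find_secrets(recs):
        print(f"{name}: {field} holds a secret value")
    print(redact(SAMPLE), end="")
```

   A non-empty Plaintext_Passwd left behind in an edited princ.prt is as
   sensitive as the Auth_Key entries, so the same file protection applies
   to edited copies.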

 PRINT FILE FIELDS AND VALUES

   The following lists describe the fields in the princ.prt, group.prt,
   org.prt, .mkey.prt, policy.prt, rgy_state.prt, and replicas.prt files.
   In the lists, an * (asterisk) indicates a segment or field that can
   appear multiple times in succession; a + (plus sign) indicates that if
   a stored UUID does not map to a name required for the field, the UUID
   is displayed.

   THE PRINC.PRT FILE

   The fields in the princ.prt file follow:

     +  For all records:

        Record_Number  The sequential number of the record in the database.

        Object_Type    An indication of the type of object:
                       PRINC=principal, DIR=directory.

        Name           Name of the object.

        UUID           Unique Identifier of the object.

     +  For principals:

        Unix_ID        The principal's Unix ID.

        Is_Alias_Flag  An indication of whether or not the principal name
                       is an alias or a primary name: true=alias,
                       false=primary.

        Is_Required_Flag
                       An indication of whether or not the principal is
                       reserved: true=principal is reserved and cannot be
                       deleted, false=principal is not reserved.

        Quota          The principal's object creation quota: a non-
                       negative integer or unlimited.

        Fullname       The principal's fullname: a text string.

        Member_Name*   The names of the groups to which the principal
                       belongs.

        Obj_Acl_Def_Cell_Name
                       The default cell name of this principal's object
                       ACL.

        Num_Acl_Entries
                       The number of entries in the principal's object ACL.

        Obj_Acl_Entry*+
                       The contents of the principal's object ACL.

        Acct_Group_Name
                       The account's group name.

        Acct_Org_Name  The account's organization name.

        Acct_Creator_Name
                       The name of the principal who created this account.

        Acct_Creation_Time
                       The date and time the account was created in
                       yyyy/mm/dd.hh:mm format.  The first two digits of
                       the year, the hours, and the minutes are optional.

        Acct_Changer_Name
                       Name of the principal who last changed the account.

        Acct_Change_Time
                       The date and time the account was last changed in
                       yyyy/mm/dd.hh:mm format. (The first two digits of
                       the year, the hours and the minutes are optional.)

        Acct_Expire_Time
                       The date and time the account expires or none for no
                       expiration date.  The date and time are in
                       yyyy/mm/dd.hh:mm format. (The first two digits of
                       the year, the hours and the minutes are optional.)

        Acct_Good_Since_Time
                       The date and time the principal's account was last
                       known to be in an uncompromised state in
                       yyyy/mm/dd.hh:mm format, or now for the current time
                       and date. (The first two digits of the year, the
                       hours and the minutes are optional.)

        Acct_Valid_For_Login_Flag
                       An indication of whether or not the account can be
                       logged into: true=account is valid for login,
                       false=account cannot be logged into.

        Acct_Valid_As_Server_Flag
                       Indicates whether or not the account is a server and
                       can engage in authenticated communication:
                       true=account is a server, false=account is not a
                       server.

        Acct_Valid_As_Client_Flag
                       Indicates whether or not the account is a client and
                       can log in, acquire tickets, and be authenticated:
                       true=account is a client, false=account is not a
                       client.

        Acct_Post_Dated_Cert_Ok_Flag
                       Indicates whether or not tickets with a start time
                       some time in the future can be issued to the
                       account's principal: true=postdated tickets can be
                       issued, false=postdated tickets cannot be issued.

        Acct_Forwardable_Cert_Ok_Flag
                       Indicates whether or not a new ticket-granting
                       ticket with a network address that differs from
                       the present ticket-granting address can be issued
                       to the account's principal: true=account can get
                       forwardable certificates, false=account cannot.

        Acct_TGT_Auth_Cert_Ok_Flag
                       Indicates whether or not tickets issued to the
                       account's principal can use the ticket-granting-
                       ticket authentication mechanism: true=tickets can
                       use the ticket-granting-ticket authentication
                       mechanism, false=they cannot.

        Acct_Renewable_Cert_Ok_Flag
                       Indicates whether or not the principal's
                       ticket-granting ticket can be renewed:
                       true=tickets can be renewed, false=tickets cannot be
                       renewed.

        Acct_Proxiable_Cert_Ok_Flag
                       Indicates whether or not a new ticket with a
                       different network address than the present ticket
                       can be issued to the account's principal: true=such
                       a ticket can be issued, false=such a ticket cannot
                       be issued.

        Acct_Dup_Session_Key_Ok_Flag
                       Indicates whether or not tickets issued to the
                       account's principal can have duplicate keys:
                       true=account can have duplicate session keys,
                       false=account cannot.

        Unix_Key       The account principal's encrypted UNIX password:
                       ASCII string.

        Plaintext_Passwd
                       Stores the principal's password in plain text.  This
                       field is provided to allow principals' passwords to
                       be changed.  When the princ.prt file is processed by
                       the sec_salvage_db -reconstruct option, this
                       password is encrypted using UNIX system encryption.
                       This encrypted password is then stored as the
                       principal's encrypted UNIX password in the Unix_Key
                       field.

        Home_Dir       The account principal's home directory: text string.

        Shell          The account principal's login shell: text string.

        Gecos          The account's GECOS information: text string.

        Passwd_Valid_Flag
                       Indicates whether or not the account principal's
                       password is valid: true=password is valid,
                       false=password not valid.

        Passwd_Change_Time
                       The date and time the account principal's password
                       was last changed in yyyy/mm/dd.hh:mm format or now
                       for the current date and time. The first two digits
                       of the year, the hours and the minutes are optional.

        Max_Certificate_Lifetime
                       The number of hours before the Authentication
                       Service must renew the account principal's service
                       certificates: an integer indicating the time in
                       hours or default-policy to use the registry default.

        Max_Renewable_Lifetime
                       The number of hours before a session with the
                       account principal's identity expires and the
                       principal must log in again to reauthenticate:
                       an integer indicating the time in hours or
                       default-policy to use the registry default.

        Master_Key_Version
                       The version of the master key used to encrypt the
                       account principal's key.

        Num_Auth_Keys  The number of the account principal's authentication
                       keys.

        Auth_Key_Version*
                       A list of the version numbers of the account
                       principal's authentication key.  The first version
                       number on the list represents the current
                       authentication key.

        Auth_Key_Pepper*
                       The pepper algorithm used for the account
                       principal's key: a text string or blank to use
                       the default pepper algorithm.

        Auth_Key_Len*  The length in bytes of the account principal's
                       authentication key.

        Auth_Key*      The account principal's authentication key: hex
                       string.

        Auth_Key_Expire_Time*
                       The date and time the account principal's
                       authentication key expires or none for no
                       expiration. Date and time are in yyyy/mm/dd.hh:mm
                       format. (The first two digits of the year, the hours
                       and the minutes are optional.)

     +  For directories:

        Obj_Acl_Def_Cell_Name+
                       The default cell name of the directory's object ACL.

        Num_Acl_Entries
                       The number of entries in the directory's object ACL.

        Obj_Acl_Entry*+
                       The contents of the directory's object ACL.

        Init_Obj_Acl_Def_Cell_Name+
                       The default cell name of the directory's initial
                       object ACL.

        Num_Acl_Entries
                       The number of entries in the directory's initial
                       object ACL.

        Init_Obj_Acl_Entry*+
                       The contents of the directory's initial object ACL.

        Init_Cont_Acl_Def_Cell_Name+
                       The default cell name of the directory's initial
                       container ACL.

        Num_Acl_Entries
                       The number of entries in the directory's initial
                       container ACL.

        Init_Cont_Acl_Entry*+
                       The contents of the directory's initial container
                       ACL.

   THE GROUP.PRT FILE

   The fields in the group.prt file follow:

     +  For all records:

        Record_Number  The sequential number of the record in the database.

        Object_Type    An indication of the type of object: GROUP=group,
                       DIR=directory.

        Name           Name of the object.

        UUID           Unique Identifier of the object.

     +  For groups:

        Unix_ID        Unix ID of the group.

        Is_Alias_Flag  An indication of whether or not the group name is an
                       alias or a primary name: true=alias, false=primary.

        Is_Required_Flag
                       An indication of whether or not the group is
                       reserved:  true=group is reserved and cannot be
                       deleted, false=group is not reserved.

        Projlist_Ok_Flag
                       An indication of whether or not the group can be
                       included in project lists: true=group can be
                       included on project lists, false=group cannot be
                       included.

        Fullname       The group's fullname: a text string.

        Member_Name*   The names of the group's members.

        Obj_Acl_Def_Cell_Name+
                       The default cell name of this group's object ACL.

        Num_Acl_Entries
                       The number of entries in the group's object ACL.

        Obj_Acl_Entry*:
                       The contents of the group's object ACL.

     +  For directories:

        Obj_Acl_Def_Cell_Name+
                       The default cell name of this directory's object
                       ACL.

        Num_Acl_Entries
                       The number of entries in the directory's object ACL.

        Obj_Acl_Entry* The contents of the directory's object ACL.

        Init_Obj_Acl_Def_Cell_Name+
                       The default cell name of the directory's initial
                       object ACL.

        Num_Acl_Entries
                       The number of entries in the directory's initial
                       object ACL.

        Init_Obj_Acl_Entry*+
                       The contents of the directory's initial object ACL.

        Init_Cont_Acl_Def_Cell_Name+
                       The default cell name of the directory's initial
                       container ACL.

        Num_Acl_Entries
                       The number of entries in the directory's initial
                       container ACL.

        Init_Cont_Acl_Entry*+
                       The contents of the directory's initial container
                       ACL.

   THE ORG.PRT FILE

   The fields in the org.prt file follow:

     +  For all records:

        Record_Number  The sequential number of the record in the database.

        Object_Type    An indication of the type of object:
                       ORG=organization, DIR=directory.

        Name           Name of the object.

        UUID           Unique Identifier of the object.

     +  For organizations:

        Unix_ID        Unix ID of the organization.

        Is_Alias_Flag  An indication of whether or not the organization
                       is an alias or a primary name: true=alias,
                       false=primary.

        Is_Required_Flag
                       An indication of whether or not the organization is
                       reserved: true=organization is reserved and cannot
                       be deleted, false=organization is not reserved.

        Fullname       The organization's fullname: a text string.

        Member_Name*   The names of the organization's members.

        Obj_Acl_Def_Cell_Name
                       The default cell name of this organization's object
                       ACL.

        Num_Acl_Entries
                       The number of entries in the organization's object
                       ACL.

        Obj_Acl_Entry*+
                       The contents of the organization's object ACL.

     +  For organizations with policy:

        Acct_Lifetime  The period during which accounts for the
                       organization are valid: an integer number
                       representing days or forever.

        Passwd_Min_Len The minimum length of the organization's password: a
                       non-negative integer.

        Passwd_Lifetime
                       The span in days of the lifetime of the
                       organization's password: an integer or forever.

        Passwd_Expire_Time
                       The date and time the organization's password
                       expires in yyyy/mm/dd.hh:mm format. (The first
                       two digits of the year, the hours and the minutes
                       are optional.)

        Passwd_All_Spaces_Ok
                       An indication of whether or not the organization's
                       password can consist of all spaces: true=can consist
                       of spaces, false=cannot.

        Passwd_All_Alphanumeric_Ok
                       An indication of whether or not the organization's
                       password can consist of all alphanumeric characters:
                       true=can be all alphanumeric, false=cannot.

     +  For directories:

        Obj_Acl_Def_Cell_Name+
                       The default cell name of the directory's object ACL.

        Num_Acl_Entries
                       The number of entries in the directory's object ACL.

        Obj_Acl_Entry*+
                       The contents of the directory's object ACL.

        Init_Obj_Acl_Def_Cell_Name+
                       The default cell name of the directory's initial
                       object ACL.

        Num_Acl_Entries
                       The number of entries in the directory's initial
                       object ACL.

        Init_Obj_Acl_Entry*+
                       The contents of the directory's initial object ACL.

        Init_Cont_Acl_Def_Cell_Name+
                       The default cell name of the directory's initial
                       container ACL.

        Num_Acl_Entries
                       The number of entries in the directory's initial
                       container ACL.

        Init_Cont_Acl_Entry*+
                       The contents of the directory's initial container
                       ACL.

   THE .MKEY.PRT FILE

   The fields in the .mkey.prt file follow:

   Master_Key_Version
                  The integer version of the master key.

   Master_Key_Keytype
                  Always des.

   Master_Key_Length
                  The length of the master key in bytes.

   Master_Key     The master key in hex string format.

   THE POLICY.PRT FILE

   The fields in the policy.prt file follow:

   Rgy_Policy_File_Version
                  An integer representing the version of the policy
                  information.

   Prop_Read_Version
                  A number indicating the property record's read version.

   Prop_Write_Version
                  A number indicating the property record's write version.

   Min_Certificate_Lifetime
                  The minimum amount of time before the principal's ticket
                  must be renewed in weekswdaysdhourshminutesm format.

   Default_Certificate_Lifetime
                  The default lifetime for tickets issued to principals
                  in this cell's registry in weekswdaysdhourshminutesm
                  format.

   Low_Unix_ID_Principal
                  The starting point for principal UNIX IDs automatically
                  generated by the Security Service when a principal is
                  added: an integer, which must be less than Max_Unix_ID.

   Low_Unix_ID_Group
                  The starting point for UNIX IDs automatically
                  generated by the Security Service when a group is
                  added: an integer, which must be less than Max_Unix_ID.

   Low_Unix_ID_Org
                  The starting point for UNIX IDs automatically generated
                  by the Security Service when an organization is added:
                  an integer, which must be less than Max_Unix_ID.

   Max_Unix_ID    The highest number that can be supplied as a UNIX ID when
                  principals are created: an integer.

   Rgy_Readonly_Flag
                  An indication of whether or not the registry is
                  read-only: true=read only, false=updateable.

   Auth_Certificate_Unbound_Flag
                  An indication of whether or not certificates are
                  generated for use on any machine: true=yes, false=no.

   Shadow_Passwd_Flag
                  Determines whether encrypted passwords are sent over the
                  network: true=encrypted passwords are not sent over the
                  network, false=encrypted passwords are sent over the
                  network.

   Embedded_Unix_ID_Flag
                  Determines if UNIX IDs are embedded in person, group,
                  and organization UUIDs: true=UNIX IDs are embedded,
                  false=UNIX IDs are not embedded.

   Realm_Name     The full global pathname of the realm running the secd.

   Realm_UUID     The UUID of the realm running the secd.

   Unauthenticated_Quota
                  The quota of unauthenticated users: a number or
                  unlimited.

   Acct_Lifetime  The period during which accounts are valid: an integer
                  number representing days or forever.

   Passwd_Min_Len The minimum length of passwords: a non-negative integer.

   Passwd_Lifetime
                  The span in days of the password lifetimes: an integer or
                  forever.

   Passwd_Expire_Time
                  The date and time the passwords expire in
                  yyyy/mm/dd.hh:mm format. (The first two digits of
                  the year, the hours and the minutes are optional.)

   Passwd_All_Spaces_Ok
                  An indication of whether or not passwords can consist of
                  all spaces: true=can consist of spaces, false=cannot.

   Passwd_All_Alphanumeric_Ok
                  An indication of whether or not passwords can consist of
                  all alphanumeric characters: true=can be all
                  alphanumeric, false=cannot.

   Max_Certificate_Lifetime
                  The number of hours before the Authentication Service
                  must renew service certificates: an integer indicating
                  the time in hours or default-policy to use the registry
                  default.

   Max_Renewable_Lifetime
                  The number of hours before sessions expire and the
                  session principal must log in again to reauthenticate:
                  an integer indicating the time in hours or
                  default-policy to use the registry default.

   Princ_Cache_State
                  The timestamp of the principal cache.

   Group_Cache_State
                  The timestamp of the group cache.

   Org_Cache_State
                  The timestamp of the organization cache.

   My_Name        The cell-relative name of the security server.

   Master_Key_Version
                  The integer version of the current master key.

   Master_Key_Keytype
                  Always des.

   Master_Key_Length
                  The length of the master key in bytes.

   Master_Key     The master key in hex string format.

   Old_Master_Key_Version
                  The version of the previous master key.

   Old_Master_Key_Keytype
                  Always des.

   Old_Master_Key_Length
                  The length of the previous master key in bytes.

   Old_Master_Key
                  The previous master key in hex string format.

   Obj_Acl_Def_Cell_Name
                  The default cell name of the policy object ACL.

   Num_Acl_Entries
                  The number of entries in the policy object ACL.

   Obj_Acl_Entry*+
                  The contents of the policy object ACL.
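
   The listing above shows that policy.prt carries Master_Key and
   Old_Master_Key in hex and states range and value constraints for several
   fields. The following added example (not part of the original help text
   or of DCE) checks those constraints and masks the key values in a copy.
   It assumes one "Field_Name = value" pair per line, which this page does
   not show, and runs on a constructed sample.

```python
import re

# Assumption: one "Field_Name = value" pair per line. The page names the
# fields but does not show the line syntax of the print files.
LINE_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")
KEY_RE = re.compile(r"^([ \t]*(?:Old_)?Master_Key[ \t]*=[ \t]*)\S.*$", re.M)
LOW_IDS = ("Low_Unix_ID_Principal", "Low_Unix_ID_Group", "Low_Unix_ID_Org")
FLAGS = ("Rgy_Readonly_Flag", "Auth_Certificate_Unbound_Flag",
         "Shadow_Passwd_Flag", "Embedded_Unix_ID_Flag",
         "Passwd_All_Spaces_Ok", "Passwd_All_Alphanumeric_Ok")

def parse_prt(text):
    """Return {field: value} for every 'Field = value' line."""
    return {m.group(1): m.group(2)
            for m in map(LINE_RE.match, text.splitlines()) if m}

def check_policy(fields):
    """Report violations of constraints stated in the field descriptions."""
    problems = []
    def integer(name):
        value = fields.get(name, "")
        if re.fullmatch(r"-?\d+", value):
            return int(value)
        problems.append(f"{name}: expected an integer, got {value!r}")
        return None
    max_id = integer("Max_Unix_ID")
    for name in LOW_IDS:
        low = integer(name)
        if None not in (low, max_id) and low >= max_id:
            problems.append(f"{name}: {low} is not less than Max_Unix_ID")
    for name in FLAGS:
        if name in fields and fields[name] not in ("true", "false"):
            problems.append(f"{name}: expected true or false")
    return problems

def redact_keys(text):
    """Return a copy with Master_Key and Old_Master_Key values masked."""
    return KEY_RE.sub(r"\1<redacted>", text)

# Constructed sample, not output from a real registry.
SAMPLE = """\
Max_Unix_ID = 2147483647
Low_Unix_ID_Principal = 100
Low_Unix_ID_Group = 100
Low_Unix_ID_Org = 2147483647
Shadow_Passwd_Flag = yes
Master_Key_Version = 1
Master_Key = 0123456789abcdef
"""
```

   check_policy(parse_prt(SAMPLE)) reports the out-of-range organization ID
   and the non-boolean flag; redact_keys(SAMPLE) leaves Master_Key_Version
   intact and masks only the key value.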

   The rgy_state.prt File

   The fields in the rgy_state.prt file follow:

   Rgy_State_File_Version
                  The integer version number of the format of the rgy_state
                  file.

   Replica_State  The state of the master registry: unknown_to_master,
                  uninitialized, in_service, in_maintenance, closed,
                  deleted, or initializing.

   Cell_UUID      The UUID of the cell in which the secd resides.

   Server_UUID    The UUID of this secd.

   Initialization_UUID
                  The UUID of the last initialization event.

   Master_File_Version
                  The version number of the master replica.

   Master_Known_Flag
                  An indication of whether or not the master replica is
                  known to this replica: true=known, false=not known.  Only
                  if this field is true do the other master fields contain
                  valid information.

   Master_UUID    The UUID of the master replica.

   Master_Seqno   The 2-digit sequence number of the event when the master
                  became the master in n.n format.

   The replicas.prt File

   The fields in the replicas.prt file follow:

   Record_Number  The sequential number of the record in the database.

   Replica_UUID   The UUID listed for the replica in the replica list.

   Replica_Name   The name of the replica as known to the Cell Directory
                  Service.

   Num_Towers     The number of towers.

   Tower_Length*  The length of the next tower (in bytes).

   Tower*         The tower used to communicate with the replica (a byte
                  stream that can be broken on word boundaries).

   Propagation_Type
                  An indication of whether the replica is initialized,
                  initializing, in the process of being updated, or in
                  the process of being deleted.

   Initialization_UUID
                  UUID of the last initialization.

 ERROR CONDITIONS

   You receive the following error message if the default rgy_data
   directory is being used and there is an advisory lock on the rgy_state
   data file:

        Registry: Error - database is locked.  Put secd into maintenance
            mode or clear advisory lock on rgy_state file in db_pathname

   The existence of the advisory lock implies that secd is in service.  Use
   the sec_admin command to put secd in maintenance mode. If secd is not
   running, the advisory lock may be the result of an ungraceful shutdown
   of secd. To remove the advisory lock, use the rename command to rename
   the DCE$LOCAL:[VAR.SECURITY.RGY_DATA]RGY_STATE.; file, and then change
   it back to its original name.  Then rerun the sec_salvage_db command.