DCE_SECURITY, Admin Intro, DCE$EXPORT
*Conan The Librarian (sorry for the slow response - running on an old VAX)
|
VMS Help DCE_SECURITY, Admin Intro, DCE$EXPORT *Conan The Librarian (sorry for the slow response - running on an old VAX) |
|
The DCE EXPORT utility allows you to create an OpenVMS authorization
file from an existing DCE registry.
The DCE registry entries (or a subset of the registry entries) are
converted into records in the OpenVMS SYSUAF file and rights database.
Conversions are essentially a reversal of those made with the IMPORT
function.
Passwords cannot be exported. Instead, the automatic synchronization
feature that occurs during integrated login is used to export user pass-
words.
The DCE EXPORT utility also creates and maintains an exclude list.
The exclude list contains the DCE names of users who do not
have, and do not require, an OpenVMS account. This feature allows
DCE EXPORT to skip over these users during EXPORT operations.
NOTE:
The DCE EXPORT utility described in this section cannot be satisfied
by the export function shipped with OSF DCE because of substantial
differences between OpenVMS and UNIX user registry data.
| 1 - File Info |
The DCE EXPORT utility is shipped as an OpenVMS executable image named DCE$EXPORT.EXE. The image resides in the SYS$SYSTEM directory. The DCE EXPORT exclude file is named by default DCE$EXPORT_EXCLUDE.DAT and also resides in SYS$SYSTEM. You can change the name or location, or both, of this file by defining the logical name DCE$EXPORT_EXCLUDE to point to the new filename and location.
| 2 - Running EXPORT |
The DCE EXPORT utility allows system administrators to create an
OpenVMS authorization file from an existing DCE registry.
Integrated Login provides two methods of running the DCE EXPORT
utility, as follows.
o By invoking the DCE EXPORT utility using a predefined symbol.
$ EXPORT
EXPORT>
You can also specify a single DCE EXPORT command on the command line.
Control returns to DCL after the command is executed.
$ EXPORT command
$
SYS$COMMON:[SYSMGR]DCE$DEFINE_REQUIRED_COMMANDS.COM defines the DCE
symbol EXPORT, which is used to invoke the DCE EXPORT utility. If this
symbol is not defined in your environment, you can define the symbol
as follows:
$ EXPORT :== $SYS$SYSTEM:DCE$EXPORT
o By issuing the RUN command.
$ RUN SYS$SYSTEM:DCE$EXPORT
EXPORT>
See the Digital DCE for OpenVMS VAX and OpenVMS Alpha Reference Guide
for detailed descriptions of the EXPORT commands.
| 3 - Messages |
3.1 - EXP_ACCEXISTS
OpenVMS account for <principal> already exists
Explanation:
Could not export <principal> because it has already been
exported.
User Action:
None.
3.2 - EXP_ADDDCEACC
account for <principal> successfully added to OpenVMS
Explanation:
An OpenVMS acount was successfully created for <principal>.
User Action:
Note directly preceding and following messages for warnings.
3.3 - EXP_ADDDCEUAF
principal <principal> successfully added to DCE$UAF
Explanation:
Principal <principal> successfully added to the DCE$UAF file
as part of the EXPORT operation. Message displayed only if /INFORM
is specified on the EXPORT command line.
User Action:
None.
3.4 - EXP_ADDUAF
principal <principal> successfully exported to OpenVMS
Explanation:
An OpenVMS account for successfully created for DCE
<principal>.
User Action:
Note directly preceding and following messages for warnings.
3.5 - EXP_BINDERR
error binding to DCE security registry
Explanation:
Cannot connect to the DCE security server.
User Action:
Note accompanying error message for more details.
3.6 - EXP_CREDCEUAF
created new DCE$UAF file
Explanation:
A new DCE$UAF file was created.
User Action:
None.
3.7 - EXP_DCEERR
<DCE error message>
Explanation:
Accompanying DCE error message.
User Action:
Use this message to solve the problem generating the error.
3.8 - EXP_DCELOGIN
error in DCE login
Explanation:
Could not perform a DCE login.
User Action:
Enter valid DCE principal and password combination.
3.9 - EXP_DCEUAFERR
error searching DCE$UAF
Explanation:
Error searching or reading DCE$UAF file.
User Action:
Note accompanying error message for more details.
3.10 - EXP_DELDCEUAF
principal <principal> successfully deleted from DCE$UAF
Explanation:
Principal <principal> successfully deleted from DCE$UAF as part
of larger delete operation. Message is displayed only if /INFORM
is specified on the EXPORT command line.
User Action:
None.
3.11 - EXP_DISUSER
<username> remains DISUSER-ed
Explanation:
OpenVMS account for <username> was successfully created but
could not enable the account.
User Action:
Manually remove the DISUSER flag using the AUTHORIZE utility.
3.12 - EXP_ERRACCEXC
error accessing DCE EXPORT exclude file
Explanation:
Could not access DCE EXPORT exclude file.
User Action:
Note accompanying error message for more details.
3.13 - EXP_ERRADDEXC
error adding principal to DCE EXPORT exclude file
Explanation:
Could not add principal to DCE EXPORT exclude file.
User Action:
Note accompanying error message for more details.
3.14 - EXP_ERRADDUAF
error adding principal to DCE$UAF file
Explanation:
Could not add principal name to DCE$UAF file.
User Action:
Note accompanying error message for more details.
3.15 - EXP_ERRCRACC
error creating OpenVMS account for <username>
Explanation:
Could not create an OpenVMS account for <username>.
User Action:
See accompanying error message for more details.
3.16 - EXP_ERRCRDCEUAF
error creating DCE authorization file
Explanation:
An error occurred while attempting to create the DCE$UAF
file.
User Action:
See accompanying message for details.
3.17 - EXP_ERRCREUAF
error creating OpenVMS account for <username> - see following messages
Explanation:
Could not create the OpenVMS account for <username>.
User Action:
Note accompanying error messages for more details.
3.18 - EXP_ERRDCEUAF
error accessing DCE authorization file
Explanation:
An error occurred while attempting to access the
DCE$UAF file.
User Action:
See accompanying message for details.
3.19 - EXP_ERRDELEXC
error deleting principal from DCE EXPORT exclude file
Explanation:
Could not delete principal from DCE EXPORT exclude file.
User Action:
Note accompanying error message for more details.
3.20 - EXP_ERRDELUAF
error deleting principal from DCE$UAF file
Explanation:
Could not delete principal from DCE$UAF file.
User Action:
Note accompanying error message for more details.
3.21 - EXP_ERRENAUSR
error enabling user <username>
Explanation:
Could not remove DISUSER flag from <username>'s account.
User Action:
Manually remove the flag using the AUTHORIZE utility.
3.22 - EXP_ERRQUOTA
error assigning disk quota to username <username> - see following
messages
Explanation:
Error(s) occurred while attempting to set up disk
quota for <username>
User Action:
Note the messages following this message.
3.23 - EXP_ERRSETPW
error setting password for <username>
Explanation:
Could not set password for OpenVMS <username>.
User Action:
Manually set password using the AUTHORIZE utility.
3.24 - EXP_ERRSPAWN
error spawning subprocess
Explanation:
Error spawning subprocess with the SPAWN command.
User Action:
Check user runtime configuration. Refer to appropriate OpenVMS
documentation for more details.
3.25 - EXP_ERRSYSUAF
error accessing SYSUAF file
Explanation:
Could not access the SYSUAF file.
User Action:
Note accompanying error message for more details.
3.26 - EXP_ERRUAFGET
error getting SYSUAF information
Explanation:
Error accessing information in the SYSUAF file.
User Action:
Note accompanying error message for more information.
3.27 - EXP_EXCADD
principal <principal> added to DCE EXPORT exclude list
Explanation:
Principal <principal> successfully added to the DCE EXPORT
exclude list.
User Action:
None.
3.28 - EXP_EXCDEL
principal <principal> removed from DCE EXPORT exclude list
Explanation:
Principal <principal> successfully deleted from the
DCE EXPORT exclude list.
User Action:
None.
3.29 - EXP_EXCLUDED
principal <principal> has been excluded from OpenVMS
Explanation:
Unable to export <principal> because it is on the DCE EXPORT
exclude list. This message is displayed only if /INFORM is
specified on the EXPORT command line.
User Action:
If incorrectly excluded, use DELETE/EXCLUDE to remove it from
the DCE EXPORT exclude list and reexport.
3.30 - EXP_GRPUICFULL
no member UIC available in specified group
Explanation:
No more members available in the specified group.
User Action:
Use another group UIC if possible.
3.31 - EXP_INDCEUAF
principal <principal> already in DCE$UAF
Explanation:
Could not add already existing principal name to DCE$UAF.
User Action:
None.
3.32 - EXP_INEXCLUDE
principal <principal> already in DCE EXPORT exclude file
Explanation:
An attempt was made to add an already existing principal name
to the DCE EXPORT exclude file.
User Action:
None.
3.33 - EXP_INITERROR
initialization error
Explanation:
Error during initialization phase for DCE EXPORT.
User Action:
Note accompanying error message for more details.
3.34 - EXP_INITWAIT
initializing.....
Explanation:
DCE EXPORT in initialization phase.
User Action:
None.
3.35 - EXP_INPREQ
input required!
Explanation:
Input not entered where mandatory.
User Action:
Provide input.
3.36 - EXP_INTERROR
internal error
Explanation:
Internal error in DCE EXPORT.
User Action:
Note accompanying error message for more details or submit a
Quality Assurance Report (QAR).
3.37 - EXP_INTINPDEV
internal error opening input device
Explanation:
Error accessing SYS$INPUT.
User Action:
Check user runtime configuration. Refer to appropriate OpenVMS
documentation for more information.
3.38 - EXP_INVGRPUIC
invalid group UIC
Explanation:
Group UIC entered is invalid (format if value, name if
identifier).
User Action:
Enter valid group UIC.
3.39 - EXP_INVMEMUIC
invalid member UIC
Explanation:
Member UIC entered is out of range or of invalid format.
User Action:
Enter valid member UIC.
3.40 - EXP_INVMS
principal <principal> already exported to OpenVMS
Explanation:
A record for <principal> already exists in the DCE$UAF file
indicating that is has already been exported.
User Action:
None.
3.41 - EXP_INVPASSWD
password validation failed. Please retry
Explanation:
Password validation failed while entering password for the
OpenVMS account to be created.
User Action:
Enter valid password.
3.42 - EXP_INVPWDLEN
password length must be between <minimum> and <maximum> characters
Explanation:
The user specified password for the OpenVMS account is
outside of the defined range.
User Action:
Specify a password of length between <minimum> and <maximum>.
3.43 - EXP_NAMEINUSE
OpenVMS username <username> already mapped to another DCE principal
Explanation:
OpenVMS username specified is already associated with another
DCE principal in the DCE$UAF file.
User Action:
Specify a username that is not associated with a DCE principal.
Use the DCE$UAF utility to search the DCE$UAF file for usernames
and associated DCE principal names.
3.44 - EXP_NODCEUAF
unable to open DCE authorization file
Explanation:
Error occurred while attempting to open the
DCE$UAF file.
User Action:
See accompanying message for details.
3.45 - EXP_NOEXCUSR
no excluded users
Explanation:
No principal names listed in the DCE EXPORT exclude file.
User Action:
None.
3.46 - EXP_NOSCHUSR
no principal <principal> in DCE registry
Explanation:
Principal <principal> requested for export does not exist in the
DCE registry.
User Action:
Use valid DCE principal name. Use the DCE tool RGY_EDIT to view
DCE principal names.
3.47 - EXP_NOSUCHEXC
no such principal in DCE EXPORT exclude file
Explanation:
Requested principal does not exist in DCE EXPORT exclude file.
User Action:
Use the SHOW/EXCLUDE command to list names in the exclude
file.
3.48 - EXP_NOSUCHPR
no DCE account <principal>
Explanation:
An attempt was made to export a nonexistent DCE principal.
User Action:
Specify a valid DCE principal name. Use the DCE tool RGY_EDIT
to view the DCE principals.
3.49 - EXP_NOTINEXC
principal <principal> not in DCE EXPORT exclude file
Explanation:
An attempt was made to access a nonexistent record in the
DCE EXPORT file.
User Action:
Use SHOW/EXCLUDE to see the contents of the exclude file.
3.50 - EXP_NOVMSUSR
no OpenVMS user <username>
Explanation:
A nonexistent OpenVMS username was specified with the /LIKE
qualifier.
User Action:
Specify a valid OpenVMS username.
3.51 - EXP_NXTMEMUIC
error finding next available member UIC
Explanation:
Could not find the next available member UIC in the group
specified.
User Action:
Note the accompanying error message for more details.
3.52 - EXP_OUTOPNERR
error opening alternate output
Explanation:
Could not access file name specified with /OUTPUT qualifier.
User Action:
Note accompanying error message for more details.
3.53 - EXP_SEEFILE
see file <file name> for error messages
Explanation:
Error(s) occurred while creating the OpenVMS
account but EXPORT was unable to display the error
messages. The user is asked to read the file <file name>
for the error messages.
User Action:
Read the file <file name> for error messages.
3.54 - EXP_TIMERR
DCE time configuration error
Explanation:
Time configuration is incorrect on the DCE system.
User Action:
Refer to the Troubleshooting chapter in the Digital
DCE for OpenVMS VAX and OpenVMS Alpha Product Guide.
3.55 - EXP_TOOLONG
input for <qualifier> too long
Explanation:
Value of <qualifer> is longer than expected maximum size of
value.
User Action:
Enter a value that is within the valid size range.
3.56 - EXP_USERERR
error getting input from user
Explanation:
User entered invalid input.
User Action:
Enter valid input.
| 4 - ADD |
Adds DCE principal names. The ADD command can only be used
with the following qualifier:
o ADD/EXCLUDE Adds a DCE principal name to the EXPORT
exclude list (see /EXCLUDE).
4.1 - /EXCLUDE
Adds a DCE principal name to the EXPORT exclude list.
Format:
ADD/EXCLUDE PRINCIPAL
4. 1.1 - Parameters
principal
Specifies the DCE principal name to be added to the EXPORT
exclude list.
If the principal name contains lowercase characters,
spaces, or other special characters, enclose the entire
string in quotes.
| 5 - DELETE |
Deletes DCE principal names. The DELETE command can only be used
with the following qualifier:
o DELETE/EXCLUDE Deletes a DCE principal name from the EXPORT
exclude list (see /EXCLUDE).
5.1 - /EXCLUDE
Deletes a DCE principal name from the EXPORT exclude list.
Format:
DELETE/EXCLUDE PRINCIPAL
5. 1.1 - Parameters
principal
Specifies the DCE principal name to be deleted from the
EXPORT exclude list.
If the principal name contains lowercase characters,
spaces, or other special characters, enclose the entire
string is quotes.
| 6 - EXIT |
Exits the EXPORT utility. You can also exit EXPORT by
pressing the Ctrl/Z key.
Format:
EXIT
| 7 - EXPORT |
The EXPORT command is used to create OpenVMS accounts
in the OpenVMS system authorization file (SYSUAF) based on
existing accounts in the DCE registry.
Format:
EXPORT DCE-ACCOUNT-NAME
Qualifiers Defaults
/[NO]ADD_IDENTIFIERS /ADD_IDENTIFIERS
/[NO]CONFIRM
/DCE_LOGIN=(keyword=value[,...])
/[NO]EXCLUDE /NOEXCLUDE
/[NO]INFORM /INFORM
/[NO]INTERACTIVE /INTERACTIVE
/OUTPUT[=output] /OUTPUT=SYS$OUTPUT:
/[NO]RECAP /NORECAP
/[NO]TEST_ONLY /NOTEST_ONLY
/[NO]WILD /WILD
Data Qualifiers Defaults
/[NO]ACCOUNT=account /ACCOUNT=dce-group-name
/DEVICE=device Taken from /LIKE account
/DIRECTORY=directory /DIRECTORY=vms-username
/GROUP_UIC=group_uic
/LIKE=vms-account /LIKE=DEFAULT
/MEMBER_UIC=member_uic Next available within UIC group
/[NO]OWNER=owner /OWNER=dce-principal-name
/PASSWORD=passwd None
/[NO]QUOTA=n /QUOTA=1000
/USERNAME=username /USERNAME=dce-principal-name
7.1 - Parameters
dce-account-name
Specifies the name of the DCE account that is to be
exported. If the DCE account name contains lowercase
characters, spaces or other special characters then
enclose the name in quotes.
If an asterisk is specified in place of the dce-account-
name then all accounts from the registry are selected.
7.2 - Qualifiers
/CONFIRM
/CONFIRM
/NOCONFIRM
Controls whether the EXPORT command asks for confirmation
before creating the OpenVMS account.
In interactive mode the default is /CONFIRM. In noninteractive
mode the default is /NOCONFIRM.
/DCE_LOGIN=(keyword=value[,...])
/DCE_LOGIN=(keyword=value[,...])
Provides DCE account details for accounts that are authorized to
read pricipals and accounts from the DCE registry. Valid keywords
for the DCE_LOGIN qualifier are as follows:
Keyword Description
PRINCIPAL The principal name to be used for authentication
purposes when reading accounts and/or
principals from the DCE registry.
If you do not specify a principal with this
qualifier you are prompted for one interactively.
PASSWORD The password associated with the principal
name that was specified by the PRINCIPAL keyword.
If you do not specify a password with this
qualifier you are prompted for one interactively.
If you do not specify a principal or password with this qualifier,
you are prompted for them interactively, regardless of whether or
not you are running in interactive mode. This information need be
entered only once per session, on the first EXPORT command.
Subsequent EXPORT commands within the same session do not require
that you to reenter this information.
If you are an interactive user and you do not specify the PASSWORD
keyword, EXPORT prompts you for your password. The advantage in
this is the password is not echoed and therefore does not appear on
your terminal.
/EXCLUDE
/EXCLUDE
/NOEXCLUDE (default)
Determines whether the DCE account is exported to OpenVMS.
If the DCE account is not exported, the OpenVMS account is not
created and an entry is created in the EXPORT exclude file for the
specified DCE account.
/INFORM
/INFORM (default)
/NOINFORM
Determines whether the user is informed of DCE accounts that
would have been selected for export, but are not selected.
(The reasons that accounts are not selected for export are that
they have already been exported (for example, they have an entry
in the DCE$UAF) or that they exist in the EXPORT exclude file.)
/INTERACTIVE (default)
/INTERACTIVE (default)
/NOINTERACTIVE
Controls whether an interactive or noninteractive export is
performed.
In interactive mode, a series of questions is asked and the user's
responses are used to determine the account details. This mode is
well suited to interactive users.
In noninteractive mode, all input is supplied through the data
qualifiers, and any missing or conflicting data causes the OpenVMS
account to not be created. This mode is well suited to command
files and batch jobs.
Data qualifiers can be specified in interactive mode. In this
case the data they provide is used to provide the default answers
to the relevant questions. All questions are still asked.
/OUTPUT[=output]
/OUTPUT[=output]
Defines where all program output should be written.
The default is SYS$OUTPUT:.
/RECAP
/RECAP
/NORECAP (default)
If /RECAP is specified details of the OpenVMS account are displayed
before it is actually created. When /CONFIRM is also specified the
account details are displayed immediately before the confirmation
request.
/TEST_ONLY
/TEST_ONLY
/NOTEST_ONLY (default)
If /TEST_ONLY is specified, OpenVMS accounts, identifiers, and
DCE$UAF entries are not created. All other functions operate
normally.
/WILD
/WILD (default)
/NOWILD
Specifies whether or not standard VMS wildcarding is to be applied
to dce-account-name. The default is /WILD which means a
dce-account-name of "SM*" is interpreted as meaning "export any
account starting SM".
If /NOWILD is specified the dce-account-name "SM*" is exported.
7.3 - Data Qualifiers
7. 3.1 - /ACCOUNT=account
/ACCOUNT=account (default)
[NO]ACCOUNT
Specifies the account string for the OpenVMS account (same as
/ACCOUNT in AUTHORIZE). The account is a string of 1 to 8
alphanumeric characters.
If this qualifier is not specified, the DCE account's group name
is used (truncated to 8 characters if necessary).
If no account field is required then specify /NOACCOUNT.
7. 3.2 - /DEVICE=device
/DEVICE=device
Specifies the name of the OpenVMS account's default
device at login. The device-name is a string of 1 to 31
alphanumeric characters. If you omit the colon from the
device-name value, a colon is automatically appended.
The default device is copy the device field from the
account specified by the /LIKE qualifier.
7. 3.3 - /DIRECTORY=directory
/DIRECTORY=directory
Specifies the default directory name for the DIRECTORY field of
the OpenVMS SYSUAF record. The directory name can be 1 to 63
alphanumeric characters. If you do not enclose the directory name
in brackets, EXPORT adds the brackets for you.
The default directory name is [username] where username is the
OpenVMS account's username.
7. 3.4 - /GROUP_UIC=group_uic
/GROUP_UIC=group_uic
Specifies the group part of the UIC for the OpenVMS
account. GROUP_UIC can be specified as an octal
group UIC code or as an existing group UIC identifier.
If specified as an octal number, it must be in the
range 1 to 37776 (octal).
The default is to take the OpenVMS account's ACCOUNT
field, convert it to uppercase, and interpret this as a group
UIC identifier. If such an identifier does not exist then
a similar translation is attempted for the DCE account's
group name. If neither identifiers exist, the group
UIC is derived from the OpenVMS account specified by the
/LIKE qualifier.
7. 3.5 - /LIKE=vms-account
/LIKE=vms-account
Specifies an existing OpenVMS account that is to be used
as the basis for the OpenVMS account that is being
created. Any fields not specified on the EXPORT command line, as
well as all quotas, privileges, etc, are inherited from
the /LIKE account.
The default is DEFAULT (as it is in AUTHORIZE).
7. 3.6 - /MEMBER_UIC=member_uic
/MEMBER_UIC=member_uic
Specifies the member part of the UIC for the OpenVMS
account. MEMBER_UIC should be specified as an octal
number within the range 0 to 177776 (octal).
The default is to use the first available member UIC
within the group UIC (as specified by /GROUP_UIC). For example,
if the selected group is 150 and that group has members 1,
2, 5 and 6 already defined, then the new uic would be
[150,3].
7. 3.7 - /OWNER=owner (default)
/OWNER=owner (default)
/NOOWNER
Specifies the owner string for the OpenVMS account (same
as /OWNER in AUTHORIZE). The owner is a string of 1 to 31
characters.
If this qualifier is not specified, the DCE account's principal
name is used (truncated to 31 characters if necessary).
If no owner field is required, specify /NOOWNER.
7. 3.8 - /PASSWORD=passwd
/PASSWORD=passwd
Specifies the password for the OpenVMS account. Passwords
contain from 0 to 32 characters and can include
alphanumeric characters, dollar signs, and underscores.
Passwords are not case-sensitive.
If you do not specify a password, the account is
created without a valid OpenVMS password.
7. 3.9 - /QUOTA=quota
/QUOTA=quota (default)
/NOQUOTA
Specifies the disk quota for the device specified by
/DEVICE to be given to the OpenVMS account (if quotas
are enabled on that volume).
The default is 1000 blocks. If quotas are not enabled
on the device specified by /DEVICE, or if /NOQUOTA is
specified, then no quota is given.
7. 3.10 - /USERNAME=username
/USERNAME=username
Specifies the username for the OpenVMS account. The
username is a string of 1 to 12 alphanumeric characters
and can contain underscores.
If this qualifier is not specified, the DCE account's principal
name is used (truncated to 12 characters and uppercased).
| 8 - SHOW |
Displays DCE principal names. The SHOW command can only be used
with the following qualifier:
o SHOW/EXCLUDE Displays DCE principal names in the EXPORT
exclude list (see /EXCLUDE).
8.1 - /EXCLUDE
Displays DCE principal names in the EXPORT exclude list.
Format:
SHOW/EXCLUDE [PRINCIPAL]
Qualifiers Defaults
/ALL
/OUTPUT=output /OUTPUT=SYS$OUTPUT:
8. 1.1 - Parameters
principal
Specifies the name of the DCE principal to be displayed
from the EXPORT exclude list. Full OpenVMS wildcarding
is allowed.
If the principal name contains lowercase characters,
spaces, or other special characters, enclose the entire
string is quotes.
If /ALL is on the command line, do not specify a principal name.
8. 1.2 - Qualifiers
8. 1. 2.1 - /ALL
/ALL
Specifies that all EXPORT exclude entries are to be
displayed. If you do not specify principal, then /ALL is
assumed.
8. 1. 2.2 - /OUTPUT=output
/OUTPUT=output
Determines where the output is written.
The default is SYS$OUTPUT:.
|
|
