
sec_salvage_db(1m) [hpux man page]


NAME
       sec_salvage_db - Recover a corrupted registry database

       The sec_salvage_db -check and -fix options are not currently available.

SYNOPSIS
       sec_salvage_db -print [-dbpath db_pathname] [-prtpath print_pathname] [print_options] [-verbose] [-sort] [-dce1.0.3]

       sec_salvage_db -reconstruct [-dbpath db_pathname] [-prtpath print_pathname] [reconstruct_options] [-verbose]

       sec_salvage_db -check [-dbpath db_pathname] [db_options] [-verbose]

       sec_salvage_db -fix [-dbpath db_pathname] [db_options] [-force] [-verbose]

OPTIONS
       -check
              Check the database elements specified by db_options for inconsistencies. This option sends a list to standard output of all bad list links, internal id references, and database keys and any detectable data inconsistencies. The -check option does not check fields for legal values.

       db_options
              Specify the database elements to be acted on by the -check or -fix options. If no db_options are specified, all are selected. The db_options are

              -princ     Principals
              -group     Groups
              -org       Organizations
              -acct      Accounts
              -acl       ACLs
              -policy    Policy
              -state     Database State
              -replicas  Replicas

       The .mkey.prt file and the princ.prt file contain unencrypted authentication keys. Ensure that only the privileged account can access these files and that they are never transferred over a network for viewing or backup.

       -fix
              Check the database for inconsistencies and prompt for whether to fix each inconsistency. After all inconsistencies have been processed, the option prompts for whether to save all fixes.

       -force
              Check the database for inconsistencies and fix each one without prompting. After all inconsistencies have been processed, the option prompts for whether to save all fixes. This option is valid only when used with the -fix option.

       -print
              Create files containing ASCII-formatted database records. These files are used by the -reconstruct option as a source for recreating the database. You can also manually edit the files to change information or fix problems. A separate file is created for each of the print_options specified. By default the -print option stores the master key file in the current directory and the database files in the rgy_print directory in the current directory. The -prtpath option lets you specify a different directory.

       -dce1.0.3
              Supports backwards conversion of a registry database from DCE 1.1 to DCE 1.0.3.

       print_options
              Specify the database elements to be acted on by the -print option. If the files exist, they are overwritten. If no print_options are specified, all are selected. The print_options and the files they create are

              -princ     Put principal records in the file princ.prt and master key information in the file .mkey.prt.
              -group     Put group records in the file group.prt.
              -org       Put organization records in the file org.prt.
              -policy    Put policy records in the file policy.prt.
              -state     Put information about the state of the database in the file rgy_state.prt.
              -replicas  Put replica information in the file replicas.prt.

       -reconstruct
              Reconstruct the registry database from the ASCII-formatted print files created by the -print option. The reconstruct_options specify the print files to use. The reconstruct_options are not available in Release 1.0.3. For this release, sec_salvage_db reconstructs all elements of the registry database.

       reconstruct_options
              Specifies which elements of the registry database to reconstruct. If no reconstruct_options are specified, all are selected. The reconstruct_options are

              -pgo       Use data in the princ.prt, group.prt, org.prt, and .mkey.prt files to reconstruct:
                             principals, groups, and organizations
                             principals' accounts
                             ACLs on database objects
                             the master key file
              -policy    Use data from the policy.prt file to reconstruct registry policies.
              -state     Use data from the rgy_state.prt file to reconstruct information about the state of the database.
              -replicas  Use data from the replicas.prt file to reconstruct the master replica list.

       -dbpath db_pathname
              For the -print and -check options, -dbpath specifies the directory in which the registry database and the master key file are located. For the -reconstruct and -fix options, -dbpath specifies the directory in which to store the reconstructed or salvaged database. The -print and -check options expect to find the master key file, .mkey, in the directory above the directory that holds the database files. For example, if db_pathname is dcelocal/var/security/new_rgy, the options look for the master key file in dcelocal/var/security and the database files in dcelocal/var/security/new_rgy. If this option is not specified, the default pathname is dcelocal/var/security/rgy_data. db_pathname can be a global pathname or a cell-relative name.

       -prtpath print_pathname
              For the -print and -reconstruct options only, -prtpath specifies the directory in which to create (-print) the print files, or find (-reconstruct) the print files from which to reconstruct the database. By default the -print option creates, and the -reconstruct option looks for, the master key file in the current directory and the database files in the rgy_print subdirectory of the current directory. -prtpath lets you specify the directory that should be used instead of the current directory. For example, if you specify print_pathname as dcelocal/var/security/registry, the master key print file will be created in that directory and the database print files in dcelocal/var/security/registry/rgy_print. If any or all of the print files exist in print_pathname or the default directory, their contents are overwritten. print_pathname can be a global pathname or a cell-relative name.

DESCRIPTION
       The sec_salvage_db tool is an aid to database administration and troubleshooting. Although day-to-day administration is handled by the rgy_edit command, sec_salvage_db can be useful for listing registry data, reconstructing databases, and salvaging corrupted databases.

       The sec_salvage_db command supports two methods of operation: the check and fix method and the print and reconstruct method. These methods can be used in tandem.

   Check and Fix Method
       The -check and -fix options are not currently available.

       The check and fix method recovers data from a corrupted database, fixing corrupted data links, data retrieval keys, and other internal references. You can use it on a database so corrupted that it prevents the Security Server (secd) from running or registry clients from operating correctly. The check and fix method repairs the database structure so that secd can run. (Note that data may be lost if corrupted pointers in the registry data files irreversibly sever the links between records.)

       The check and fix method uses the sec_salvage_db -check, -fix, and -force options. The -check option accesses each record in the database and reports all errors, but makes no fixes. Although you can run it to see the state of the database before you run the -fix option, it is not required to be run. The -fix option also accesses each record in the database and reports all errors, but as it finds each error, it prompts for whether or not to fix the error. When processing is complete, sec_salvage_db prompts for whether or not to save the changes. The -force option can only be used with the -fix option. If you use it, sec_salvage_db does not prompt for confirmation before it fixes each error it finds. sec_salvage_db will still prompt for confirmation before it saves the changes.

   The Print and Reconstruct Method
       The print and reconstruct method allows you to reconstruct a database. It first creates ASCII files, called print files, that contain all accessible data in the database. Then, it reads the data in these files to construct a new database. If you cannot start a Security Server on the database host machine, you cannot use the print and reconstruct method, but must use the check and fix method. (Note that before you run sec_salvage_db with the -print and -reconstruct options, you must stop the Security Server.)

       In addition to reconstructing the database, the print and reconstruct method has other uses. You can use it to

       o  Make changes to the database by manually editing the print files created by the -print option and then reconstructing the database from the changed print files. This can be especially useful for changing many user passwords, which may be necessary if the master key file is corrupted.

       o  Obtain a listing of database contents.

       o  Copy databases between different platforms.

       To use the print and reconstruct method, run sec_salvage_db first with the -print option and then with the -reconstruct option. The -print option creates the ASCII print files from the registry database files. These files can be reviewed and edited to correct faulty information, such as name-to-UNIX ID mismatches or missing data, or to update existing data. The -reconstruct option recreates the registry database files from the print files.

       Because the -print option creates files containing all data in the database and the -reconstruct option recreates the database based on these files, you can use this method to move a database to another machine or even another cell. For example, if you run sec_salvage_db -print on an uncorrupted database, you can then run sec_salvage_db -reconstruct and specify a pathname on a different machine for where the database should be created.

   Converting a DCE 1.1 Registry Database to a DCE 1.0.3 Database
       The sec_salvage_db -dce1.0.3 option supports backwards conversion of a registry database from DCE 1.1 to DCE 1.0.3.

       To convert a DCE 1.1 registry database to a DCE 1.0.3 database, perform the following procedure:

       1.  Stop all DCE 1.1 servers.

       2.  Run the sec_salvage_db command with the -print and -dce1.0.3 options (and any other options you need) to create ASCII print files of the Registry database.

           Note that for polymorphous objects (that is, an object that can be both a directory and a person, group, or organization), sec_salvage_db creates a print file entry for a directory as default. It then stores the information related to the person, group, or organization in a file named info.prt. To recreate a person, group, or organization instead of a directory, manually add the information in the info.prt file to the appropriate ASCII print files.

       3.  Clean up the remnants of the Registry database by deleting the /opt/dcelocal/var/rpc/rpcdep.dat file and all files in the following directories:

               /opt/dcelocal/var/security/rgy_data
               /opt/dcelocal/var/security/rcache
               /opt/dcelocal/var/security/creds

       4.  Reload the DCE 1.0.3 bits.

       5.  Run the sec_salvage_db command with the -reconstruct option (and any other options you need) to create the database from the ASCII print files.

       6.  Restart the DCE 1.0.3 servers.

EDITING THE PRINT FILES
       To edit the print files, your entries must be in the following format:

              field_name optional_white_space=optional_white_space value

       Although you can leave spaces between the field name, the equals sign, and the value, field names and values cannot contain white space.

       A sample org.prt file follows.

              Record_Number = 2
              Object_Type = ORG
              Name = org/none
              UUID = 0000000C-D751-21CA-A002-08001E039D7D
              Unix_ID = 12
              Is_Alias_Flag = false
              Is_Required_Flag = false
              Fullname =
              Member_Name = nobody
              Member_Name = root
              Member_Name = daemon
              Member_Name = uucp
              Member_Name = bin
              Member_Name = dce-ptgt
              Member_Name = dce-rgy
              Member_Name = krbtgt/abc.com
              Member_Name = hosts/zebra/self
              Obj_Acl_Def_Cell_Name = /.../abc.com
              Obj_Acl_Entry = unauthenticated:r-t-----
              Obj_Acl_Entry = user:root:rctDnfmM
              Obj_Acl_Entry = other_obj:r-t-----
              Obj_Acl_Entry = any_other:r-t-----

       To update existing entries, simply supply a new value. For example, to update a principal's full name, the entry in the princ.prt file is

              Fullname = fullname

       The fullname variable is the principal's full name.

       The princ.prt file contains the following entry that allows you to update a principal's password in plain text:

              Plaintext_Passwd =

       This field does not display the principal's password. To update the password, simply enter the new one in plain text after the equals sign. When the database is reconstructed, the password is encrypted and any keys derived from that password are regenerated and used to overwrite any existing encryption key entries.

       To specify a NULL value, delete the existing value. For example, to specify a NULL value for a fullname in the princ.prt file, the entry is

              Fullname =

PRINT FILE FIELDS AND VALUES
       The fields in the princ.prt, group.prt, org.prt, .mkey.prt, policy.prt, rgy_state.prt and replicas.prt files are described in the following tables.

       Field Name                    Field Values

       For all Records:

       Record_Number
              The sequential number of the record in the database.
       Object_Type
              An indication of the type of object: PRINC=principal, DIR=directory.
       Name
              Name of the object.
       UUID
              Unique Identifier of the object.

       For Principals:

       Unix_ID
              The principal's Unix ID.
       Is_Alias_Flag
              An indication of whether or not the principal name is an alias or a primary name: true=alias, false=primary.
       Is_Required_Flag
              An indication of whether or not the principal is reserved: true=principal is reserved and cannot be deleted, false=principal is not reserved.
       Quota
              The principal's object creation quota: a non-negative integer or unlimited.
       Fullname
              The principal's fullname: a text string.
       Member_Name*
              The names of the groups to which the principal belongs.
       Obj_Acl_Def_Cell_Name
              The default cell name of this principal's object ACL.
       Num_Acl_Entries
              The number of entries in the principal's object ACL.
       Obj_Acl_Entry*+
              The contents of the principal's object ACL.
       Acct_Group_Name
              The account's group name.
       Acct_Org_Name
              The account's organization name.
       Acct_Creator_Name
              The name of the principal who created this account.
       Acct_Creation_Time
              The date and time the account was created in yyyy/mm/dd.hh:mm format. The first two digits of the year, the hours, and the minutes are optional.
       Acct_Changer_Name
              Name of the principal who last changed the account.
       Acct_Change_Time
              The date and time the account was last changed in yyyy/mm/dd.hh:mm format. (The first two digits of the year, the hours and the minutes are optional.)
       Acct_Expire_Time
              The date and time the account expires, or none for no expiration date. The date and time are in yyyy/mm/dd.hh:mm format. (The first two digits of the year, the hours and the minutes are optional.)
       Acct_Good_Since_Time
              The date and time the principal's account was last known to be in an uncompromised state in yyyy/mm/dd.hh:mm format, or now for the current time and date. (The first two digits of the year, the hours and the minutes are optional.)
       Acct_Valid_For_Login_Flag
              An indication of whether or not the account can be logged into: true=account is valid for login, false=account cannot be logged into.
       Acct_Valid_As_Server_Flag
              Indicates whether or not the account is a server and can engage in authenticated communication: true=account is a server, false=account is not a server.
       Acct_Valid_As_Client_Flag
              Indicates whether or not the account is a client and can log in, acquire tickets, and be authenticated: true=account is a client, false=account is not a client.
       Acct_Post_Dated_Cert_Ok_Flag
              Indicates whether or not tickets with a start time some time in the future can be issued to the account's principal: true=postdated tickets can be issued, false=postdated tickets cannot be issued.
       Acct_Forwardable_Cert_Ok_Flag
              Indicates whether or not a new ticket-granting ticket with a network address that differs from the present ticket-granting address can be issued to the account's principal: true=account can get forwardable certificates, false=account cannot.
       Acct_TGT_Auth_Cert_Ok_Flag
              Indicates whether or not tickets issued to the account's principal can use the ticket-granting-ticket authentication mechanism: true=tickets can use the ticket-granting-ticket authentication mechanism, false=they cannot.
       Acct_Renewable_Cert_Ok_Flag
              Indicates whether or not tickets issued to the principal's ticket-granting ticket can be renewed: true=tickets can be renewed, false=tickets cannot be renewed.
       Acct_Proxiable_Cert_Ok_Flag
              Indicates whether or not a new ticket with a different network address than the present ticket can be issued to the account's principal: true=such a ticket can be issued, false=such a ticket cannot be issued.
       Acct_Dup_Session_Key_Ok_Flag
              Indicates whether or not tickets issued to the account's principal can have duplicate keys: true=account can have duplicate session keys, false=account cannot.
       Unix_Key
              The account principal's encrypted UNIX password: ASCII string.
       Plaintext_Passwd
              Stores the principal's password in plain text. This field is provided to allow principals' passwords to be changed. When the princ.prt file is processed by the sec_salvage_db -reconstruct option, this password is encrypted using UNIX system encryption. This encrypted password is then stored as the principal's encrypted UNIX password in the Unix_Key field.
       Home_Dir
              The account principal's home directory: text string.
       Shell
              The account principal's login shell: text string.
       Gecos
              The account's GECOS information: text string.
       Passwd_Valid_Flag
              Indicates whether or not the account principal's password is valid: true=password is valid, false=password is not valid.
       Passwd_Change_Time
              The date and time the account principal's password was last changed in yyyy/mm/dd.hh:mm format, or now for the current date and time. The first two digits of the year, the hours and the minutes are optional.
       Max_Certificate_Lifetime
              The number of hours before the Authentication Service must renew the account principal's service certificates: an integer indicating the time in hours, or default-policy to use the registry default.
       Max_Renewable_Lifetime
              The number of hours before a session with the account principal's identity expires and the principal must log in again to reauthenticate: an integer indicating the time in hours, or default-policy to use the registry default.
       Master_Key_Version
              The version of the master key used to encrypt the account principal's key.
       Num_Auth_Keys
              The number of the account principal's authentication keys.
       Auth_Key_Version*
              A list of the version numbers of the account principal's authentication key. The first version number on the list represents the current authentication key.
       Auth_Key_Pepper*
              The pepper algorithm used for the account principal's key: a text string, or blank to use the default pepper algorithm.
       Auth_Key_Len*
              The length in bytes of the account principal's authentication key.
       Auth_Key*
              The account principal's authentication key: hex string.
       Auth_Key_Expire_Time*
              The date and time the account principal's authentication key expires, or none for no expiration. Date and time are in yyyy/mm/dd.hh:mm format. (The first two digits of the year, the hours and the minutes are optional.)

       For Directories:

       Obj_Acl_Def_Cell_Name+
              The default cell name of the directory's object ACL.
       Num_Acl_Entries
              The number of entries in the directory's object ACL.
       Obj_Acl_Entry*+
              The contents of the directory's object ACL.
       Init_Obj_Acl_Def_Cell_Name+
              The default cell name of the directory's initial object ACL.
       Num_Acl_Entries
              The number of entries in the directory's initial object ACL.
       Init_Obj_Acl_Entry*+
              The contents of the directory's initial object ACL.
       Init_Cont_Acl_Def_Cell_Name+
              The default cell name of the directory's initial container ACL.
       Num_Acl_Entries
              The number of entries in the directory's initial container ACL.
       Init_Cont_Acl_Entry*+
              The contents of the directory's initial container ACL.

       * These segments/fields may appear multiple times in succession.
       + If a stored UUID doesn't map to a name required for this field, the UUID will be displayed.

       Field Name                    Field Values

       For all Records:

       Record_Number
              The sequential number of the record in the database.
       Object_Type
              An indication of the type of object: GROUP=group, DIR=directory.
       Name
              Name of the object.
       UUID
              Unique Identifier of the object.

       For Groups:

       Unix_ID
              Unix ID of the group.
       Is_Alias_Flag
              An indication of whether or not the group name is an alias or a primary name: true=alias, false=primary.
       Is_Required_Flag
              An indication of whether or not the group is reserved: true=group is reserved and cannot be deleted, false=group is not reserved.
       Projlist_Ok_Flag
              An indication of whether or not the group can be included in project lists: true=group can be included on project lists, false=group cannot be included.
       Fullname
              The group's fullname: a text string.
       Member_Name*
              The names of the group's members.
       Obj_Acl_Def_Cell_Name+
              The default cell name of this group's object ACL.
       Num_Acl_Entries
              The number of entries in the group's object ACL.
       Obj_Acl_Entry*
              The contents of the group's object ACL.

       For Directories:

       Obj_Acl_Def_Cell_Name+
              The default cell name of this directory's object ACL.
       Num_Acl_Entries
              The number of entries in the directory's object ACL.
       Obj_Acl_Entry*
              The contents of the directory's object ACL.
       Init_Obj_Acl_Def_Cell_Name+
              The default cell name of the directory's initial object ACL.
       Num_Acl_Entries
              The number of entries in the directory's initial object ACL.
       Init_Obj_Acl_Entry*+
              The contents of the directory's initial object ACL.
       Init_Cont_Acl_Def_Cell_Name+
              The default cell name of the directory's initial container ACL.
       Num_Acl_Entries
              The number of entries in the directory's initial container ACL.
       Init_Cont_Acl_Entry*+
              The contents of the directory's initial container ACL.

       * These fields may appear multiple times in succession.
       + If a stored UUID doesn't map to a name required for this field, the UUID will be displayed.

       Field Name                    Field Values

       For all Records:

       Record_Number
              The sequential number of the record in the database.
       Object_Type
              An indication of the type of object: ORG=organization, DIR=directory.
       Name
              Name of the object.
       UUID
              Unique Identifier of the object.

       For Organizations:

       Unix_ID
              Unix ID of the organization.
       Is_Alias_Flag
              An indication of whether or not the organization is an alias or a primary name: true=alias, false=primary.
       Is_Required_Flag
              An indication of whether or not the organization is reserved: true=organization is reserved and cannot be deleted, false=organization is not reserved.
       Fullname
              The organization's fullname: a text string.
       Member_Name*
              The names of the organization's members.
       Obj_Acl_Def_Cell_Name
              The default cell name of this organization's object ACL.
       Num_Acl_Entries
              The number of entries in the organization's object ACL.
       Obj_Acl_Entry*+
              The contents of the organization's object ACL.

       For Organizations with Policy:

       Acct_Lifetime
              The period during which accounts for the organization are valid: an integer number representing days, or forever.
       Passwd_Min_Len
              The minimum length of the organization's password: a non-negative integer.
       Passwd_Lifetime
              The span in days of the lifetime of the organization's password: an integer, or forever.
       Passwd_Expire_Time
              The date and time the organization's password expires in yyyy/mm/dd.hh:mm format. (The first two digits of the year, the hours and the minutes are optional.)
       Passwd_All_Spaces_Ok
              An indication of whether or not the organization's password can consist of all spaces: true=can consist of spaces, false=cannot.
       Passwd_All_Alphanumeric_Ok
              An indication of whether or not the organization's password can consist of all alphanumeric characters: true=can be all alphanumeric, false=cannot.

       For Directories:

       Obj_Acl_Def_Cell_Name+
              The default cell name of the directory's object ACL.
       Num_Acl_Entries
              The number of entries in the directory's object ACL.
       Obj_Acl_Entry*+
              The contents of the directory's object ACL.
       Init_Obj_Acl_Def_Cell_Name+
              The default cell name of the directory's initial object ACL.
       Num_Acl_Entries
              The number of entries in the directory's initial object ACL.
       Init_Obj_Acl_Entry*+
              The contents of the directory's initial object ACL.
       Init_Cont_Acl_Def_Cell_Name+
              The default cell name of the directory's initial container ACL.
       Num_Acl_Entries
              The number of entries in the directory's initial container ACL.
       Init_Cont_Acl_Entry*+
              The contents of the directory's initial container ACL.

       * These fields may appear multiple times in succession.
       + If a stored UUID doesn't map to a name required for this field, the UUID will be displayed.

       Field Name                    Field Values

       Master_Key_Version
              The integer version of the master key.
       Master_Key_Keytype
              Always des.
       Master_Key_Length
              The length of the master key in bytes.
       Master_Key
              The master key in hex string format.

       Field Name                    Field Values

       Rgy_Policy_File_Version
              An integer representing the version of the policy information.
       Prop_Read_Version
              A number indicating the property record's read version.
       Prop_Write_Version
              A number indicating the property record's write version.
       Min_Certificate_Lifetime
              The minimum amount of time before the principal's ticket must be renewed, in weekswdaysdhourshminutesm format.
| +------------------------------+------------------------------------------+ |Default_Certificate_Lifetime | The the default lifetime for tickets | | | issued to principals in this cell's reg- | | | istry in weekswdaysdhourshminutesm for- | | | mat. | +------------------------------+------------------------------------------+ |Low_Unix_ID_Principal | The starting point for principal UNIX | | | IDs automatically generated by the Secu- | | | rity Service when a principal is added: | | | an integer, which must be less than | | | Max_Unix_ID. | +------------------------------+------------------------------------------+ |Low_Unix_ID_Group | The the starting point for UNIX IDs | | | automatically generated by the Security | | | Service when a group is added: an inte- | | | ger, which must be less than | | | Max_Unix_ID. | +------------------------------+------------------------------------------+ |Low_Unix_ID_Org | The starting point for UNIX IDs automat- | | | ically generated by the Security Service | | | when an organization is added using: an | | | integer, which must be less than | | | Max_Unix_ID. | +------------------------------+------------------------------------------+ |Max_Unix_ID | The highest number that can be supplied | | | as a UNIX ID when principals are cre- | | | ated: an integer. | +------------------------------+------------------------------------------+ |Rgy_Readonly_Flag | An indication of whether or not the reg- | | | istry is read-only: true=read only, | | | false=updateable. | +------------------------------+------------------------------------------+ |Auth_Certificate_Unbound_Flag | An indication of whether or not certifi- | | | cates are generated for use on any | | | machine: true=yes, false=no. 
| +------------------------------+------------------------------------------+ |Shadow_Passwd_Flag | Determines whether encrypted passwords | | | are sent over the network: | | | true=encrypted passwords are not sent | | | over the network, false=encrypted pass- | | | words are sent over the network. | +------------------------------+------------------------------------------+ |Embedded_Unix_ID_Flag | Determines if UNIX IDs are embedded in | | | person, group, and organization UUIDs: | | | true=UNIX IDs are embedded, false=UNIX | | | IDs are not embedded. | +------------------------------+------------------------------------------+ +---------------------------+------------------------------------------+ |Realm_Name | The name of the full global pathname of | | | realm running the secd. | +---------------------------+------------------------------------------+ |Realm_UUID | The UUID of the realm running the secd. | +---------------------------+------------------------------------------+ |Unauthenticated_Quota | The quota of unauthenticated users: a | | | number or unlimited. | +---------------------------+------------------------------------------+ |Acct_Lifetime | The period during which accounts are | | | valid: a integer number representing | | | days or forever. | +---------------------------+------------------------------------------+ |Passwd_Min_Len | The minimum length of passwords: a non- | | | negative integer. | +---------------------------+------------------------------------------+ |Passwd_Lifetime | The span in days of the password life- | | | times: an integer or forever. | +---------------------------+------------------------------------------+ |Passwd_Expire_Time | The date and time the passwords expire | | | in yyyy/mm/dd.hh:mm format. (The first | | | two digits of the year, the hours and | | | the minutes are optional.) 
| +---------------------------+------------------------------------------+ |Passwd_All_Spaces_Ok | An indication of whether or not pass- | | | words can consist of all spaces: | | | true=can consist of spaces, false=can- | | | not. | +---------------------------+------------------------------------------+ |Passwd_All_Alphanumeric_Ok | Am indication of whether or not pass- | | | words can consist of all alphanumeric | | | characters: true=can be all alphanu- | | | meric, false=cannot. | +---------------------------+------------------------------------------+ |Max_Certificate_Lifetime | The number of hours before the Authenti- | | | cation Service must renew service cer- | | | tificates: an integer indicating the | | | time in hours or default-policy to use | | | the registry default. | +---------------------------+------------------------------------------+ |Max_Renewable_Lifetime | The number of hours before sessions | | | expire and the session principal must | | | log in again to reauthenticate: an inte- | | | ger indicating the time in hours or | | | default-policy to use the registry | | | default. | +---------------------------+------------------------------------------+ |Princ_Cache_State | The timestamp of the principal cache. | +---------------------------+------------------------------------------+ |Group_Cache_State | The timestamp of the group cache. | +---------------------------+------------------------------------------+ |Org_Cache_State | The timestamp of the organization cache. | +---------------------------+------------------------------------------+ |My_Name | The cell-relative name of the security | | | server. | +---------------------------+------------------------------------------+ |Master_Key_Version | The integer version of current master | | | key. | +---------------------------+------------------------------------------+ |Master_Key_Keytype | Always des. 
| +---------------------------+------------------------------------------+ |Master_Key_Length | The length of the master key in bytes. | +---------------------------+------------------------------------------+ |Master_Key | The master key in hex string format. | +---------------------------+------------------------------------------+ |Old_Master_Key_Version | The version of the previous master key. | +---------------------------+------------------------------------------+ |Old_Master_Key_Keytype | Always des. | +---------------------------+------------------------------------------+ |Old_Master_Key_Length | The length of the previous master key in | | | bytes. | +---------------------------+------------------------------------------+ |Old_Master_Key | The previous master key in hex string | | | format. | +---------------------------+------------------------------------------+ |Obj_Acl_Def_Cell_Name | The default cell name of the policy | | | object ACL. | +---------------------------+------------------------------------------+ |Num_Acl_Entries | The number of entries in the policy | | | object ACL. | +---------------------------+------------------------------------------+ |Obj_Acl_Entry*+ | The contents of the policy object ACL. | +---------------------------+------------------------------------------+ * These fields may appear multiple times in succession. + If a stored UUID doesn't map to a name required for this field, the UUID will be displayed. +-----------------------+------------------------------------------+ |Field Name | Field Values | +-----------------------+------------------------------------------+ |Rgy_State_File_Version | The integer version number of the format | | | of the rgy_state file. | +-----------------------+------------------------------------------+ |Replica_State | The state of the master registry: | | | unknown_to_master, uninitialized, | | | in_service, in_maintenance, closed, | | | deleted, or initializing. 
| +-----------------------+------------------------------------------+ |Cell_UUID | The UUID of cell in which the secd | | | resides. | +-----------------------+------------------------------------------+ |Server_UUID | The UUID of this secd. | +-----------------------+------------------------------------------+ |Initialization_UUID | The UUID of the last initialization | | | event. | +-----------------------+------------------------------------------+ |Master_File_Version | The version number of the master | | | replica. | +-----------------------+------------------------------------------+ |Master_Known_Flag | An indicate of whether or not the master | | | replica is know to this replica: | | | true=known, false=not known. Only if | | | this field is true do the other master | | | field contain valid information. | +-----------------------+------------------------------------------+ |Master_UUID | The UUID of the master replica. | +-----------------------+------------------------------------------+ |Master_Seqno | The 2-digit sequence number of the event | | | when the master became the master in n.n | | | format. | +-----------------------+------------------------------------------+ +--------------------+------------------------------------------+ |Field Name | Field Values | +--------------------+------------------------------------------+ |Record_Number | The sequential number of the record in | | | the database. | +--------------------+------------------------------------------+ |Replica_UUID | The UUID listed for the replica in the | | | replica list. | +--------------------+------------------------------------------+ |Replica_Name | The name of the replica as known to the | | | Cell Directory Service. | |_ | | |Num_Towers | The number of towers. | +--------------------+------------------------------------------+ |Tower_Length* | The Length of the next tower (in bytes). 
| +--------------------+------------------------------------------+ |Tower* | The tower used to communicate with the | | | replica (a byte stream that can be bro- | | | ken on word boundaries). | +--------------------+------------------------------------------+ |Propagation_Type | An indication of whether the replica is | | | initialized, initializing, in the | | | process of being updated, or in the | | | process of being deleted. | +--------------------+------------------------------------------+ |Initialization_UUID | UUID of the last initialization. | +--------------------+------------------------------------------+ * These fields may appear multiple times in succession. NOTES
This reference page is the version that was included in the DCE 1.0.3 Command Reference, updated with information about the -dce1.0.3 option. It is not guaranteed to correspond exactly to the DCE 1.1 usage.

ERROR CONDITIONS
You will receive the following error message if the default rgy_data directory is being used and there is an advisory lock on the rgy_state data file:

       Registry: Error - database is locked.
       Put secd into maintenance mode or clear advisory lock on rgy_state file in db_pathname

The existence of the advisory lock implies that secd is in service. Use the sec_admin command to put secd in maintenance mode. If secd is not running, the advisory lock may be the result of an ungraceful shutdown of secd. To remove the advisory lock, use mv to rename the dcelocal/var/security/rgy_data/rgy_state file, then rename it back to its original name. Then re-run the sec_salvage_db command.
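The policy and property fields tabulated above carry formats and constraints that are worth checking before a hand-edited print file is fed back to -reconstruct: Min_Certificate_Lifetime and Default_Certificate_Lifetime in weekswdaysdhourshminutesm format, Passwd_Expire_Time in yyyy/mm/dd.hh:mm with optional century, hours and minutes, the Low_Unix_ID_* values strictly below Max_Unix_ID, and the lifetimes as an integer number of days or forever. The following Python is an added example, not code from this man page or from DCE: it parses those two formats and applies those rules to a constructed record. The field-name-to-value dict is an assumed input shape, since the page does not describe the .prt file layout, and a two-digit year is assumed to mean 19yy.

```python
import re
from datetime import datetime, timedelta

# Formats given on the page: weekswdaysdhourshminutesm (e.g. "1w2d3h30m", each part
# optional, at least one required) and yyyy/mm/dd.hh:mm (century, hours, minutes optional).
_LIFETIME_RE = re.compile(r"^(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?$")
_EXPIRE_RE = re.compile(r"^(\d{2}|\d{4})/(\d{1,2})/(\d{1,2})(?:\.(\d{1,2})(?::(\d{1,2}))?)?$")

def parse_lifetime(text):
    """timedelta for a weekswdaysdhourshminutesm string, or None if malformed."""
    m = _LIFETIME_RE.match(text)
    if not m or not any(m.groups()):
        return None
    w, d, h, mi = (int(g or 0) for g in m.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=mi)

def parse_expire_time(text):
    """datetime for a Passwd_Expire_Time string, or None if malformed.
    Assumption (not stated on the page): a two-digit year means 19yy."""
    m = _EXPIRE_RE.match(text)
    if not m:
        return None
    year, month, day, hour, minute = m.groups()
    year = int(year) if len(year) == 4 else 1900 + int(year)
    try:
        return datetime(year, int(month), int(day), int(hour or 0), int(minute or 0))
    except ValueError:  # calendar-invalid date such as 99/02/30
        return None

def check_policy(rec):
    """Findings (list of strings) for a policy record given as field name -> value."""
    out = []
    max_id = int(rec["Max_Unix_ID"]) if rec.get("Max_Unix_ID", "").isdigit() else None
    if max_id is None:
        out.append("Max_Unix_ID is not an integer")
    for f in ("Low_Unix_ID_Principal", "Low_Unix_ID_Group", "Low_Unix_ID_Org"):
        v = rec.get(f, "")
        if not v.isdigit():
            out.append(f"{f} is not an integer")
        elif max_id is not None and int(v) >= max_id:
            out.append(f"{f}={v} is not less than Max_Unix_ID={max_id}")
    for f in ("Acct_Lifetime", "Passwd_Lifetime"):
        v = rec.get(f, "")
        if v != "forever" and not v.isdigit():
            out.append(f"{f} must be an integer number of days or forever")
    for f in ("Min_Certificate_Lifetime", "Default_Certificate_Lifetime"):
        if parse_lifetime(rec.get(f, "")) is None:
            out.append(f"{f} is not in weekswdaysdhourshminutesm format")
    if parse_expire_time(rec.get("Passwd_Expire_Time", "")) is None:
        out.append("Passwd_Expire_Time is not in yyyy/mm/dd.hh:mm format")
    return out

# Constructed sample record (not real registry data) with two deliberate problems:
# Low_Unix_ID_Org above Max_Unix_ID, and an expiry date of 30 February.
SAMPLE = {"Max_Unix_ID": "32767", "Low_Unix_ID_Principal": "100", "Low_Unix_ID_Group": "100",
          "Low_Unix_ID_Org": "40000", "Acct_Lifetime": "forever", "Passwd_Lifetime": "90",
          "Min_Certificate_Lifetime": "1h", "Default_Certificate_Lifetime": "1d",
          "Passwd_Expire_Time": "99/02/30"}
```

Running check_policy(SAMPLE) reports the two constructed problems and nothing else.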