Provided by: openafs-client_1.8.12.1-1_amd64

NAME

       pts_creategroup - Creates an (empty) Protection Database group entry

SYNOPSIS

       pts creategroup -name <group name>+
           [-owner <owner of the group>]
           [-id <id (negated) for the group>+] [-cell <cell name>]
           [-noauth] [-localauth] [-force] [-help]
           [-auth] [-encrypt] [-config <config directory>]

       pts createg -na <group name>+  [-o <owner of the group>]
           [-i <id (negated) for the group>+] [-c <cell name>]
           [-no] [-l] [-f] [-h]
           [-a] [-e] [-co <config directory>]

       pts cg -na <group name>+ [-o <owner of the group>]
           [-i <id (negated) for the group>+] [-c <cell name>]
           [-no] [-l] [-f] [-h]
           [-a] [-e] [-co <config directory>]

DESCRIPTION

       The pts creategroup command creates an entry in the Protection Database for each group specified by the
       -name argument. The entry records the issuer of the command as the group's creator, and as the group's
       owner unless the -owner argument names an alternate user or group as the owner.

       There are two types of groups:

       •   regular,  the names of which have two parts separated by a colon. The part before the colon names the
           group's owner.  Any user can create such groups.

       •   prefix-less, which do not have an owner prefix. Only members of the system:administrators  group  can
           create prefix-less groups.

       Creating  a  group  lowers  the  issuer's  group-creation  quota  by one. This is true even if the -owner
       argument is used to assign ownership to an alternate user or group. To display  a  user's  group-creation
       quota, use the pts examine command; to set it, use the pts setfields command.

       AFS  group  ID (AFS GID) numbers are negative integers and by default the Protection Server assigns a GID
       that is one less (more negative) than the current value of the "max group id" counter in  the  Protection
       Database,  decrementing the counter by one for each group. Members of the system:administrators group can
       use the -id argument to assign specific AFS GID numbers. If any of the  specified  GIDs  is  lower  (more
       negative) than the current value of the "max group id" counter, the counter is reset to that value. It is
       acceptable  to  specify  a  GID  greater  (less  negative) than the current value of the counter, but the
       creation operation fails if an existing group already has it. To display or set the  value  of  the  "max
       group id" counter, use the pts listmax or pts setmax command, respectively.

OUTPUT

       The command generates the following string to confirm creation of each group:

          group <name> has id <AFS GID>

CAUTIONS

       Although  using  the -owner argument to designate a machine entry as a group's owner does not generate an
       error, it is not recommended. The Protection Server  does  not  extend  the  usual  privileges  of  group
       ownership to users logged onto the machine.

OPTIONS

       -name <group name>
           Specifies  the  name  of  each  group  to  create. Provide a string of up to 63 characters, which can
           include lowercase (but not uppercase)  letters,  numbers,  and  punctuation  marks.  A  regular  name
           includes  a  single  colon  (":") to separate the two parts of the name; the colon cannot appear in a
           prefix-less group name.

           A regular group's name must have the following format:

              <owner_name>:<group_name>

           and the <owner_name> field must reflect the actual owner of the group, as follows:

           •   If the optional -owner argument is not included, the field must  match  the  AFS  username  under
               which the issuer is currently authenticated.

           •   If the -owner argument names an alternate AFS user, the field must match that AFS username.

           •   If the -owner argument names another regular group, the field must match the owning group's owner
               field  (the part of its name before the colon). If the -owner argument names a prefix-less group,
               the field must match the owning group's complete name.

       -owner <owner of the group>
           Specifies a user or group as the owner for each group, rather than the issuer of the command. Provide
           either an AFS username or the name of a regular or prefix-less group. An owning  group  must  already
           have  at  least  one member. This requirement prevents assignment of self-ownership to a group during
           its creation; use the pts chown command after issuing this command, if desired.

       -id <id for the group>
           Specifies a negative integer AFS GID number for each  group,  rather  than  allowing  the  Protection
           Server to assign it. Precede the integer with a hyphen ("-") to indicate that it is negative.

           If  this  argument is used and the -name argument names multiple new groups, it is best to provide an
           equivalent number of AFS GIDs. The first GID is assigned to the first group, the second to the second
           group, and so on. If there are fewer GIDs than groups, the Protection  Server  assigns  GIDs  to  the
           unmatched  groups based on the "max group id" counter. If there are more GIDs than groups, the excess
           GIDs are ignored. If any of the GIDs is lower (more negative) than the  current  value  of  the  "max
           group id" counter, the counter is reset to that value.

       -auth
           Use  the  calling  user's  tokens  to  communicate  with the Protection Server. For more details, see
           pts(1).

       -cell <cell name>
           Names the cell in which to run the command. For more details, see pts(1).

       -config <config directory>
           Use an alternate config directory. For more details, see pts(1).

       -encrypt
           Encrypts any communication with the Protection Server. For more details, see pts(1).

       -force
           Enables the command to continue executing as far as possible when errors  or  other  problems  occur,
           rather than halting execution at the first error.

       -help
           Prints the online help for this command. All other valid options are ignored.

       -localauth
           Constructs  a  server  ticket  using  a  key  from the local /etc/openafs/server/KeyFile file. Do not
           combine this flag with the -cell or -noauth options. For more details, see pts(1).

       -noauth
           Assigns the unprivileged identity anonymous to the issuer. For more details, see pts(1).

EXAMPLES

       In the following example, the user pat creates groups called "pat:friends" and "pat:colleagues".

          % pts creategroup -name pat:friends pat:colleagues

       The following example shows a member of the system:administrators group creating  the  prefix-less  group
       "staff" and assigning its ownership to the system:administrators group rather than to herself.

          % pts creategroup -name staff -owner system:administrators

       In  the  following  example,  the  user pat creates a group called "smith:team-members", which is allowed
       because the -owner argument specifies the required value ("smith").

          % pts creategroup -name smith:team-members -owner smith
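
       The naming rules from the -name option, applied offline to the names used in the examples above. This
       is an added shell pre-flight check, not part of the OpenAFS documentation or code; the function names
       check_group_name and owner_field are hypothetical, and the Protection Server still enforces privileges
       and quota when the command is actually issued.

```shell
#!/bin/sh
# Added example: validate a group name against the -name rules before it is
# handed to `pts creategroup` (useful when names come from a provisioning
# request rather than from an administrator's keyboard).

# owner_field OWNER
# Prefix a regular group name must carry for OWNER: for a regular owning
# group ("smith:team") the part before the colon; for a user or a
# prefix-less group, the complete name.
owner_field() {
    printf '%s\n' "${1%%:*}"
}

# check_group_name NAME ISSUER [OWNER]
# OWNER defaults to ISSUER, as when -owner is omitted.
# Prints "regular" or "prefix-less" and returns 0 if NAME is acceptable;
# prints the reason on stderr and returns 1 otherwise.
check_group_name() {
    name=$1 owner=${3:-$2}
    [ -n "$name" ] || { echo "empty name" >&2; return 1; }
    [ "${#name}" -le 63 ] || { echo "longer than 63 characters" >&2; return 1; }
    case $name in
        *[[:upper:]]*) echo "uppercase letters not allowed" >&2; return 1 ;;
    esac
    case $name in
        *:*:*) echo "more than one colon" >&2; return 1 ;;
        *:*)
            prefix=${name%%:*} rest=${name#*:}
            # "Two parts separated by a colon" is read here as: both non-empty.
            [ -n "$prefix" ] && [ -n "$rest" ] || { echo "empty part" >&2; return 1; }
            want=$(owner_field "$owner")
            [ "$prefix" = "$want" ] || { echo "owner prefix must be '$want'" >&2; return 1; }
            echo regular ;;
        *)  # Only system:administrators members may create these (server-side check).
            echo prefix-less ;;
    esac
}
```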

PRIVILEGE REQUIRED

       The issuer must belong to the system:administrators group to create prefix-less groups or include the -id
       argument.

       To create a regular group, the issuer must:

       •   Be authenticated. The command fails if the -noauth flag is provided.

       •   Have a group-creation quota greater than zero. The pts examine command displays this quota.

SEE ALSO

       pts(1), pts_examine(1), pts_listmax(1), pts_setfields(1), pts_setmax(1)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted from HTML  to  POD
       by  software  written  by  Chas  Williams  and Russ Allbery, based on work by Alf Wachsmann and Elizabeth
       Cassell.

OpenAFS                                            2024-08-22                                 PTS_CREATEGROUP(1)