About the creds utility

Technote (FAQ)


Question

How is the IBM Rational ClearCase creds utility used on Microsoft Windows to determine user credentials for the logged in account, what information is cached and how do I display (and flush) that cached information?

Answer

Note: The information in this technote has been incorporated into the 8.0 version of the IBM Rational ClearCase Information Center.



About the creds utility

Refer to the creds command in the ClearCase Information Center for details about this command.

Note: The creds utility is located, by default, in:

7.1.x: C:\Program Files\IBM\RationalSDLC\ClearCase\etc\utils\creds.exe

7.0.1 and earlier: C:\Program Files\Rational\ClearCase\etc\utils

This path is not included in the system PATH environment variable. You can add the path to the system PATH EV, or you will need to change directory (cd) into the directory where creds is located.

The available options for creds usage can be listed out using creds -h.

Usage
Description
creds [-w] Display current user's SID credentials.
creds {-a|-A} Display all information in current user's access token.
creds -u [-w] Display current user's UNIX style credentials.
creds -r Display current user's credentials in raw SID form.
creds {-p|-P} <pid> Display all information in the target process's access token.
creds [-u|-r] <user> Display information about specified user; user can be given as a name, integer UID, NT SID ("S-..."), or ClearCase SID ("NT:S-...","UNIX:10...","SID:01..."). Optional machine name causes lookup to be done on the specified machine.
creds [-u|-r] -g <group> Display information about specified group; group can be given as a name, integer GID, NT SID ("S-..."), or ClearCase SID ("NT:S-...","UNIX:10...","SID:01..."). Optional machine name causes lookup to be done on the specified machine.
creds -s <pid> Set the primary group in the target process's access token based on CLEARCASE_PRIMARY_GROUP.
creds -t Update and print the cached trusted POSIX offset table.
creds -e Display standard SIDs.
creds -d <host> Display whether named host is in same domain as current host.
creds -x <ID> Convert the ID, which can be a SID or an integer UID/GID to an integer
UID/GID or SID (the other kind of ID) without regard to the validity of the ID.
creds -c <user> Display credentials of specified user; user can be given as a fully-qualified name.
creds -D Dump the cached pwd/grp tables.

Example of most basic creds output used for troubleshooting a user account:

    > creds
    Login name :    DOMAIN\User1
    USID:          NT:S-1-5-21-14...
    Primary group : DOMAIN\CC_USERS_GROUP (NT:S-1-5-21-14...)
    Groups : (10)
        Everyone (NT:S-1...)
        BUILTIN\Administrators (NT:S-1...)
        BUILTIN\Remote Desktop Users (NT:S-1...)
        BUILTIN\Users (NT:S-1...)
        NT AUTHORITY\REMOTE INTERACTIVE LOGON (NT:S-1...)
        NT AUTHORITY\INTERACTIVE (NT:S-1...)
        NT AUTHORITY\Authenticated Users (NT:S-1...)
        LOCAL (NT:S-1...)
        DOMAIN\Domain Users (NT:S-1-5-21-14...)
        DOMAIN\clearcase  (NT:S-1-5-21-14...)

You have ClearCase administrative privileges.
  • The Login name identifies the user account that is logged in to the local Windows client, and in most networks, this will be a domain account. However, this can be a local account if the network configuration is either a stand-alone ClearCase configuration or if this is a workgroup environment and the VOBs are stored on UNIX. See the IBM Rational ClearCase Administrator Guide for details on supported network configurations.

  • The Primary group identifies what the primary group is set to for ClearCase use. This group can be set on the domain controller or it can be set locally using the CLEARCASE_PRIMARY_GROUP environment variable. See technote 1135509 for more information.

  • Groups list the additional group membership of the user account (minus the Primary group) and it is limited to displaying up to 32 groups by default. Use creds -w to display all additional groups. See technote 1124574 for more information.

  • The DOMAIN\clearcase group and the statement at the end of the output indicates that the logged in user account has ClearCase administrative privileges. Likewise, if you did not have ClearCase administrative privileges, there would be a statement indicating that. See technote 1146253 for more information.

For more information on the creds utility, from command line, use cleartool man creds, or see the IBM Rational ClearCase Command Reference.


Creds output showing group names twice

Sometimes creds output lists the domain groups twice with separate SIDs.

*************************
C:\Rational\clearcase\etc\utils>creds
Login name:    DOMAIN1\xjrb7751
USID:          NT:S-1-5-21-2025429265-1303643608-1417001333-20032
Primary group: DOMAIN1\cmccs (NT:S-1-5-21-2091331072-1406801349-277364198-33363)
Groups: (32)
DOMAIN1\clearusers (NT:S-1-5-21-2091331072-1406801349-277364198-32837)
DOMAIN1\clearusers (NT:S-1-5-21-2025429265-1303643608-1417001333-1275)
DOMAIN1\SMS_CDG_TechSup (NT:S-1-5-21-2025429265-1303643608-1417001333-2182)
DOMAIN1\CMU (NT:S-1-5-21-2025429265-1303643608-1417001333-1283)
DOMAIN1\S3USER (NT:S-1-5-21-2025429265-1303643608-1417001333-2163)
DOMAIN1\S3USER (NT:S-1-5-21-2091331072-1406801349-277364198-1558)
DOMAIN1\SMS_CDG_TechSup (NT:S-1-5-21-2091331072-1406801349-277364198-32804)
DOMAIN1\CMU (NT:S-1-5-21-2091331072-1406801349-277364198-36480)
...

You have ClearCase administrative privileges.
****************************

This means that your site is in the process of migrating groups from an NT domain to an Active Directory domain.

If the migrated accounts include SID history, user accounts in the Active Directory domain include twice as many group memberships as they have in the Windows NT domain. Each user's group list includes groups from both domains. Users who are members of multiple groups in a Windows NT domain may find that their group list includes more than 32 groups after migration. Review technote 1124574 for more information about the CLEARCASE_GROUPS environment variable.

Refer to the ClearCase Administrators Guide for additional information on Active Directory Migration.

Note: As of version 2003.06.00, the OLD Domain entry will have a leading asterisk:

Login name:    DOM1\user1
USID:          NT:S-1-5-21-827945181-191126496-1124750213-4883
Primary group: DOM1\CC_Users (NT:S-1-5-21-827945181-191126496-1124750213-4962)
Groups: (25)
    DOM1\Domain Users (NT:S-1-5-21-827945181-191126496-1124750213-513)
    Everyone (NT:S-1-1-0)
    WREN\PD Developers (NT:S-1-5-21-436374069-507921405-839522115-1007)
    WREN\PD Team (NT:S-1-5-21-436374069-507921405-839522115-1004)
    BUILTIN\Administrators (NT:S-1-5-32-544)
    BUILTIN\Users (NT:S-1-5-32-545)
    NT AUTHORITY\INTERACTIVE (NT:S-1-5-4)
    NT AUTHORITY\Authenticated Users (NT:S-1-5-11)
    LOCAL (NT:S-1-2-0)
    DOM1\Product Development (NT:S-1-5-21-827945181-191126496-1124750213-5007)
    DOM1\Clear Case Admins (NT:S-1-5-21-827945181-191126496-1124750213-4963)
    DOM1\CMDS Associates (NT:S-1-5-21-827945181-191126496-1124750213-4965)
    DOM1\All CMDSers (NT:S-1-5-21-827945181-191126496-1124750213-4321)
    DOM1\Development-2 (NT:S-1-5-21-827945181-191126496-1124750213-4331)
    DOM1\TE Prog (NT:S-1-5-21-827945181-191126496-1124750213-4174)
    DOM1\HFD-Tech Staff (NT:S-1-5-21-827945181-191126496-1124750213-3899)
    DOM1\CC_Users (NT:S-1-5-21-2109960903-705956611-641664369-2902)
* DOM1\user1 (NT:S-1-5-21-2109960903-705956611-641664369-3172)
 DOM1\Clear Case Admins (NT:S-1-5-21-2109960903-705956611-641664369-2207)
    DOM1\Product Development (NT:S-1-5-21-2109960903-705956611-641664369-1252)
    DOM1\CMDS Associates (NT:S-1-5-21-2109960903-705956611-641664369-1018)
    DOM1\DOM1 Associates (NT:S-1-5-21-827945181-191126496-1124750213-4986)
    DOM1\PD - Local (NT:S-1-5-21-827945181-191126496-1124750213-4997)
    DOM1\DOM1 Associates (NT:S-1-5-21-2109960903-705956611-641664369-2841)
    DOM1\PD - Local (NT:S-1-5-21-2109960903-705956611-641664369-2861)

You have ClearCase administrative privileges.
You are logged onto Administrative-mode Terminal Server (Console).


How to use creds -t to determine if a domain is trusted

The creds -t output is specific to the domain to which the workstation resides. Log in to any available domain and the output will be the same per workstation because it can only belong to one domain.

Example of a one way trust, where Domain1 trusts Domain2, but Domain2 does not trust Domain1:

  • While logged in to a workstation that belongs to Domain1:

C:\Program Files\Rational\ClearCase\etc\utils> creds -t
Name             Offset       SID
LAB              0x01900000  S-1-5-21-1518097302-
DOMAIN2        0x01100000  S-1-5-21-1453292567-
NT01            0x01f00000  S-1-5-21-1186989896-
ATRIA           0x00f00000  S-1-5-21-108034363-
XERRA           0x02500000  S-1-5-21-1055335994-
CCSUPPT          0x01b00000  S-1-5-21-101735466-
TEST_DOMAIN      0x02600000  S-1-5-21-790525478-
WORKDOMAIN      0x02b00000  S-1-5-21-1644491937-

Note: DOMAIN 2 appears in the output because DOMAIN 1 trusts DOMAIN 2.

  • While logged in to a workstation that belongs to DOMAIN2:

C:\Program Files\Rational\ClearCase\etc\utils> creds -t
Name             Offset       SID
DISOCOVERY        0x01500000  S-1-5-21-1776094891-57206
COOP              0x00b00000  S-1-5-21-1581937804-37220
ATRIA           0x01700000  S-1-5-21-108034363-981813

Note: DOMAIN 1 does not appear in the output because DOMAIN 2 does not trust DOMAIN 1.


How to use creds -D to view cached data

The ClearCase creds command maintains a cache in memory that has a list of mappings that map, for example, a SID to a UID, or a UID to the information stored in the domain controller.

Here is a list of the specific mappings creds maintains:

  1. UID  ->  Passwd info
  2. User name  ->  Passwd info
  3. SID  ->  Passwd info
  4. GID  ->  Group info
  5. Group name  ->  Group info
  6. SID  ->  Group info
  7. Account name  ->  SID
  8. Account name  ->  SID
  9. SID  ->  UID
  10. Domain group SID map
  11. SID  ->  TPO
  12. TPO  ->  SID

Sometimes groups changes are made but are not picked up by the creds command. Why? For example, the current logged on user is added to ClearCase Administrator group, but creds still shows that the user does not have ClearCase administrative privilege. This has to do with the cache. The current login session still keeps the old creds information until the user has logged off or the host is restarted.

From the usage output, creds -D will dump the cached password and group tables for accounts logged on to the local system for ClearCase use. This output cannot be scaled down by account, which means the output will include, at least, information for your user account and the clearcase_albd account.

Since this information is cached, if your SID or other information changes, such as your account is added to a new group, then this cache needs to be refreshed also to reflect the change. This can be done manually using phash -f global and phash -f private (which is an undocumented utility) or creds will automatically check the cache for stale entries the next time it is run.

    usage: phash {-s | -f [global | private]}

            -s : to display cache hit/usage statistics
            -f : to flush the cache (default private)
Note: The phash utility is located, by default, in:

7.1.x: C:\Program Files\IBM\RationalSDLC\ClearCase\etc\utils

7.0.1 and earlier: C:\Program Files\Rational\ClearCase\etc\utils


Related information

Support Policy for Active Directory forests
A Japanese translation is available

Cross reference information
Segment Product Component Platform Version Edition
Software Development Rational ClearCase Utilities and Tools

Rate this page:

(0 users)Average rating

Document information


More support for:

Rational ClearCase
Utilities and Tools

Software version:

7.0, 7.0.1, 7.1

Operating system(s):

Windows

Reference #:

1221403

Modified date:

2009-10-13

Translate my page

Machine Translation

Content navigation