MS-SQL에서 Oracle로 데이터 복제 사용시 발생되는 오류

http://cafe.naver.com/sanovice/264

MS-SQL에서 Oracle로 데이터 복제 사용시 발생되는 오류중

MS-SSQL에서는 ''가 NULL로 인식되지 않지만 Oracle에서는 ''가 NULL로 인식된다.



따라서 필요에 따라서 Oracle의 Not NULL컬럼을 NULL 허용으로 변경하여야 할 경우

아래 쿼리문을 참조하면 쉽게 변경할 수 있다.



select bb.table_name, bb.column_name, substr(bb.column_name, -3), cc.column_id, cc.data_type, cc.nullable,
'alter table ' || bb.table_name || ' modify ( ' || cc.column_name || ' NULL ); ' as mod_query
from user_constraints aa, user_cons_columns bb, USER_TAB_COLS cc
where aa.constraint_name = bb.constraint_name
and bb.table_name = cc.table_name (+)
and bb.column_name = cc.column_name (+)
and aa.owner = '변경할 사용자 계정'
and aa.constraint_type = 'C' /* 체크 옵션만 적용 */
and upper(bb.column_name) <> 'MSREPL_TRAN_VERSION' /* 특정컬럼(MS-SQL 복제용컬럼)은 제외 */
and cc.data_type like '%CHAR%' /* 문자형 컬럼만 적용 */
and substr(bb.column_name, -3) not in ('_ID', '_CD') /* 끝자리가 일치하는 문자 제외 처리 */
order by bb.table_name, cc.column_id ;

참고 사이트

http://www.iparktokyo.com/irubon/index.html

SQL Server 2000 관리

에러 메세지
2006/11/09 22:49:45, Application Error, Error, ID=1000
??? ndmpserver.exe 0.0.0.0 ndmpserver.exe 0.0.0.0 00001eb5

2006/11/09 22:49:51, SQLSERVERAGENT, Error, ID=318
Unable to read local eventlog (reason: システム コールに渡されるデータ領域が小さすぎます。).

해결책
SQL Server エージェント エラー イベント ID が無視できます。 318 が エラーは、ほかのアプリケーションのため、発生します。
SQL Server が実行された場所同じコンピュータで実行されているエラー。 エラーを禁止するには。
他のアプリケーションで発生されたアプリケーション エラーをトラブルシューティングし、解決します。
참고 링크
http://support.microsoft.com/kb/811484/ja


에러 메세지
エラー : 5180、レベル : 22、状態 : 1
無効なフィールド ID 7、データベース 'tempdb' では FCB を開けませんでした。

詳細な情報は、http://go.microsoft.com/fwlink/events.asp の [ヘルプとサポート センター] を参照してください。

참고링크
http://support.microsoft.com/kb/278366/ja

SQL Server 인덱스

http://support.microsoft.com/kb/601427/ko

SQL Server 인덱스
이 문서가 적용되는 제품 보기.
기술 자료 ID : 601427
마지막 검토 : 2004년 3월 4일 목요일
수정 : 1.0
이 문서는 이전에 다음 ID로 출판되었음: KR601427
요약
이 자료는 SQL Server Data와 Index Structure들이 어떻게 물리적으로 디스크 드라이브상에 위치하는지에 대하여 설명합니다.
추가 정보
SQL Server 7.0의 Data page 와 Index page는 모두 8 Kilobytes 크기입니다. SQL Server Data Page들은, Text Data와 Image Data를 제외한, 모든 Data를 포함합니다. Text와 Image 데이터의 경우에는 Text/Image Column과 관련되는 Row를 포함하는 SQL Server Data Page는, Text/Image 데이터를 포함하는 하나 이상의 8-KB page들의 Binary Tree (또는 B-Tree) 구조에 대한 Pointer를 가지고 있게 됩니다.
SQL Server Index에는 두 가지 형태가 있으며, 두 가지 모두 8-KB Index page들로 이루어진 B-Tree 구조입니다. 차이점은 B-Tree 구조의 Leaf Level에 있습니다.

- Clustered Index

Table에는 오직 하나의 Clustered Index만 존재합니다. 1. Clustered Index를 가지고 Key를 검색하여 데이터를 읽어 오게 되면, Clustered Index의 Leaf Level이 Data Page이기 때문에, Pointer jump가 필요 없습니다.
2. Clustered Index의 Leaf Level은 그 Clustered Index를 구성하는 Column들의 순으로 이미 정렬되어 있습니다. Clustered Index의 Leaf Level은 그 Table의 실제 8KB data page들을 포함하기 때문에, 전체 Table의 Row data가 물리적으로 Clustered Index에 의해 결정된 순서대로 디스크 드라이브에 정렬되어 있습니다. 그러므로, Clustered Index의 값에 기반을 두고 Table로부터 많은 양의 Row들을 fetch해 오는 경우에 (적어도 64 KB이상인 경우), Sequential Disk I/O가 사용되기 때문에 I/O Performance 이득을 얻을 수 있습니다. 이것이 많은 수의 Row들을 읽어 오기 위해 Range Scan을 수행하는 Column에 대해 Clustered Index를 선택해야 하는 중요한 이유입니다.

- Nonclustered Index

Nonclustered Index는 어떤 Key값에 근거하여 크기가 큰 SQL Server Table들로부터 선택성이 높은 소수의 Row들을 Fetch해 오는데 유용합니다. Nonclustered Index들은 8-KB Index page들로 이루어진 Binary Tree들입니다. Index Page들의 Binary Tree의 Leaf Level은, 그 Index를 구성하는 Column들의 모든 데이터를 포함합니다. Nonclustered Index가 Key값과 일치하는 정보를 읽어 오는데 사용될 때, Key에 일치하는 데이터를 Index의 Leaf Level에서 찾을 때까지 그 Index B-Tree를 따라가게 됩니다. 만약 그 Table로부터 그 Index의 부분이 아닌 Column들이 필요한 경우에는, Pointer Jump가 발생합니다. 이 Pointer Jump는 디스크상에서 Nonsequential I/O Operation을 필요로 하게 됩니다. 어떤 경우에는, 다른 디스크로부터 데이터를 읽어 올 필요가 있는 경우도 있습니다. 여러 Pointer들이 동일한 8-KB Data Page들로 연결된다면, 그 Page를 Data Cache로 한번만 읽어 오면 되므로, I/O Performance Penalty가 적어집니다. Nonclustered Index를 사용한 검색을 포함하는 SQL Query에 의해 리턴된 각각의 Row에 대해, 한번의 Pointer Jump가 필요합니다. 그러므로, Table로부터 하나 혹은 소수의 Row들을 리턴하는 SQL Query인 경우에 Nonclustered Index가 적합하다는 것입니다. 그리고 많은 수의 Row들을 리턴하는 것이 필요한 Query들의 경우에는 Clustered Index가 더 적합한 것입니다. 좀 더 자세한 정보는 SQL Server Books Online에서 "Nonclustered Index" 를 찾으면 얻을 수 있습니다.

- Covering Indexes

Nonclustered Index에만 해당되는 특별한 경우가 Covering Index입니다. Covering Index는, 어떤 SQL Query를 충족시키는데 필요한 모든 Column들이 포함되는 Nonclustered Index를 의미합니다. Covering Index들은 많은 양의 I/O를 절약할 수 있고, 그러므로 Query의 Performance를 많이 향상시킬 수 있습니다. 그러나, 새로운 Index(그 Index와 관련된 B-Tree Index Structure 유지)를 만들어야 하는 비용을, Covering Index로 얻을 수 있는 I/O Performance 이득과 비교하여 균형을 고려하여 선택해야 합니다. 만약 어떤 Covering Index가 SQL Server상에서 아주 자주 수행되는 Query 또는 여러 Query들의 Performance를 향상시킬 수 있다면 Covering Index를 생성하는 것이 좋습니다.

Covering Index의 예:
1. select col1, col3 from Table1 where col2 = 'value'
2. create Index Indexname1 on Table1 (col2, col1, col3)
또는 1. SQL Server가 Data Page가 아닌 Index Page로부터 필요한 모든 data를 얻을 수 있으므로, SQL Server가 디스크 I/O Operation을 절약할 수 있습니다.
2. 위의 Covering Index는 디스크상에 물리적으로 col2를 기준으로 필요로 하는 모든 데이터를 구성하고 있으므로, 하드 드라이브가 순차적으로 (col2 = 'value') 라는 조건과 관련되는 모든 Index Row들을 리턴할 수 있게 됩니다. 이것이 I/O Performance를 상당히 향상시킬 수 있게 되는 것입니다.

SQL Server Enterprise Manager에서 Create Index Wizard를 사용하여 Index를 생성합니다. SQL Server Enterprise Manager 메뉴 바에서 Tools/Wizards를 선택하고, Database wizard가 나타나도록 Database 옆에 있는 + 아이콘을 클릭한 다음, Create Index Wizard를 더블-클릭합니다.
이 예에서 만들어진 "indexname1" 이라는 Index는, select문의 모든 Column들과 WHERE 조건을 포함하기 때문에 Covering Index가 됩니다. 이것은, 이 Query를 수행할 때 SQL Server가 Table1과 관련되는 Data Page들을 액세스할 필요가 없으며, 그 Query를 충족하는데 필요로 하는 모든 정보를 Indexname1이라는 Index로부터 얻을 수 있다는 것을 의미합니다. SQL Server가 Indexname1과 관련되는 B-Tree를 traverse해서 col2가 "value" 와 동일한 Index Key들의 range를 찾기만 하면, SQL Server가 그 covering Index의 Leaf Level로부터 필요한 모든 데이터 (col1, col2, col3)를 Fetch해 올 수 있다는 것을 알게 됩니다. 이는 두 가지 측면에서 I/O Performance 향상을 제공해 줍니다.
일반적으로 그 Table의 한 Row의 Byte수에 비하여 covering Index의 모든 Column들의 Byte수를 합한 것이 작고, Covered Index를 이용하는 Query가 자주 수행되는 것이 확실한 경우에는 Covering Index를 사용하는 것이 합리적입니다.
그러나, 많은 Covered Index들을 만들기 전에 다음 내용을 참고할 것을 권장합니다.

- Automatic Covering Indexes 또는 Covered Queryies

SQL Server 7.0의 새로운 Query Processor는 Index Intersection을 제공합니다. Index Intersection은 Query Processor로 하여금 주어진 Table로부터 여러 개의 Index들을 고려하여 여러 Index들에 기반을 둔 Hash Table을 구축하고, Hash Table을 사용하여 주어진 Query에 대해서 I/O를 감소시킬 수 있도록 해 줍니다. Index Intersection으로부터 나온 Hash Table은 하나의 Covering Index를 가지게 되고, Covering Index가 하는 것과 동일한 I/O Performance 혜택을 제공합니다. Index Intersection은 Database에 대하여 수행될 모든 Query들을 미리 결정하는 것이 어려운 경우에 많은 유연성을 제공해 줍니다.

이 경우에 따라야 할 좋은 전략은, 자주 Query되는 모든 Column들에 대해서 단일 Column, Nonclustered Index들을 정의하고, Covered Index가 필요한 경우에는 Index Intersection으로 하여금 처리하도록 하는 것입니다.
추가정보를 얻으려면, SQL Server Books Online에서 "query tuning recommendations" 와 "designing an Index"를 찾으면 됩니다.

Index intersection을 이용하는 예:
1. select col3 from Table1 where col2 = 'value'
2. Create Index Indexname1 on Table1(col2)
3. Create Index Indexname2 on Table1(col3)
위의 예에서 "indexname1" 과 "indexname2" 은 "table1" 이라는 SQL Server Table에 만들어진 Nonclustered, single- Column Index들입니다. 그 Query가 수행될 때, Query processor가 Index Intersection을 사용하는 것이 유용할 것이라는 상황을 인식합니다. Query Optimizer는 그 Query를 수행하는데 있어서 I/O을 절약하기 위하여 자동적으로 두개의 Index들을 함께 Hashing합니다. 이러한 상황이 발생하는 데에는 Query Hint가 전혀 필요 없습니다. Covering Index들 (선언된 covered Index이건 Index intersection에 의한 것이건)에 의해 처리되는 Query들은 "covered queries" 라고도 합니다.

- Index 선택

Index를 잘 선택하는 것이 디스크 I/O에 가장 큰 영향을 미치게 되므로, 결국 Performance 향상에 있어서 가장 중요한 요소가 됩니다. 이전에 왜 Nonclustered Index가 적은 수의 Row들을 읽어 오는 데 적합하고, Clustered Index가 Range-Scan에 적합한지를 설명했다.

Index를 설정할 때에는 가능한 한 적은 수의 Column들에 대하여, 그리고 Index 길이를 가능한 한 짧게 만들어 주는 것이 좋습니다. 특히 SQL 7.0 의 경우에는, Nonclustered Index 가 Row 데이터 위치정보로서 Clustered Index를 사용하기 때문에, Clustered Index의 바이트 길이를 짧게 만드는 것이 좋습니다.
Nonclustered Index의 경우에는, 선택성(selectivity) 을 고려해야 합니다. 크기가 큰 Table에 대해서 적은 종류의 data 를 가지는 Column 인 경우에 Nonclustered Index를 만들어 주는 것은 I/O를 감소시키는 데 있어서 비효율적입니다. 어떤 경우에는 Index를 사용하는 것이 sequential Table scan 을 수행하는 것보다 I/O를 증가하도록 할 수도 있습니다. Nonclustered Index 의 좋은 예로는 회사의 사번, 주민등록번호, 고객번호, 전화번호 등을 들 수 있습니다.
Clustered Index 는 실제적으로 Table 데이터를 정렬하여 저장하기 때문에, Nonclustered Index에 비해, 유일한 값의 종류가 많지 않은 Column에 대해서 Range Query를 수행하는 경우에 효과적입니다. 예를 들어, 회사지사, 판매날짜 등을 들 수 있습니다. Clustered Index를 어떤 Column에 대해서 만들 때에는, "그 Column의 순서에 의거하여 많은 수의 Row들을 Fetch하는 Query문들이 많은가" 라는 분석을 해야 합니다.

Clustered Index를 사용하는 것이 효과적인 유형의 Query문들:
WHERE < Column_name> > some_value
WHERE < Column_name> BETWEEN some_value AND some_value
WHERE < Column_name> < some_value

Clustered Index 선택, Sequential Key Data, Hot Spot을 보는 방법:

Clustered Index 선택은 두 가지 주요한 결정을 포함합니다: 1. 그 Table의 어느 Column이, Range Scan을 위해 순차적인 I/O를 제공하는 측면에서 Clustered Index를 만들면 가장 혜택을 받을 수 있는지를 결정합니다.
2. Hot Spot을 피하면서 Table 데이터의 물리적인 위치에 영향을 주기 위해 Clustered Index를 사용하는 것입니다.
Hot Spot은 많은 Query들이 동시에 동일한 영역의 디스크에 데이터를 읽거나 쓰려고 하는 경우에 발생합니다. 이는 하드 디스크가 동시에 처리할 수 있는 것보다 많은 디스크 I/O 요청들을 받게 되기 때문에, 디스크 I/O 병목현상(Bottleneck)을 유발하게 됩니다.

- FILLFACTOR와 PAD_INDEX의 중요성

만약 많은 양의 Insert 작업이 발생하는 경우라면, Page 분할(Splitting)을 방지하기 위하여 Index Page에 여분의 공간을 확보하는 것이 필요합니다. Page Splitting 은 Index Page나 Data Page에 새로 추가될 Row를 수용할 공간이 없어서, SQL Server가 새로운 Page를 할당해서 기존 Page에 있던 데이터들을 두개의 Page에 나누는 작업을 하는 것을 말하는 것으로서, 이러한 작업은 System 자원과 시간을 낭비하는 요인이 됩니다.
그러므로, Index를 만들 때 fillfactor와 pad_index 설정을 고려하는 것이 필요합니다. CREATE INDEX와 DBCC REINDEX 문의 FILLFACTOR 옵션을 사용하면 Index Page와 Data Page에 여분의 공간을 확보할 수 있습니다.
Performance Monitor에서 "SQL Server: Access Methods - Page Splits." 값을 주기적으로 관찰하여 0보다 큰 값이 발견되면, Page 분할이 발생하는 것이므로 DBCC SHOWCONTIG를 사용하여 자세하게 분석하는 것이 필요합니다.
과도한 Page 분할이 Table에서 발생하면, Index를 다시 생성해 주는 작업을 수행해 줄 것을 권장합니다.

oracle tip

lsnrctl status

alter session set cursor_sharing=FORCE;
alter session set cursor_sharing=EXACT;

select * from v$session where type= 'USER'
alter system kill session '331,6631'

터미널에서 에러코드 확인
[xxx:/oracle/OraHome1] oerr ora 07445

UTF8과 AL32UTF8의 차이점
UTF8은 유니코드 3.0 까지만 지원 하고 오라클에서도 더이상 개발하고 있지 않음
AL32UTF8은10g의 경우 유니코드 4.0 까지 지원 하며 계속 업데이트 중임

DB 문자셋 변경

MS SQL서버 디비별 문자셋 변경 방법
참고
http://ssw.com.au/SSW/KB/KB.aspx?KBID=Q711843

우선 디비 생성 스크립트 스키마 테이블 유저 제약 관련 스크립트 익스포트

1. 디비가 사용중인지 아닌지 Check 사용중인 sid kill
sp_who
kill 55

2.디비 detach
sp_detach_db @dbname='TDE_GM'

3.데이터 파일과 로그 파일명 변경
TDE_GM_Data.MDF
TDE_GM_Data.LDF
에 OLD를 붙여서 변경 후 새로운 디비 이름으로 attach

EXEC sp_attach_db
@dbname = N'TDE_GMOLD',
@filename1 = N'E:SqlDataMSSQLDataTDE_GM_DataOLD.MDF',
@filename2 = N'E:SqlDataMSSQLDataTDE_GM_LogOLD.LDF'


4.위에서 익스포트한 스크립트에 문자셋 관련부분 변경후
디비 생성

5.DTS로 데이터 COPY

생각보다는 간단한작업..

MSSQL 일본어 설정

http://www.kawabata.com/yoshihiro/blog/PermaLink.aspx/cf14534f-ff6e-4123-8946-8205986f7665
の内容

照合順序の指定
SQL Server の 照合順序のオプションを簡単にまとめました


CI
大文字、小文字を区別しない。全角アルファベットの大文字、小文字も区別しない
例: 「A」 と 「a」 を同一視する
CS
大文字、小文字を区別する。全角アルファベットの大文字、小文字も区別する
例: 「A」 と 「a」 を区別する
AI
アクセント、濁音、破裂音を区別しない。
半角カナの濁音、破裂音も区別しない
例: 「ハ」、「バ」、「パ」を区別しない
AS
アクセント、濁音、破裂音を区別する。
例: 「ハ」、「バ」、「パ」を区別する
KS
ひらがなとカタカナを区別する。半角でも区別する
KS に対して、KI という指定はない
例: 「は」と「ハ」を区別する
WS
文字幅を区別する。つまり全角、半角を区別する。
WS に対して、WI という指定はない
例: 「a」と「ａ」を区別する
BIN
バイナリで比較する。つまりすべて区別する。
指定書式
書式: Japanese_BIN
書式: Japanese_(CI | CS)_(AI | AS)[(_KS | _WS | _KS_WS)]
例: Japanese_BIN
例: Japanese_CI_AS_KS

exp/imp

리눅스 포털에서 퍼온 내용입니다.
오늘 개발 서버에 리얼서버 데이터를 퍼올일이 있어서..
10g부터 적용되는 dbpump를 적용해 봤는데..
expdp는 잘되는데 impdp가 잘 않되서...(데이터 갱신이 않됬음.로그는 문제가 없었는데.....)
그리고 database link를 테스트 해 봤는데..
10g부터는 권한 관련 부분이 변화가 있었는지 잘 않되서...음...
결국은 exp/imp...

http://www.superuser.co.kr/home/superuserboard/view.html?id=361&code=oracle&start=450&position=

import, export사용(imp, exp)

linux라는 사용자로 연결한다
SQL> connect linux/linux
연결되었습니다.
SQL> set pagesize 30

linux가 가진 테이블은 다음과 같다
SQL> select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
S_CUSTOMER TABLE
S_DEPT TABLE
S_EMP TABLE
S_IMAGE TABLE
S_INVENTORY TABLE
S_ITEM TABLE
S_LONGTEXT TABLE
S_ORD TABLE
S_PRODUCT TABLE
S_REGION TABLE
S_TITLE TABLE
S_WAREHOUSE TABLE
TEST TABLE
13 개의 행이 선택되었습니다.
SQL> quit
Oracle8 Release 8.0.5.0.0 - Production
PL/SQL Release 8.0.5.0.0 - Production에서 분리되었습니다.
[linux@localhost db]$ ls -l /usr/local/Oracle
total 2
drwxr-xr-x 3 oracle dba 1024 Sep 22 13:23 app
drwxr-xr-x 3 oracle dba 1024 Sep 22 13:26 oradata
[linux@localhost db]$ ls -l /usr/local/Oracle/oradata
total 1
drwxr-xr-x 2 oracle dba 1024 Sep 22 13:34 kang
[linux@localhost db]$ ls -l /usr/local/Oracle/oradata/kang
total 131172
-rw-r----- 1 oracle dba 1435648 Oct 5 23:46 control01.ctl
-rw-r----- 1 oracle dba 1435648 Oct 5 23:46 control02.ctl
-rw-r----- 1 oracle dba 1435648 Oct 5 23:46 control03.ctl
-rw-r----- 1 oracle dba 15730688 Oct 5 23:44 rbs01.dbf
-rw-r----- 1 oracle dba 512512 Oct 5 23:41 redokang01.log
-rw-r----- 1 oracle dba 512512 Oct 5 23:42 redokang02.log
-rw-r----- 1 oracle dba 512512 Oct 5 23:44 redokang03.log
-rw-r----- 1 oracle dba 83888128 Oct 5 23:44 system01.dbf
-rw-r----- 1 oracle dba 1050624 Oct 5 23:42 temp01.dbf
-rw-r----- 1 oracle dba 26216448 Oct 5 23:42 tools01.dbf
-rw-r----- 1 oracle dba 1050624 Oct 5 23:42 users01.dbf

linux의 테이블을 export한다. OCP에서는 이 툴을 이용하는 백업을 논리적(logical) 백업이라고 한다
그냥 명령인자없이 주면 interactive하게 진행할 수 있다.
이 경우 direct백업(특별한 경우가 아닌 이상, 이 방법으로 하면 속도가 빨라진다.)이 불가능하다(디폴트로 N)
[linux@localhost db]$ exp linux/linux
Export: Release 8.0.5.0.0 - Production on 화 Oct 5 23:46:43 1999
(c) Copyright 1998 Oracle Corporation. All rights reserved.

연결할 곳: Oracle8 Release 8.0.5.0.0 - Production
PL/SQL Release 8.0.5.0.0 - Production
배열 인출 버퍼 크기 입력: 4096 >
엑스포트 파일: expdat.dmp > 그냥 엔터(디폴트 화일명은 expdat.dmp이다)

논리적 백업은 3가지가 있는데 아래에 있는 user, table과 아래에 나오지 않은 full백업이 있다
(full백업은 보통 dba만이 할 수 있다, 만일 백업만을 전담할 사용자를 둔다면, exp_full_database, imp_full_database 권한을 주면 된다.).
user는 사용자가 가진 스키마의 모든 것들을 export하는 것이고, table은 말 그대로 사용자의 지정된 table만을 export하는 것이다.
full은 전체 DB를 백업한다


(2)U(사용자), 또는 (3)T(테이블): (2)U > 여기서는 2을 선택했다
권한부여 엑스포트 (yes/no): yes > 그냥 엔터
테이블 데이터 엑스포트 (yes/no): yes > 그냥 엔터
확장 영역 압축 (yes/no): yes > 그냥 엔터
KO16KSC5601 문자 설정과 KO16KSC5601 NCHAR 문자 설정에서 엑스포트가 종료되었습니다
. LINUX 사용자를 위해 외래 함수 라이브러리 이름을 엑스포트합니다
. LINUX 사용자에 대한 개체 유형 정의를 엑스포트 합니다
LINUX의 개체를 엑스포트하려고 합니다 ...
. 데이터베이스 링크 엑스포트 중
. 순차 번호 엑스포트 중
. 클러스터 정의 엑스포트 중
. LINUX의 테이블을 엑스포트하려고 합니다 via 규정 경로...
. . 테이블 S_CUSTOMER(를)을 엑스포트 중 15 행이 엑스포트됨
. . 테이블 S_DEPT(를)을 엑스포트 중 12 행이 엑스포트됨
. . 테이블 S_EMP(를)을 엑스포트 중 25 행이 엑스포트됨
. . 테이블 S_IMAGE(를)을 엑스포트 중 19 행이 엑스포트됨
. . 테이블 S_INVENTORY(를)을 엑스포트 중 114 행이 엑스포트됨
. . 테이블 S_ITEM(를)을 엑스포트 중 62 행이 엑스포트됨
. . 테이블 S_LONGTEXT(를)을 엑스포트 중 33 행이 엑스포트됨
. . 테이블 S_ORD(를)을 엑스포트 중 16 행이 엑스포트됨
. . 테이블 S_PRODUCT(를)을 엑스포트 중 33 행이 엑스포트됨
. . 테이블 S_REGION(를)을 엑스포트 중 5 행이 엑스포트됨
. . 테이블 S_TITLE(를)을 엑스포트 중 8 행이 엑스포트됨
. . 테이블 S_WAREHOUSE(를)을 엑스포트 중 5 행이 엑스포트됨
. . 테이블 TEST(를)을 엑스포트 중 16 행이 엑스포트됨
. 동의어 엑스포트 중
. 뷰 엑스포트 중
. 저장 프로시저 엑스포트 중
. 참조 무결성 제약조건 엑스포트 중
. 트리거 엑스포트 중
. 이후 테이블 처리를 엑스포트 중
. 스냅샷 엑스포트 중
. 스냅샷 로그 엑스포트 중
. 작업 대기열을 엑스포트 중
. 리프레쉬 그룹과 자식 엑스포트 중
엑스포트가 경고 없이 정상적으로 종료되었습니다.
[linux@localhost db]$ ls -l
total 96
-rw-rw-r-- 1 linux linux 3340 Aug 15 22:30 JdbcTest.class
-rw-r--r-- 1 linux linux 3112 Aug 15 22:43 JdbcTest.java
drwxrwxr-x 2 linux linux 1024 Oct 1 01:10 db_ex
-rw-rw-r-- 1 linux linux 40960 Oct 5 23:46 expdat.dmp
-rw-r--r-- 1 linux linux 41841 Jun 30 11:59 summit.sql
-rw-rw-r-- 1 linux linux 4096 Oct 5 23:46 사용자관리-백업_리스토어.txt

kang이라는 사용자로 import를 수행한다.
[linux@localhost db]$ imp kang/kang
Import: Release 8.0.5.0.0 - Production on 화 Oct 5 23:48:1 1999
(c) Copyright 1998 Oracle Corporation. All rights reserved.

연결할곳: Oracle8 Release 8.0.5.0.0 - Production
PL/SQL Release 8.0.5.0.0 - Production
임포트 파일: expdat.dmp >
삽입 버퍼 크기를 입력하십시오 (최소치는 4096) 30720>
엑스포트 파일은 규정 경로를 거쳐 EXPORT:V08.00.05 에 의해 생성되었습니다
경고: 개체는 다른 사용자 LINUX(이)가 엑스포트한 것입니다.
임포트 파일의 내용만 표시합니다. (yes/no): no >
개체 존재로 인해 발생한 생성 오류는 무시합니다. (yes/no): no >
권한부여 임포트 (yes/no): yes >
테이블 데이터 임포트 (yes/no): yes >
엑스포트 파일 전체를 임포트합니다. (yes/no): no >
사용자명:linux 여기서 kang이라고 입력하지 않도록 주의한다
테이블(T) 또는 분할(T:P)명을 입력하십시오. 널 목록은 사용자의 모든 테이블을 의미합니다.
테이블(T) 또는 분할(T:P)명을 입력하거나 완료 시에는 .을 입력하십시오.
. LINUX 개체를 KANG(으)로 임포트하는 중입니다.
. . 테이블 "S_CUSTOMER"(를)을 임포트 중 15 행이 임포트되었습니다
. . 테이블 "S_DEPT"(를)을 임포트 중 12 행이 임포트되었습니다
. . 테이블 "S_EMP"(를)을 임포트 중 25 행이 임포트되었습니다
. . 테이블 "S_IMAGE"(를)을 임포트 중 19 행이 임포트되었습니다
. . 테이블 "S_INVENTORY"(를)을 임포트 중 114 행이 임포트되었습니다
. . 테이블 "S_ITEM"(를)을 임포트 중 62 행이 임포트되었습니다
. . 테이블 "S_LONGTEXT"(를)을 임포트 중 33 행이 임포트되었습니다
. . 테이블 "S_ORD"(를)을 임포트 중 16 행이 임포트되었습니다
. . 테이블 "S_PRODUCT"(를)을 임포트 중 33 행이 임포트되었습니다
. . 테이블 "S_REGION"(를)을 임포트 중 5 행이 임포트되었습니다
. . 테이블 "S_TITLE"(를)을 임포트 중 8 행이 임포트되었습니다
. . 테이블 "S_WAREHOUSE"(를)을 임포트 중 5 행이 임포트되었습니다
. . 테이블 "TEST"(를)을 임포트 중 16 행이 임포트되었습니다
사용 가능한 제약 조건에 관해서...
임포트가 경고 없이 정상적으로 종료되었습니다.
[linux@localhost db]$ sqlplus
SQL*Plus: Release 8.0.5.0.0 - Production on 화 Oct 5 23:48:37 1999
(c) Copyright 1998 Oracle Corporation. All rights reserved.
사용자명 입력: kang
암호 입력:
Connected to:
Oracle8 Release 8.0.5.0.0 - Production
PL/SQL Release 8.0.5.0.0 - Production

정말 import가 되었는지 확인하자
SQL> select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
S_CUSTOMER TABLE
S_DEPT TABLE
S_EMP TABLE
S_IMAGE TABLE
S_INVENTORY TABLE
S_ITEM TABLE
S_LONGTEXT TABLE
S_ORD TABLE
S_PRODUCT TABLE
S_REGION TABLE
S_TITLE TABLE
S_WAREHOUSE TABLE
TEST TABLE
13 개의 행이 선택되었습니다.


다시 system으로 접속해서 kang이라는 사용자를 지운다.
이때 kang이라는 사용자의 schema에는 테이블이 존재하므로 cascade옵션을 사용해야 한다

SQL> connect system
암호 입력:
연결되었습니다.
SQL> drop user kang;
drop user kang
*
1행에 오류:
ORA-01922: 'KANG'(을)를 삭제하려면 CASCADE를 지정하여야 합니다

SQL> drop user kang cascade;
사용자가 삭제되었습니다.

추가: 2001-12-20
imp에서 show패러미터는 export파일의 내용을 보여주고, 실제 import는 수행하지 않는다.
보여주는 내용이 SQL문으로 되어 있으므로 어떤 경우, 유용하게 사용될 수 있다.

imp system/xxxxxx full=y show=y file=full_20011220.dmp log=exp_content.sql


복구과정
1. 가장 최근의 exp파일에서 full=y inctype=system으로 imp를 수행하여 data dictionary와 DB구조들을 재생성
(이때 적용될 exp파일은 complete, cumulative, incremental의 종류에 관계없이 가장 최근의 exp파일이다.)
2. 가장 최근의 complete exp파일에서 full=y inctype=restore로 import한다.
(나머지 exp파일들에 대해 full=y와 inctype=restore로 계속 수행한다)
3. 가장 최근의 complete exp파일 이후로 수행된 cumulative exp파일들을 처리
4. 가장 최근의 cumulative exp파일 이후로 수행된 incremental exp파일들을 처리

export시 DB를 restricted session에 두고,(alter system enable restricted session)
exp 패러미터중 consistent를 Y에 두면 최소한의 읽기일관성 보장한다.
단, consistent패러미터는 complete, cumulative에서만 사용할 수 있다.
consistent패러미터는 incremental에서는 사용될 수 없으므로, incremental수행시에는
DB를 restricted session에 두고 수행하는 것이 좋다.


-- 읽기일관성 문제 예
테이블 데이터가 먼저 export되고, index는 그 다음에 수행된다.
따라서, 테이블데이터에 있지 않으나, 인덱스에는 해당 데이터가 있을 수도 있다.
export수행중, 변경된 데이터는 export파일에 저장되지 않는다.


conventional Vs direct
디폴트는 conventional path를 이용해 export된다.
conventional path는 SQL을 SQL*PLUS에서 수행하는 것과 동일한 방식으로 실행된다.
direct패러미터는 디폴트가 N이므로 명시적으로 Y값으로 설정해야 한다.
direct는 데이터 정의와 몇몇 SQL을 skip하여 수행되므로 백업의 속도가 빠르다.
direct path를 사용할 때는 buffer패러미터가 사용되지 않는다.


full=y로 수행된 export파일은 import시 user,table,full 모두에 사용될 수 있다

DB Link 관련

DBA 택이 님 페이지 에서 퍼온 내용입니다.

http://blog.naver.com/taek78?Redirect=Log&logNo=40024448851

먼저 oraA, oraB 의 서비스네임을 가진 데이타베이스 2개가 있다고 하자.

그리고 oraA 에서 oraB 의 데이타를 보려고 한다.

간단하게 설명하면 아래의 절차와 같다.

1 oraA 에서 oraB 로 접속 가능하게 설정한다.
2 oraA 에서 oraB 로 접속해본다.
3 oraA 에서 db link 를 만든다.
4 만든 db_link 로 테이블을 select 해본다.




1. oraA 서버상에 상대 오라클 서버(oraB)를 등록한다.

% vi $ORACLE_HOME/network/admin/tnsnames.ora 파일에 등록함 (oraA)



oraB =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = oraB의 ip 또는 host name )(PORT = 포트번호))
)
(CONNECT_DATA =
(SERVICE_NAME 또는 SID = remote SID)



2. 일단 접속해본다.

% sqlplus /@oraB

접속이 되면 빠져나온다.



3. DB Link 를 사용할 오라클 계정(oraA)으로 sqlplus에 로그인하고 다음과 같이 DB Link를 생성한다.

SQL> create database link <링크로사용할이름> connect to identified by using 'oraB(상대 서비스 네임)';



4. 잘 만들어 졌는지 확인

SQL> select * from tab@<링크이름>
oraB의 테이블정보와 일치하면 성공.


5. drop Database link 방법

잘못 만들었다면 지우고 다시 만든다.

SQL> drop database link <링크이름>;

6. Database link 현황 보기

SQL> select * from all_db_links;

SQL> select * from dba_db_links;



7. TNS-03505 에러 발생시

oraA와 oraB의$ORACLE_HOME/network/admin/sqlnet.ora 비교하여 NAMES.DIRECTORY_PATH= 의 값이 동일한지 확인

FLICKR

http://kr.blog.yahoo.com/mineout/1360457.html
http://kldp.org/~kss/node/52
http://ilmol.com/wp/2005/06/11/28/
http://www.airtightinteractive.com/projects/related_tag_browser/app/

Select Insert Select Create

--select Insert
[oracle]
INSERT INTO TESTTABLE(SELECT * FROM TESTTABLE WHERE TESTCOLUMN = 'TESTVALUE');
[mssql]
INSERT INTO TESTTABLE SELECT * FROM TESTTABLE WHERE TESTCOLUMN = 'TESTVALYE'

--select create
[oracle]
CREATE TABLE TESTTABLEBK AS SELECT * FROM TESTTABLE;

[mssql]
SELECT * INTO TESTTABLEBK FROM TESTTABLE

TSQL

*날짜를 취득해 표시 하는 방법
select (convert(char(8),getdate(),112))
column1
----------
20060607

select (convert(char(10),getdate(),102))
column1
----------
2006.06.07


select REPLACE(REPLACE(REPLACE(CONVERT(varchar(20),
getdate() , 120), ':', ''), '-', ''), ' ', '')

Kerberos V5 Tutorial

http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-user.html

--------------------------------------------------------------------------------
Node:Top, Next:Copyright, Previous:(dir), Up:(dir)

Copyright:
Introduction:
Kerberos V5 Tutorial:
Kerberos V5 Reference:
Kerberos Glossary:


--------------------------------------------------------------------------------
Node:Copyright, Next:Introduction, Previous:Top, Up:Top

Copyright
Copyright © 1985-2002 by the Massachusetts Institute of Technology.

Export of software employing encryption from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original MIT software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:

Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.

OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code.

OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community.

The implementation of the Yarrow pseudo-random number generator in src/lib/crypto/yarrow has the following copyright:

Copyright 2000 by Zero-Knowledge Systems, Inc.

Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Zero-Knowledge Systems, Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Zero-Knowledge Systems, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The implementation of the AES encryption algorithm in src/lib/crypto/aes has the following copyright:

Copyright (c) 2001, Dr Brian Gladman , Worcester, UK. All rights reserved.

LICENSE TERMS

The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that:


distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer;
distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials;
the copyright holder's name is not used to endorse products built using this software without specific written permission.
DISCLAIMER

This software is provided 'as is' with no explcit or implied warranties in respect of any properties, including, but not limited to, correctness and fitness for purpose.

Kerberos V5 includes documentation and software developed at the University of California at Berkeley, which includes this copyright notice:
Copyright © 1983 Regents of the University of California.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:


Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
Permission is granted to make and distribute verbatim copies of this manual provided the copyright notices and this permission notice are preserved on all copies.

Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided also that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.

Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions.



--------------------------------------------------------------------------------
Node:Introduction, Next:Kerberos V5 Tutorial, Previous:Copyright, Up:Top

Introduction
Kerberos V5 is an authentication system developed at MIT. Kerberos is named for the three-headed watchdog from Greek mythology, who guarded the entrance to the underworld.

Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client's password as the key, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT, using its password. If the client successfully decrypts the TGT (i.e., if the client gave the correct password), it keeps the decrypted TGT, which indicates proof of the client's identity.

The TGT, which expires at a specified time, permits the client to obtain additional tickets, which give permission for specific services. The requesting and granting of these additional tickets is user-transparent.

Since Kerberos negotiates authenticated, and optionally encrypted, communications between two points anywhere on the internet, it provides a layer of security that is not dependent on which side of a firewall either client is on. Since studies have shown that half of the computer security breaches in industry happen from inside firewalls, MIT's Kerberos V5 plays a vital role in maintaining your network security.

The Kerberos V5 package is designed to be easy to use. Most of the commands are nearly identical to UNIX network programs you already use. Kerberos V5 is a single-sign-on system, which means that you have to type your password only once per session, and Kerberos does the authenticating and encrypting transparently.

What is a Ticket?:
What is a Kerberos Principal?:


--------------------------------------------------------------------------------
Node:What is a Ticket?, Next:What is a Kerberos Principal?, Previous:Introduction, Up:Introduction

What is a Ticket?
Your Kerberos credentials, or "tickets", are a set of electronic information that can be used to verify your identity. Your Kerberos tickets may be stored in a file, or they may exist only in memory.

The first ticket you obtain is a ticket-granting ticket, which permits you to obtain additional tickets. These additional tickets give you permission for specific services. The requesting and granting of these additional tickets happens transparently.

A good analogy for the ticket-granting ticket is a three-day ski pass that is good at four different resorts. You show the pass at whichever resort you decide to go to (until it expires), and you receive a lift ticket for that resort. Once you have the lift ticket, you can ski all you want at that resort. If you go to another resort the next day, you once again show your pass, and you get an additional lift ticket for the new resort. The difference is that the Kerberos V5 programs notice that you have the weekend ski pass, and get the lift ticket for you, so you don't have to perform the transactions yourself.



--------------------------------------------------------------------------------
Node:What is a Kerberos Principal?, Previous:What is a Ticket?, Up:Introduction

What is a Kerberos Principal?
A Kerberos principal is a unique identity to which Kerberos can assign tickets. Principals can have an arbitrary number of components. Each component is separated by a component separator, generally `/'. The last component is the realm, separated from the rest of the principal by the realm separator, generally `@'. If there is no realm component in the principal, then it will be assumed that the principal is in the default realm for the context in which it is being used.

Traditionally, a principal is divided into three parts: the primary, the instance, and the realm. The format of a typical Kerberos V5 principal is primary/instance@REALM.

The primary is the first part of the principal. In the case of a user, it's the same as your username. For a host, the primary is the word host.
The instance is an optional string that qualifies the primary. The instance is separated from the primary by a slash (/). In the case of a user, the instance is usually null, but a user might also have an additional principal, with an instance called admin, which he/she uses to administrate a database. The principal jennifer@ATHENA.MIT.EDU is completely separate from the principal jennifer/admin@ATHENA.MIT.EDU, with a separate password, and separate permissions. In the case of a host, the instance is the fully qualified hostname, e.g., daffodil.mit.edu.
The realm is your Kerberos realm. In most cases, your Kerberos realm is your domain name, in upper-case letters. For example, the machine daffodil.example.com would be in the realm EXAMPLE.COM.


--------------------------------------------------------------------------------
Node:Kerberos V5 Tutorial, Next:Kerberos V5 Reference, Previous:Introduction, Up:Top

Kerberos V5 Tutorial
This tutorial is intended to familiarize you with the Kerberos V5 client programs. We will represent your prompt as "shell%". So an instruction to type the "ls" command would be represented as follows:

shell% ls

In these examples, we will use sample usernames, such as jennifer and david, sample hostnames, such as daffodil and trillium, and sample domain names, such as mit.edu and example.com. When you see one of these, substitute your username, hostname, or domain name accordingly.

Setting Up to Use Kerberos V5:
Ticket Management:
Password Management:
Kerberos V5 Applications:


--------------------------------------------------------------------------------
Node:Setting Up to Use Kerberos V5, Next:Ticket Management, Previous:Kerberos V5 Tutorial, Up:Kerberos V5 Tutorial

Setting Up to Use Kerberos V5
Your system administrator will have installed the Kerberos V5 programs in whichever directory makes the most sense for your system. We will use /usr/local throughout this guide to refer to the top-level directory Kerberos V5 directory. We will therefor use /usr/local/bin to denote the location of the Kerberos V5 user programs. In your installation, the directory name may be different, but whatever the directory name is, you should make sure it is included in your path. You will probably want to put it ahead of the directories /bin and /usr/bin so you will get the Kerberos V5 network programs, rather than the standard UNIX versions, when you type their command names.



--------------------------------------------------------------------------------
Node:Ticket Management, Next:Password Management, Previous:Setting Up to Use Kerberos V5, Up:Kerberos V5 Tutorial

Ticket Management
On many systems, Kerberos is built into the login program, and you get tickets automatically when you log in. Other programs, such as rsh, rcp, telnet, and rlogin, can forward copies of your tickets to the remote host. Most of these programs also automatically destroy your tickets when they exit. However, MIT recommends that you explicitly destroy your Kerberos tickets when you are through with them, just to be sure. One way to help ensure that this happens is to add the kdestroy command to your .logout file. Additionally, if you are going to be away from your machine and are concerned about an intruder using your permissions, it is safest to either destroy all copies of your tickets, or use a screensaver that locks the screen.

Kerberos Ticket Properties:
Obtaining Tickets with kinit:
Viewing Your Tickets with klist:
Destroying Your Tickets with kdestroy:


--------------------------------------------------------------------------------
Node:Kerberos Ticket Properties, Next:Obtaining Tickets with kinit, Previous:Ticket Management, Up:Ticket Management

Kerberos Ticket Properties
There are various properties that Kerberos tickets can have:

If a ticket is forwardable, then the KDC can issue a new ticket with a different network address based on the forwardable ticket. This allows for authentication forwarding without requiring a password to be typed in again. For example, if a user with a forwardable TGT logs into a remote system, the KDC could issue a new TGT for that user with the netword address of the remote system, allowing authentication on that host to work as though the user were logged in locally.

When the KDC creates a new ticket based on a forwardable ticket, it sets the forwarded flag on that new ticket. Any tickets that are created based on a ticket with the forwarded flag set will also have their forwarded flags set.

A proxiable ticket is similar to a forwardable ticket in that it allows a service to take on the identity of the client. Unlike a forwardable ticket, however, a proxiable ticket is only issued for specific services. In other words, a ticket-granting ticket cannot be issued based on a ticket that is proxiable but not forwardable.

A proxy ticket is one that was issued based on a proxiable ticket.

A postdated ticket is issued with the invalid flag set. After the starting time listed on the ticket, it can be presented to the KDC to obtain valid tickets.

Tickets with the postdateable flag set can be used to issue postdated tickets.

Renewable tickets can be used to obtain new session keys without the user entering their password again. A renewable ticket has two expiration times. The first is the time at which this particular ticket expires. The second is the latest possible expiration time for any ticket issued based on this renewable ticket.

A ticket with the initial flag set was issued based on the authentication protocol, and not on a ticket-granting ticket. Clients that wish to ensure that the user's key has been recently presented for verification could specify that this flag must be set to accept the ticket.

An invalid ticket must be rejected by application servers. Postdated tickets are usually issued with this flag set, and must be validated by the KDC before they can be used.

A preauthenticated ticket is one that was only issued after the client requesting the ticket had authenticated itself to the KDC.

The hardware authentication flag is set on a ticket which required the use of hardware for authentication. The hardware is expected to be possessed only by the client which requested the tickets.

If a ticket has the transit policy checked flag set, then the KDC that issued this ticket implements the transited-realm check policy and checked the transited-realms list on the ticket. The transited-realms list contains a list of all intermediate realms between the realm of the KDC that issued the first ticket and that of the one that issued the current ticket. If this flag is not set, then the application server must check the transited realms itself or else reject the ticket.

The okay as delegate flag indicates that the server specified in the ticket is suitable as a delegate as determined by the policy of that realm. A server that is acting as a delegate has been granted a proxy or a forwarded TGT. This flag is a new addition to the Kerberos V5 protocol and is not yet implemented on MIT servers.

An anonymous ticket is one in which the named principal is a generic principal for that realm; it does not actually specify the individual that will be using the ticket. This ticket is meant only to securely distribute a session key. This is a new addition to the Kerberos V5 protocol and is not yet implemented on MIT servers.



--------------------------------------------------------------------------------
Node:Obtaining Tickets with kinit, Next:Viewing Your Tickets with klist, Previous:Kerberos Ticket Properties, Up:Ticket Management

Obtaining Tickets with kinit
If your site is using the Kerberos V5 login program, you will get Kerberos tickets automatically when you log in. If your site uses a different login program, you may need to explicitly obtain your Kerberos tickets, using the kinit program. Similarly, if your Kerberos tickets expire, use the kinit program to obtain new ones.

To use the kinit program, simply type kinit and then type your password at the prompt. For example, Jennifer (whose username is jennifer) works for Bleep, Inc. (a fictitious company with the domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would type:

shell% kinit
Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.]
shell%

If you type your password incorrectly, kinit will give you the following error message:

shell% kinit
Password for jennifer@ATHENA.MIT.EDU: <-- [Type the wrong password here.]
kinit: Password incorrect
shell%

and you won't get Kerberos tickets.

Notice that kinit assumes you want tickets for your own username in your default realm. Suppose Jennifer's friend David is visiting, and he wants to borrow a window to check his mail. David needs to get tickets for himself in his own realm, EXAMPLE.COM.1 He would type:

shell% kinit david@EXAMPLE.COM
Password for david@EXAMPLE.COM: <-- [Type david's password here.]
shell%

David would then have tickets which he could use to log onto his own machine. Note that he typed his password locally on Jennifer's machine, but it never went over the network. Kerberos on the local host performed the authentication to the KDC in the other realm.

If you want to be able to forward your tickets to another host, you need to request forwardable tickets. You do this by specifying the -f option:

shell% kinit -f
Password for jennifer@ATHENA.MIT.EDU: <-- [Type your password here.]
shell%

Note that kinit does not tell you that it obtained forwardable tickets; you can verify this using the klist command (see Viewing Your Tickets with klist).

Normally, your tickets are good for your system's default ticket lifetime, which is ten hours on many systems. You can specify a different ticket lifetime with the -l option. Add the letter s to the value for seconds, m for minutes, h for hours, or d for days. For example, to obtain forwardable tickets for david@EXAMPLE.COM that would be good for three hours, you would type:

shell% kinit -f -l 3h david@EXAMPLE.COM
Password for david@EXAMPLE.COM: <-- [Type david's password here.]
shell%

You cannot mix units; specifying a lifetime of 3h30m would result in an error. Note also that most systems specify a maximum ticket lifetime. If you request a longer ticket lifetime, it will be automatically truncated to the maximum lifetime.



--------------------------------------------------------------------------------
Node:Viewing Your Tickets with klist, Next:Destroying Your Tickets with kdestroy, Previous:Obtaining Tickets with kinit, Up:Ticket Management

Viewing Your Tickets with klist
The klist command shows your tickets. When you first obtain tickets, you will have only the ticket-granting ticket. (See What is a Ticket?.) The listing would look like this:

shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting Expires Service principal
06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
shell%

The ticket cache is the location of your ticket file. In the above example, this file is named /tmp/krb5cc_ttypa. The default principal is your kerberos principal. (see What is a Kerberos Principal?)

The "valid starting" and "expires" fields describe the period of time during which the ticket is valid. The service principal describes each ticket. The ticket-granting ticket has the primary krbtgt, and the instance is the realm name.

Now, if jennifer connected to the machine daffodil.mit.edu, and then typed klist again, she would have gotten the following result:

shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting Expires Service principal
06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU
shell%

Here's what happened: when jennifer used telnet to connect to the host daffodil.mit.edu, the telnet program presented her ticket-granting ticket to the KDC and requested a host ticket for the host daffodil.mit.edu. The KDC sent the host ticket, which telnet then presented to the host daffodil.mit.edu, and she was allowed to log in without typing her password.

Suppose your Kerberos tickets allow you to log into a host in another domain, such as trillium.example.com, which is also in another Kerberos realm, EXAMPLE.COM. If you telnet to this host, you will receive a ticket-granting ticket for the realm EXAMPLE.COM, plus the new host ticket for trillium.example.com. klist will now show:

shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting Expires Service principal
06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU
06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
06/07/04 20:24:18 06/08/04 05:49:19 host/trillium.example.com@ATHENA.MIT.EDU
shell%

You can use the -f option to view the flags that apply to your tickets. The flags are:

F
Forwardable
f
forwarded
P
Proxiable
p
proxy
D
postDateable
d
postdated
R
Renewable
I
Initial
i
invalid
H
Hardware authenticated
A
preAuthenticated
T
Transit policy checked
O
Okay as delegate
a
anonymous
Here is a sample listing. In this example, the user jennifer obtained her initial tickets (I), which are forwardable (F) and postdated (d) but not yet validated (i). (See kinit Reference, for more information about postdated tickets.)

shell% klist -f
Ticket cache: /tmp/krb5cc_320
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting Expires Service principal
31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
Flags: FdiI
shell%

In the following example, the user david's tickets were forwarded (f) to this host from another host. The tickets are reforwardable (F).

shell% klist -f
Ticket cache: /tmp/krb5cc_p11795
Default principal: david@EXAMPLE.COM

Valid starting Expires Service principal
07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Flags: Ff
07/31/05 12:03:48 07/31/05 21:11:23 host/trillium.example.com@EXAMPLE.COM
Flags: Ff
shell%



--------------------------------------------------------------------------------
Node:Destroying Your Tickets with kdestroy, Previous:Viewing Your Tickets with klist, Up:Ticket Management

Destroying Your Tickets with kdestroy
Your Kerberos tickets are proof that you are indeed yourself, and tickets can be stolen. If this happens, the person who has them can masquerade as you until they expire. For this reason, you should destroy your Kerberos tickets when you are away from your computer.

Destroying your tickets is easy. Simply type kdestroy.

shell% kdestroy
shell%

If kdestroy fails to destroy your tickets, it will beep and give an error message. For example, if kdestroy can't find any tickets to destroy, it will give the following message:

shell% kdestroy
kdestroy: No credentials cache file found while destroying cache
shell%



--------------------------------------------------------------------------------
Node:Password Management, Next:Kerberos V5 Applications, Previous:Ticket Management, Up:Kerberos V5 Tutorial

Password Management
Your password is the only way Kerberos has of verifying your identity. If someone finds out your password, that person can masquerade as you--send email that comes from you, read, edit, or delete your files, or log into other hosts as you--and no one will be able to tell the difference. For this reason, it is important that you choose a good password (see Password Advice), and keep it secret. If you need to give access to your account to someone else, you can do so through Kerberos. (See Granting Access to Your Account.) You should never tell your password to anyone, including your system administrator, for any reason. You should change your password frequently, particularly any time you think someone may have found out what it is.

Changing Your Password:
Password Advice:
Granting Access to Your Account:


--------------------------------------------------------------------------------
Node:Changing Your Password, Next:Password Advice, Previous:Password Management, Up:Password Management

Changing Your Password
To change your Kerberos password, use the kpasswd command. It will ask you for your old password (to prevent someone else from walking up to your computer when you're not there and changing your password), and then prompt you for the new one twice. (The reason you have to type it twice is to make sure you have typed it correctly.) For example, user david would do the following:

shell% kpasswd
Password for david: <- Type your old password.
Enter new password: <- Type your new password.
Enter it again: <- Type the new password again.
Password changed.
shell%

If david typed the incorrect old password, he would get the following message:

shell% kpasswd
Password for david: <- Type the incorrect old password.
kpasswd: Password incorrect while getting initial ticket
shell%

If you make a mistake and don't type the new password the same way twice, kpasswd will ask you to try again:

shell% kpasswd
Password for david: <- Type the old password.
Enter new password: <- Type the new password.
Enter it again: <- Type a different new password.
kpasswd: Password mismatch while reading password
shell%

Once you change your password, it takes some time for the change to propagate through the system. Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after changing your password, try the new password. If the new password doesn't work, try again using the old one.



--------------------------------------------------------------------------------
Node:Password Advice, Next:Granting Access to Your Account, Previous:Changing Your Password, Up:Password Management

Password Advice
Your password can include almost any character you can type (except control keys and the "enter" key). A good password is one you can remember, but that no one else can easily guess. Examples of bad passwords are words that can be found in a dictionary, any common or popular name, especially a famous person (or cartoon character), your name or username in any form (e.g., forward, backward, repeated twice, etc.), your spouse's, child's, or pet's name, your birth date, your social security number, and any sample password that appears in this (or any other) manual. MIT recommends that your password be at least 6 characters long, and contain UPPER- and lower-case letters, numbers, and/or punctuation marks. Some passwords that would be good if they weren't listed in this manual include:

some initials, like "GykoR-66." for "Get your kicks on Route 66."
an easy-to-pronounce nonsense word, like "slaRooBey" or "krang-its"
a misspelled phrase, like "2HotPeetzas!" or "ItzAGurl!!!"
Note: don't actually use any of the above passwords. They're only meant to show you how to make up a good password. Passwords that appear in a manual are the first ones intruders will try. Kerberos V5 allows your system administrators to automatically reject bad passwords, based on certain criteria, such as a password dictionary or a minimum length. For example, if the user jennifer, who had a policy "strict" that required a minimum of 8 characaters, chose a password that was less than 8 characters, Kerberos would give an error message like the following:

shell% kpasswd
Password for jennifer: <- Type your old password here.

jennifer's password is controlled by the policy strict, which
requires a minimum of 8 characters from at least 3 classes (the five classes
are lowercase, uppercase, numbers, punctuation, and all other characters).

Enter new password: <- Type an insecure new password.
Enter it again: <- Type it again.

kpasswd: Password is too short while attempting to change password.
Please choose another password.

Enter new password: <- Type a good password here.
Enter it again: <- Type it again.
Password changed.
shell%

Your system administrators can choose the message that is displayed if you choose a bad password, so the message you see may be different from the above example.



--------------------------------------------------------------------------------
Node:Granting Access to Your Account, Previous:Password Advice, Up:Password Management

Granting Access to Your Account
If you need to give someone access to log into your account, you can do so through Kerberos, without telling the person your password. Simply create a file called .k5login in your home directory. This file should contain the Kerberos principal (See What is a Kerberos Principal?.) of each person to whom you wish to give access. Each principal must be on a separate line. Here is a sample .k5login file:

jennifer@ATHENA.MIT.EDU
david@EXAMPLE.COM

This file would allow the users jennifer and david to use your user ID, provided that they had Kerberos tickets in their respective realms. If you will be logging into other hosts across a network, you will want to include your own Kerberos principal in your .k5login file on each of these hosts.

Using a .k5login file is much safer than giving out your password, because:

You can take access away any time simply by removing the principal from your .k5login file.
Although the user has full access to your account on one particular host (or set of hosts if your .k5login file is shared, e.g., over NFS), that user does not inherit your network privileges.
Kerberos keeps a log of who obtains tickets, so a system administrator could find out, if necessary, who was capable of using your user ID at a particular time.
One common application is to have a .k5login file in root's home directory, giving root access to that machine to the Kerberos principals listed. This allows system administrators to allow users to become root locally, or to log in remotely as root, without their having to give out the root password, and without anyone having to type the root password over the network.



--------------------------------------------------------------------------------
Node:Kerberos V5 Applications, Previous:Password Management, Up:Kerberos V5 Tutorial

Kerberos V5 Applications
Kerberos V5 is a single-sign-on system. This means that you only have to type your password once, and the Kerberos V5 programs do the authenticating (and optionally encrypting) for you. The way this works is that Kerberos has been built into each of a suite of network programs. For example, when you use a Kerberos V5 program to connect to a remote host, the program, the KDC, and the remote host perform a set of rapid negotiations. When these negotiations are completed, your program has proven your identity on your behalf to the remote host, and the remote host has granted you access, all in the space of a few seconds.
The Kerberos V5 applications are versions of existing UNIX network programs with the Kerberos features added.

Overview of Additional Features:
telnet:
rlogin:
FTP:
rsh:
rcp:
ksu:


--------------------------------------------------------------------------------
Node:Overview of Additional Features, Next:telnet, Previous:Kerberos V5 Applications, Up:Kerberos V5 Applications

Overview of Additional Features
The Kerberos V5 network programs are those programs that connect to another host somewhere on the internet. These programs include rlogin, telnet, ftp, rsh, rcp, and ksu. These programs have all of the original features of the corresponding non-Kerberos rlogin, telnet, ftp, rsh, rcp, and su programs, plus additional features that transparently use your Kerberos tickets for negotiating authentication and optional encryption with the remote host. In most cases, all you'll notice is that you no longer have to type your password, because Kerberos has already proven your identity.

The Kerberos V5 network programs allow you the options of forwarding your tickets to the remote host (if you obtained forwardable tickets with the kinit program; see Obtaining Tickets with kinit), and encrypting data transmitted between you and the remote host.

This section of the tutorial assumes you are familiar with the non-Kerberos versions of these programs, and highlights the Kerberos functions added in the Kerberos V5 package.



--------------------------------------------------------------------------------
Node:telnet, Next:rlogin, Previous:Overview of Additional Features, Up:Kerberos V5 Applications

telnet
The Kerberos V5 telnet command works exactly like the standard UNIX telnet program, with the following Kerberos options added:

-f
forwards a copy of your tickets to the remote host.
-F
forwards a copy of your tickets to the remote host, and marks them re-forwardable from the remote host.
-k realm
requests tickets for the remote host in the specified realm, instead of determining the realm itself.
-K
uses your tickets to authenticate to the remote host, but does not log you in.
-a
attempt automatic login using your tickets. telnet will assume the same username unless you explicitly specify another.
-x
turns on encryption.
For example, if david wanted to use the standard UNIX telnet to connect to the machine daffodil.mit.edu, he would type:

shell% telnet daffodil.example.com
Trying 128.0.0.5 ...
Connected to daffodil.example.com.
Escape character is '^]'.

NetBSD/i386 (daffodil) (ttyp3)

login: david
Password: <- david types his password here
Last login: Fri Jun 21 17:13:11 from trillium.mit.edu
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

NetBSD 1.1: Tue May 21 00:31:42 EDT 1996

Welcome to NetBSD!
shell%

Note that the machine daffodil.example.com asked for david's password. When he typed it, his password was sent over the network unencrypted. If an intruder were watching network traffic at the time, that intruder would know david's password.

If, on the other hand, jennifer wanted to use the Kerberos V5 telnet to connect to the machine trillium.mit.edu, she could forward a copy of her tickets, request an encrypted session, and log on as herself as follows:

shell% telnet -a -f -x trillium.mit.edu
Trying 128.0.0.5...
Connected to trillium.mit.edu.
Escape character is '^]'.
[ Kerberos V5 accepts you as ``jennifer@mit.edu'' ]
[ Kerberos V5 accepted forwarded credentials ]
What you type is protected by encryption.
Last login: Tue Jul 30 18:47:44 from {No value for `RANDOMHOST'}.example.com
Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002

shell%

Note that jennifer's machine used Kerberos to authenticate her to trillium.mit.edu, and logged her in automatically as herself. She had an encrypted session, a copy of her tickets already waiting for her, and she never typed her password.

If you forwarded your Kerberos tickets, telnet automatically destroys them when it exits. The full set of options to Kerberos V5 telnet are discussed in the Reference section of this manual. (see telnet Reference)



--------------------------------------------------------------------------------
Node:rlogin, Next:FTP, Previous:telnet, Up:Kerberos V5 Applications

rlogin
The Kerberos V5 rlogin command works exactly like the standard UNIX rlogin program, with the following Kerberos options added:

-f
forwards a copy of your tickets to the remote host.
-F
forwards a copy of your tickets to the remote host, and marks them re-forwardable from the remote host.
-k realm
requests tickets for the remote host in the specified realm, instead of determining the realm itself.
-x
encrypts the input and output data streams (the username is sent unencrypted)
For example, if david wanted to use the standard UNIX rlogin to connect to the machine daffodil.example.com, he would type:

shell% rlogin daffodil.example.com -l david
Password: <- david types his password here
Last login: Fri Jun 21 10:36:32 from :0.0
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

NetBSD 1.1: Tue May 21 00:31:42 EDT 1996

Welcome to NetBSD!
shell%

Note that the machine daffodil.example.com asked for david's password. When he typed it, his password was sent over the network unencrypted. If an intruder were watching network traffic at the time, that intruder would know david's password.

If, on the other hand, jennifer wanted to use Kerberos V5 rlogin to connect to the machine trillium.mit.edu, she could forward a copy of her tickets, mark them as not forwardable from the remote host, and request an encrypted session as follows:

shell% rlogin trillium.mit.edu -f -x
This rlogin session is using DES encryption for all data transmissions.
Last login: Thu Jun 20 16:20:50 from daffodil
Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
shell%

Note that jennifer's machine used Kerberos to authenticate her to trillium.mit.edu, and logged her in automatically as herself. She had an encrypted session, a copy of her tickets were waiting for her, and she never typed her password.

If you forwarded your Kerberos tickets, rlogin automatically destroys them when it exits. The full set of options to Kerberos V5 rlogin are discussed in the Reference section of this manual. (see rlogin Reference)



--------------------------------------------------------------------------------
Node:FTP, Next:rsh, Previous:rlogin, Up:Kerberos V5 Applications

FTP
The Kerberos V5 FTP program works exactly like the standard UNIX FTP program, with the following Kerberos features added:

-k realm
requests tickets for the remote host in the specified realm, instead of determining the realm itself.
-f
requests that your tickets be forwarded to the remote host. The -f argument must be the last argument on the command line.
protect level
(issued at the ftp> prompt) sets the protection level. "Clear" is no protection; "safe" ensures data integrity by verifying the checksum, and "private" encrypts the data. Encryption also ensures data integrity.
For example, suppose jennifer wants to get her RMAIL file from the directory ~jennifer/Mail, on the host daffodil.mit.edu. She wants to encrypt the file transfer. The exchange would look like the following:

shell% ftp daffodil.mit.edu
Connected to daffodil.mit.edu.
220 daffodil.mit.edu FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
200 Data channel protection level set to private.
Name (daffodil.mit.edu:jennifer):
232 GSSAPI user jennifer@ATHENA.MIT.EDU is authorized as jennifer
230 User jennifer logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> protect private
200 Protection level set to Private.
ftp> cd ~jennifer/MAIL
250 CWD command successful.
ftp> get RMAIL
227 Entering Passive Mode (128,0,0,5,16,49)
150 Opening BINARY mode data connection for RMAIL (361662 bytes).
226 Transfer complete.
361662 bytes received in 2.5 seconds (1.4e+02 Kbytes/s)
ftp> quit
shell%

The full set of options to Kerberos V5 FTP are discussed in the Reference section of this manual. (see FTP Reference)



--------------------------------------------------------------------------------
Node:rsh, Next:rcp, Previous:FTP, Up:Kerberos V5 Applications

rsh
The Kerberos V5 rsh program works exactly like the standard UNIX rlogin program, with the following Kerberos features added:

-f
forwards a copy of your tickets to the remote host.
-F
forwards a copy of your tickets to the remote host, and marks them re-forwardable from the remote host.
-k realm
requests tickets for the remote host in the specified realm, instead of determining the realm itself.
-x
encrypts the input and output data streams (the command line is not encrypted)
For example, if your Kerberos tickets allowed you to run programs on the host
trillium@example.com as root, you could run the date program as follows:

shell% rsh trillium.example.com -l root -x date
This rsh session is using DES encryption for all data transmissions.
Tue Jul 30 19:34:21 EDT 2002
shell%

If you forwarded your Kerberos tickets, rsh automatically destroys them when it exits. The full set of options to Kerberos V5 rsh are discussed in the Reference section of this manual. (see rsh Reference)



--------------------------------------------------------------------------------
Node:rcp, Next:ksu, Previous:rsh, Up:Kerberos V5 Applications

rcp
The Kerberos V5 rcp program works exactly like the standard UNIX rcp program, with the following Kerberos features added:

-k realm
requests tickets for the remote host in the specified realm, instead of determining the realm itself.
-x
turns on encryption.
For example, if you wanted to copy the file /etc/motd from the host daffodil.mit.edu into the current directory, via an encrypted connection, you would simply type:

shell% rcp -x daffodil.mit.edu:/etc/motd .

The rcp program negotiates authentication and encryption transparently. The full set of options to Kerberos V5 rcp are discussed in the Reference section of this manual. (see rcp Reference)



--------------------------------------------------------------------------------
Node:ksu, Previous:rcp, Up:Kerberos V5 Applications

ksu
The Kerberos V5 ksu program replaces the standard UNIX su program. ksu first authenticates you to Kerberos. Depending on the configuration of your system, ksu may ask for your Kerberos password if authentication fails. Note that you should never type your password if you are remotely logged in using an unencrypted connection.

Once ksu has authenticated you, if your Kerberos principal appears in the target's .k5login file (see Granting Access to Your Account) or in the target's .k5users file (see below), it switches your user ID to the target user ID.

For example, david has put jennifer's Kerberos principal in his .k5login file. If jennifer uses ksu to become david, the exchange would look like this. (To differentiate between the two shells, jennifer's prompt is represented as jennifer% and david's prompt is represented as david%.)

jennifer% ksu david
Account david: authorization for jennifer@ATHENA.MIT.EDU successful
Changing uid to david (3382)
david%

Note that the new shell has a copy of jennifer's tickets. The ticket filename contains david's UID with .1 appended to it:

david% klist
Ticket cache: /tmp/krb5cc_3382.1
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting Expires Service principal
07/31/04 21:53:01 08/01/04 07:52:53 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
07/31/04 21:53:39 08/01/04 07:52:53 host/daffodil.mit.edu@ATHENA.MIT.EDU
david%

If jennifer had not appeared in david's .k5login file (and the system was configured to ask for a password), the exchange would have looked like this (assuming david has taken appropriate precautions in protecting his password):

jennifer% ksu david
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for david@ATHENA.MIT.EDU: <- jennifer types the wrong password here.
ksu: Password incorrect
Authentication failed.
jennifer%

Now, suppose david did not want to give jennifer full access to his account, but wanted to give her permission to list his files and use the "more" command to view them. He could create a .k5users file giving her permission to run only those specific commands.

The .k5users file is like the .k5login file, except that each principal is optionally followed by a list of commands. ksu will let those principals execute only the commands listed, using the -e option. david's .k5users file might look like the following:

jennifer@ATHENA.MIT.EDU /bin/ls /usr/bin/more
joeadmin@ATHENA.MIT.EDU /bin/ls
joeadmin/admin@ATHENA.MIT.EDU *
david@EXAMPLE.COM

The above .k5users file would let jennifer run only the commands /bin/ls and /usr/bin/more. It would let joeadmin run only the command /bin/ls if he had regular tickets, but if he had tickets for his admin instance, joeadmin/admin@ATHENA.MIT.EDU, he would be able to execute any command. The last line gives david in the realm EXAMPLE.COM permission to execute any command. (I.e., having only a Kerberos principal on a line is equivalent to giving that principal permission to execute *.) This is so that david can allow himself to execute commands when he logs in, using Kerberos, from a machine in the realm EXAMPLE.COM.

Then, when jennifer wanted to list his home directory, she would type:

jennifer% ksu david -e ls ~david
Authenticated jennifer@ATHENA.MIT.EDU
Account david: authorization for jennifer@ATHENA.MIT.EDU for execution of
/bin/ls successful
Changing uid to david (3382)
Mail News Personal misc bin
jennifer%

If jennifer had tried to give a different command to ksu, it would have prompted for a password as with the previous example.

Note that unless the .k5users file gives the target permission to run any command, the user must use ksu with the -e command option.

The ksu options you are most likely to use are:

-n principal
specifies which Kerberos principal you want to use for ksu. (e.g., the user joeadmin might want to use his admin instance. See What is a Ticket?.)
-c
specifies the location of your Kerberos credentials cache (ticket file).
-k
tells ksu not to destroy your Kerberos tickets when ksu is finished.
-f
requests forwardable tickets. (See Obtaining Tickets with kinit.) This is only applicable if ksu needs to obtain tickets.
-l lifetime
sets the ticket lifetime. (See Obtaining Tickets with kinit.) This is only applicable if ksu needs to obtain tickets.
-z
tells ksu to copy your Kerberos tickets only if the UID you are switching is the same as the Kerberos primary (either yours or the one specified by the -n option).
-Z
tells ksu not to copy any Kerberos tickets to the new UID.
-e command
tells ksu to execute command and then exit. See the description of the .k5users file above.
-a text
(at the end of the command line) tells ksu to pass everything after -a to the target shell.
The full set of options to Kerberos V5 ksu are discussed in the Reference section of this manual. (see ksu Reference)



--------------------------------------------------------------------------------
Node:Kerberos V5 Reference, Next:Kerberos Glossary, Previous:Kerberos V5 Tutorial, Up:Top

Kerberos V5 Reference
This section will include copies of the manual pages for the Kerberos V5 client programs. You can read the manual entry for any command by typing man command, where command is the name of the command for which you want to read the manual entry. For example, to read the kinit manual entry, you would type:

shell% man kinit

Note: To be able to view the Kerberos V5 manual pages on line, you may need to add the directory /usr/local/man to your MANPATH environment variable. (Remember to replace /usr/local with the top-level directory in which Kerberos V5 is installed.) For example, if you had the the following line in your .login file2:

setenv MANPATH /usr/local/man:/usr/man

and the Kerberos V5 man pages were in the directory /usr/krb5/man, you would change the line to the following:

setenv MANPATH /usr/krb5/man:/usr/local/man:/usr/man

kinit Reference:
klist Reference:
ksu Reference:
kdestroy Reference:
kpasswd Reference:
telnet Reference:
FTP Reference:
rlogin Reference:
rsh Reference:
rcp Reference:


--------------------------------------------------------------------------------
Node:kinit Reference, Next:klist Reference, Previous:Kerberos V5 Reference, Up:Kerberos V5 Reference

kinit Reference
kinit manpage


--------------------------------------------------------------------------------
Node:klist Reference, Next:ksu Reference, Previous:kinit Reference, Up:Kerberos V5 Reference

klist Reference
klist manpage


--------------------------------------------------------------------------------
Node:ksu Reference, Next:kdestroy Reference, Previous:klist Reference, Up:Kerberos V5 Reference

ksu Reference
ksu manpage


--------------------------------------------------------------------------------
Node:kdestroy Reference, Next:kpasswd Reference, Previous:ksu Reference, Up:Kerberos V5 Reference

kdestroy Reference
kdestroy manpage


--------------------------------------------------------------------------------
Node:kpasswd Reference, Next:telnet Reference, Previous:kdestroy Reference, Up:Kerberos V5 Reference

kpasswd Reference
kpasswd manpage


--------------------------------------------------------------------------------
Node:telnet Reference, Next:FTP Reference, Previous:kpasswd Reference, Up:Kerberos V5 Reference

telnet Reference
telnet manpage


--------------------------------------------------------------------------------
Node:FTP Reference, Next:rlogin Reference, Previous:telnet Reference, Up:Kerberos V5 Reference

FTP Reference
ftp manpage


--------------------------------------------------------------------------------
Node:rlogin Reference, Next:rsh Reference, Previous:FTP Reference, Up:Kerberos V5 Reference

rlogin Reference
rlogin manpage


--------------------------------------------------------------------------------
Node:rsh Reference, Next:rcp Reference, Previous:rlogin Reference, Up:Kerberos V5 Reference

rsh Reference
rsh manpage


--------------------------------------------------------------------------------
Node:rcp Reference, Previous:rsh Reference, Up:Kerberos V5 Reference

rcp Reference
rcp manpage


--------------------------------------------------------------------------------
Node:Kerberos Glossary, Previous:Kerberos V5 Reference, Up:Top

Kerberos Glossary
client
an entity that can obtain a ticket. This entity is usually either a user or a host.

host
a computer that can be accessed over a network.

Kerberos
in Greek mythology, the three-headed dog that guards the entrance to the underworld. In the computing world, Kerberos is a network security package that was developed at MIT.

KDC
Key Distribution Center. A machine that issues Kerberos tickets.

keytab
a key table file containing one or more keys. A host or service uses a keytab file in much the same way as a user uses his/her password.

principal
a string that names a specific entity to which a set of credentials may be assigned. It can have an arbitrary number of components, but generally has three:
primary
the first part of a Kerberos principal. In the case of a user, it is the username. In the case of a service, it is the name of the service.

instance
the second part of a Kerberos principal. It gives information that qualifies the primary. The instance may be null. In the case of a user, the instance is often used to describe the intended use of the corresponding credentials. In the case of a host, the instance is the fully qualified hostname.

realm
the logical network served by a single Kerberos database and a set of Key Distribution Centers. By convention, realm names are generally all uppercase letters, to differentiate the realm from the internet domain.
The typical format of a typical Kerberos principal is primary/instance@REALM.


service
any program or computer you access over a network. Examples of services include "host" (a host, e.g., when you use telnet and rsh), "ftp" (FTP), "krbtgt" (authentication; cf. ticket-granting ticket), and "pop" (email).

ticket
a temporary set of electronic credentials that verify the identity of a client for a particular service.

TGT
Ticket-Granting Ticket. A special Kerberos ticket that permits the client to obtain additional Kerberos tickets within the same Kerberos realm.
Table of Contents
Copyright
Introduction
What is a Ticket?
What is a Kerberos Principal?
Kerberos V5 Tutorial
Setting Up to Use Kerberos V5
Ticket Management
Kerberos Ticket Properties
Obtaining Tickets with kinit
Viewing Your Tickets with klist
Destroying Your Tickets with kdestroy
Password Management
Changing Your Password
Password Advice
Granting Access to Your Account
Kerberos V5 Applications
Overview of Additional Features
telnet
rlogin
FTP
rsh
rcp
ksu
Kerberos V5 Reference
kinit Reference
klist Reference
ksu Reference
kdestroy Reference
kpasswd Reference
telnet Reference
FTP Reference
rlogin Reference
rsh Reference
rcp Reference
Kerberos Glossary

--------------------------------------------------------------------------------

Footnotes
Note: the realm EXAMPLE.COM must be listed in your computer's Kerberos configuration file, /etc/krb5.conf.

The MANPATH variable may be specified in a different initialization file, depending on your operating system. Some of the files in which you might specify environment variables include .login, .profile, or .cshrc.

--------------------------------------------------------------------------------

ruby on rails Eclipse 連携

参考サイト
http://www.napcs.com/howto/railsonwindows.html


Setting up a Rails Development Environment on Windows Using EclipseBy Brian Hogan

Last updated on February 10, 2006 10:14 PM

It looks like the current version of RDT works correctly now. I have rebuilt the entire package from scratch once again to ensure that all of the links are up to date. Things are working now with Eclipse 3.1.2 but the Web Tools pieces require more manual work than before.

I also added a Downloads section where I'll be placing some templates and helper files to speed up the process.

Please, as always, provide some feedback. I can't answer emails about issues not directly related to the setup of this plugin.

If you feel so inclined, a small donation would be much appreciated to help cover bandwidth costs. Thanks for the donations so far.


--------------------------------------------------------------------------------

This is a quick yet detailed guide on how to set up a very easy-to-use development environment for Ruby On Rails. This guide is for Windows users but there's no reason that it couldn't be adapted for Linux users as well. The guide assumes that you already have a working database installed or available and that you have Ruby installed to c:
uby.



Lastly, this is not a guide on how to get started with Ruby on Rails! This is simply one method to create a useful IDE for Rails development.

Download and install Ruby and Rails
Install Eclipse
Configure Eclipse for Rails
Install the Ruby Developer Tools package
Configure the RDT plugin
Launching External Rails Scripts within Eclipse (Now with downloadable goodness! )
Configure Eclipse to Create Rails Projects
Configure Eclipse to Launch WEBrick server
Configure Eclipse to Create Rails Models
Configure Eclipse to Create Rails Controllers
Configure Eclipse to Generate Scaffold for Controllers and Views
Setting up the Favorites
Working with Rails Projects in Eclipse
Configure WEBrick's Output for Eclipse
Create a new Rails Project
Show All Files
Install the DBEdit Eclipse plugin
Connect to a Database
Install Web Developer Tools for Eclipse (Updated!)
Configure Eclipse to handle you View files
Add code hints for the views
Debugging within Eclipse
Setting up Breakpointer
Using Breakpointer
Installing SubClipse
Troubleshooting (Updated!)
Downloads (New!)
Screenshots

--------------------------------------------------------------------------------

Download and install Ruby and Rails
I am operating under the assumption that you're going to use the One-Click Ruby Installer created by Curt Hibbs. If you don't, then you're going to have to modify these instructions yourself.

Download and install the One-Click Ruby Installer for Windows
http://rubyforge.org/projects/rubyinstaller/
These instructions assume you have installed this to c:
uby (the default location)
Open a command prompt and type
gem install rails --include-dependencies

--------------------------------------------------------------------------------

Install Eclipse
Download Eclipse 3.1.2 SDK from http://www.eclipse.org/downloads/index.php
Direct Download
Unzip the files to C:javaeclipse
Make a shortcut to C:javaeclipseeclipse.exe
Start Eclipse and set the workspace to C:javaworkspace
One user had trouble with using the default workspace location for Eclipse, and setting it to a simple path with no spaces solved the problem

--------------------------------------------------------------------------------

Configure Eclipse for Rails
Install the Ruby Developer Tools package
The Ruby Developer Tools plugin is a great set of tools that turn Eclipse into a nice Ruby IDE. The current version (0.6.0 as of this writing) now supports Eclipse 3.1. However, I will continue to use the nightly build for this tutorial.

Launch Eclipse
Choose Help->Software Updates->Find and Install
Choose "Search for new features to install" and select Next
Select "New Remote Site",
Use the name “Ruby Developer Tools”
Use http://updatesite.rubypeople.org/release for the URL
You can use http://updatesite.rubypeople.org/nightly if you wish to use the most current nightly build.
Press OK
Check RDT and push Next
Select the feature RDT and push Next. You should confirm any messages relating to installing unsigned plugins. RDT will be installed and be available after restart.
Configure the RDT plugin
Select Windows > Prefrences > Ruby
Select Installed Interpreters
Click Add
Enter Ruby as the interpreter name (You might want to include the version number if you know it)
Enter the path to your ruby.exe file (usually c:
uby?in
ubyw.exe)
Select OK
Configure the rest of your Ruby settings and then select OK to save the settings.



--------------------------------------------------------------------------------

Launching External Rails Scripts Within Eclipse
You should know that hese settings are tied to your workspace. If you change workspaces then you will need to reconfigure these options. Hopefully the fine developers of RDT will build these into the plugin at some point so they appear on the context menus.

At this point, you're going to want to open the Ruby perspective. To do this, go to Window -> Open Perspective -> Other and choose Ruby

If you don't want to go through the trouble of creating these external tools, you can download this file and unzip it to the root of your c: drive. The files should then extact to c:javaworkspace.metadata.pluginsorg.eclipse.debug.core.launches (assuming you've followed along so far). Be sure to set up the favorites once you import these settings!


Configure Eclipse to Create Rails Projects
Select Run -> External Tools -> External Tools
Select "Program" from the configuration tree
Select New to create a new program
Enter “Create Rails Application in Project” as the name
Enter C:
uby?in
ails.cmd for the Location
Enter ${project_loc} for the Working Directory
Enter ../${project_name} for the Arguments
Select the refresh tab and check Refresh Resources Upon Completion
Select the Common tab
Find the section for Display in Favorites Menu
Check the box next to External Tools
Select Apply
Configure Eclipse to Launch WEBrick server
Select Run -> External Tools -> External Tools
Select "Program" from the configuration tree
Select New to create a new program
Enter “Start WEBrick” as the name
Enter C:
uby?in
uby.exe for the Location
For the Working Directory, use
${project_loc}
Enter scriptserver for the Arguments
Select the refresh tab and check Refresh Resources Upon Completion
Select the Common tab
Find the section for Display in Favorites Menu
Check the box next to External Tools
Select Apply

Configure Eclipse to Create Rails Models
Select Run -> External Tools -> External Tools
Select "Program" from the configuration tree
Select New to create a new program
Enter “Generate Model” as the name
Enter C:
uby?in
uby.exe for the Location
For the Working Directory, use
${project_loc}
Enter for the arguments
script/generate model ${string_prompt:Model name} -f
Select the refresh tab and check Refresh Resources Upon Completion
Select the Common tab
Find the section for Display in Favorites Menu
Check the box next to External Tools
Select Apply
Configure Eclipse to Create Rails Controllers
As many have noted, you could simply duplicate the previous entry and simply change the arguments

Select Run -> External Tools -> External Tools
Select "Program" from the configuration tree
Select New to create a new program
Enter “Generate Controller” as the name
Enter C:
uby?in
uby.exe for the Location
For the Working Directory, use
${project_loc}
Enter for the arguments
script/generate controller ${string_prompt:Controller name} -f
Select the refresh tab and check Refresh Resources Upon Completion
Select the Common tab
Find the section for Display in Favorites Menu
Check the box next to External Tools
Select Apply
(You could just copy the "generate model" example above and change the argument).
Configure Eclipse to Generate Scaffold for Controllers and Views
As many have noted, you could simply duplicate the previous entry and simply change the arguments

Select Run -> External Tools -> External Tools
Select "Program" from the configuration tree
Select New to create a new program
Enter “Generate Scaffold” as the name
Enter C:
uby?in
uby.exe for the Location
For the Working Directory, use
${project_loc}
Enter for the arguments
script/generate scaffold ${string_prompt:Model name} ${string_prompt:Controller name} ${string_prompt:Actions separated with spaces} -f

Select the refresh tab and check Refresh Resources Upon Completion
Select the Common tab
Find the section for Display in Favorites Menu
Check the box next to External Tools
Select Apply
Setting Up the Favorites
Sometimes, all of these external commands won't show up under the External Commands icon. We can fix that by making them "Favorites".

Select Run > External Tools > Organize Favorites
Add each external tool that you want to appear on your menu of External Tools
Select Add...
Select the tools you wish to add to your menu and press OK
Use the Up and Down buttons to change the order of the items in the menu
Select OK to save the items

--------------------------------------------------------------------------------

Working with Rails Projects in Eclipse
Configure WEBrick's Output for Eclipse
For some strange reason, WEBrick's output doesn't always get piped to Eclipse's console. We can hack this a bit to make this work for us. We need to add these two lines to the Rails server script:

Provided that you've installed Ruby to c:
uby as instructed above, you can navigate to

C:
ubylib
ubygems1.8gems
ails-0.13.1?in

and edit the server file with a good text editor (anything except for notepad or wordpad).

Add this to the second line of the script:

$stdout.sync=true
$stderr.sync=true

Alternatively, you could just add these two lines to WEBrick once you've created your Rails project by modifying the server file under /scripts in your Rails project.

Create a new Rails Project
Select File > New > Other : Ruby > Ruby Project
Enter a name for your project.
This name will be the name you'll use for your Rails project name when you generate the Rails application files
Make sure to use the Eclipse Workspace for the project contents!
Select the project in the Ruby Resources view
Go to Run -> External Tools and choose Create Rails Project. A few seconds later, your Eclipse Console should show the results of the file creation and your file project tree should be populated with your ruby files.
At this point, you'll want to edit your config/database.yml file with your database properties.
Show All Files
Under Ruby Resources, select the down arrow icon and deselect Show Ruby Files Only so you can see all the files in your project and not just the .rb files (If you don't see Ruby Resources, it's most likely because you didn't change to the Ruby perspective. (Eclipse defaults to the Java perspective!)


--------------------------------------------------------------------------------

Install the DBEdit Eclipse plugin
The DBEdit plugin for Eclipse will allow you to view and edit your database tables from Eclipse as well as run various SQL statements against your database.

Shut down Eclipse
Download the DBEdit plugin version 1.0.3_1 from http://prdownloads.sourceforge.net/dbedit/dbedit_1.0.3_1.bin.dist_3.X.zip?download
Unzip the file to your c:javaeclipse folder. The file should place new files in your features and plugins folder.
Download and the appropriate driver for your database
MySQL
http://www.mysql.com/products/connector/j/
Microsoft SQL Server
http://www.microsoft.com/downloads/details.aspx?familyid=9F1874B6-F8E1-4BD6-947C-0FC5BF05BF71&displaylang=en

SQLite:
If anyone gets this to work for Windows, please send me instructions!
Extract the contents of this driver to c:javadrivers
Launch Eclipse
Select Window -> Show View -> Other
Select DBEdit and choose Tables
Connect to a Database
Connecting to a database is pretty straight-forward. I'll use MySQL for an example. In this article, I assume you're using MySQL 4.1 and that you have installed the appropriate driver.

Right-click anywhere in the whitespace of the Tables pallette and select Connection -> Configure from the popup menu
Select New
Enter a name for the connection in the Name field
Select the Classpath tab and press Add to Archive. Navigate to your drivers folder and select the appropriate driver jar file.
For MySQL, choose mysql-connector-java-3.1.12-bin.jar
Select the Commom tab
Select com.mysql.jdbc.Driver for the Driver
Enter jdbc:mysql://host/dbname for your database
Enter your database username
For MySql, remove the entry in the Schema field!
Enter your passwod and select Save Password
Press Connect to save and connect to the database.
You can go to Window -> Show View -> Other ->DBEdit ->Instant SQL to bring up a SQL editor panel. Here you can execute statements against your database!

--------------------------------------------------------------------------------

Install Web Developer Tools Plugin for Eclipse
There is a great plugin bundle for JSP development that we can take advantage of for our Rails development. The WTP plugin has a very versatile CSS, XML, and HTML editor

Download the following files:
EMF SDK version 2.1.1 or higher emf-sdo-xsd-SDK-2.1.1.zip
GEF SDK 3.1.1 or higher GEF-SDK-3.1.1.zip
JEM SDK 1.1.0.1 or higher JEM-SDK-1.1.0.1.zip
Download the Web Tools plugin from http://www.eclipse.org/downloads/download.php?file=/webtools/downloads/drops/R-1.0-200512210855/wtp-1.0.zip (~24 MB)
Unzip each file to C:java, overwriting any files.
Restart Eclipse.
Now, when you open your CSS or HTML files, you'll be able to use auto complete for elements and attributes, as well as create templates.

Opening the Properties view will let you inspect the attributes and properties of the element you select, and opening the Outline view will show you a representation of your document model.

Configure Eclipse to handle your Rails Presentation files
Eclipse can handle your rhtml files with syntax highlighting! All you have to do is associate the .rhtml extention with the JSP editor. Once you do that, you can add templates for all of the ActionView helper functions to make development even easier.

Select Window -> Preferences
Expand the General section
Select the Content Types option
Expand Text
Select JSP
Select Add
Enter *.rhtml and press OK
Select Add
Enter *.rxml and press OK
Press OK to save the changes
Add Code Hints for the Views
Now, let's add the Rails Link_to tag to the templates library

Selct Window -> Preferences
Expand the Web and XML section
Expand the JSP Files section
Select JSP Templates
Select New
Enter link_to for the name
The context should be ALL JSP
Automatically Insert should be checked
Enter the following for the pattern:
<%= link_to "${url}", :controller=>"${controller}", :action=>"${action}", :id=>"${id}" %>

Create a new .rhtml file and press CTRL+Spacebar

Your Link_to tag should be in that list. When you type the < character, your list of options should appear. Type link to filter the list of results.

When the template is first inserted, the cursor is placed at the url variable, if you hit tab, it will cycle to the next variable in the list.

You can repeat these steps with other helper tags to speed up development. To get you started, I've provided this starter template. Import this into the JSP Templates section via the Import button.



Debugging in Eclipse
Ruby on Rails has some interesting techniques to debug projects. One technique is the Breakpointer script. The Breakpointer connects an IRB session to your running web application.

Setting up Breakpointer
Select Run -> External Tools -> External Tools
Select New to create a new program
Enter “Start Breakpointer ” as the name
Enter C:
uby?in
uby.exe for the Location
For the Working Directory, use
${project_loc}
Enter script?reakpointer for the Arguments
Select the refresh tab and check Refresh Resources Upon Completion
Select the Common tab
Find the section for Display in Favorites Menu
Check the box next to External Tools
Select Apply
Using Breakpointer
In your project, place the following line of code in any method where you want to stop code execution:
breakpoint
Start up WEBrick:
Go to Run -> External Tools ->Start WEBrick
Start up Breakpointer
Go to Run -> External Tools ->Start Breakpointer
Open a browser and navigate to your project (should be at port 3000)
Once you hit your breakpoint, return to Eclipse and you should see an IRB console that you can use to inspect your local variables, objects, request data and session data.
To stop processing the breakpoint and allow the application to continue, type exit in the console. Breakpointer will begin waiting for a new breakpoint.

--------------------------------------------------------------------------------

Installing SubClipse
If you use Subversion (and you should if you're serious about Rails development) then you can install the SubClipse SubVersion client plugin.

Visit http://subclipse.tigris.org/install.html and follow their directions, or simply follow the same process as RDT and use their update site at http://subclipse.tigris.org/update

Choose Help->Software Updates->Find and Install
Choose "Search for new features to install" and select Next
Select "New Remote Site ",
Use the name “SubClipse”
Use the URL: http://subclipse.tigris.org/update
Press OK
Check SubClipse and push Next
Select the feature RDT and push Next. You should confirm any messages relating to installing unsigned plugins. RDT will be installed and be available after restart.

--------------------------------------------------------------------------------



Troubleshooting
DBEdit gives me errors when I attempt to connect to MySQL
"Fetching children of MySQL" is a common error that I've seen. It seems to be related to the version of DBEdit that you use. SourceForge isn't very helpful with the proper version; sometimes you get lucky. If you get this error, uninstall DBEdit and redownload a new version.
I used Cygwin and all the paths in your tutoral arewrong. You should change them or make a note about this.
You're on your own. This guide uses a specific method. It can easily be adapted for other uses, such as Cygwin or even Linux. However, please understand that I can't support all of those configurations. Compared to developing useful web applications, configuring these plugins should be pretty easy.
When I try to run one of the external programs, I get an error stating something about "not valid in prolog"
You probably set up all of your external apps as Ant Buids instead of programs.

The breakpointer hangs up on me... I can't exit out
Just hit the red stop button on the console to kill the breakpointer. Do the same for the console that contains WEBrick.

When I run one of the external programs, the message says "variable references empty selection"
It usually means that the project isn't selected. Just click on the project name before you run one of the programs.

I've set up SubClipse but whenever I try to open one of the SubClipse views, it says my workspace path is invalid and needs to be changed. The suggested path for the change is the same path I'm currently using!
SubClipse is picky. It wants the drive letter to be capitalized. Change your workspace path from c:javaworkspace to C:javaworkspace and restart Eclipse
Downloads
externals.zip
External Programs launchers for
Create Rails Structure in Project
Generate Model
Generate Controller
Generate Scaffold for Model and Controller
Generate Migration
Install Plugin via SVN
Rake
Start Breakpointer
Start Webrick Server
Open Explorer in Project Folder
Command Prompt
Start Console
rails-model-controller.xml
Contains code templates for various Ruby on Rails code methods. Import this into Ruby Templates
rails-rhtml.xml
Contains code templates for various Rails helpers used in views. Import into JSP Templates


--------------------------------------------------------------------------------

That about does it. I'll keep looking for other things to add to this procedure since this is the method I am now using for my development environment. If anyone has any feedback that I should add, please send it to railsdev@napcs.com

Thanks to Tom Davies for his comments regarding project locations and his tips about the Rails templates.

Thanks to Chris Williams for the information about WEBrick's output.

Thanks to everyone on the RDT team for working so hard on a great plugin.


--------------------------------------------------------------------------------

Brian Hogan is the owner of New Auburn Personal Computer Services, a small web design company that specializes in standards-based design and accessibility for the disabled. He has been developing web sites for ten years. He also works at the University of Wisconsin-Eau Claire where he oversees development of various web-based applications.


Site design and content copyright © 2003 New Auburn Personal Computer Services, All rights reserved. Unauthorized duplication or republication in any form is not allowed.