3 — Managing Users




This chapter describes basic management of principals, groups, organizations, users, and accounts. It contains the following sections:

3.1 Using the DCE Director
3.2 Definitions
3.3 Name Formats
3.4 Duplicate Names
3.5 Managing Users
3.6 Managing Principals
3.7 Managing Groups and Organizations
3.8 Managing Accounts

3.1 Using the DCE Director

For frequently performed tasks, such as managing users, groups, and objects, it is easiest to use the DCE Director. The DCE Director is a graphical tool for managing DCE cells. The DCE Director makes it easy to perform management tasks, such as creating, deleting, and modifying user accounts, security groups, and CDS directories. In addition, the DCE Director allows you to access the standard DCE control programs (rgy_edit, cdscp, acl_edit, and dtscp), while providing new functions, such as allowing authorized users to preconfigure host machines in a cell and manage user accounts.

The DCE Director includes an enhanced ACL editor, the Visual DCE ACL Editor, which allows you to graphically manage ACLs. You can invoke the Visual DCE ACL Editor directly from the DCE Director or you can use it as a stand-alone tool by clicking its icon in the DCE program group.

For more information on either the DCE Director or the Visual DCE ACL Editor, refer to their respective online help systems.

If you are not using the DCE Director, you can use the DCE command line tools as described in this chapter to perform the same functions.

3.2 Definitions

This section defines many of the terms you will encounter in this chapter. You should understand these terms before attempting to perform the tasks described in this chapter.

Account - An entry in the registry database that defines a principal's network identity by associating the principal with a group and optional organization, and with related account information such as the password used to authenticate a principal's identity.

Alias - An alias is an optional alternate name for a primary name. You can assign aliases to principals and groups, but not to organizations. An alias and its associated primary name share the same uid and uuid. You can use an alias on the command line to specify a principal or group.

Because you can create an account for each primary name and each alias, aliases give you the flexibility to establish several accounts for the same principal. For example, suppose that you create a principal with primary name groucho and two aliases: gmarx and gm. You can then create three accounts for the principal groucho: one for the primary name and one for each of the name's aliases. The accounts can use different passwords and can be associated with different access rights, groups and organizations.

For groups, aliases are useful if you want to associate two group names with the same uid.

Full Name - You can optionally assign a full name to a principal, group, or organization. A full name typically describes or expands a primary name to allow easy recognition by users. For example, a principal could have a primary name of jsbach and a full name of Johann S. Bach. A full name is a data field only. You do not use it on the command line to specify a principal, group, or organization.

GID - The UNIX group ID associated with a group.

Group - Named set of principals who can be granted common access rights. Group names are included in access control lists (ACLs) that regulate user access to various server and data objects in the DCE environment.

Object Creation Quota - Attribute associated with a principal that controls the number of registry objects that can be created by the principal. If you allow users to create their own groups, for example, you can use this quota to limit the total number of groups they can create.

Each time a principal creates a registry object, the principal's object creation quota is decremented by 1. When the object creation quota reaches 0, the principal is prohibited from creating registry objects unless you reset the object creation quota to a number other than 0 by using the dcecp principal modify command.

Organization - Named set of users who can be granted common access rights, usually by means of administrative policy. Policies control things like the lifespan of accounts, whether or when account passwords expire, or whether passwords can contain nonalphanumeric characters.

OrgID - The UNIX group ID associated with an organization.

Primary Name - Primary names are assigned to principals, groups, and organizations. The primary name is the name you typically use when specifying a principal, group, or organization on the command line.

Principal - An entity that can communicate securely with another entity. Principals are represented as entries in the security registry database and include users, servers, and computers. A principal must exist before you can create an account.

Project List - A principal's project list is a list of all the groups in which a principal or alias is a member. When a principal tries to access an object, the principal has the access rights that accrue from membership in every group that is named in the object's ACL. For example, assume the ACL for file X contains two entries: one permits group A write access and one permits group B read access. Then, any principal who is a member of both groups A and B can read and write to file X.

Principals accrue project list access rights only from the groups that are associated with the name or alias with which they log in. For example, assume that a principal named gustav is a member of groups A and B. Under the alias gus, he is a member of groups C and D. When the principal logs in as gustav, the principal accrues access rights from groups A and B only. When the principal logs in with the alias gus, the principal accrues access rights from groups C and D only.

User - Refers either to a person who wishes to use DCE services, or the collection of security registry information required for such a person. The registry information required for a user consists of a principal identity and an account.

UUID - Universal Unique ID that identifies an object in the registry database. Normally, you do not have to be aware of UUIDs. They are created and maintained automatically. However, be aware that, although the DCE Security Service prints names and you can access objects by name, it identifies all objects internally by UUID.

UID - UNIX user ID number associated with a user, which the registry uses for compatibility with UNIX programs.

3.3 Name Formats

Names in the registry can contain any characters or digits except the @ (at sign) and the : (colon). They must not exceed 1024 characters in length.

3.4 Duplicate Names

You must assign a name to each principal, group, and organization in the registry. Although a principal, a group, and an organization can have the same name, no two principals, groups, or organizations can have the same name. For example, two principals cannot be named smith, but a principal can be named smith, a group can be named smith, and an organization can be named smith. You can assign up to three types of names: primary, full, and aliases.

3.5 Managing Users

This section describes how to create and delete users, and show user information.

3.5.1 Creating Users

Use the dcecp user command to manage users. This command does the following:

  1. Creates a new principal name and adds the principal to a security group and organization. If the security group or organization does not exist when you invoke the operation, you can force its creation by using the -force option.

  2. Creates an account for the principal and creates the user's password.

  3. Adds a directory called /.:/users/principalname to CDS. This directory can store user-specific application location information.

  4. Adds an ACL entry to the default ACL which gives the user rwtci permissions on the /.:/users/principalname directory. These permissions allow users to insert objects and links, but they cannot delete the directory or administer replication on the directory. Furthermore, users cannot create additional directories unless you give them w (write) access to the clearinghouse.

The following example creates a principal named groucho and an account with the same name:

C:\> dce_login cell_admin -dce-
C:\> dcecp
dcecp> user create groucho -group none -organization none
-fullname {Groucho Marx} -mypwd -dce- -password change.me 

This example uses group none and organization none because they exist by default in a new cell.

You can create multiple users by specifying a list of user names as an argument to the user create operation. This method poses some limitations, however. All created users will have the same initial password, group name, and organization name. Furthermore, you cannot specify the fullname and uid attributes since these are unique for each user.

The following example creates several users with a password change.me, a group name of none, and an organization named none:

dcecp> user create {groucho harpo chico zeppo} -group none 
-organization none -mypwd -dce- -password change.me

3.5.2 Showing User Information

The user show command returns the principal attributes and ERAs, account attributes, and policies associated with a user. For example:

dcecp> user show harpo

{fullname {Harpo Marx}}
{uid 107}
{uuid 0000006b-80e6-2533-8d00-00802964ff95}
{alias no}
{quota unlimited}
{groups none}
{acctvalid yes}
{client yes}
{created /.../longwood/cell_admin 2000-04-14-11:29:42.000-04:00I-----}
{description {}}
{dupkey no}
{expdate none}
{forwardabletkt yes}
{goodsince 2000-04-14-11:29:42.000-04:00I-----}
{group none}
{home /}
{lastchange /.../longwood/cell_admin 2000-04-14-11:29:42.000-04:00I-----}
{organization none}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell {}}
{stdtgtauth yes}
nopolicy

You can show information about multiple users by specifying a list of user names as an argument to the user show command.

3.5.3 Deleting Users

The dcecp user delete command removes the principal name from the registry, deletes the account, and removes the principal from any groups and organizations. The operation also deletes the /.:/users/principalname directory and its contents from CDS.

For example:

C:\> dce_login cell_admin -dce-
C:\> dcecp
dcecp> user delete zeppo

You can remove multiple users from your cell by specifying a list of user names as an argument to the user delete operation, as follows:

dcecp> user delete {groucho harpo chico zeppo}

If you have permissions in a foreign cell, you can remove one or more users from that cell by specifying the global principal name of the users to be deleted.

For example:

dcecp> user delete /.../their_cell.goodco.com/J_Jones

3.6 Managing Principals

Normally you use the dcecp user command to manage users. However, if you need to manage principals separately (for example, to create a principal without an associated account), this section describes how.

This section describes how to create, delete, and modify principals, and show principal information.

3.6.1 Reserved Principals and Accounts

Some principals and accounts are reserved for use by DCE. You cannot delete or modify reserved principals. You can modify, but not directly delete, reserved accounts. A list of reserved principals and accounts follows. In the list, cell_name is the name of your cell, and host_principal_name is the name of the machine principal. The actual form of this name is set during DCE configuration.

3.6.2 Adding Principals

To add principals to the registry, use the principal create command. For example, the following sample command creates a principal with a primary name of jagger:

dcecp> principal create jagger

There are additional attributes you can associate with the principal, including full name and quota.

3.6.2.1 Specifying a Full Name

The fullname is a string providing additional information about the principal. Typically, it contains a user's full name. For example, the following command creates a principal and an associated fullname:

dcecp> principal create jagger -fullname {Mick Jagger}

3.6.2.2 Specifying an Object Creation Quota

The object creation quota is the number of registry objects that this principal can create. Each time a principal creates a registry object, this value is decremented for that principal. To allow a principal to create an unlimited number of registry objects, enter the text string unlimited. To prevent a principal from creating any registry objects, enter 0. If you don't enter this argument, the quota defaults to unlimited. For example:

dcecp> principal create jagger -quota 5

NOTE: For an account for a foreign cell (used for intercell communication), the quota is cumulative for all principals who use the account. The quota is not per foreign principal. For example, if the quota is 10, the total number of objects that can be created by foreign principals who use the account cannot exceed 10.

3.6.2.3 Creating Multiple Principals

You can create multiple principals with one principal create command. To do so, enclose the principal names in braces, separated by spaces. For example, to create the principals jones, watts, wyman, jagger, and richards, enter the following:

dcecp> principal create {jones watts wyman jagger richards}

The following sample command creates the principals jones, watts, wyman, jagger, and richards and assigns each an object creation quota of 100.

dcecp> principal create {jones watts wyman jagger richards} -quota 100

3.6.3 Showing Principal Information

The dcecp command principal catalog displays a list of the principals in the cell. For example:

dcecp> principal catalog

/.../longwood/nobody
/.../longwood/root
/.../longwood/daemon
/.../longwood/sys
/.../longwood/bin
/.../longwood/uucp
/.../longwood/who
/.../longwood/mail
/.../longwood/tcb
/.../longwood/dce-ptgt
/.../longwood/dce-rgy
/.../longwood/cell_admin
/.../longwood/krbtgt/longwood
/.../longwood/hosts/darwin.entegrity.com/self
/.../longwood/hosts/darwin.entegrity.com/cds-server
/.../longwood/hosts/darwin.entegrity.com/gda
/.../longwood/hosts/chest.entegrity.com/self
/.../longwood/groucho
/.../longwood/harpo
/.../longwood/jagger
/.../longwood/hm

The dcecp command principal show principal displays attribute information about the principal. For example:

dcecp> principal show harpo

{fullname {Harpo Marx}}
{uid 107}
{uuid 0000006b-80e6-2533-8d00-00802964ff95}
{alias no}
{quota unlimited}
{groups none}

3.6.4 Modifying Principals

You can change a principal's primary name and other information related to the principal. The change is reflected in the membership lists of all the groups and organizations in which the principal is a member.

Additionally, you can change a primary name to an alias and an alias to a primary name. If you change a primary name to an alias and do not make an alias the primary name, operations that return names choose one of the aliases at random.

3.6.4.1 Changing the Primary Name

Use the dcecp principal rename command to change a primary name. Enter the command in the following form:

principal rename old_name -to new_name

old_name - primary name of the principal to be changed.

new_name - new primary name of the principal.

The following example shows the principal rename command used to change a primary name from smit to smith:

dcecp> principal rename smit -to smith

3.6.4.2 Changing Principal Information

Use the dcecp principal modify command to change any principal information except the uid and uuid. The following example shows the principal modify command used to change principal jones's object creation quota to 10.

dcecp> principal modify jones -quota 10

3.6.4.3 Adding an Alias to a Principal

Use the dcecp command principal create to create an alias and associate it with a principal.

First use the principal show command to obtain the uid of the principal to which you are adding an alias:

dcecp> principal show harpo
{fullname {Harpo Marx}}
{uid 107}
{uuid 0000006b-80e6-2533-8d00-00802964ff95}
{alias no}
{quota unlimited}
{groups none}

Then issue the principal create command specifying the principal's uid and the -alias yes option:

dcecp> principal create hm -uid 107 -alias yes

3.6.5 Deleting Principals and Aliases

If you delete a principal or an alias, the system automatically deletes any accounts for that principal or alias. Be aware that deleting a principal or a principal's alias could orphan the objects that are owned by the principal (Refer to Section 3.6.6).

The following example shows the principal delete command used to delete the principal named mahler:

dcecp> principal delete mahler

You can delete multiple principals or aliases with one principal delete command. To do so, enclose the principal names in braces, separated by spaces. For example, to delete the principals bach, britten, and richards, you would enter the following:

dcecp> principal delete {bach britten richards}

3.6.6 Recovering Orphaned Objects

If you delete a principal from the registry, you also delete the principal's UUID. Any objects (files, programs) that are owned by the principal are associated with an orphaned UUID; that is, a UUID with no corresponding name. This means that the object is now owned by a deleted principal. If no other principals were previously given access to the object, the object cannot be accessed.

To solve this problem, use the dcecp principal create command with the -uuid option to associate the UUID with a name and thus adopt the orphaned object. UUIDs are assigned automatically when the object is created by using the DCE control program's principal create command. Therefore, you cannot simply add a new user and acquire a previously used UUID. You must execute the dcecp principal create command with the -uuid option for this purpose.

For example, an acl show of the object grade shows that only the user fred has privileges to the object:

dcecp> acl show -e /.:/grade
{user fred rwdtc}

If the principal fred is deleted, the object is an orphan:

dcecp> principal delete fred
dcecp> acl show -e /.:/grade
{user 00000080-d459-25b4-8000-0000c0987001 rwdtc}

Use the UUID now displayed in place of the name to create a new principal for the orphaned object. You can use the same name or a different name:

dcecp> principal create wilma -uuid 00000080-d459-25b4-8000-0000c0987001
dcecp> acl show -e /.:/grade
{user wilma rwdtc}

3.7 Managing Groups and Organizations

Groups provide a convenient way to control access rights for a set of users with the same security requirements. When you edit an object ACL to configure permissions, specifying the group name grants those permissions to all group members. (The exception is if the object ACL contains an entry for a specific user; in this case, the user permissions override the permissions for any group of which this user is a member.)
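The project list rule from Section 3.2 (rights accrue only from the groups tied to the name used at login), the user-entry override stated above, and the orphaned-UUID recovery from Section 3.6.6, modelled in Python. This is an added illustration, not dcecp or registry code; the Registry and Acl classes, the groups A to D, and the permission letters are constructed for the example.

```python
"""Constructed model of project lists, ACL evaluation and orphaned UUIDs.
Added illustration, not DCE code. ACL user entries are keyed by UUID, as the
registry does internally; names are resolved only when the ACL is displayed.
"""
import uuid


class Registry:
    def __init__(self):
        self.uuid_by_name = {}   # primary name or alias -> UUID string
        self.groups = {}         # group name -> set of member login names

    def principal_create(self, name, alias_of=None, fixed_uuid=None):
        # An alias shares its primary name's UUID; -uuid re-adopts an orphan.
        if alias_of is not None:
            new_uuid = self.uuid_by_name[alias_of]
        else:
            new_uuid = fixed_uuid or str(uuid.uuid4())
        self.uuid_by_name[name] = new_uuid
        return new_uuid

    def principal_delete(self, name):
        # Only the name goes away; ACL entries keep referencing the UUID.
        del self.uuid_by_name[name]

    def group_add(self, group, member):
        self.groups.setdefault(group, set()).add(member)

    def project_list(self, login_name):
        # Rights accrue only from groups tied to the name used to log in.
        return {g for g, members in self.groups.items() if login_name in members}

    def name_for(self, entry_uuid):
        for name, u in self.uuid_by_name.items():
            if u == entry_uuid:
                return name
        return entry_uuid        # orphan: shown as a bare UUID, as acl show does


class Acl:
    def __init__(self):
        self.user_entries = {}   # UUID -> permission string such as "rwdtc"
        self.group_entries = {}  # group name -> permission string

    def add_user(self, registry, name, perms):
        self.user_entries[registry.uuid_by_name[name]] = perms

    def add_group(self, group, perms):
        self.group_entries[group] = perms

    def show(self, registry):
        lines = [f"{{user {registry.name_for(u)} {p}}}" for u, p in self.user_entries.items()]
        lines += [f"{{group {g} {p}}}" for g, p in self.group_entries.items()]
        return lines

    def effective_perms(self, registry, login_name):
        """Permissions held when logged in as login_name (primary name or alias)."""
        u = registry.uuid_by_name.get(login_name)
        if u in self.user_entries:
            return set(self.user_entries[u])   # a user entry overrides all group entries
        perms = set()
        for group in registry.project_list(login_name):
            perms |= set(self.group_entries.get(group, ""))
        return perms


def demo_project_lists():
    """gustav is in groups A and B; his alias gus is in C and D (Section 3.2)."""
    reg, acl = Registry(), Acl()
    reg.principal_create("gustav")
    reg.principal_create("gus", alias_of="gustav")
    for group, member in [("A", "gustav"), ("B", "gustav"), ("C", "gus"), ("D", "gus")]:
        reg.group_add(group, member)
    acl.add_group("A", "w")
    acl.add_group("B", "r")
    acl.add_group("C", "t")
    return acl.effective_perms(reg, "gustav"), acl.effective_perms(reg, "gus")


def demo_user_override():
    # A user entry for the principal wins over a more generous group entry.
    reg, acl = Registry(), Acl()
    reg.principal_create("smith")
    reg.group_add("A", "smith")
    acl.add_group("A", "rwdtc")
    acl.add_user(reg, "smith", "r")
    return acl.effective_perms(reg, "smith")


def demo_orphan():
    """Replays the fred/wilma sequence from Section 3.6.6."""
    reg, acl = Registry(), Acl()
    reg.principal_create("fred")
    acl.add_user(reg, "fred", "rwdtc")
    before = acl.show(reg)
    reg.principal_delete("fred")
    orphaned = acl.show(reg)                 # entry now prints as a bare UUID
    orphan_uuid = next(iter(acl.user_entries))
    reg.principal_create("wilma", fixed_uuid=orphan_uuid)
    return before, orphaned, acl.show(reg)
```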

Use organizations to simplify policy management (policy regulates things like account and password lifetimes and password format). An organization's policies override the registry default policies if the organization's policies are more restrictive.

This section describes how to create and delete groups and organizations, and show group and organization information.

3.7.1 Adding Groups and Organizations

Use the dcecp group create command to add groups and the dcecp organization create command to add organizations. When you add a group or organization, you must specify the group's or organization's primary name.

Note that, when you use the dcecp group create command and dcecp organization create command, you can create multiple groups or organizations with one command in the same way that you can create multiple principals.

3.7.1.1 Adding a Group

The following example shows how to add a group named symphonists to the registry:

dcecp> group create symphonists

3.7.1.2 Adding an Organization

The following example shows how to add an organization named classic to the registry:

dcecp> organization create classic

3.7.2 Showing Group and Organization Information

The dcecp commands group catalog and organization catalog display lists of the groups and organizations in the cell. For example:

dcecp> group catalog

/.../longwood/nogroup
/.../longwood/system
/.../longwood/daemon
/.../longwood/uucp
/.../longwood/bin
/.../longwood/kmem
/.../longwood/mail
/.../longwood/tty
/.../longwood/none
/.../longwood/tcb
/.../longwood/acct-admin
/.../longwood/subsys/dce/sec-admin
/.../longwood/subsys/dce/cds-admin
/.../longwood/subsys/dce/dts-admin
/.../longwood/subsys/dce/dskl-admin
/.../longwood/subsys/dce/cds-server
/.../longwood/subsys/dce/dts-servers
/.../longwood/subsys/dce/audit-admin
/.../longwood/subsys/dce/dced-admin

The dcecp commands group show group and organization show organization display attribute information about groups and organizations. For example:

dcecp> group show none

{alias no}
{gid 12}
{uuid 0000000c-7bda-2533-9f01-00802964ff95}
{inprojlist yes}
{fullname {}}

3.7.3 Modifying Groups and Organizations

For groups and organizations, you can change the primary name and full name. In addition, for groups you can change whether or not the group can appear in project lists, and for organizations you can change policy.

Use the dcecp group modify command to change groups. The following example shows this command used with the -inprojlist option to change the project list inclusion property of the group symphonists from yes (include on project lists) to no (exclude from project lists).

dcecp> group modify symphonists -inprojlist no

Use the dcecp group rename command to change a group's primary name or the dcecp organization rename command to change an organization's primary name. These commands have the following form:

group rename old_name -to new_name

organization rename old_name -to new_name

where:

old_name - Primary name of the group or organization to be changed.

new_name - New primary name of the group or organization.

The following example shows the group rename command used to change a primary name from symphonists to symphonists7:

dcecp> group rename symphonists -to symphonists7

Note that, if you change a primary name, that change is reflected in the membership lists of all the groups and organizations in which the group or organization is listed as a member.

3.7.4 Deleting Groups and Organizations

If you delete a group or organization, you also automatically delete any accounts that use the group or organization. For example, if you delete the group symphonists, you also automatically delete the accounts vivaldi symphonists baroque and mozart symphonists classic.

NOTE: The default groups none and nogroup and the default organization none represent users that either have not yet been assigned to a group or organization or have chosen not to be assigned to one. DCE needs these groups — do not delete them.

Use the dcecp group delete command to delete groups and the dcecp organization delete command to delete organizations. The following example shows the group delete command being used to delete the group symphonists:

dcecp> group delete symphonists

The next example shows the organization delete command being used to delete the organization classic:

dcecp> organization delete classic

Note that you can delete multiple groups or organizations with a single group delete or organization delete command by including the names to delete in braces and separated by spaces just as you would to delete multiple principals.

3.7.5 Maintaining Membership Lists

Each group and organization has a membership list, which lists the principals that are members of the group or organization. Use the dcecp group add command to add members to the membership list and the dcecp group remove command to remove members from the list.

If you delete a member from a group or organization, any accounts for the deleted member that are associated with the group or organization are also deleted. For example, if you delete the principal mahler from the group symphonists, the account mahler symphonists classic is also deleted.

Note that the deleting of a principal from a group or organization can affect the principal's rights to objects. This change takes effect only when the principal's ticket-granting ticket is renewed.

3.7.5.1 Effects of Account Creation on Membership Lists

When you create accounts, the principal for whom the account is created must be a member of the group or organization that is named in the account. For example, if you create the account mahler symphonists classic, the principal mahler must be a member of the symphonists group and the classic organization.

The dcecp command recognizes this requirement and, if you have the permissions to add to the group or organization, tries to add the principal to the group and organization. For example, assume that the principal mahler is not a member of either the group symphonists or the organization classic. If you have the proper permissions when you create the account mahler symphonists classic, the account create command automatically adds mahler to the symphonists and classic membership lists so that you can create the account in one step.

However, if you do not have the required permissions, the command fails and displays a message like the following:

Not authorized to perform operation

3.7.5.2 Adding and Deleting Group Members

The following example shows the dcecp group add and group remove commands used with the -member option to add mahler to the group symphonists and to remove strauss from it:

dcecp> group add symphonists -member mahler
dcecp> group remove symphonists -member strauss

You can add and remove multiple members with one group add or group remove command. To do so, enclose the member names in braces, separated by spaces. For example, to add the principals bach, britten, and mccartney to the group symphonists, you would enter the following:

dcecp> group add symphonists -member {bach britten mccartney}

3.7.5.3 Displaying Membership Lists

To display the members of a group or organization, use the dcecp command group list group or organization list organization. For example:

dcecp> group list none

/.../longwood/dce-ptgt
/.../longwood/dce-rgy
/.../longwood/krbtgt/longwood
/.../longwood/cell_admin
/.../longwood/hosts/darwin.entegrity.com/self
/.../longwood/hosts/darwin.entegrity.com/gda
/.../longwood/hosts/darwin.entegrity.com/cds-server
/.../longwood/hosts/chest.entegrity.com/self
/.../longwood/groucho
/.../longwood/harpo

3.8 Managing Accounts

Registry accounts define a network identity by associating a principal with a group, an organization, and related account information, such as the password that is used to authenticate a principal's identity. You must create a registry account for any principal that engages in communications across the network, regardless of whether the communications are authenticated. The following types of principals require registry accounts:

3.8.1 User Accounts

User accounts are associated with the user's password and information that is used when the user logs into DCE. Account information includes such things as the principal's home directory and login shell, and authentication policy, which defines parameters that help control a principal's access to DCE.

3.8.2 Creating an Account

Normally, to create a user account you use the DCE Director or the dcecp user create command, both of which create both a principal and associated account. If you want to create an account for an existing human user principal, use the dcecp account create command. For example:

  1. Associate the principal with a group and organization:

    C:\> dce_login cell_admin -dce-
    C:\> dcecp
    dcecp> group add straight_men -member zeppo
    dcecp> organization add entertainers -member zeppo
    

  2. Create the account:

    dcecp> account create zeppo -group straight_men 
    -organization entertainers -mypwd -dce- -password change.me
    

When creating an account, you can specify any of the account attribute values that you do not wish to default. The following section (Section 3.8.2.1) describes these attribute values.

3.8.2.1 Account Attribute Values

When creating an account, you can specify any of the account attribute values that you do not wish to default. Refer to Table 3-1.

Table 3-1: Attribute Options to Create Accounts

Option Meaning
-acctvalid {yes|no}

A flag that determines account validity. If you set this flag to no, the account is invalid and the account principal cannot log into the account.

The default is yes.

-client {yes|no}

A flag that indicates whether or not the account is for a principal that can act as a client. If you set this flag to yes, the principal is able to log into the account and acquire tickets for authentication.

The default is yes.

-description string

A text string in Portable Character Set (PCS) format that is typically used to describe the use of the account. No default.

-dupkey {yes|no}

A flag that determines if tickets issued to the account's principal can have duplicate keys. The default is no.

-expdate date

The date (in ISO timestamp format YYYY-MM-DD-hh:mm:ss) on which the account expires. To renew an account after it expires, change the date. The default is none, meaning the account never expires.

-forwardabletkt {yes|no}

A flag determining whether a new ticket-granting ticket with a network address that differs from the present TGT's network address can be issued to the account's principal. (The -proxiabletkt attribute performs the same function for service tickets.) The default is yes.

-goodsince date

The date and time (in ISO timestamp format YYYY-MM-DD-hh:mm:ss) that the account was last known to be in an uncompromised state. Any tickets granted before this date are invalid.

When the account is created, the -goodsince attribute is set to the current date.

Control over this date is especially useful if you know that an account's password was compromised. Changing the password can prevent the unauthorized principal from accessing the system again by using that password, but does not prevent the principal from accessing the system components for which tickets were obtained fraudulently before the password was changed. To eliminate the principal's access to the system, the tickets must be canceled. Set the -goodsince attribute to the date and time the compromised password was changed to invalidate all tickets issued before that time and eliminate the unauthorized principal's system access.

-group group_name

The name of the group that is associated with the account. This attribute must be supplied to create an account; there is no default.

-home dir_name

The directory in which the principal is placed at login. No default.

-organization org_name

The name of the organization that is associated with the account. This attribute must be supplied to create an account; there is no default.

-password password

The required password for the account in plaintext. The system encrypts the password you supply. No default.

-postdatedtkt {yes|no}

A flag that determines whether or not tickets with a start time in the future can be issued to the account's principal. The default is no.

-proxiabletkt {yes|no}

A flag that determines whether or not a new ticket with a different network address than the present ticket can be issued to the account's principal. (The -forwardabletkt attribute option performs the same function for ticket-granting tickets.) The default is no.

-pwdvalid {yes|no}

A flag that determines whether the current password is valid. If this flag is set to no, the account password has expired and the principal will be prompted to change it the next time that the principal logs into the account. The default is yes.

-renewabletkt {yes|no}

The Kerberos V5 renewable ticket feature is not currently used by DCE; any use of the renewable ticket attribute is unsupported at the present time.

-server {yes|no}

A flag that indicates whether or not the account is for a principal that can act as a server. If the account is for a server that engages in authenticated communications, set this flag to yes. The default is yes.

-shell path_to_shell

The shell that is executed when a principal logs in.

-stdtgtauth {yes|no}

A flag that determines whether or not tickets issued to the account's principal can use the ticket-granting-ticket authentication mechanism. The default is yes.

-maxtktlife hours

The maximum ticket lifetime. This is the maximum amount of time in hours that a ticket can be valid.

When a client requests a ticket to a server, the lifetime granted to the ticket takes into account the maxtktlife attribute value for both the server and the client. In other words, the lifetime cannot exceed the shorter of the server's or client's maximum ticket lifetime.

If you do not specify a maxtktlife attribute value for an account, the maxtktlife attribute value defined for the registry authorization policy is used.

-maxtktrenew hours

The maximum renewable ticket lifetime. This is the amount of time in hours before a principal's ticket-granting ticket expires and the principal must log into the system again to reauthenticate and obtain another ticket-granting ticket. The lifetime of the principal's service tickets can never exceed the lifetime of the principal's ticket-granting ticket.

The shorter you make the maximum renewable ticket lifetime (Maximum Certificate Renewable), the greater the security of the system. However, since principals must log in again to renew their ticket-granting ticket, the value you choose needs to balance user convenience against the level of security required.

If you do not specify a maxtktrenew attribute value for an account, the maxtktrenew attribute value defined for the registry authorization policy is used.
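The two lifetime rules above (a service ticket is capped by the shorter of the client's and server's maxtktlife, falling back to the registry policy value when an account has none, and never outlives the ticket-granting ticket) and the -goodsince cancellation rule described earlier in this section are easy to get wrong when reasoning about an incident. The following Python is an added illustration, not code from this guide or from DCE itself; the registry policy values and account records in it are constructed, and the function names are the example's own.

```python
from datetime import datetime, timedelta

# Assumed registry authorization policy values, in hours (constructed for this example).
REGISTRY_POLICY = {"maxtktlife": 10, "maxtktrenew": 168}


def effective_maxtktlife(account: dict, policy: dict = REGISTRY_POLICY) -> int:
    """maxtktlife in force for one account: the account's own value if set,
    otherwise the value defined for the registry authorization policy."""
    value = account.get("maxtktlife")
    return int(policy["maxtktlife"]) if value is None else int(value)


def granted_ticket_lifetime(client: dict, server: dict,
                            tgt_remaining_hours: float,
                            policy: dict = REGISTRY_POLICY) -> float:
    """Longest lifetime (hours) a service ticket can be granted.

    Two caps from the text: the shorter of the client's and the server's
    maxtktlife, and the remaining life of the client's ticket-granting
    ticket, since a service ticket never outlives the TGT."""
    pair_cap = min(effective_maxtktlife(client, policy),
                   effective_maxtktlife(server, policy))
    return min(pair_cap, tgt_remaining_hours)


def ticket_honoured(issued_at: datetime, lifetime_hours: float,
                    now: datetime, goodsince: datetime,
                    acctvalid: bool = True) -> bool:
    """Decide whether a previously issued ticket is still accepted.

    A ticket issued before the account's goodsince date is treated as
    cancelled; that is the effect of setting -goodsince to the time a
    compromised password was changed."""
    if not acctvalid:
        return False
    if issued_at < goodsince:
        return False
    return now < issued_at + timedelta(hours=lifetime_hours)


def tickets_to_cancel(issued_times, goodsince: datetime):
    """Subset of ticket issue times that a given goodsince value invalidates."""
    return [t for t in issued_times if t < goodsince]


if __name__ == "__main__":
    client = {"maxtktlife": 8}   # constructed client account
    server = {}                  # constructed server account; no maxtktlife -> policy value (10)
    print(granted_ticket_lifetime(client, server, tgt_remaining_hours=24))  # 8
    print(granted_ticket_lifetime(client, server, tgt_remaining_hours=5))   # 5

    # Password found compromised and changed at 11:05:15; goodsince set to that moment.
    changed = datetime(2000, 4, 16, 11, 5, 15)
    before = datetime(2000, 4, 16, 10, 0)    # ticket obtained with the old password
    after = datetime(2000, 4, 16, 11, 10)    # ticket obtained after the change
    now = datetime(2000, 4, 16, 11, 30)
    print(ticket_honoured(before, 8, now, changed))  # False: cancelled by goodsince
    print(ticket_honoured(after, 8, now, changed))   # True
```

Note that the goodsince check alone does not shorten the window in which the old ticket could have been used before the password change was detected; it only stops the ticket from being honoured afterwards, which is why the text pairs it with changing the password.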

3.8.3 Showing an Account

To view a list of accounts, use the dcecp account catalog command. For example:

dcecp> account catalog

/.../longwood/nobody
/.../longwood/root
/.../longwood/daemon
/.../longwood/uucp
/.../longwood/bin
/.../longwood/dce-ptgt
/.../longwood/dce-rgy
/.../longwood/krbtgt/longwood
/.../longwood/cell_admin
/.../longwood/hosts/darwin.entegrity.com/self
/.../longwood/hosts/darwin.entegrity.com/cds-server
/.../longwood/hosts/darwin.entegrity.com/gda
/.../longwood/hosts/banks.entegrity.com/self
/.../longwood/groucho
/.../longwood/harpo
/.../longwood/zeppo

To view an account's attributes, use the dcecp account show command. For example:

dcecp> account show zeppo

{acctvalid yes}
{client yes}
{created /.../longwood/cell_admin 2000-04-16-11:05:15.000-04:00I-----}
{description {}}
{dupkey no}
{expdate none}
{forwardabletkt yes}
{goodsince 2000-04-16-11:05:15.000-04:00I-----}
{group none}
{home /}
{lastchange /.../longwood/cell_admin 2000-04-16-11:05:15.000-04:00I-----}
{organization none}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell {}}
{stdtgtauth yes}
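When reviewing many accounts, it is useful to parse this output rather than read it by eye. The following Python is an added example, not part of this guide or of dcecp: it parses the {attribute value} lines that account show prints (the zeppo record above is embedded as the sample input), decodes the DTS-style timestamps in the created, goodsince and lastchange attributes, and flags settings a reviewer would want to confirm based on the attribute meanings given in this chapter. The function names and the audit rules are the example's own.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Sample input: the zeppo record as printed by "account show" above.
SAMPLE_ACCOUNT_SHOW = """\
dcecp> account show zeppo

{acctvalid yes}
{client yes}
{created /.../longwood/cell_admin 2000-04-16-11:05:15.000-04:00I-----}
{description {}}
{dupkey no}
{expdate none}
{forwardabletkt yes}
{goodsince 2000-04-16-11:05:15.000-04:00I-----}
{group none}
{home /}
{lastchange /.../longwood/cell_admin 2000-04-16-11:05:15.000-04:00I-----}
{organization none}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell {}}
{stdtgtauth yes}
"""

# DTS timestamp as dcecp prints it: YYYY-MM-DD-hh:mm:ss.fff<utc offset>I<inaccuracy>
_TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{3})([+-])(\d{2}):(\d{2})I")


def parse_timestamp(text: str) -> datetime:
    """Convert a dcecp/DTS timestamp into a timezone-aware datetime."""
    m = _TS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised dcecp timestamp: {text!r}")
    y, mo, d, h, mi, s, ms, sign, oh, om = m.groups()
    offset = timedelta(hours=int(oh), minutes=int(om))
    tz = timezone(offset if sign == "+" else -offset)
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                    int(ms) * 1000, tzinfo=tz)


def parse_account_show(output: str) -> Dict[str, str]:
    """Turn the {attribute value} lines into a dict; {} becomes an empty string.
    Prompt and blank lines are ignored."""
    attrs: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not (line.startswith("{") and line.endswith("}")):
            continue
        key, _, value = line[1:-1].partition(" ")
        attrs[key] = "" if value == "{}" else value
    return attrs


def changed_by(attrs: Dict[str, str], key: str = "lastchange") -> str:
    """Principal recorded in a created/lastchange attribute."""
    principal, _, _ts = attrs[key].partition(" ")
    return principal


def changed_at(attrs: Dict[str, str], key: str = "lastchange") -> datetime:
    """Timestamp recorded in a created/lastchange attribute."""
    _principal, _, ts = attrs[key].partition(" ")
    return parse_timestamp(ts)


def audit_account(attrs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag settings worth confirming, using the attribute meanings in this chapter."""
    findings: List[Tuple[str, str]] = []
    if attrs.get("acctvalid") == "no":
        findings.append(("acctvalid", "account is disabled"))
    if attrs.get("pwdvalid") == "no":
        findings.append(("pwdvalid", "password expired; change forced at next login"))
    if attrs.get("expdate", "none") == "none":
        findings.append(("expdate", "no expiration date set"))
    for flag in ("postdatedtkt", "proxiabletkt"):
        if attrs.get(flag) == "yes":          # both default to no
            findings.append((flag, "non-default ticket option enabled"))
    if attrs.get("forwardabletkt") == "yes":
        findings.append(("forwardabletkt", "forwardable ticket-granting tickets allowed"))
    if attrs.get("renewabletkt") == "yes":
        findings.append(("renewabletkt", "renewable tickets are unsupported in DCE"))
    for required in ("group", "organization"):  # both required when an account is created
        if attrs.get(required, "none") == "none":
            findings.append((required, "required attribute is not set"))
    return findings


if __name__ == "__main__":
    acct = parse_account_show(SAMPLE_ACCOUNT_SHOW)
    print("last changed by", changed_by(acct), "at", changed_at(acct).isoformat())
    for attribute, message in audit_account(acct):
        print(f"{attribute:16} {message}")
```

Running this over the output of account show for every name returned by account catalog gives a quick inventory of accounts whose ticket options or lifetimes differ from the cell's defaults.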

3.8.4 Modifying an Account

To modify an attribute, use the dcecp account modify command. The following example changes the expiration date on account zeppo:

dcecp> account modify zeppo -expdate 1999-12-10-00:00:00 -mypwd -dce-

3.8.5 Deleting an Account

To delete an account, use the dcecp account delete command. The following example deletes account zeppo:

dcecp> account delete zeppo

If you delete a group or organization, you will also automatically delete any accounts that specify this group or organization as the primary group or organization.

You can delete multiple accounts with one account delete command. To do so, enclose the names of the account principals in braces, separated by spaces. For example, to delete accounts for bach, britten, and mahler, you would enter:

dcecp> account delete {bach britten mahler}

To make comments or ask for help, contact support@entegrity.com.

Portions of this document were derived from materials provided by Compaq Computer Corporation. Copyright © 1998-2003 Compaq Computer Corporation.

Copyright © 2003 Entegrity Solutions Corporation & its subsidiaries.

All rights reserved.