Adding Accounts

Use the dcecp account create command to add accounts to the registry. Information that is associated with accounts falls roughly into the following two categories:

· User information similar to that typically found in the /etc/passwd file.

· Authentication policy that lets you control the account's access to the network. Authentication policy establishes account and password validity, account expiration policy, and ticket expiration policy. The tighter you control authentication policy, the more secure your cell is, but the more processing overhead you can accrue.

Both types of information are supplied as attributes in standard dcecp attribute lists or as attribute options.

Note that authentication policy can also be set for the registry. If the registry policy differs from the policy that you enter for an account, the stricter policy applies. (See Maintaining Policies and Properties for more information on contradictory policy.)

The following table lists the attribute options used to create accounts. Note that the options described in this table can also be supplied without the dashes in attribute lists.

Attribute Options to Create Accounts

Option                    Meaning

-acctvalid {yes|no}       A flag that determines account validity. If you set this flag to no, the account is invalid and the account principal cannot log into the account. The default is yes.

-client {yes|no}          A flag that indicates whether or not the account is for a principal that can act as a client. If you set this flag to yes, the principal is able to log into the account and acquire tickets for authentication. The default is yes.

-description string       A text string in Portable Character Set (PCS) format that is typically used to describe the use of the account. No default.

-dupkey {yes|no}          A flag that determines if tickets issued to the account's principal can have duplicate keys. The default is no.

-expdate date             The date (in ISO timestamp format YY-MM-DD-hh:mm:ss) on which the account expires. To renew an account after it expires, change the date. The default is none, meaning the account never expires.

-forwardabletkt {yes|no}  A flag that determines whether a new ticket-granting ticket with a network address that differs from the present TGT's network address can be issued to the account's principal. (The -proxiabletkt attribute performs the same function for service tickets.) The default is yes.

-goodsince date           The date and time (in ISO timestamp format YY-MM-DD-hh:mm:ss) at which the account was last known to be in an uncompromised state. Any tickets granted before this date are invalid. Control over this date is especially useful if you know that an account's password was compromised. Changing the password prevents the unauthorized principal from using that password to access the system again, but it does not prevent the principal from accessing the system components for which tickets were fraudulently obtained before the password was changed. To eliminate the principal's access to the system, those tickets must be canceled. Set the -goodsince attribute to the date and time at which the compromised password was changed; this invalidates all tickets issued before that time and eliminates the unauthorized principal's system access. When the account is created, the -goodsince attribute is set to the current date.

-group group_name         The name of the group that is associated with the account. This attribute must be supplied to create an account; there is no default.

-home dir_name            The directory in which the principal is placed at login. No default.

-organization org_name    The name of the organization that is associated with the account. This attribute must be supplied to create an account; there is no default.

-password password        The required password for the account, in plaintext. The system encrypts the password you supply. No default.

-postdatedtkt {yes|no}    A flag that determines whether or not tickets with a start time in the future can be issued to the account's principal. The default is no.

-proxiabletkt {yes|no}    A flag that determines whether or not a new ticket with a different network address than the present ticket can be issued to the account's principal. (The -forwardabletkt attribute option performs the same function for ticket-granting tickets.) The default is no.

-pwdvalid {yes|no}        A flag that determines whether the current password is valid. If this flag is set to no, the account password has expired and the principal will be prompted to change it the next time that the principal logs into the account. The default is yes.

-renewabletkt {yes|no}    The Kerberos V5 renewable ticket feature is not currently used by DCE; any use of the renewable ticket attribute is unsupported at the present time.

-server {yes|no}          A flag that indicates whether or not the account is for a principal that can act as a server. If the account is for a server that engages in authenticated communications, set this flag to yes. The default is yes.

-shell path_to_shell      The shell that is executed when a principal logs in.

-stdtgtauth {yes|no}      A flag that determines whether or not tickets issued to the account's principal can use the ticket-granting-ticket authentication mechanism. The default is yes.

-usertouser {yes|no}      For server principals, a flag that determines whether or not the server must use user-to-user authentication. The value is either yes (must use authentication based on the user-to-user protocol) or no (uses authentication based on the server-key ticket protocol). The default is no.

-maxtktlife hours         The maximum ticket lifetime. This is the maximum amount of time, in hours, that a ticket can be valid. When a client requests a ticket to a server, the lifetime granted to the ticket takes into account the maxtktlife attribute value for both the server and the client. In other words, the lifetime cannot exceed the shorter of the server's or the client's maximum ticket lifetime.
                          If you do not specify a maxtktlife attribute value for an account, the maxtktlife attribute value defined for the registry authorization policy is used. (See Maintaining Policies and Properties.)

-maxtktrenew hours        The maximum ticket renewable. This is the amount of time, in hours, before a principal's ticket-granting ticket expires and that principal must log into the system again to reauthenticate and obtain another ticket-granting ticket. The lifetime of the principal's service tickets can never exceed the lifetime of the principal's ticket-granting ticket. The shorter you make the maximum ticket renewable, the greater the security of the system. However, since principals must log in again to renew their ticket-granting ticket, the value needs to balance user convenience against the level of security required.
                          If you do not specify a maxtktrenew attribute value for an account, the maxtktrenew attribute value defined for the registry authorization policy is used. (See Maintaining Policies and Properties.) Renewable ticket functionality is not currently used by DCE RPC when refreshing service tickets. However, it is supported by the DCE Security Server and is useful for Kerberos V5 applications that use the DCE Security Server as a KDC.

Note: The maximum ticket lifetime and maximum ticket renewable can be set as registry properties for the registry as a whole with the dcecp registry modify command. When they are set with the dcecp account create or account modify commands, they apply only to the specific account.
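The following dcecp script is an added example and is not part of the original page. It shows both ways of supplying the attributes described above (attribute options, and a dcecp attribute list in which the same names appear without the leading dash), and it shows the -goodsince response to a compromised password. The principal, group, organization, password and timestamp values are constructed placeholders; the -mypwd option (the administrator's own password, which dcecp checks before it will create an account or change a password) is not covered on this page and is assumed here.

```tcl
# dcecp is a Tcl interpreter, so this file can be run as a script:
#     dcecp create_accounts.dcp
# All names, passwords and dates below are constructed placeholders.

# 1. Create a user account with attribute options. -group and -organization
#    have no default and must be supplied. -pwdvalid no forces the user to
#    choose a new password at first login, so the initial password is never
#    the one that stays in use. The ticket limits apply only to this account;
#    the registry policy still wins if it is stricter.
account create jsmith \
    -group users -organization acme \
    -password "Initial-Pw-1" -mypwd "Admin-Pw" \
    -home /home/jsmith -shell /bin/ksh \
    -description "J. Smith, payroll department" \
    -expdate 1997-12-31-23:59:59 \
    -pwdvalid no \
    -maxtktlife 10 -maxtktrenew 168

# 2. A server principal, supplied as a dcecp attribute list. The account
#    cannot log in as a client (client no) and must use user-to-user
#    authentication.
account create paysvc -mypwd "Admin-Pw" -attribute {
    {group services}
    {organization acme}
    {password "Svc-Pw-2"}
    {client no}
    {server yes}
    {usertouser yes}
    {description "payroll service principal"}
}

# 3. Responding to a compromised password: change the password AND move
#    -goodsince to the time of the change. Without the second step, tickets
#    obtained with the old password remain valid until they expire.
set changed_at 1996-06-30-17:00:00   ;# constructed: time the new password took effect
account modify jsmith -password "Replacement-Pw-3" -mypwd "Admin-Pw" \
    -goodsince $changed_at

# 4. Confirm the attributes actually stored in the registry.
account show jsmith
account show paysvc
```

Keep the plaintext passwords out of any script that is stored on disk or in shell history; the example writes them inline only so that it is self-contained.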

More:

Setting Ticket Lifetimes

Ticket-Granting Ticket Lifetimes and Service Ticket Lifetimes

Adding Accounts Example

Modifying Accounts

Deleting Accounts