Restarting a Security Server in Locksmith Mode

To restart a security server in locksmith mode, perform the following steps on the node on which the master replica is running. You must have root access to this node.

1. Shut down the security server.

a. If you cannot log in with administrative privileges and access dcecp to shut down the server, log in as root on the machine on which the server is running and kill the security server process.

b. If you are able to log in with administrative privileges, use the dcecp registry stop command to shut down the security server. When you use this command, you must supply the fully qualified name of the replica to stop as an argument. The following sample command stops the replica named slave_3:

dcecp> registry stop /.../giverny.com/subsys/dce/sec/slave_3

2. Start the security server in locksmith mode. The following example shows the security server started with the locksmith account that was created for the principal named master_admin. The -remote option is also supplied to allow master_admin to log in from a remote node; otherwise, master_admin must log in from the node on which the security server was started.

dcelocal/bin/secd -locksmith master_admin -remote

If the locksmith account exists but you have lost its password, use the -lockpw option to cause secd to prompt you for a new locksmith password and replace the existing password with the one you enter.

The security server normally runs in the background. When you start a security server in locksmith mode, it runs in the foreground so that you can answer prompts.

Once the security server is started in locksmith mode, you can use the dcecp registry modify command to change the registry so that the standard privileged account can access it. After these changes are made, you should do the following:

1. Shut down the security server that is running in locksmith mode.

2. Restart a security server according to your standard procedures.
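
The final two steps depend on no secd process being left in locksmith mode. The following check is an added example, not part of the original documentation: it scans a process listing for secd instances started with -locksmith and reports the principal and whether -remote or -lockpw was given. The function names, the "PID COMMAND ARGS" input format, and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report secd processes still running in locksmith mode.
# Input on stdin: lines in "PID COMMAND ARGS..." form, for example the
# output of `ps -eo pid,args` (this input format is an assumption).

find_locksmith_secd() {
    # Prints one line per match: "<pid> <principal> <remote|local> <lockpw|->"
    awk '
    {
        # $2 is the command path; only the secd binary itself is of interest,
        # so header lines and unrelated commands (e.g. "grep secd") are skipped.
        n = split($2, parts, "/")
        if (parts[n] != "secd") next

        principal = ""; remote = "local"; lockpw = "-"
        for (i = 3; i <= NF; i++) {
            if ($i == "-locksmith" && i < NF) principal = $(i + 1)
            if ($i == "-remote") remote = "remote"
            if ($i == "-lockpw") lockpw = "lockpw"
        }
        # A secd without -locksmith is a normally started server: not reported.
        if (principal != "") print $1, principal, remote, lockpw
    }'
}

# Succeeds (exit 0) only when the listing on stdin contains no
# locksmith-mode secd, i.e. step 1 of the wrap-up has been completed.
locksmith_cleared() {
    [ -z "$(find_locksmith_secd)" ]
}

# Constructed sample listing (not captured from a real system).
sample_ps() {
    cat <<'EOF'
  PID COMMAND
  412 dcelocal/bin/rpcd
  977 dcelocal/bin/secd -locksmith master_admin -remote
 1034 grep secd
 1101 dcelocal/bin/secd
EOF
}
```

On the node itself, feed the functions a live listing, for example `ps -eo pid,args | find_locksmith_secd`; with the constructed sample, the only line reported is `977 master_admin remote -`.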