account(1m)

NAME
account - A dcecp object that manages an account in the DCE Security
Service
SYNOPSIS
account catalog [cell_name] [-simplename]

account create account_name_list -mypwd password -password password
    -group group_name -organization organization_name
    [-attribute attribute_list | -attribute value]

account delete account_name_list

account generate account_name

account help [operation | -verbose]

account modify account_name_list [-mypwd password]
    {-change attribute_list | -attribute value}

account operations

account show account_name_list [-policies | -all]
ARGUMENTS

account_name
    The name of a single account to act on. See account_name_list for
    the name format.

account_name_list
    A list of one or more names of accounts to act on. Note that
    accounts are identified by principal names, so when you create an
    account you supply a principal name for the account name.

    Supply the names as follows:

    Fully qualified account names in the form
    /.../cell_name/account_name, /.:/account_name, or
    account_name@cell_name.

    Cell-relative account names in the form account_name. These names
    refer to an account in the cell identified in the _s(sec)
    convenience variable, or if the _s(sec) convenience variable is not
    set, in the local host's default cell.

    Do not mix fully qualified names and cell-relative names in a list.
    In addition, do not use the names of registry database objects that
    contain account information; in other words, do not use account
    names that begin with /.:/sec/account/.

cell_name
    The name of a specific cell (or /.: for the local cell) in which to
    catalog accounts.

operation
    The name of the account operation for which to display help
    information.
DESCRIPTION
The account object represents registry accounts. Although an account
is associated with one principal, one group, and one organization, it
is identified by the principal's primary name. Alias names are
differentiated for principals, so one principal can have multiple
accounts under different alias names.

When this command executes, it attempts to bind to the registry server
identified in the _s(sec) variable. If that server cannot process the
request or if the _s(sec) variable is not set, the command binds to
either an available slave server or the master registry server,
depending on the operation. Upon completion, the command sets the
_b(sec) convenience variable to the name of the registry server it
bound to.
ATTRIBUTES
The account object supports the following two kinds of attributes:

Account attributes
    Account attributes may or may not have default values. They assume
    a default value or a value set by administrators.

Policy attributes
    Policy attributes regulate such things as account and password
    lifetimes for all accounts associated with a particular registry.
    Policy attributes have registry wide default values. They always
    assume the most restrictive value whether it is the registry wide
    default value or a value set for an individual account.
Account Attributes

acctvalid
    A flag set to determine account validity. Its value is either yes
    or no. An account with an acctvalid attribute set to no is invalid
    and cannot be logged in to. The default is yes.

client
    A flag set to indicate whether the account is for a principal that
    can act as a client. Its value is either yes or no. If you set this
    flag to yes, the principal is able to log in to the account and
    acquire tickets for authentication. The default is yes.

created
    A list of two items. The first is the principal name of the creator
    of the account, the second is an ISO timestamp showing the time of
    creation. This attribute is set by the system at the time of
    account creation and cannot be specified or modified.

description
    A text string (limited to the Portable Character Set) typically used
    to describe the use of the account. The default is the empty string
    ("").

dupkey
    A flag set to determine whether tickets issued to the account's
    principal can have duplicate keys. Its value is either yes or no.
    The default is no.

    In DCE this attribute is currently only advisory. However, Kerberos
    clients and servers make use of it when they interact with a DCE
    Security server.

expdate
    The date on which the account expires. To renew the account, change
    the date in this field. To specify the time, use an ISO-compliant
    time format such as CCYY-MM-DD-hh:mm:ss or the string none. The
    default is none.

forwardabletkt
    A flag set to determine whether a new ticket-granting ticket with a
    network address that differs from the present ticket-granting
    ticket's network address can be issued to the account's principal.
    The proxiabletkt attribute performs the same function for service
    tickets. Its value is either yes or no. The default is yes.

    In DCE this attribute is currently only advisory. However, Kerberos
    clients and servers make use of it when they interact with a DCE
    Security server.

goodsince
    The date and time the account was last known to be in an
    uncompromised state. Any tickets granted before this date are
    invalid. The value is an ISO timestamp. When the account is
    initially created, the goodsince date is set to the current date.
    Control over this date is especially useful if you know that an
    account's password was compromised. Changing the password can
    prevent the unauthorized principal from accessing the system again
    using that password, but the changed password does not prevent the
    principal from accessing the system components for which tickets
    were obtained fraudulently before the password was changed. To
    eliminate the principal's access to the system, the tickets must be
    cancelled.

    The default is the time the account was created.

group
    The name of the group associated with the account. The value is a
    single group name of an existing group in the registry. This
    attribute must be specified for the account create command; it does
    not have a default value.

    If a group is deleted from the registry, all accounts associated
    with the group are also deleted.

home
    The file system directory in which the principal is placed at login.
    The default is the / directory.

lastchange
    A list of two items. The first is the principal name of the last
    modifier of the account; the second is an ISO timestamp showing the
    time of the last modification. This attribute is set by the system
    whenever the account is modified; it cannot be set or modified
    directly. The initial value consists of the principal name of the
    creator of the account and the time the account was created.

organization
    The name of the organization associated with the account. The value
    is a single organization name of an existing organization in the
    registry. This attribute must be specified for the account create
    command; it does not have a default value.

    If an organization is deleted from the registry, all accounts
    associated with the organization are deleted also.

password
    The password of the account. This attribute must be specified for
    the account create command; there is no default value. This
    attribute is not returned by an account show command.

postdatedtkt
    A flag set to determine if tickets with a start time some time in
    the future can be issued to the account's principal. Its value is
    either yes or no. The default is no.

    In DCE, this attribute is currently only advisory. However, Kerberos
    clients and servers make use of it when they interact with a DCE
    Security server.

proxiabletkt
    A flag set to determine whether a new ticket with a different
    network address than the present ticket can be issued to the
    account's principal. The forwardabletkt attribute performs the same
    function for ticket-granting tickets. Its value is either yes or
    no. The default is no.

    In DCE, this attribute is currently only advisory. However, Kerberos
    clients and servers make use of it when they interact with a DCE
    Security server.

pwdvalid
    A flag set to determine whether the current password is valid. If
    this flag is set to no, the next time a principal logs in to the
    account, the system prompts the principal to change the password.
    (Note that this flag is separate from the pwdexpdate policy, which
    sets time limits on password validity.) Its value is either yes or
    no. The default is yes.

renewabletkt
    A flag set to determine if the ticket-granting ticket issued to the
    account's principal can be renewed. If this flag is set to yes, the
    authentication service renews the ticket-granting ticket if its
    lifetime is valid. Its value is either yes or no. The default is
    yes.

    In DCE this attribute is currently only advisory. However, Kerberos
    clients and servers make use of it when they interact with a DCE
    Security server.

server
    A flag set to indicate whether the account is for a principal that
    can act as a server. Its value is either yes or no. This flag
    should be yes for any server that engages in authenticated
    communications. The default is yes.

shell
    The path of the shell that is executed when a principal logs in.
    The legal value is any shell supported by the home cell. The default
    value is the empty string ("").

stdtgtauth
    A flag set to determine whether service tickets issued to the
    account's principal use the standard DCE ticket-granting ticket
    authentication mechanism. Its value is either yes or no. The
    default is yes.
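The following Python is an added example, not code from this reference page or from DCE: it parses the Tcl-style attribute list that account show returns (the John_Hunter listing from this page, embedded as constructed sample input) and applies the goodsince, acctvalid and expdate rules described above. The helper names (tcl_list, parse_account, parse_dce_time, ticket_still_valid, account_usable) are the example's own.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample input: the `account show John_Hunter` output printed on
# this page, joined into one line the way dcecp returns a Tcl list.
SAMPLE_SHOW = (
    "{acctvalid yes} {client yes} "
    "{created /.../my_cell.goodco.com/cell_admin 1994-06-15-18:31:08.000+00:00I-----} "
    "{description {}} {dupkey no} {expdate 1998-03-19-00:00:00.000+00:00I-----} "
    "{forwardabletkt yes} {goodsince 1994-06-15-18:31:05.000+00:00I-----} "
    "{group users} {home /} "
    "{lastchange /.../my_cell.goodco.com/cell_admin 1994-06-16-12:21:07.000+00:00I-----} "
    "{name John_Hunter} {organization users} {postdatedtkt no} {proxiabletkt no} "
    "{pwdvalid yes} {renewabletkt yes} {server yes} {shell /bin/csh} {stdtgtauth yes}"
)

# CCYY-MM-DD-hh:mm:ss[.fff][+hh:mm][I...]; the I----- suffix is the DTS inaccuracy field.
TS_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})-(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?"
                   r"(?:([+-])(\d{2}):(\d{2}))?(?:I\S*)?$")

def tcl_list(text):
    """Split a Tcl-style list into elements, keeping {braced} groups whole."""
    items, cur, depth = [], [], 0
    for ch in text:
        if ch == "{" and depth == 0:
            depth = 1
        elif ch == "}" and depth == 1:
            depth = 0
            items.append("".join(cur)); cur = []
        elif ch.isspace() and depth == 0:
            if cur: items.append("".join(cur)); cur = []
        else:
            depth += (ch == "{") - (ch == "}")  # nested braces stay literal
            cur.append(ch)
    if cur: items.append("".join(cur))
    return items

def parse_account(show_output):
    """Map attribute name to value; created/lastchange keep both items."""
    acct = {}
    for item in tcl_list(show_output):
        name, *vals = tcl_list(item)
        acct[name] = vals[0] if len(vals) == 1 else vals
    return acct

def parse_dce_time(stamp):
    """Parse a DCE/ISO timestamp into a timezone-aware datetime."""
    m = TS_RE.match(stamp)
    if not m:
        raise ValueError("bad DCE timestamp: " + stamp)
    y, mo, d, h, mi, s, frac, sign, oh, om = m.groups()
    micros = int((frac or "0").ljust(6, "0")[:6])
    off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
    tz = timezone(-off if sign == "-" else off)
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micros, tz)

def ticket_still_valid(acct, issued_at):
    """goodsince rule: any ticket issued before goodsince is invalid."""
    return issued_at >= parse_dce_time(acct["goodsince"])

def account_usable(acct, now):
    """acctvalid must be yes and expdate, unless none, must lie in the future."""
    if acct.get("acctvalid") != "yes":
        return False
    exp = acct.get("expdate", "none")
    return exp == "none" or parse_dce_time(exp) > now
```

After a compromise, moving goodsince forward (account modify -goodsince) is what invalidates tickets already issued; ticket_still_valid shows the comparison the page describes.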
Policy Attributes

maxtktlife
    The maximum amount of time that a ticket can be valid. To specify
    the time, use the Distributed Time Service (DTS) relative time
    format ([-]DD-hh:mm:ss). When a client requests a ticket to a
    server, the lifetime granted to the ticket takes into account the
    maxtktlife set for both the server and the client. In other words,
    the lifetime cannot exceed the shorter of the server's or client's
    maxtktlife. If you do not specify a maxtktlife for an account, the
    maxtktlife defined as registry authorization policy is used.

maxtktrenew
    The amount of time before a principal's ticket-granting ticket
    expires and that principal must log in to the system again to
    reauthenticate and obtain another ticket-granting ticket. To
    specify the time, use the DTS relative time format
    ([-]DD-hh:mm:ss). The lifetime of the principal's service tickets
    can never exceed the lifetime of the principal's ticket-granting
    ticket. The shorter you make maxtktrenew, the greater the security
    of the system. However, since principals must log in again to renew
    their ticket-granting ticket, the time specified needs to balance
    user convenience against the level of security required. If you do
    not specify this for an account, the maxtktrenew lifetime defined
    as registry authorization policy is used.

    This feature is not currently used by DCE; any use of this option
    is unsupported at the present time.

See the OSF DCE Administration Guide for more information about account
attributes.
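An added example, not part of this reference page or of DCE: the maxtktlife rule above worked through in Python, with a parser for the DTS relative time format and constructed sample policy values (the registry policy, client and server dictionaries are assumptions, not values from the page).

```python
import re
from datetime import timedelta

DTS_RE = re.compile(r"^(-?)(\d+)-(\d{2}):(\d{2}):(\d{2})$")

def parse_dts(rel):
    """Parse a DTS relative time [-]DD-hh:mm:ss into a timedelta."""
    m = DTS_RE.match(rel)
    if not m:
        raise ValueError("bad DTS relative time: " + rel)
    neg, d, h, mi, s = m.groups()
    td = timedelta(days=int(d), hours=int(h), minutes=int(mi), seconds=int(s))
    return -td if neg else td

def format_dts(td):
    """Render a timedelta back in the DTS relative time format."""
    secs = int(td.total_seconds())
    sign, secs = ("-", -secs) if secs < 0 else ("", secs)
    d, rem = divmod(secs, 86400)
    h, rem = divmod(rem, 3600)
    mi, s = divmod(rem, 60)
    return "%s%d-%02d:%02d:%02d" % (sign, d, h, mi, s)

def account_maxtktlife(acct, registry_policy):
    """An account's maxtktlife, falling back to registry policy when unset."""
    return parse_dts(acct.get("maxtktlife") or registry_policy)

def effective_maxtktlife(client, server, registry_policy):
    """A ticket's lifetime cannot exceed the shorter of the client's and
    the server's maxtktlife."""
    return min(account_maxtktlife(client, registry_policy),
               account_maxtktlife(server, registry_policy))

def service_ticket_lifetime(requested, client, server, registry_policy, tgt_left):
    """Lifetime granted: the request, capped by the effective maxtktlife
    and by the time left on the client's ticket-granting ticket."""
    return min(parse_dts(requested),
               effective_maxtktlife(client, server, registry_policy),
               parse_dts(tgt_left))

# Constructed sample values (assumptions for this example, not from the page).
REGISTRY_MAXTKTLIFE = "1-00:00:00"                 # registry authorization policy
CLIENT = {"name": "John_Hunter", "maxtktlife": "0-10:00:00"}
SERVER = {"name": "hosts/pmin17/self"}             # no maxtktlife: policy applies
```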
OPERATIONS

account catalog
Returns a list of the names of all accounts in the registry. The
syntax is as follows:

account catalog [cell_name] [-simplename]

Options

-simplename
    Returns a list of account names in the registry without prepending
    the name of the cell.

The catalog operation returns a list of the names of all accounts in
the local registry database. Use the cell_name argument to return a
list of accounts in another cell's registry. By default, fully
qualified names are returned in the form cell_name/account_name. Use
the -simplename option to return the names without the cell name in
the form account_name.

Privileges Required

You must have r (read) permission to the principal named in the
account.

Examples

dcecp> account catalog -simplename
nobody
root
daemon
uucp
bin
dce-ptgt
dce-rgy
krbtgt/goodco.com
cell_admin
hosts/pmin17/self
hosts/pmin17/cds-server
hosts/pmin17/gda
ward
dcecp>

dcecp> account catalog
/.../goodco.com/nobody
/.../goodco.com/root
/.../goodco.com/daemon
/.../goodco.com/uucp
/.../goodco.com/bin
/.../goodco.com/dce-ptgt
/.../goodco.com/dce-rgy
/.../goodco.com/krbtgt/goodco.com
/.../goodco.com/cell_admin
/.../goodco.com/hosts/pmin17/self
/.../goodco.com/hosts/pmin17/cds-server
/.../goodco.com/hosts/pmin17/gda
/.../goodco.com/ward
dcecp>
account create
Creates a new account in the registry database. The syntax is as
follows:

account create account_name_list -mypwd password -password password
    -group group_name -organization organization_name
    [-attribute attribute_list | -attribute value]

Options

-attribute value
    As an alternative to using the -attribute option with an attribute
    list, you can specify individual attribute options by prepending a
    hyphen (-) to any attributes listed in the ATTRIBUTES section of
    this reference page.

-attribute attribute_list
    Allows you to specify attributes by using an attribute list rather
    than individual attribute options. The format of an attribute list
    is as follows:

    {{attribute value}...{attribute value}}

-group group_name
    The name of the group to associate with the account. See Account
    Attributes for the format of a group name.

-mypwd password
    Your privileged password. You must enter your privileged password
    to create an account. This check prevents a malicious user from
    using an existing privileged session to create unauthorized
    accounts. You must specify this option on the command line; it
    cannot be supplied in a script.

-organization organization_name
    The name of the organization to associate with the account. See
    Account Attributes for the format of an organization name.

-password password
    The account password. See Account Attributes for the format of a
    password.

The create operation creates a new account. The account_name_list
argument is a list of names of principals for which the accounts are to
be created. This operation returns an empty string on success.

You must specify the group, organization, password, and mypwd
attributes on the command line (either in an attribute list or with
attribute options). The attributes specified are applied to all of the
accounts created.

To protect the account password being entered, the account create
command can be entered only from within dcecp. You cannot enter this
command from the operating system prompt by using dcecp with the -c
option.

Before you can create a new account, you must create a principal by
using the principal create command. Then you must add the principal to
an existing group and organization using the group add and organization
add commands.

Privileges Required

You must have the following permissions:

    gmau (groups, mgmt_info, auth_info, and user_info) permissions to
    the principal named in the account

    rtM (read, test, Member_list) permissions to the organization named
    in the account

    tM (test, Member_list) permissions to the group named in the account

    r (read) permission on the registry policy object.

Examples

dcecp> principal create John_Hunter
dcecp>

dcecp> group add users -member John_Hunter
dcecp>

dcecp> organization add users -member John_Hunter
dcecp>

dcecp> account create John_Hunter -group users -organization users \
> -mypwd my.secret.password -password change.me
dcecp>

dcecp> account create jimbo@gumby_cell -group none -organization none \
> -mypwd my.secret.password -password change.me
dcecp>
account delete
Deletes existing accounts from the registry. The syntax is as follows:

account delete account_name_list

The delete operation deletes existing accounts from the registry. The
argument is a list of names of accounts to be deleted. If the accounts
do not exist, an error is generated. This operation returns an empty
string on success.

Privileges Required

You must have rmau (read, mgmt_info, auth_info, user_info) permissions
for the principal named in the account.

Examples

dcecp> account delete john_hunter
dcecp>
account generate
Randomly generates a password for a named account. The syntax is as
follows:

account generate account_name

To run the account generate command, the pwd_strength server must be
running, the principal identified by account_name must exist, and the
pwd_mgmt_binding and pwd_val_type Extended Registry Attributes must be
attached to that principal. Otherwise, an error is generated. The
command returns a randomly generated password on success.

See the OSF DCE Administration Guide for more information about the
pwd_strength server.

After the password is generated, run the account create command to
establish the account. Supply the randomly generated password as the
account's password (using the -password option).

Privileges Required

You must have the gmau (groups, mgmt_info, auth_info, and user_info)
permissions for the principal named in the account.

Examples

dcecp> account generate john_hunter
7xZ34yF
dcecp>
account help
Returns help information about the account object and its operations.
The syntax is as follows:

account help [operation | -verbose]

Options

-verbose
    Displays information about the account object.

Used without an argument or option, the account help command returns
brief information about each account operation. The optional operation
argument is the name of an operation about which you want detailed
information. Alternatively, you can use the -verbose option for more
detailed information about the account object itself.

Privileges Required

No special privileges are needed to use the account help command.

Examples

dcecp> account help
catalog             Returns the names of all accounts in the registry.
create              Creates an account in the registry.
delete              Deletes an account from the registry.
generate            Generates a random password for an account in the registry.
modify              Modifies an account in the registry.
show                Returns the attributes of an account.
help                Prints a summary of command-line options.
operations          Returns a list of the valid operations for this command.
dcecp>
account modify
Changes attributes and policies of existing accounts. The syntax is as
follows:

account modify account_name_list [-mypwd password]
    {-change attribute_list | -attribute value}

Options

-attribute value
    As an alternative to using the -change option with an attribute
    list, you can specify individual attribute options by prepending a
    hyphen (-) to any attributes listed in the ATTRIBUTES section of
    this reference page.

-change attribute_list
    Allows you to modify attributes by using an attribute list rather
    than individual attribute options. The format of an attribute list
    is as follows:

    {{attribute value}...{attribute value}}

-mypwd password
    Lets you supply your privileged password when changing policy or
    administration data. You must enter your privileged password to
    change an account password; otherwise, the -mypwd option is
    optional. This check prevents a malicious user from using an
    existing privileged session to modify passwords of existing
    accounts.

The modify operation modifies account attributes. The -add and -remove
options are not supported because the attributes created when the
account is created cannot be deleted, nor can additional attributes be
added. To change an account attribute, supply the new value in an
attribute list or as an individual attribute option. This operation
returns an empty string on success.

When an account's password is being modified, in order to protect the
password being entered, you can execute the account modify command only
from within the dcecp program; you cannot execute it from the operating
system prompt using dcecp with the -c option.

Privileges Required

You must have rm (read, mgmt_info) permissions for the principal named
in the account.

Examples

The following example changes the account's expiration date and login
shell by specifying the expdate and shell attributes as individual
attribute options.

dcecp> account modify John_Hunter -expdate 1998-03-19-00:00:00.000 -shell /bin/csh
dcecp>

dcecp> account show John_Hunter
{acctvalid yes}
{client yes}
{created /.../my_cell.goodco.com/cell_admin 1994-06-15-18:31:08.000+00:00I-----}
{description {}}
{dupkey no}
{expdate 1998-03-19-00:00:00.000+00:00I-----}
{forwardabletkt yes}
{goodsince 1994-06-15-18:31:05.000+00:00I-----}
{group users}
{home /}
{lastchange /.../my_cell.goodco.com/cell_admin 1994-06-16-12:21:07.000+00:00I-----}
{name John_Hunter}
{organization users}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell /bin/csh}
{stdtgtauth yes}
dcecp>
account operations
Returns a list of the operations supported by the account object. The
syntax is as follows:

account operations

The list of available operations is in alphabetical order except for
help and operations, which are listed last.

Privileges Required

No special privileges are needed to use the account operations command.

Examples

dcecp> account operations
catalog create delete generate modify show help operations
dcecp>
account show
Returns attribute information for the specified accounts. The syntax
is as follows:

account show account_name_list [-policies | -all]

Options

-policies
    Returns only account policies.

-all
    Returns account attributes followed by account policies.

The show operation returns an attribute list describing the specified
accounts. The argument is a list of names of accounts to be operated
on. If more than one account is given, the attributes and policies are
concatenated and a blank line inserted between accounts. The -policies
option lets you return the policies of the account instead of the
attributes. The -all option returns the attributes followed by the
policies.

Attributes and policies are returned in lexical order. If the account
has no policies, the operation displays the string nopolicy.

The policies that are actually in effect can be different from the
account policies due to conflicts with registry wide policies. If this
is the case, the show operation alters the attribute structure on
output to include an effective tag and the effective value, much in the
same way organization show does.

Privileges Required

You must have r (read) permission to the principal named in the
account.

Examples

dcecp> account show John_Hunter
{acctvalid yes}
{client yes}
{created /.../my_cell.goodco.com/cell_admin 1994-06-15-18:31:08.000+00:00I-----}
{description {}}
{dupkey no}
{expdate 1998-03-19-00:00:00.000+00:00I-----}
{forwardabletkt yes}
{goodsince 1994-06-15-18:31:05.000+00:00I-----}
{group users}
{home /}
{lastchange /.../my_cell.goodco.com/cell_admin 1994-06-16-12:21:07.000+00:00I-----}
{name John_Hunter}
{organization users}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell {}}
{stdtgtauth yes}
dcecp>
RELATED INFORMATION
Commands: dcecp(1m), dcecp_group(1m), dcecp_organization(1m),
dcecp_principal(1m), dcecp_registry(1m).