Account Subcommands
view
Synopsis
v[iew] [pname [gname [oname]]] [-f]
Description
Displays login accounts.
Without the -f option, view displays only the user fields in each account entry. These fields include each accounts
Principal, group, and organization name
Encrypted password
Miscellaneous information
Home directory
Login shell
With -f, view displays the full entry, including the administrative fields as well as the user fields. Administrative information includes:
Who created the account
When the account was created
Who last changed the account
When the account was last changed
When the account expires
Whether the account is valid
Whether the account principals password is valid
When the account principals password was last changed
add
Synopsis
a[dd] [pname [-g gname -o oname -mp password
{-rp | -pw password}
[-m misc] [-h homedir] [-s shell]
[-pnv | -pv] [-x account_exp | none]
[-anv | -av]
[ [-ena[ble] option | -dis[able] option]...]
[-gs date_and_time] [-mcr
lifespan] [-mcl lifespan]]]
Description
Creates a login account.
If you enter the subcommand only or the subcommand and the optional pname argument (principal name), rgy_edit prompts you for all information. If you enter the subcommand, the pname argument, and the gname (group name) argument or the pname, gname and oname (organization name) arguments, you must also enter the -mp, and -pw or -rp options. All other options are optional.
The pname argument specifies the principal for whom the account should be created. The -g and -o options specify the accounts group and organization. If the principal specified in pname is not already a member of the specified group and organization, rgy_edit automatically attempts to add the principal to the membership lists. If you do not have the appropriate permissions for the group and organization, the attempt fails and the account is not created.
The -rp option generates a random password for the account. The primary use of this option is to create passwords for accounts that will not be logged into (because the random password can never be supplied.) The -pw option is used to supply a password for the account on the command line.
If you use the -rp option or the -pw option, you must also use the -mp option to supply your password so your identity can be validated.
If you do not specify the -rp option or the -pw option, rgy_edit prompts for the accounts password twice to ensure you did not make a typing mistake. Then it prompts for your password to verify your identity.
If the users password management policy allows the selection of generated passwords, specifying * as the argument to the -pw option or at the accounts password prompt generates a plaintext password.
If the users password management policy requires the selection of generated passwords, specifying the -pw option is an error. rgy_edit displays a generated password and then prompts for the password for confirmation. The format of password must adhere to the policy of the associated organization or the policy of the registry as a whole, whichever is more restrictive.
The information supplied with the -m option is used to create the GECOS field for the account in the /etc/passwd file. If you run the passwd_export command, this entry contains the concatenation of the principals full name and the information specified with the -m option.
The -h option specifies the pathname of the principals home directory. The default homedir is /. The -s option specifies the pathname of the principals login shell. The default shell is a null string.
The -pnv (password not valid) option specifies that the password has expired. Generally, users must change their passwords when the passwords expire. However, the policy to handle expired passwords and the mechanism by which users change their passwords are defined for each platform, usually through the login facility. The -pv option indicates the password is not expired (the default).
The -x option sets an expiration date for the account in yy/mm/dd/hh/mm/ss format. The default is none, meaning that the password never expires.
The -anv (account not valid) option specifies that the account is not currently valid for login. The -av option indicates the account is currently valid (the default).
The -enable and -disable options set or clear the following options:
The c[lient] option, if enabled, allows the principal to act as a client and log in, acquire tickets, and be authenticated. If you disable client, the principal cannot act as a client. The default is enabled.
The s[erver] option, if enabled, allows the principal to act as a server and engage in authenticated communication. If you disable server, the principal cannot act as a server that engages in authenticated communication. The default is enabled.
The po[stdated] option, if enabled, allows tickets with a start time some time in the future to be issued to the accounts principal. The default is disabled.
The f[orwardable] option, if enabled, allows a new ticket-granting ticket with a network address that differs from the present ticket-granting ticket address to be issued to the accounts principal. The default is enabled.
The pr[oxiable] option, if enabled, allows a new ticket with a different network address than the present ticket to be issued to the accounts principal. The default is disabled.
The T[GT_authentication] option, if enabled, specifies that tickets issued to the accounts principal can use the ticket-granting-ticket authentication mechanism. The default is enabled.
The r[enewable] option turns on the Kerberos V5 renewable ticket feature. This feature is not currently used by the DCE; this option is unsupported at the present time.
The dup[_session_key] option allows tickets issued to the accounts principal to have duplicate keys. The default is disabled.
The -gs (good since date) is the date and time the account was last known to be valid. When accounts are created, this date is set to the account creation time. If you change the good since date, any tickets issued before the changed date are invalid. Enter the date in yy/mm/dd.hh:mm format.
The -mcr (maximum certificate renewable) option is the number of hours before a session with the principals identity expires and the principal must log in again to reauthenticate. The default is 4 weeks.
The -mcl (maximum certificate lifetime) option is the number of hours before the Authentication Service must renew a principals service certificates. This is handled automatically and requires no action on the part of the principal. The default is 1 day.
change
Synopsis
c[hange] [-p pname] [-g gname] [-o oname]
[-np pname] [-ng gname]
[-no oname]
[{-rp | -pw password} -mp password]
[-m misc] [-h homedir]
[-s shell] [-pnv | -pv]
[-x account_exp | none]
[-anv | -av] [[-ena[ble]
option | -dis[able] option]...]
[-gs date_and_time] [-mcr lifespan] [-mcl lifespan]
Description
Changes an account.
The -p, -g, and -o options identify the account to change. The -np, -ng, and -no options change the accounts, principal, group, and organization, respectively.
If you do not specify all three -p, -g, and -o options, wildcard updates can occur. For example, if you specify only the -g option, the changes affect all accounts that are associated with the named group. Note that you cannot use wildcarding to change passwords. To change a password, you must enter the -p, -g, and -o options.
All other options have the same meaning as described in the add command for accounts. Note that the -rp option can be used to change the random passwords of the reserved accounts created by sec_create_db when the registry database is created.
delete
Synopsis
del[ete] -p pname [-g gname] [-o oname]
Description
Deletes the specified account.
Enter the -p option to delete the specified principals account. Enter the -g or -o option to delete accounts associated with the specified group or organization. If you enter the -g or -o option, rgy_edit prompts individually for whether to delete each account associated with the group or organization.
cell
Synopsis
ce[ll] cellname [-ul unix_num] [-uf unix_num] [-gl gname]
[-ol oname] [-gf
gname] [-of oname] [-mp passwd]
[-fa name] [-fp passwd] [-q quota]
[-x account_expiration_date | none]
Description
Creates a cross-cell authentication account in the local and foreign cells.
This account allows local principals to access objects in the foreign cell as authenticated users and vice versa. The administrator in the foreign cell must have also set up a standard account, whose ID and password the administrator of the foreign cell must supply to you.
The cellname variable specifies the full pathname of the foreign cell with which you will establish the cross-cell authentication account. This name is stripped of the path qualifier and prefixed with krbtgt. The resulting name is used as the primary name for the cross-cell authentication account. For example, if you enter /.../dresden.com, the principal name is krbtgt/dresden.com.
The -ul option specifies the UNIX number for the local cells principal. The -uf option specifies the UNIX number for the foreign cells principal. If you do not specify these UNIX numbers, they are generated automatically.
The -gl and -ol options specify the local accounts group and organization. The -gf and -of options specify the foreign accounts group and organization.
The -mp option specifies the password of the person who invoked rgy_edit.
The -fa option specifies the name identifying the account in the foreign cell, and the -fp option specifies the accounts password.
The -q option specifies the total number of objects that can be created in your cells registry by all foreign users who use the cross-cell authentication account to access your cell. The object creation quota defaults to 0 (zero), meaning that principals in the foreign cell cannot create objects in the local cell. The object creation quota set for your cells account in the foreign cell places the same restriction on the number of objects that your cells principals can create in the foreign cells registry.
The -x option specifies the account expiration date for both the local and foreign accounts. The default for this option is none.
Note that the object creation quota for the local account defaults to 0 (zero), meaning that principals in the foreign cell cannot create objects in the local cell. You can change this with the rgy_edit change subcommand.