
account(8dce)

A dcecp object that manages an account in the DCE Security Service

Synopsis

account catalog [cell-name] [-simplename]

account create account_name_list -mypwd password
-password password -group group_name
-organization organization_name
[-attribute attribute_list | -attribute value]

account delete account_name_list

account generate account_name

account help [operation | -verbose]

account modify account_name_list [-mypwd password] {-change attribute_list | -attribute value}

account operations

account show account_name_list [-policies | -all]

Arguments

account_name_list
A list of one or more names of accounts to act on. Note that accounts are identified by principal names, so when you create an account you supply a principal name for the account name.

Supply the names as follows:

· Fully qualified account names in the form /.../cell_name/account_name or /.:/account_name

· Cell-relative account names in the form account_name. These names refer to an account in the cell identified in the _s(sec) convenience variable, or, if the _s(sec) convenience variable is not set, in the local host's default cell.

Do not mix fully qualified names and cell-relative names in a list. In addition, do not use names of registry database objects that contain account information; in other words, do not use account names that begin with /.:/sec/account/.

account_name
The name of a single account to act on. See account_name_list for the name format.

cell_name
The name of a specific cell (or /.: for the local cell) in which to catalog accounts.

operation
The name of one specific account operation for which to display help information.
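The following Python check is an added example and is not part of the DCE documentation or of dcecp itself. It applies the account_name_list rules above to a list of names: it recognises the two fully qualified forms and the cell-relative form, rejects registry object names, and rejects lists that mix the two styles. LOCAL_CELL is an assumed cell name standing in for the cell named by _s(sec) or the host's default cell; rejecting any name whose account part begins with sec/account/ (under either the /.:/ or the /.../cell_name/ prefix) generalises the /.:/sec/account/ rule stated above.

```python
import re

# Assumed local cell name for this example; it stands in for the cell named
# by the _s(sec) convenience variable or the local host's default cell.
LOCAL_CELL = "/.../example.com"

# Fully qualified forms: /.../cell_name/account_name or /.:/account_name
FULLY_QUALIFIED_RE = re.compile(r"^(/\.\.\./[^/]+|/\.:)/(.+)$")


def classify_account_name(name):
    """Return (form, cell, account) where form is 'qualified' or 'relative'.

    For the /.:/ prefix the cell is returned as the literal '/.:' and is
    resolved by the caller. Relative names may be hierarchical (hosts/x/self).
    """
    m = FULLY_QUALIFIED_RE.match(name)
    if m:
        return "qualified", m.group(1), m.group(2)
    if name.startswith("/"):
        raise ValueError(f"unrecognised account name form: {name!r}")
    return "relative", None, name


def resolve_account_name_list(names, default_cell=LOCAL_CELL):
    """Validate an account_name_list and resolve every name to one cell.

    Rejects registry object names (account part beginning with sec/account/,
    which covers /.:/sec/account/... and /.../cell/sec/account/...) and lists
    that mix fully qualified and cell-relative names. Returns a list of
    (cell, account_name) pairs; /.:/ and relative names map to default_cell.
    """
    if not names:
        raise ValueError("account_name_list must contain at least one name")
    resolved, forms = [], set()
    for name in names:
        form, cell, account = classify_account_name(name)
        if account.startswith("sec/account/"):
            raise ValueError(f"registry object name not allowed: {name!r}")
        forms.add(form)
        if cell is None or cell == "/.:":
            cell = default_cell
        resolved.append((cell, account))
    if len(forms) > 1:
        raise ValueError("do not mix fully qualified and cell-relative names")
    return resolved


def is_valid_account_name_list(names, default_cell=LOCAL_CELL):
    """True when resolve_account_name_list accepts the list."""
    try:
        resolve_account_name_list(names, default_cell)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for names in (["smith", "hosts/node1/self"], ["/.:/smith"],
                  ["smith", "/.:/jones"], ["/.:/sec/account/smith"]):
        print(names, "->", is_valid_account_name_list(names))
```

Hierarchical relative names such as hosts/node1/self are accepted because host principals are named that way; only names that start with a slash but match neither fully qualified form are rejected outright.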

Description
The account object represents registry accounts. Each account is associated with one principal, one group, and one organization; however, accounts are named by just the principal name. Aliases are differentiated for principals, so one principal can have multiple accounts under different alias names. The account has attributes that specify the group and organization of the account; these must be specified when the account is created.

When this command executes, the _b(sec) convenience variable is set to the name of the server that was bound to for the command. The value of the _s(sec) variable before the command is treated as a hint: the server it specifies is contacted if it can service the request. One case in which it cannot service the request is when a read-only registry was bound to and the next command is a create, modify, or delete command; in that case the master registry is bound to automatically and the _b(sec) variable is updated accordingly. The value of the _s(sec) variable is the name of the registry bound to, in one of the formats specified as valid for the argument to the registry object.

Attributes

The account object supports two kinds of attributes.

· Account attributes may or may not have default values. They assume a default value or a value set by administrators.

· Policy attributes regulate such things as account and password lifetimes for a particular account. Policy attributes have registry-wide default values. Policy attributes always assume the most restrictive value, whether that is the registry-wide default value or a value set by administrators.

· Public Key attributes regulate the creation and modification of public key pairs used for public key authentication.

Account Attributes

acctvalid {yes | no}
A flag set to determine account validity. Possible values are either yes or no. An account with an acctvalid attribute set to no is invalid and cannot be logged into. The default is yes.

client {yes | no}
A flag set to indicate whether the account is for a principal that can act as a client. Possible values are either yes or no. If you set this flag to yes, the principal is able to log in to the account and acquire tickets for authentication. The default is yes.

created creators_name ISO_timestamp
A list of two items. The first is the principal name of the creator of the account, the second is an ISO timestamp showing the time of creation. This attribute is set by the system and may not be modified.

description
A text string (limited to PCS) that typically describes the use of the account.

dupkey {yes | no}
A flag set to determine if tickets issued to the account's principal can have duplicate keys. Possible values are either yes or no. The default is no.

expdate date
The date on which the account expires. To renew the account, change the date in this field. Specify the time using an ISO-compliant time format such as CCYY-MM-DD-hh:mm:ss or the string none. The default is none.

forwardabletkt {yes | no}
A flag set to determine whether a new ticket-granting ticket with a network address that differs from the present ticket-granting ticket network address can be issued to the account's principal. The proxiabletkt attribute performs the same function for service tickets. Possible values are either yes or no. The default is yes.

goodsince ISO_timestamp
The date and time the account was last known to be in an uncompromised state. Any tickets granted before this date are invalid. The value is an ISO timestamp. When the account is initially created, the goodsince date is set to the current date. Control over this date is especially useful if you know that an account's password was compromised. Changing the password can prevent the unauthorized principal from accessing the system again using that password, but it does not prevent the principal from accessing the system components for which tickets were obtained fraudulently before the password was changed. To eliminate the principal's access to the system, the tickets must be canceled.

group group_name
The name of the group associated with the account. The value is a single group name of an existing group in the registry. This attribute must be specified on an account create command; it does not have a default value. If this group is deleted from the registry, all accounts associated with the group are also deleted.

home directory_name
The file system directory in which the principal is placed at login.

lastchange principal_name ISO_timestamp
A list of two items. The first is the principal name of the last modifier of the account, the second is an ISO timestamp showing the time of the last modification. This attribute is set by the system and may not be modified directly.

organization organization_name
The name of the organization associated with the account. The value is a single organization name of an existing organization in the registry. This attribute must be specified on an account create command; it does not have a default value. If this organization is deleted from the registry, all accounts associated with the organization are also deleted.

password password
The value of this attribute is the password of the account. There is no default value, so this attribute must be specified in an account create command. This attribute is not returned by an account show command.

postdatedtkt {yes | no}
A flag set to determine if tickets with a start time some time in the future can be issued to the account's principal. Possible values are either yes or no. The default is no.

proxiabletkt {yes | no}
A flag set to determine whether or not a new ticket with a different network address than the present ticket can be issued to the account's principal. The forwardabletkt attribute performs the same function for ticket-granting tickets. Possible values are either yes or no. The default is no.

pwdvalid {yes | no}
A flag set to determine whether the current password is valid. If this flag is set to no, the next time a principal logs in to the account, the system prompts the principal to change the password. (Note that this flag is separate from the pwdexpdate policy, which sets time limits on password validity.) Possible values are either yes or no. The default is yes.

renewabletkt {yes | no}
A flag set to determine if the ticket-granting ticket issued to the account's principal can be renewed. If this flag is set to yes, the Authentication service renews the ticket-granting ticket if its lifetime is valid. Possible values are either yes or no. The default is yes.

server {yes | no}
A flag set to indicate whether or not the account is for a principal that can act as a server. If the account is for a server that engages in authenticated communications, set this flag to yes. Possible values are either yes or no. The default is yes.

shell path_to_shell
The path of the shell that is executed when a principal logs in. The legal value is any shell supported by the home cell. The default value is the empty string (" ").

stdtgtauth {yes | no}
A flag set to determine whether service tickets issued to the account's principal use the standard DCE ticket-granting ticket authentication mechanism. Its value is either yes or no. The default is yes.

usertouser {yes | no}
For server principals, a flag set to determine whether the server must use user-to-user authentication. Its value is either yes (must use user-to-user authentication) or no (uses server-key-based authentication). The default is no.
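The Python script below is an added example, not part of the DCE documentation or of dcecp. It parses the output that account show account_name -all prints (one Tcl list per line, in the form {attribute value ...}, with {} for an empty value) and then evaluates the account attributes described above the way an administrator auditing accounts would: whether acctvalid refuses logins, whether expdate has passed, whether pwdvalid forces a password change, whether any of the ticket flags whose default is no has been turned on, and whether a ticket issued at a given time predates goodsince. The sample output is constructed for the example, not captured from a real cell, and a timestamp without a time-differential factor is assumed to be UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what `account show smith -all` prints in dcecp: one
# {attribute value ...} Tcl list per line. Not captured from a real cell.
SAMPLE_SHOW_OUTPUT = """\
{acctvalid yes}
{client yes}
{created /.../example.com/cell_admin 1994-06-15-18:31:08.000+00:00I-----}
{description {}}
{dupkey no}
{expdate 1996-01-01-00:00:00}
{forwardabletkt yes}
{goodsince 1995-03-01-12:00:00.000+00:00I-----}
{group users}
{home /u/smith}
{lastchange /.../example.com/cell_admin 1995-03-01-12:00:00.000+00:00I-----}
{organization staff}
{postdatedtkt no}
{proxiabletkt yes}
{pwdvalid no}
{renewabletkt yes}
{server no}
{shell /bin/ksh}
{stdtgtauth yes}
{usertouser no}
"""

# ISO/DTS absolute timestamp: CCYY-MM-DD[-hh:mm:ss[.fff]][+hh:mm][Ittt]
DTS_ABSOLUTE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})(?:-(\d{2}:\d{2}:\d{2}))?(?:\.\d+)?"
    r"([+-]\d{2}:\d{2})?(?:I.*)?$"
)


def split_tcl_list(text):
    """Split a Tcl list into elements, honouring {} grouping only (these
    attribute values never use backslashes or double quotes)."""
    items, buf, depth = [], [], 0
    for ch in text:
        if ch == "{":
            if depth:
                buf.append(ch)
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth:
                buf.append(ch)
            else:                      # closing an element; may be empty {}
                items.append("".join(buf))
                buf = []
        elif ch.isspace() and not depth:
            if buf:
                items.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        items.append("".join(buf))
    return items


def parse_show_output(text):
    """Map attribute -> value; two-word values (created, lastchange) become
    lists and an empty {} becomes ''."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("{") and line.endswith("}"):
            line = line[1:-1]
        name, *values = split_tcl_list(line)
        attrs[name] = values[0] if len(values) == 1 else values
    return attrs


def parse_dts_timestamp(text):
    """Parse a DTS/ISO timestamp to an aware datetime. A bare date means
    midnight; without a time-differential factor UTC is assumed."""
    m = DTS_ABSOLUTE_RE.match(text)
    if not m:
        raise ValueError(f"not a DTS timestamp: {text!r}")
    date, clock, tdf = m.groups()
    naive = datetime.strptime(f"{date}-{clock or '00:00:00'}", "%Y-%m-%d-%H:%M:%S")
    if tdf:
        offset = timedelta(hours=int(tdf[1:3]), minutes=int(tdf[4:6]))
        tz = timezone(offset if tdf[0] == "+" else -offset)
    else:
        tz = timezone.utc
    return naive.replace(tzinfo=tz)


def audit_account(attrs, now):
    """Findings an administrator would want to see for one account."""
    findings = []
    if attrs.get("acctvalid") != "yes":
        findings.append("acctvalid is no: the account cannot be logged into")
    expdate = attrs.get("expdate", "none")
    if expdate != "none" and parse_dts_timestamp(expdate) <= now:
        findings.append(f"expdate {expdate} has passed: the account is expired")
    if attrs.get("pwdvalid") == "no":
        findings.append("pwdvalid is no: a password change is forced at next login")
    for flag in ("dupkey", "postdatedtkt", "proxiabletkt"):   # all default to no
        if attrs.get(flag) == "yes":
            findings.append(f"{flag} is yes, not the default: confirm it is intended")
    return findings


def ticket_trusted(attrs, issued_at):
    """Tickets granted before goodsince are invalid whatever their own lifetime."""
    return issued_at >= parse_dts_timestamp(attrs["goodsince"])


if __name__ == "__main__":
    account = parse_show_output(SAMPLE_SHOW_OUTPUT)
    for finding in audit_account(account, parse_dts_timestamp("1996-06-01")):
        print(finding)
```

The goodsince check is the one an incident responder needs after a password compromise: changing the password alone leaves earlier tickets usable, and resetting goodsince to the present is what invalidates them.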

Policy Attributes

maxtktlife relative_time
The maximum amount of time that a ticket can be valid. To specify the time, use the Distributed Time Service (DTS) relative time format ([-]DD-hh:mm:ss). When a client requests a ticket to a server, the lifetime granted to the ticket takes into account the maxtktlife set for both the server and the client. In other words, the lifetime cannot exceed the shorter of the server's or client's maxtktlife. If you do not specify a maxtktlife for an account, the maxtktlife defined as registry authorization policy is used.

maxtktrenew relative_time
The amount of time before a principal's ticket-granting ticket expires and that principal must log in again to the system to reauthenticate and obtain another ticket-granting ticket. To specify the time, use the DTS relative time format ([-]DD-hh:mm:ss). The lifetime of the principal's service tickets can never exceed the lifetime of the principal's ticket-granting ticket. The shorter you make this, the greater the security of the system. However, since principals must log in again to renew their ticket-granting ticket, the time needs to take into consideration user convenience and the level of security required. If you do not specify this for an account, the maxtktrenew lifetime defined as registry authorization policy is used.

This feature is not currently used by DCE; any use of this option is unsupported at the present time.
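The following Python module is an added example, not part of the DCE documentation or of dcecp. It parses the DTS relative time format ([-]DD-hh:mm:ss, both as typed into dcecp and with the leading sign, fraction and inaccuracy suffix that account show -policies prints) and works through the maxtktlife rule above: the lifetime of a service ticket is the shorter of the client's and the server's maxtktlife, an account without its own value inherits the registry authorization policy, and the ticket can never outlive the client's ticket-granting ticket. REGISTRY_POLICY is a constructed registry-wide policy, not taken from a real cell.

```python
import re
from datetime import datetime, timedelta, timezone

# DTS relative time [-]DD-hh:mm:ss as typed into dcecp (8:00, 1-00:00:00) and
# as account show -policies prints it (+0-10:00:00.000I-----).
DTS_RELATIVE_RE = re.compile(
    r"^([+-])?(?:(\d+)-)?(\d{1,2}):(\d{2})(?::(\d{2}))?(?:\.\d+)?(?:I.*)?$"
)

# Constructed registry-wide authorization policy for this example, standing in
# for what the registry object would report; not taken from a real cell.
REGISTRY_POLICY = {"maxtktlife": "+0-10:00:00.000I-----",
                   "maxtktrenew": "+1-00:00:00.000I-----"}


def parse_dts_relative(text):
    """Parse a DTS relative time into a timedelta; days and seconds are optional."""
    m = DTS_RELATIVE_RE.match(text)
    if not m:
        raise ValueError(f"not a DTS relative time: {text!r}")
    sign, days, hours, minutes, seconds = m.groups()
    delta = timedelta(days=int(days or 0), hours=int(hours),
                      minutes=int(minutes), seconds=int(seconds or 0))
    return -delta if sign == "-" else delta


def format_dts_relative(delta):
    """Render a timedelta back in DD-hh:mm:ss form for comparison with dcecp."""
    total = int(delta.total_seconds())
    sign, total = ("-" if total < 0 else ""), abs(total)
    days, rest = divmod(total, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{sign}{days}-{hours:02d}:{minutes:02d}:{seconds:02d}"


def account_maxtktlife(attrs, policy=REGISTRY_POLICY):
    """An account's own maxtktlife, or the registry policy value when it has none."""
    return parse_dts_relative(attrs.get("maxtktlife") or policy["maxtktlife"])


def effective_ticket_lifetime(client_attrs, server_attrs, policy=REGISTRY_POLICY):
    """The lifetime granted to a service ticket cannot exceed the shorter of
    the client's and the server's maxtktlife (the most restrictive value wins)."""
    return min(account_maxtktlife(client_attrs, policy),
               account_maxtktlife(server_attrs, policy))


def service_ticket_expiry(issued_at, tgt_expires_at, client_attrs, server_attrs,
                          policy=REGISTRY_POLICY):
    """Expiry of a service ticket issued at issued_at: the effective lifetime,
    capped so the ticket never outlives the client's ticket-granting ticket."""
    lifetime = effective_ticket_lifetime(client_attrs, server_attrs, policy)
    return min(issued_at + lifetime, tgt_expires_at)


def utc(year, month, day, hour=0, minute=0):
    """Small helper for building aware timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


if __name__ == "__main__":
    client = {}                      # no maxtktlife of its own: inherits policy
    server = {"maxtktlife": "8:00"}  # server account caps tickets at 8 hours
    lifetime = effective_ticket_lifetime(client, server)
    print("effective maxtktlife:", format_dts_relative(lifetime))
    print("service ticket expires:",
          service_ticket_expiry(utc(1995, 3, 1, 9), utc(1995, 3, 1, 12), client, server))
```

Setting a short maxtktlife on a server account is the way to bound exposure of tickets for that service regardless of how generous client accounts or the registry policy are, because min() takes the shorter of the two.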


Public Key Attributes

Errors

Operations

Related Information