VMS Help  —  DCE  DCE_SECURITY, Admin Intro, rgy_edit, account_commands
   ACCOUNT SUBCOMMANDS

1  –  view

 v[iew] [pname [gname [oname]]] [-f]

   Displays login accounts.

   Without the -f option, view displays only the user fields in each
   account entry. These fields include each account's

     +  Principal, group, and organization name

     +  Encrypted password

     +  Miscellaneous information

     +  Home directory

     +  Login shell

   With -f, view displays the full entry, including the adminis-
   trative fields as well as the user fields.  Administrative
   information includes:

     +  Who created the account

     +  When the account was created

     +  Who last changed the account

     +  When the account was last changed

     +  When the account expires

     +  Whether the account is valid

     +  Whether the account principal's password is valid

     +  When the account principal's password was last changed

2  –  add

 a[dd] [pname [-g gname -o oname -mp password {-rp | -pw password}
       [-m misc] [-h homedir] [-s shell]
       [-pnv | -pv] [-x account_exp | none] [-anv | -av]
       [ [-ena[ble] option | -dis[able] option]...]
       [-gs date_and_time] [-mcr lifespan] [-mcl lifespan]]]

 Creates a login account.

 If you enter the subcommand only or the subcommand and the optional
 pname argument (principal name), rgy_edit prompts you for all
 information.  If you enter the subcommand, the pname argument, and
 the gname (group name) argument or the the pname, gname and oname
 (organization name) arguments, you must also enter the -mp, and -pw
 or -rp options.  All other options are optional.

 The pname argument specifies the principal for whom the account
 should be created. The -g and -o options specify the account's group
 and organization.  If the principal specified in pname is not
 already a member of the specified group and organization, rgy_edit
 automatically attempts to add the principal to the membership lists.
 If you do not have the appropriate permissions for the group and
 organization, the attempt will fail and the account will not be
 created.

 The -rp option generates a random password for the account. The
 primary use of this option is to create passwords for accounts that
 will not be logged into (since the random password can never be
 supplied.) The -pw option is used to supply a password for the
 account on the command line.

 If you use the -rp option or the -pw option, you must also use the
 -mp option to supply your password so your identity can be
 validated.

 If you do  not specify the -rp option or the -pw option, rgy_edit
 prompts for the account's password twice to ensure you did not make
 a typing mistake. Then it prompts for your password to verify your
 identity.

 If the user's password management policy allows the selection of
 generated passwords, specifying "*" as the argument to the -pw
 option or at the account's password prompt automatically generates
 a plaintext password.

 If the user's password management policy requires the selection of
 generated passwords, specifying the -pw option is an error.
 rgy_edit displays a generated password and then prompts for the
 password for confirmation.  The format of password must adhere to
 the policy of the associated organization or the policy of the
 registry as a whole, whichever is more restrictive.

 The information supplied with the -m option is used to create the
 GECOS field for the account in the /etc/passwd file [on UNIX].

 The -h option specifies the pathname of the principal's home
 directory.  The default homedir is /. The -s option specifies the
 pathname of the principal's login shell.  The default shell is a
 null string.

 The -pnv (password not valid) option specifies that the password
 has expired. Generally, users must change their passwords when the
 passwords expire. However, the policy to handle expired passwords
 and the mechanism by which users change their passwords are defined
 for each platform, usually through the login facility.  The -pv
 option indicates the password is not expired (the default).

 The -x option sets an expiration date for the account in
 yy/mm/dd/hh/mm/ss format. The default is "none," meaning that
 the password will never expire.

 The -anv (account not valid) option specifies that the account is
 not currently valid for login. The -av option indicates the account
 is currently valid (the default).

 The -enable and -disable options set or clear the following options:

  +  The c[lient] option, if enabled, allows the principal to act as
     a client and log in, acquire tickets, and be authenticated.  If
     you disable client, the principal cannot act as a client.  The
     default is enabled.

  +  The s[erver] option, if enabled, allows the principal to act as
     a server and engage in authenticated communication.  If you
     disable server, the principal cannot act as a server that
     engages in authenticated communication. The default is enabled.

  +  The po[stdated] option, if enabled, allows tickets with a start
     time some time in the future to be issued to the account's
     principal. The default is disabled.

  +  The f[orwardable] option, if enabled, allows a new ticket-
     granting ticket with a network address that differs from the
     present ticket-granting ticket address to be issued to the
     account's principal.  The default is enabled.

  +  The pr[oxiable] option, if enabled, allows a new ticket with a
     different network address than the present ticket to be issued
     to the account's principal.   The default is disabled.

  +  The T[GT_authentication] option, if enabled, specifies that
     tickets issued to the account's principal can use the ticket-
     granting-ticket authentication mechanism.  The default is
     enabled.

  +  The r[enewable] option turns on the Kerberos V5 renewable
     ticket feature. This feature is not currently used by the DCE;
     any use of this option is unsupported at the present time.

  +  The dup[_session_key] option allows tickets issued to the
     account's principal to have duplicate keys.  The default is
     disabled.

 The -gs (good since date) is the date and time the account was last
 known to be valid. When accounts are created, this date is set to
 the account creation time.  If you change the good since date, any
 tickets issued before the changed date are invalid.  Enter the date
 in yy/mm/dd.hh:mm format.

 The -mcr (maximum certificate renewable) option is the number of
 hours before a session with the principal's identity expires and
 the principal must log in again to reauthenticate. The default
 is 4 weeks.

 The -mcl (maximum certificate lifetime) option is the number of
 hours before the Authentication Service must renew a principal's
 service certificates.  This is handled automatically and requires
 no action on the part of the principal. The default is 1 day.

3  –  change

 c[hange] [-p pname] [-g gname] [-o oname]
          [-np pname] [-ng gname] [-no oname]
          [{-rp | -pw password} -mp password]
          [-m misc] [-h homedir] [-s shell]
          [-pnv | -pv] [-x account_exp | none] [-anv | -av]
          [[-ena[ble] option | -dis[able] option]...]
          [-gs date_and_time] [-mcr lifespan] [-mcl lifespan]

 Changes an account.

 The -p, -g, and -o options identify the account to change. The -np,
 -ng, and -no options change the account's, principal, group, and
 organization, respectively.

 If you do not specify all three -p, -g, and -o options, wildcard
 updates can occur.  For example, if you specify only the -g option,
 the changes affect all accounts that are associated with the named
 group.  Note that you cannot use wildcarding to change passwords.
 To change a password, you must enter the -p, -g, and -o options.

 All other options have the same meaning as described in the add
 command for accounts.  Note that the -rp option can be used to
 change the random passwords of the reserved accounts created by
 sec_create_db when the registry database is created.

4  –  delete

 del[ete] -p pname [-g gname] [-o oname]

 Deletes the specified account.

 Enter the -p option to delete the specified principal's account.
 Enter the -g or -o option to delete accounts associated with the
 specified group or organization.  If you enter the -g or -o option,
 rgy_edit prompts individually for whether to delete each account
 associated with the group or organization.

5  –  cell

 ce[ll] cellname [-ul unix_num] [-uf unix_num] [-gl gname]
                 [-ol oname] [-gf gname] [-of oname] [-mp passwd]
                 [-fa name] [-fp passwd] [-q quota]
                 [-x account_expiration_date | none]

 Creates a cross-cell authentication account in the local and
 foreign cells.

 This account allows local principals to access objects in the
 foreign cell as authenticated users and vice versa. The admin-
 istrator in the foreign cell must have also set up a standard
 account, whose ID and password the administrator of the foreign
 cell must supply to you.

 The cellname variable specifies the full pathname of the foreign
 cell with which you will establish the cross-cell authentication
 account. This name is stripped of the path qualifier and prefixed
 with "krbtgt." The resulting name is used as the primary name for
 the cross-cell authentication account.  For example, if you enter
  /.../dresden.com, the principal name is krbtgt/dresden.com.

 The -ul option specifies the UNIX number for the local cell's
 principal.  The -uf option specifies the UNIX number for the
 foreign cell's principal.  If you do not specify these UNIX
 numbers, they are generated automatically.

 The -gl and -ol options specify the local account's group and
 organization.  The -gf and -of options specify the foreign
 account's group and organization.

 The -mp option specifies the password of the person who invoked
 rgy_edit.

 The -fa option specifies the name identifying the account in the
 foreign cell, and the -fp option specifies the account's password.

 The -q option specifies the total number of objects that can be
 created in your cell's registry by all foreign users who use the
 cross-cell authentication account to access your cell.  The object
 creation quota defaults to 0 (zero), meaning that principals in the
 foreign cell cannot create objects in the local cell. The object
 creation quota set for your cell's account in the foreign cell
 places the same restriction on the number of objects that your
 cell's principals can create in the foreign cell's registry.

 The -x option specifies the account expiration date for both the
 local and foreign accounts. The default for this option is "none."

 Note that the object creation quota for the local account defaults
 to 0 (zero), meaning that principals in the foreign cell cannot
 create objects in the local cell. You can change this with the
 rgy_edit change subcommand.
Close Help