Library /sys$common/syshlp/HELPLIB.HLB  —  DCE  DCE_SECURITY, Admin Intro, rgy_edit
 NAME
   rgy_edit - Edits the registry database

 SYNOPSIS

   rgy_edit [[-a | -p | -g | -o] [-s name] [-up[date]]
   [-v [-f] [name | -un[ix_number]] [-nq]] | -l]

 OPTIONS
   The following options are supplied when rgy_edit is invoked. You can
   specify only one of the options -a, -p, -g, and -o.  If you specify
   the -l option, you can specify no other options.

   -a (default)
             Edits or views accounts.

   -p        Edits or views principals.

   -g        Edits or views groups.

   -o        Edits or views organizations.

   -s        Binds to the registry site specified by name.  The name
             variable is either the fully qualified name of the cell
             that contains the registry to which you want access, or
             the fully qualified name of a specific registry server.

   -up[date] Binds to a read-write registry site in the cell specified
             by the -s option.

   -v        Views the registry entry specified by name or unix_number.
             If no entry is specified, all entries are viewed.

   -f        Displays in full the entry (or entries) selected by the -v
             option.  The full entry includes all fields except the
             membership list and organization policy.

   -nq       Specifies that delete operations will not be queried.  The
             default is to prompt the user for verification when a delete
             operation is requested.

   -l        Edits or views entries in local registry.

 NOTES
   With the exception of the following subcommands, this command is
   replaced at Revision 1.1 by the dcecp command.  This command may be
   fully replaced by the dcecp command in a future release of DCE, and
   may no longer be supported at that time.

     +  defaults

     +  domain

     +  scope

     +  help

     +  quit

     +  exit

     +  delete

     +  purge

     +  view

 DESCRIPTION

 The rgy_edit tool views and edits information in the registry database.
 You can invoke rgy_edit from any node.

 You can edit and view principals, groups, organization, accounts, and
 policies in the network registry (the default) or perform a subset of
 those functions on the local registry (using the -l option). Changes
 made by rgy_edit apply only to the registry. They do not apply to the
 local override file or the local password and group files, both of
 which can be edited manually. You can view and change only those
 registry objects to which you are granted the appropriate permissions.

 INVOKING RGY_EDIT

 When you invoke rgy_edit, it displays the following prompt:

      rgy_edit=>

 At this prompt, you can enter any of the rgy_edit subcommands, and
 rgy_edit will prompt you for the required information.  Alternatively,
 you can enter the subcommand followed by all the options required to
 perform a specific operation. The rgy_edit command may prompt you for
 any required information you do not enter.

 SUBCOMMANDS

 In the rgy_edit subcommands that follow, use two double quotation
 marks with nothing in between to indicate a null fullname, password,
 misc, homedir, or shell. Use double quotation marks to embed spaces
 or hyphens in fullname, misc, and homedir if you specify the argument
 on the command line.

1  –  pgo_commands

   PRINCIPAL, GROUP, AND ORGANIZATION SUBCOMMANDS

   Whether name applies to a principal, group, or organization depends
   on the domain in which you run rgy_edit.  Use the do[main]
   subcommand (described in Miscellaneous Commands) to change domains.

1.1  –  view

 v[iew] [name] [-f] [-m] [-po] Views registry entries.

 The -f option displays entries in full (all fields except the
 membership list and organization policy).

 If you are viewing groups or organizations, -m displays the
 membership list.  For principals, -m lists all groups of which
 the principal is a member, including groups that cannot appear
 in a project list.

 If you are viewing organizations, -po displays policy information.
 If you do not enter the -po option, rgy_edit shows only the
 organization's name and the UNIX number.

1.2  –  add

 a[dd] [principal_name [unix_number] [-f fullname] [-al] [-q quota]]
 a[dd] [group_name [unix_number] [-f fullname [-nl]]] [-al]
 a[dd] [organization_name [unix_number] [-f fullname]]

 Create a new name entry.

 If you do not specify principal_name, group_name, or
 organization_name, the add subcommand prompts you for each field in
 the entry.
 If you are adding organizations, the command prompts you for policy
 information as well. If you specify only principal_name, group_name,
 or organization_name and no other arguments, the object's fullname
 defaults to "" (that is, blank), the object's UNIX number is
 assigned automatically, and the object's creation quota defaults to
 unlimited.

 Use the -al option to create an alias for an existing principal or
 group.  No two principals or groups can have the same UNIX number,
 but a principal or group and all its aliases share the same UNIX
 number.  The -al option creates an alias name for a principal or
 group and assigns the alias name the same UNIX number as the
 principal or group.

 The -q option specifies the principal's object creation quota, the
 total number of registry objects that can be created by the
 principal.  If you do not specify this option, the object creation
 quota defaults to unlimited.  For groups, the -nl option indicates
 that the group is not to be included on project lists; omitting
 this option allows the group to appear on project lists.

1.3  –  change

 c[hange] [principal_name [-n name] [-f fullname] [-al | -pr]
          [-q quota]]
 c[hange] [group_name [-n name] [-f fullname] [-nl | -l] ]
          [-al | -pr]
 c[hange] [organization_name [-n name] [-f fullname]]

 Changes a principal, group, or organization.

 Specify the entry to change with principal_name, group_name, or
 organization_name. If you do not specify a principal_name,
 group_name, or organization_name, the change subcommand prompts
 you for a name.  If you do not specify any fields, the subcommand
 prompts you for each field in succession.  To leave a field
 unchanged, press <RETURN> at the prompt.  If you are changing
 organization entries in the interactive mode, the subcommand
 prompts you for policy information as well.

 Use -n name and -f fullname to specify a new primary name or
 fullname, respectively.

 For principals and groups, the -al option changes a primary name
 into an alias, and the -pr option changes an alias into a primary
 name.  This change can be made only from the command line, not in
 the interactive mode.  The -q option specifies the total number of
 registry objects that can be created by the principal.

 For group entries, the -nl option disallows the group from
 appearing in project lists, while the -l option allows the group
 to appear in project lists.

 For organization entries, you can change policy information only in
 the interactive mode.

 Changes to a principal name are reflected in membership lists that
 contain the principal name. For example, if the principal ludwig is
 a member of the group composers and the principal name is changed
 to louis, the membership list for composers is automatically
 changed to include louis but not ludwig.

 For reserved names, you can change only fullname.

1.4  –  member

 m[ember] [group_name | organization_name [-a member_list]
          [-r member_list] ]

 Edits the membership list for a group or organization.

 If you do not specify a group or organization, the member subcommand
 prompts you for names to add or remove.

 To add names or aliases to a membership list, use the -a option
 followed by the names separated by commas. To delete names from a
 membership list, use the -r option followed by the names separated
 by commas.  If you do not include either the -a or -r option on the
 command line, rgy_edit prompts you for names to add or remove.

 Removing names from the membership list for a group or organization
 has the side effect of deleting the login account for the removed
 member (and, of course, eliminating any permissions granted as a
 result of the membership the next time the member's ticket-granting
 ticket is renewed).

1.5  –  delete

 del[ete] name

 Deletes a registry entry.

 If you delete a principal, rgy_edit deletes the principal's
 account.  If you delete a group or organization, rgy_edit deletes
 any accounts associated with the group or organization.  You
 cannot delete reserved principals.

1.6  –  adopt

 adopt uuid principal_name [-u unix_number] [-f fullname] [-q quota]
 adopt uuid group_name [-f fullname] [-nl]
 adopt uuid organization_name [-f fullname]

 Creates a principal, group, or organization for the specified UUID.

 The principal, group, or organization is created to adopt an orphan
 object.  Orphans are registry objects that cannot be accessed
 because 1) they are owned by UUIDs that are not associated with a
 principal or group and 2) no other principal, group, or
 organization has access rights to the orphaned object.  UUIDs are
 associated with all registry objects when the object is created.
 When the registry object is deleted, the association between the
 object and the UUID is also deleted.

 The principal_name, group_name, or organization_name you specify
 must be unique in the registry as it must be when you create a
 principal, group, or organization using the add subcommand. Except
 for the manner in which it is created, the principal, group, or
 organization created by the adopt subcommand is no different from
 any other principal, group, or organization.  The uuid option
 specifies the UUID number to be assigned to the principal, group, or
 organization. The UUID supplied must be the one that owns the
 orphaned object. Specify the uuid in RPC print string format as 8
 hexadecimal digits, a hyphen; 4 hexadecimal digits, a hyphen; 4
 hexadecimal digits, a hyphen; 4 hexadecimal digits, a hyphen;
 and 12 hexadecimal digits.  The format follows:

               nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn

 For cell principals only, the -u option specifies the UNIX number to
 be associated with the cell name.  If you do not enter this option,
 the next sequential UNIX number is supplied as a default. For all
 principals other than cells, the UNIX number is extracted from
 information embedded in the principal's UUID and cannot be
 specified here.

 For principals, the -q option specifies the principal's object
 creation quota.  If you do not enter the option, the object
 creation quota is set to "unlimited."

 For groups, the -nl option turns off the project list inclusion
 property so that groups are not included in project lists.  If you
 do not enter this option, the group is included in project lists.

 For principals, groups, and organizations, the -f option supplies
 the object's fullname.  If you do not enter the -f option, fullname
 defaults to blank.

 An error occurs if you specify a name or UNIX number that is
 already defined within the same domain of the database.

 Note that in the current implementation of the DCE, UNIX numbers
 are embedded in UUID numbers. If you try to create a group or
 organization to adopt an orphaned object and fail, it could be
 because the embedded UNIX number is invalid because it does not
 fall within the range of valid UNIX numbers set for the cell as
 a registry property.  If this is the case, you must reset the
 range of valid UNIX numbers to include the UNIX number embedded
 in the UUID and then try again to adopt the object.

2  –  account_commands

   ACCOUNT SUBCOMMANDS

2.1  –  view

 v[iew] [pname [gname [oname]]] [-f]

   Displays login accounts.

   Without the -f option, view displays only the user fields in each
   account entry. These fields include each account's

     +  Principal, group, and organization name

     +  Encrypted password

     +  Miscellaneous information

     +  Home directory

     +  Login shell

   With -f, view displays the full entry, including the
   administrative fields as well as the user fields.  Administrative
   information includes:

     +  Who created the account

     +  When the account was created

     +  Who last changed the account

     +  When the account was last changed

     +  When the account expires

     +  Whether the account is valid

     +  Whether the account principal's password is valid

     +  When the account principal's password was last changed

2.2  –  add

 a[dd] [pname [-g gname -o oname -mp password {-rp | -pw password}
       [-m misc] [-h homedir] [-s shell]
       [-pnv | -pv] [-x account_exp | none] [-anv | -av]
       [ [-ena[ble] option | -dis[able] option]...]
       [-gs date_and_time] [-mcr lifespan] [-mcl lifespan]]]

 Creates a login account.

 If you enter the subcommand only or the subcommand and the optional
 pname argument (principal name), rgy_edit prompts you for all
 information.  If you enter the subcommand, the pname argument, and
 the gname (group name) argument or the pname, gname and oname
 (organization name) arguments, you must also enter the -mp and -pw
 or -rp options.  All other options are optional.

 The pname argument specifies the principal for whom the account
 should be created. The -g and -o options specify the account's group
 and organization.  If the principal specified in pname is not
 already a member of the specified group and organization, rgy_edit
 automatically attempts to add the principal to the membership lists.
 If you do not have the appropriate permissions for the group and
 organization, the attempt will fail and the account will not be
 created.

 The -rp option generates a random password for the account. The
 primary use of this option is to create passwords for accounts that
 will not be logged into (since the random password can never be
 supplied.) The -pw option is used to supply a password for the
 account on the command line.

 If you use the -rp option or the -pw option, you must also use the
 -mp option to supply your password so your identity can be
 validated.

 If you do not specify the -rp option or the -pw option, rgy_edit
 prompts for the account's password twice to ensure you did not make
 a typing mistake. Then it prompts for your password to verify your
 identity.

 If the user's password management policy allows the selection of
 generated passwords, specifying "*" as the argument to the -pw
 option or at the account's password prompt automatically generates
 a plaintext password.

 If the user's password management policy requires the selection of
 generated passwords, specifying the -pw option is an error.
 rgy_edit displays a generated password and then prompts for the
 password for confirmation.  The format of password must adhere to
 the policy of the associated organization or the policy of the
 registry as a whole, whichever is more restrictive.

 The information supplied with the -m option is used to create the
 GECOS field for the account in the /etc/passwd file [on UNIX].

 The -h option specifies the pathname of the principal's home
 directory.  The default homedir is /. The -s option specifies the
 pathname of the principal's login shell.  The default shell is a
 null string.

 The -pnv (password not valid) option specifies that the password
 has expired. Generally, users must change their passwords when the
 passwords expire. However, the policy to handle expired passwords
 and the mechanism by which users change their passwords are defined
 for each platform, usually through the login facility.  The -pv
 option indicates the password is not expired (the default).

 The -x option sets an expiration date for the account in
 yy/mm/dd/hh/mm/ss format. The default is "none," meaning that
 the password will never expire.

 The -anv (account not valid) option specifies that the account is
 not currently valid for login. The -av option indicates the account
 is currently valid (the default).

 The -enable and -disable options set or clear the following options:

  +  The c[lient] option, if enabled, allows the principal to act as
     a client and log in, acquire tickets, and be authenticated.  If
     you disable client, the principal cannot act as a client.  The
     default is enabled.

  +  The s[erver] option, if enabled, allows the principal to act as
     a server and engage in authenticated communication.  If you
     disable server, the principal cannot act as a server that
     engages in authenticated communication. The default is enabled.

  +  The po[stdated] option, if enabled, allows tickets with a start
     time some time in the future to be issued to the account's
     principal. The default is disabled.

  +  The f[orwardable] option, if enabled, allows a new ticket-
     granting ticket with a network address that differs from the
     present ticket-granting ticket address to be issued to the
     account's principal.  The default is enabled.

  +  The pr[oxiable] option, if enabled, allows a new ticket with a
     different network address than the present ticket to be issued
     to the account's principal.   The default is disabled.

  +  The T[GT_authentication] option, if enabled, specifies that
     tickets issued to the account's principal can use the ticket-
     granting-ticket authentication mechanism.  The default is
     enabled.

  +  The r[enewable] option turns on the Kerberos V5 renewable
     ticket feature. This feature is not currently used by the DCE;
     any use of this option is unsupported at the present time.

  +  The dup[_session_key] option allows tickets issued to the
     account's principal to have duplicate keys.  The default is
     disabled.

 The -gs (good since date) is the date and time the account was last
 known to be valid. When accounts are created, this date is set to
 the account creation time.  If you change the good since date, any
 tickets issued before the changed date are invalid.  Enter the date
 in yy/mm/dd.hh:mm format.

 The -mcr (maximum certificate renewable) option is the number of
 hours before a session with the principal's identity expires and
 the principal must log in again to reauthenticate. The default
 is 4 weeks.

 The -mcl (maximum certificate lifetime) option is the number of
 hours before the Authentication Service must renew a principal's
 service certificates.  This is handled automatically and requires
 no action on the part of the principal. The default is 1 day.

2.3  –  change

 c[hange] [-p pname] [-g gname] [-o oname]
          [-np pname] [-ng gname] [-no oname]
          [{-rp | -pw password} -mp password]
          [-m misc] [-h homedir] [-s shell]
          [-pnv | -pv] [-x account_exp | none] [-anv | -av]
          [[-ena[ble] option | -dis[able] option]...]
          [-gs date_and_time] [-mcr lifespan] [-mcl lifespan]

 Changes an account.

 The -p, -g, and -o options identify the account to change. The -np,
 -ng, and -no options change the account's principal, group, and
 organization, respectively.

 If you do not specify all three -p, -g, and -o options, wildcard
 updates can occur.  For example, if you specify only the -g option,
 the changes affect all accounts that are associated with the named
 group.  Note that you cannot use wildcarding to change passwords.
 To change a password, you must enter the -p, -g, and -o options.

 All other options have the same meaning as described in the add
 command for accounts.  Note that the -rp option can be used to
 change the random passwords of the reserved accounts created by
 sec_create_db when the registry database is created.

2.4  –  delete

 del[ete] -p pname [-g gname] [-o oname]

 Deletes the specified account.

 Enter the -p option to delete the specified principal's account.
 Enter the -g or -o option to delete accounts associated with the
 specified group or organization.  If you enter the -g or -o option,
 rgy_edit prompts individually for whether to delete each account
 associated with the group or organization.

2.5  –  cell

 ce[ll] cellname [-ul unix_num] [-uf unix_num] [-gl gname]
                 [-ol oname] [-gf gname] [-of oname] [-mp passwd]
                 [-fa name] [-fp passwd] [-q quota]
                 [-x account_expiration_date | none]

 Creates a cross-cell authentication account in the local and
 foreign cells.

 This account allows local principals to access objects in the
 foreign cell as authenticated users and vice versa. The
 administrator in the foreign cell must have also set up a standard
 account, whose ID and password the administrator of the foreign
 cell must supply to you.

 The cellname variable specifies the full pathname of the foreign
 cell with which you will establish the cross-cell authentication
 account. This name is stripped of the path qualifier and prefixed
 with "krbtgt." The resulting name is used as the primary name for
 the cross-cell authentication account.  For example, if you enter
  /.../dresden.com, the principal name is krbtgt/dresden.com.

 The -ul option specifies the UNIX number for the local cell's
 principal.  The -uf option specifies the UNIX number for the
 foreign cell's principal.  If you do not specify these UNIX
 numbers, they are generated automatically.

 The -gl and -ol options specify the local account's group and
 organization.  The -gf and -of options specify the foreign
 account's group and organization.

 The -mp option specifies the password of the person who invoked
 rgy_edit.

 The -fa option specifies the name identifying the account in the
 foreign cell, and the -fp option specifies the account's password.

 The -q option specifies the total number of objects that can be
 created in your cell's registry by all foreign users who use the
 cross-cell authentication account to access your cell.  The object
 creation quota defaults to 0 (zero), meaning that principals in the
 foreign cell cannot create objects in the local cell. The object
 creation quota set for your cell's account in the foreign cell
 places the same restriction on the number of objects that your
 cell's principals can create in the foreign cell's registry.

 The -x option specifies the account expiration date for both the
 local and foreign accounts. The default for this option is "none."

 Note that the object creation quota for the local account defaults
 to 0 (zero), meaning that principals in the foreign cell cannot
 create objects in the local cell. You can change this with the
 rgy_edit change subcommand.

3  –  key_management_commands

 KEY MANAGEMENT SUBCOMMANDS

 The key management subcommands must be run in command-line mode.

3.1  –  ktadd

 kta[dd] -p principal_name [-pw password] [-a[uto]] [-r[egistry]]
                           [-f key-file]

 Creates a password for a server or machine in the keytab file on
 the local node.

 The -p option specifies the name of the server or machine principal
 for which you are creating a password.

 The -pw option lets you supply the password on the command line. If
 you do not enter this option or the -auto option, ktadd prompts for
 the password.

 The -a option generates the password randomly.  If you use this
 option, you must also use the -r option.  If you do not specify
 the -auto or the -pw option, you are prompted for a password.

 The -r option updates the principal's password in the registry to
 match the string you enter (or automatically generate) for the
 password in the keytab file.  Use it to ensure that the principal's
 password in the registry and the keytab file are in synch when you
 change a principal's password in the keytab file.  To use this
 option, a password for the principal must exist in the default
 keytab file or the keytab file named by the -f option.

 The -f option specifies the name of the server keytab file on the
 local node to which you are adding the password. If you do not
 specify a keytab file name, dce$local:[krb5]v5srvtab.; is used.
 Note that you must be privileged to add entries in the default
 keytab file.

3.2  –  ktlist

 ktl[ist] [-p principal_name] [-f keyfile]

 Displays principal names and password version numbers in the local
 keytab file.

 The -p option specifies the name of the server or machine principal
 for which you are displaying passwords.

 The -f option specifies the name of the server keytab file on the
 local node for which you want to display entries. If you do not
 specify a keytab file name, dce$local:[krb5]v5srvtab.; is used.

3.3  –  ktdelete

 ktd[elete] -p principal_name -v version_number [-f keyfile]

 Deletes a server or machine principal's password entry from a keytab
 file.

 The -p option specifies the name of the server or machine principal
 for whom you are deleting a password entry.

 The -v option specifies the version number of the password you want
 to delete.  Version numbers are assigned to a principal's password
 whenever the principal's password is changed.  This allows any
 servers or machines still using tickets granted under the old
 password to run without interruption until the ticket expires
 naturally.

 The -f option specifies the name of the server keytab file on the
 local node from which you want to delete passwords. If you do not
 specify a keytab file name, dce$local:[krb5]v5srvtab.; is used.
 Note that you must be privileged to delete entries in the default
 keytab file.  You must have the appropriate access rights to
 delete entries in other keytab files.

4  –  miscellaneous_commands

 Miscellaneous Commands

4.1  –  domain

 do[main] [p | g | o | a]

 Changes or displays the type of registry information being viewed
 or edited.

 You can specify p for principals, g for groups, o for
 organizations, or a for accounts. If you supply no argument,
 rgy_edit displays the current domain.

4.2  –  site

 si[te] [[name]] [-u[pdate]]

 Changes or displays the registry site being viewed or edited.

 The name variable is the fully qualified name of the cell that
 contains the registry to which you want access. If you supply no
 argument, rgy_edit displays the current site.

 The -update option indicates you want to talk to an update site in
 the specified cell.

4.3  –  properties

 prop[erties] Changes or displays registry properties.

 This command prompts you for changes. Press <Return> to leave
 information unchanged.

4.4  –  policy

 po[licy] [organization_name] [-al lifespan | forever]
          [-pl passwd_lifespan | forever]
          [-px passwd_exp_date | none] [-pm passwd_min_length]
          [-pa | -pna] [-ps | -pns]

 Changes or displays registry standard policy or the policy for an
 organization.

 Enter organization_name to display or change policy for that
 specific organization.  If you do not enter organization_name the
 subcommand affects standard policy for the entire registry.

 The -al option determines the account's lifespan, the period during
 which accounts are valid.  After this period of time passes, the
 accounts become invalid and must be recreated.   An account's
 lifespan is also controlled by the add and change subcommands -x
 option.  If the two lifespans conflict, the shorter one is used.
 Enter the lifespan in the following format:

       weekswdaysdhourshminutesm

 For example, 4 weeks and 5 days is entered as 4w5d.

 If you enter only a number and no weeks, days, or hours designation,
 the designation defaults to hours.  If you end the lifespan with a
 number and no weeks, days, or hours designation, the number with no
 designation defaults to seconds.  For example, 12w30 is assumed to
 be 12 weeks thirty seconds.

 The -pl option determines the password lifespan, the period of time
 before an account's password expires. Generally, users must change
 their passwords when the passwords expire. However, the policy to
 handle expired passwords and the mechanism by which users change
 their passwords are defined for each platform, usually through the
 login facility.

 Enter passwd_lifespan as a number indicating the number of days.
 If you define a password lifespan as forever, the password has an
 unlimited lifespan.

 The -px option specifies the password expiration date in
 yy/mm/dd/hh.mm:ss format. Generally, users must change their
 passwords when the passwords expire. However, the policy to
 handle expired passwords and the mechanism by which users change
 their passwords are defined for each platform, usually through
 the login facility.

 If you define a password expiration date as none, the password has
 an unlimited lifespan.

 The -pm, -ps, -pns, -pa, and -pna options all control the format of
 passwords as follows:

   +  -pm - Specifies the minimum length of passwords in characters.
      If you enter 0, no password minimum length is in effect.

   +  -ps and -pns - Specify whether passwords can contain all spaces
      (-ps) or can not be all spaces (-pns).

   +  -pa and -pna - Specify whether passwords can consist of all
      alphanumeric characters (-pa) or must include some non-
      alphanumeric characters (-pna).
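
 The format options above, combined with the rule stated under the
 account add subcommand that a password must satisfy the organization
 policy or the registry policy, whichever is more restrictive, can be
 checked as follows. This is an added example, not part of the original
 help text or of DCE; the names FormatPolicy, policy_from_flags,
 most_restrictive and violations are hypothetical, and the permissive
 defaults for unset options are an assumption.

```python
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class FormatPolicy:
    # Defaults are an assumption (most permissive); the help text does not
    # state what applies when an option has never been set.
    min_length: int = 0             # -pm; 0 means no minimum length
    allow_all_spaces: bool = True   # -ps (True) or -pns (False)
    allow_all_alnum: bool = True    # -pa (True) or -pna (False)


def policy_from_flags(flags: Sequence[str]) -> FormatPolicy:
    """Build a policy from po[licy] format options, e.g. ["-pm", "8", "-pns"]."""
    values = {}
    tokens = iter(flags)
    for tok in tokens:
        if tok == "-pm":
            try:
                length = int(next(tokens))
            except (StopIteration, ValueError):
                raise ValueError("-pm needs a numeric length") from None
            if length < 0:
                raise ValueError("-pm length cannot be negative")
            values["min_length"] = length
        elif tok in ("-ps", "-pns"):
            if "allow_all_spaces" in values:
                raise ValueError("-ps and -pns are mutually exclusive")
            values["allow_all_spaces"] = tok == "-ps"
        elif tok in ("-pa", "-pna"):
            if "allow_all_alnum" in values:
                raise ValueError("-pa and -pna are mutually exclusive")
            values["allow_all_alnum"] = tok == "-pa"
        else:
            raise ValueError(f"not a password format option: {tok}")
    return FormatPolicy(**values)


def most_restrictive(org: FormatPolicy, registry: FormatPolicy) -> FormatPolicy:
    """Per field, keep whichever of the two policies is stricter."""
    return FormatPolicy(
        min_length=max(org.min_length, registry.min_length),
        allow_all_spaces=org.allow_all_spaces and registry.allow_all_spaces,
        allow_all_alnum=org.allow_all_alnum and registry.allow_all_alnum,
    )


def violations(password: str, policy: FormatPolicy) -> List[str]:
    """Return the options a candidate password violates (empty list = OK)."""
    failed = []
    if len(password) < policy.min_length:
        failed.append("-pm")
    if not policy.allow_all_spaces and password and not password.strip(" "):
        failed.append("-pns")
    # -pna: at least one character must be non-alphanumeric.
    if not policy.allow_all_alnum and not any(not c.isalnum() for c in password):
        failed.append("-pna")
    return failed


if __name__ == "__main__":
    # Constructed sample policies and passwords, for illustration only.
    registry = policy_from_flags(["-pm", "6", "-pns"])
    org = policy_from_flags(["-pm", "10", "-pna"])
    effective = most_restrictive(org, registry)
    for candidate in ("abc123", " " * 10, "Tr0ub4dor&3x"):
        print(repr(candidate), violations(candidate, effective) or "ok")
```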

4.5  –  auth_policy

 au[th_policy]

 Changes and/or displays registry authentication policies.

 This command prompts you for changes. Press <Return> to leave
 information unchanged.

4.6  –  defaults

 def[aults]

 Changes or displays the home directory, login shell, password valid
 option, account expiration date, and account valid option default
 values that rgy_edit uses.

 This command first displays the current defaults.  It then prompts
 you for whether or not you want to make changes. If you make
 changes, defaults immediately changes the defaults for the current
 session, and it saves the new defaults in sys$login:.rgy_editrc.
 The newly saved defaults are used until you change them.

4.7  –  help

 h[elp] [command]

 Displays usage information for rgy_edit.

 If you do not specify a particular command, rgy_edit lists the
 available commands.

4.8  –  quit

 q[uit]

 Exit rgy_edit.

4.9  –  exit

 e[xit]

 Exit rgy_edit.

4.10  –  login

 l[ogin]

 Lets you establish a new network identity for use during the
 rgy_edit session.

 The rgy_edit login command prompts for a principal name and
 password.

4.11  –  scope

 sc[ope] [name]

 Limits the scope of the information displayed by the view
 subcommand to the directory (specified by name) in the registry
 database.

5  –  local_registry_commands

 Commands for the Local Registry

 To edit or view the local registry, invoke rgy_edit with the -l option
 while you are logged into the machine whose local registry you want to
 maintain.  This section lists the commands that are valid for editing
 or viewing the local registry.  When you invoke rgy_edit with the -l
 option, only the subcommands and options listed here can be used.

5.1  –  view

 v[iew]

 Displays local registry entries.

5.2  –  delete

 del[ete] principal_name

 Deletes the account and credential information for principal_name
 from the local registry.

5.3  –  purge

 pu[rge]

 Purges expired local registry entries.

 This command has no options or arguments.

 The time limit, or lifespan, for which an entry in the local
 registry is valid is set as a property of the local registry
 with the properties subcommand.  When the purge subcommand is
 run, it deletes all expired entries.  The lifespan begins when
 an entry for the principal is added to the local registry (that
 is, the beginning of the lifespan is the last time the principal
 logged in to the local machine.) The lifespan ends after the time
 limit set as a local registry property.

5.4  –  properties

 pr[operties]

 Changes and/or displays local registry properties and policies.

 This command displays the current properties and then prompts for
 whether you want to make changes to them.  You can change the local
 registry's:

  +  Capacity - A number representing the total number of entries
     the local registry can contain at any one time. When the
     capacity is reached, subsequent new entries overwrite the
     oldest entries.

  +  Account lifespan - The time in which an account in the local
     registry is valid in the following format:

         weekswdaysdhourshminutesm

     For example, 4 weeks and 5 days is entered as 4w5d.  If you
     enter only a number and no weeks, days, or hours designation,
     the designation defaults to hours.  If you end the lifespan
     with a number and no weeks, days, or hours designation, the
     number with no designation defaults to seconds.  For example,
     12w30 is assumed to be 12 weeks thirty seconds.
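
 The lifespan format described here and under the policy subcommand's
 -al option can be parsed as shown below, including the rule that a
 lone number means hours while a trailing number means seconds, and the
 rule that the shorter of the policy lifespan and the -x expiration
 applies. This is an added example, not part of the original help text
 or of DCE; parse_lifespan and effective_expiry are hypothetical names,
 and the fixed w/d/h/m order and lowercase unit letters are assumptions
 read from the format template.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# <weeks>w<days>d<hours>h<minutes>m, every part optional, followed by an
# optional bare number. Order and lowercase letters are assumptions taken
# from the template "weekswdaysdhourshminutesm".
_LIFESPAN_RE = re.compile(
    r"(?:(?P<w>[0-9]+)w)?(?:(?P<d>[0-9]+)d)?"
    r"(?:(?P<h>[0-9]+)h)?(?:(?P<m>[0-9]+)m)?(?P<bare>[0-9]+)?"
)
_UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60}


def parse_lifespan(text: str) -> Optional[timedelta]:
    """Convert a lifespan string to a timedelta; "forever" gives None."""
    text = text.strip()
    if text == "forever":          # accepted by the policy -al option
        return None
    match = _LIFESPAN_RE.fullmatch(text)
    if not text or match is None:
        raise ValueError(f"not a valid lifespan: {text!r}")
    fields = match.groupdict()
    bare = fields.pop("bare")
    designated = {u: int(n) for u, n in fields.items() if n is not None}
    seconds = sum(_UNIT_SECONDS[u] * n for u, n in designated.items())
    if bare is not None:
        # A number on its own is hours; a number that ends a string which
        # already has designated parts is seconds.
        seconds += int(bare) * (1 if designated else 3600)
    return timedelta(seconds=seconds)


def effective_expiry(
    created: datetime,
    policy_lifespan: Optional[timedelta],
    account_exp: Optional[datetime],
) -> Optional[datetime]:
    """Earlier of created + policy lifespan and the account's -x date.

    None for either input means no limit from that source ("forever" or
    "none"); the result is None when neither source sets a limit.
    """
    limits = []
    if policy_lifespan is not None:
        limits.append(created + policy_lifespan)
    if account_exp is not None:
        limits.append(account_exp)
    return min(limits) if limits else None


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    for sample in ("4w5d", "12w30", "30", "forever"):
        print(sample, "->", parse_lifespan(sample))
    created = datetime(2024, 1, 1)
    print(effective_expiry(created, parse_lifespan("4w5d"), datetime(2024, 1, 20)))
```

 Note the factor of 3600 between "30" (thirty hours) and the trailing
 "30" in "12w30" (thirty seconds) when reviewing lifespans.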