rgy_edit(1m)rgy_edit(1m)NAMErgy_edit - Edits the registry database
SYNOPSISrgy_edit [[[-a | -p | -g | -o] [-s name] [-up[date]]
[-v [-f] [name | -un[ix__number]] [-nq]] | -l]
OPTIONS
The following options are supplied when rgy_edit is invoked. You can
specify only one of the options -a, -p, -g, and -o. If you specify the
-l option, you can specify no other options. Edits or views accounts.
Edits or views principals. Edits or views groups. Edits or views
organizations. Binds to the registry site specified by name. The name
variable is either the fully qualified name of the cell that contains
the registry to which you want access, or the fully qualified name of a
specific registry server. Binds to a read-write registry site in the
cell specified by the -s option. Views the registry entry specified by
name or unix_number. If no entry is specified, all entries are viewed.
Displays in full the entry (or entries) selected by the -v option. The
full entry includes all fields except the membership list and organiza‐
tion policy. Specifies that delete operations will not be queried.
The default is to prompt the user for verification when a delete opera‐
tion is requested. Edits or views entries in local registry.
NOTES
With the exception of the following subcommands, this command is
replaced at Revision 1.1 by the dcecp command. This command may be
fully replaced by the dcecp command in a future release of DCE, and may
no longer be supported at that time.
defaults domain scope help quit exit
delete purge view
DESCRIPTION
The rgy_edit tool views and edits information in the registry database.
You can invoke rgy_edit from any node.
You can edit and view principals, groups, organization, accounts, and
policies in the network registry (the default) or perform a subset of
those functions on the local registry (using the -l option). Changes
made by rgy_edit apply only to the registry. They do not apply to the
local override file or the local password and group files, both of
which can be edited manually. You can view and change only those reg‐
istry objects to which you are granted the appropriate permissions.
Invoking rgy_edit
When you invoke rgy_edit, it displays the following prompt: rgy_edit=>
At this prompt, you can enter any of the rgy_edit subcommands, and
rgy_edit will prompt you for the required information. Alternatively,
you can enter the subcommand followed by all the options required to
perform a specific operation. The rgy_edit command may prompt you for
any required information you do not enter.
SUBCOMMANDS
In the rgy_edit subcommands that follow, use two double quotation marks
with nothing in between to indicate a null fullname, password, misc,
homedir, or shell. Use double quotation marks to embed spaces, or
hyphens in fullname, misc, and homedir if you specify the argument on
the command line.
Principal, Group, and Organization Subcommands
v[iew] [name | -u unix_number] [-f] [-m] [-po] Views registry entries.
Whether name applies to a principal, group, or organization depends on
the domain in which you run rgy_edit. Use the do[main] subcommand
(described in Miscellaneous Commands, later in this reference page) to
change domains.
If you specify the -u unix_number option, rgy_edit displays all match‐
ing entries, including any aliases.
The -f option displays entries in full (all fields except the member‐
ship list and organization policy).
If you are viewing groups or organizations, -m displays the membership
list. For principals, -m lists all groups of which the principal is a
member, including groups that cannot appear in a project list.
If you are viewing organizations, -po displays policy information. If
you do not enter the -po option, rgy_edit shows only the organization's
name and the UNIX number.
a[dd] [principal_name [unix_number] [-f fullname] [-al] [-q quota]]
a[dd] [group_name [unix_number] [-f fullname [-nl]]] [-al] ls
a[dd] [organization_name [unix_number] [-f fullname]] Create a new name
entry.
If you do not specify principal_name, group_name, or organization-name,
the add subcommand prompts you for each field in the entry. If you are
adding organizations, the command prompts you for policy information as
well. If you specify only principal_name, group_name, or organiza‐
tion_name and no other arguments, the object's fullname defaults to ""
(that is, blank), the object's UNIX number is assigned automatically,
and the object's creation quota defaults to unlimited.
Use the -al option to create an alias for an existing principal or
group. No two principals or groups can have the same UNIX number, but
a principal or group and all its aliases share the same UNIX number.
The -al option creates an alias name for a principal or group and
assigns the alias name the same UNIX number as the principal or group.
The -q option specifies the principal's object creation quota, the
total number of registry objects that can be created by the principal.
If you do not specify this option, the object creation quota defaults
to unlimited.
For groups, the -nl option indicates that the group is not to be
included on project lists; omitting this option allows the group to
appear on project lists.
c[hange] [principal_name [-n name] [-f fullname] [-al | -pr] [-q
quota]]
c[hange] [group_name [-n name] [-f fullname] [-nl | -l] ] [-al | -pr]
c[hange] [organization_name [-n name] [-f fullname]]
Changes a principal, group, or organization.
Specify the entry to change with principal_name, group_name, or organi‐
zation_name. If you do not specify a principal_name, group_name, or
organization_name, the change subcommand prompts you for a name. If
you do not specify any fields, the subcommand prompts you for each
field in succession. To leave a field unchanged, press <RETURN> at the
prompt. If you are changing organization entries in the interactive
mode, the subcommand prompts you for policy information as well.
Use -n name and -f fullname, to specify a new primary name or fullname,
respectively.
For principals and groups, the -al option changes a primary name into
an alias, and the -pr option changes an alias into a primary name.
This change can be made only from the command line, not in the interac‐
tive mode.
The -q option specifies the total number of registry objects that can
be created by the principal.
For group entries, the -nl option disallows the group from appearing in
project lists, while the -l option allows the group to appear in
project lists.
For organization entries, you can change policy information only in the
interactive mode.
Changes to a principal name are reflected in membership lists that con‐
tain the principal name. For example, if the principal ludwig is a mem‐
ber of the group composers and the principal name is changed to louis,
the membership list for composers is automatically changed to include
louis but not ludwig.
For reserved names, you can change only fullname.
m[ember] [group_name | organization_name [-a member_list] [-r mem‐
ber_list] ]
Edits the membership list for a group or organization.
If you do not specify a group or organization, the member subcommand
prompts you for names to add or remove.
To add names or aliases to a membership list, use the -a option fol‐
lowed by the names separated by commas. To delete names from a member‐
ship list, use the -r option followed by the names separated by commas.
If you do not include either the -a or -r option on the command line,
rgy_edit prompts you for names to add or remove.
Removing names from the membership list for a group or organization has
the side effect of deleting the login account for removed member (and,
of course, eliminating any permissions granted as a result of the mem‐
bership the next time the member's ticket-granting ticket is renewed).
del[ete] name
Deletes a registry entry.
If you delete a principal, rgy_edit deletes the principal's account.
If you delete a group or organization, rgy_edit deletes any accounts
associated with the group or organization. You cannot delete reserved
principals.
adopt uuid principal_name [-u unix_number] [ -f fullname] [-q quota]
adopt uuid group_name [-f fullname] [-nl]
adopt uuid organization_name [-f fullname]
Creates a principal, group, or organization for the specified UUID.
The principal, group, or organization is created to adopt an orphan
object. Orphans are registry objects that cannot be accessed because
1) they are owned by UUIDs that are not associated with a principal or
group and 2) no other principal, group, or organization has access
rights to the orphaned object. UUIDs are associated with all registry
objects when the object is created. When the registry object is
deleted, the association between the object and the UUID is also
deleted.
The principal_name, group_name, or organization_name you specify must
be unique in the registry as it must be when you create a principal,
group, or organization using the add subcommand. Except for the manner
in which it is created, the principal, group, or organization created
by the adopt subcommand is no different from any other principal,
group, or organization.
The uuid option specifies the UUID number to be assigned to the princi‐
pal, group, or organization. The UUID supplied must be the one that
owns the orphaned object. Specify the uuid in RPC print string format
as 8 hexadecimal digits, a hyphen; 4 hexadecimal digits, a hyphen; 4
hexadecimal digits, a hyphen; 4 hexadecimal digits, a hyphen; and 12
hexadecimal digits. The format follows:
nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn
For cell principals only, the -u option specifies the UNIX number to be
associated with the cell name. If you do not enter this option, the
next sequential UNIX number is supplied as a default. For all princi‐
pals other than cells, the UNIX number is extracted from information
embedded in the principal's UUID and cannot be specified here.
For principals, the -q option specifies the principal's object creation
quota. If you do not enter the option, the object creation quota is
set to ''unlimited.''
For groups, the -nl option turns off the project list inclusion prop‐
erty so that groups are not included in project lists. If you do not
enter this option, the group is included in project lists.
For principals, groups, and organizations, the -f option supplies the
object's fullname. If you do not enter the -f option, fullname
defaults to blank.
An error occurs if you specify a name or UNIX number that is already
defined within the same domain of the database.
Note that in the current implementation of the DCE, UNIX numbers are
embedded in UUID numbers. If you try to create a group or organization
to adopt an orphaned object and fail, it could be because the embedded
UNIX number is invalid because it does not fall within the range of
valid UNIX numbers set for the cell as a registry property. If this is
the case, you must reset the range of valid UNIX numbers to include the
UNIX number embedded in the UUID and then try again to adopt the
object.
Account Subcommands
v[iew] [pname [gname [oname]]] [-f]
Displays login accounts.
Without the -f option, view displays only the user fields in each
account entry. These fields include each account's Principal, group,
and organization name Encrypted password Miscellaneous information Home
directory Login shell
With -f, view displays the full entry, including the administrative
fields as well as the user fields. Administrative information
includes: Who created the account When the account was created Who last
changed the account When the account was last changed When the account
expires Whether the account is valid Whether the account principal's
password is valid When the account principal's password was last
changed
a[dd] [pname [-g gname -o oname -mp password {-rp | -pw password}
[-m misc] [-h homedir] [-s shell]
[-pnv | -pv] [-x account_exp | none] [-anv | -av]
[ [-ena[ble] option | -dis[able] option]...]
[-gs date_and_time] [-mcr lifespan] [-mcl lifespan]]]
Creates a login account.
If you enter the subcommand only or the subcommand and the optional
pname argument (principal name), rgy_edit prompts you for all informa‐
tion. If you enter the subcommand, the pname argument, and the gname
(group name) argument or the the pname, gname and oname (organization
name) arguments, you must also enter the -mp, and -pw or -rp options.
All other options are optional.
The pname argument specifies the principal for whom the account should
be created. The -g and -o options specify the account's group and
organization. If the principal specified in pname is not already a
member of the specified group and organization, rgy_edit automatically
attempts to add the principal to the membership lists. If you do not
have the appropriate permissions for the group and organization, the
attempt will fail and the account will not be created.
The -rp option generates a random password for the account. The pri‐
mary use of this option is to create passwords for accounts that will
not be logged into (since the random password can never be supplied.)
The -pw option is used to supply a password for the account on the com‐
mand line.
If you use the -rp option or the -pw option, you must also use the -mp
option to supply your password so your identity can be validated.
If you do not specify the -rp option or the -pw option, rgy_edit
prompts for the account's password twice to ensure you did not make a
typing mistake. Then it prompts for your password to verify your iden‐
tity.
If the user's password management policy allows the selection of gener‐
ated passwords, specifying "*" as the argument to the -pw option or at
the account's password prompt automatically generates a plaintext pass‐
word.
If the user's password management policy requires the selection of gen‐
erated passwords, specifying the -pw option is an error. rgy_edit dis‐
plays a generated password and then prompts for the password for con‐
firmation. The format of password must adhere to the policy of the
associated organization or the policy of the registry as a whole,
whichever is more restrictive.
The information supplied with the -m option is used to create the GECOS
field for the account in the /etc/passwd file. If you run the
passwd_export command, this entry contains the concatenation of the
principal's full name and the information specified with the -m option.
The -h option specifies the pathname of the principal's home directory.
The default homedir is /. The -s option specifies the pathname of the
principal's login shell. The default shell is a null string.
The -pnv (password not valid) option specifies that the password has
expired. Generally, users must change their passwords when the pass‐
words expire. However, the policy to handle expired passwords and the
mechanism by which users change their passwords are defined for each
platform, usually through the login facility. The -pv option indicates
the password is not expired (the default).
The -x option sets an expiration date for the account in
yy/mm/dd/hh/mm/ss format. The default is "none," meaning that the
password will never expire.
The -anv (account not valid) option specifies that the account is not
currently valid for login. The -av option indicates the account is cur‐
rently valid (the default).
The -enable and -disable options set or clear the following options:
The c[lient] option, if enabled, allows the principal to act as as a
client and log in, acquire tickets, and be authenticated. If you dis‐
able client, the principal cannot act as a client. The default is
enabled. The s[erver] option, if enabled, allows the principal to act
as a server and engage in authenticated communication. If you disable
server, the principal cannot act as a server that engages in authenti‐
cated communication. The default is enabled. The po[stdated] option,
if enabled, allows tickets with a start time some time in the future to
be issued to the account's principal. The default is disabled. The
f[orwardable] option, if enabled, allows a new ticket-granting ticket
with a network address that differs from the present ticket-granting
ticket address to be issued to the account's principal. The default is
enabled. The pr[oxiable] option, if enabled, allows a new ticket with
a different network address than the present ticket to be issued to the
account's principal. The default is disabled. The T[GT_authentica‐
tion] option, if enabled, specifies that tickets issued to the
account's principal can use the ticket-granting-ticket authentication
mechanism. The default is enabled. The r[enewable] option turns on
the Kerberos V5 renewable ticket feature. This feature is not cur‐
rently used by the DCE; any use of this option is unsupported at the
present time. The dup[_session_key] option allows tickets issued to
the account's principal to have duplicate keys. The default is dis‐
abled.
The -gs (good since date) is the date and time the account was last
known to be valid. When accounts are created, this date is set to the
account creation time. If you change the good since date, any tickets
issued before the changed date are invalid. Enter the date in
yy/mm/dd.hh:mm format.
The -mcr (maximum certificate renewable) option is the number of hours
before a session with the principal's identity expires and the princi‐
pal must log in again to reauthenticate. The default is 4 weeks.
The -mcl (maximum certificate lifetime) option is the number of hours
before the Authentication Service must renew a principal's service cer‐
tificates. This is handled automatically and requires no action on the
part of the principal. The default is 1 day.
c[hange] [-p pname] [-g gname] [-o oname]
[-np pname] [-ng gname] [-no oname]
[{-rp | -pw password} -mp password]
[-m misc] [-h homedir] [-s shell]
[-pnv | -pv] [-x account_exp | none] [-anv | -av]
[[-ena[ble] option | -dis[able] option]...]
[-gs date_and_time] [-mcr lifespan] [-mcl lifespan]
Changes an account.
The -p, -g, and -o options identify the account to change. The -np,
-ng, and -no options change the account's, principal, group, and orga‐
nization, respectively.
If you do not specify all three -p, -g, and -o options, wildcard
updates can occur. For example, if you specify only the -g option, the
changes affect all accounts that are associated with the named group.
Note that you cannot use wildcarding to change passwords. To change a
password, you must enter the -p, -g, and -o options.
All other options have the same meaning as described in the add command
for accounts. Note that the -rp option can be used to change the ran‐
dom passwords of the reserved accounts created by sec_create_db when
the registry database is created.
del[ete] -p pname [-g gname] [-o oname]
Deletes the specified account.
Enter the -p option to delete the specified principal's account. Enter
the -g or -o option to delete accounts associated with the specified
group or organization. If you enter the -g or -o option, rgy_edit
prompts individually for whether to delete each account associated with
the group or organization.
ce[ll] cellname [-ul unix_num] [-uf unix_num] [-gl gname] [-ol oname]
[-gf gname] [-of oname] [-mp passwd]
[-fa name] [-fp passwd]
[-q quota] [-x account_expiration_date | none]
Creates a cross-cell authentication account in the local and foreign
cells.
This account allows local principals to access objects in the foreign
cell as authenticated users and vice versa. The administrator in the
foreign cell must have also set up a standard account, whose ID and
password the administrator of the foreign cell must supply to you.
The cellname variable specifies the full pathname of the foreign cell
with which you will establish the cross-cell authentication account.
This name is stripped of the path qualifier and prefixed with "krbtgt."
The resulting name is used as the primary name for the cross-cell
authentication account. For example, if you enter /.../dresden.com,
the principal name is krbtgt/dresden.com.
The -ul option specifies the UNIX number for the local cell's princi‐
pal. The -uf option specifies the UNIX number for the foreign cell's
principal. If you do not specify these UNIX numbers, they are gener‐
ated automatically.
The -gl and -ol options specify the local account's group and organiza‐
tion. The -gf and -of options specify the foreign account's group and
organization.
The -mp option specifies the password of the person who invoked
rgy_edit.
The -fa option specifies the name identifying the account in the for‐
eign cell, and the -fp option specifies the account's password.
The -q option specifies the total number of objects that can be created
in your cell's registry by all foreign users who use the cross-cell
authentication account to access your cell. The object creation quota
defaults to 0 (zero), meaning that principals in the foreign cell can‐
not create objects in the local cell. The object creation quota set
for your cell's account in the foreign cell places the same restriction
on the number of objects that your cell's principals can create in the
foreign cell's registry.
The -x option specifies the account expiration date for both the local
and foreign accounts. The default for this option is "none."
Note that the object creation quota for the local account defaults to 0
(zero), meaning that principals in the foreign cell cannot create
objects in the local cell. You can change this with the rgy_edit
change subcommand.
Key Management Subcommands
The key management subcommands must be run in command-line mode.
kta[dd] -p principal_name [-pw password] [-a[uto]] [-r[egistry]] [-f
keyfile] Creates a password for a server or machine in the keytab file
on the local node.
The -p option specifies the name of the server or machine principal for
which you are creating a password.
The -pw option lets you supply the password on the command line. If
you do not enter this option or the -auto option, ktadd prompts for the
password.
The -a option generates the password randomly. If you use this option,
you must also use the -r option. If you do not specify the -auto or
the -pw option, you are prompted for a password.
The -r option updates the principal's password in the registry to match
the string you enter (or automatically generate) for the password in
the keytab file. Use it to ensure that the principal's password in the
registry and the keytab file are in synch when you change a principal's
password in the keytab file. To use this option, a password for the
principal must exist in the default keytab file or the keytab file
named by the -f option.
The -f option specifies the name of the server keytab file on the local
node to which you are adding the password. If you do not specify a
keytab file name, /krb5/v5srvtab is used. Note that you must be root
to add entries in the default keytab file.
ktl[ist] [-p principal_name] [-f keyfile]
Displays principal names and password version numbers in the local
keytab file.
The -p option specifies the name of the server or machine principal for
which you are displaying passwords.
The -f option specifies the name of the server keytab file on the local
node for which you want to display entries. If you do not specify a
keytab file name, /krb5/v5srvtab is used.
ktd[elete] -p principal_name -v version_number [-f keyfile]
Deletes a sever or machine principal's password entry from a keytab
file.
The -p option specifies the name of the server or machine principal for
whom you are deleting a password entry.
The -v option specifies the version number of the password you want to
delete. Version numbers are assigned to a principal's password when‐
ever the principal's password is changed. This allows any servers or
machines still using tickets granted under the old password to run
without interruption until the ticket expires naturally.
The -f option specifies the name of the server keytab file on the local
node from which you want to delete passwords. If you do not specify a
keytab file name, /krb5/v5srvtab is used. Note that you must be root
to delete entries in the default keytab file. You must have the appro‐
priate access rights to delete entries in other keytab files.
Miscellaneous Commands
do[main] [p | g | o | a]
Changes or displays the type of registry information being viewed or
edited.
You can specify p for principals, g for groups, o for organizations, or
a for accounts. If you supply no argument, rgy_edit displays the cur‐
rent domain.
si[te] [[name]] [-u[pdate]]
Changes or displays the registry site being viewed or edited.
The name variable is the fully qualified name of the cell that contains
the registry to which you want access. If you supply no argument,
rgy_edit displays the current site.
The -update option indicates you want to talk to an update site in the
specified cell. prop[erties] Changes or displays registry properties.
This command prompts you for changes. Press <Return> to leave informa‐
tion unchanged.
po[licy] [organization_name] [-al lifespan | forever] [-pl passwd_life‐
span | forever]
[-px passwd_exp_date | none] [-pm passwd_min_length] [-pa | -pna] [-ps
| -pns]
Changes or displays registry standard policy or the policy for an orga‐
nization.
Enter organization_name to display or change policy for that specific
organization. If you do not enter organization_name the subcommand
affects standard policy for the entire registry.
The -al option determines the account's lifespan, the period during
which accounts are valid. After this period of time passes, the
accounts become invalid and must be recreated. An account's lifespan
is also controlled by the add and change subcommands -x option. If the
two lifespans conflict, the shorter one is used. Enter the lifespan in
the following in the following format:
weekswdaysdhourshminutesm
For example, 4 weeks and 5 days is entered as 4w5d.
If you enter only a number and no weeks, days, or hours designation,
the designation defaults to hours. If you end the lifepan with an num‐
ber and no weeks, days, or hours designation, the number with no desig‐
nation defaults to seconds. For example, 12w30 is assumed to be 12
weeks thirty seconds.
The -pl option determines the password lifespan, the period of time
before account's password expires. Generally, users must change their
passwords when the passwords expire. However, the policy to handle
expired passwords and the mechanism by which users change their pass‐
words are defined for each platform, usually through the login facil‐
ity.
Enter passwd_lifespan as a number indicating the number of days. If
you define a password lifespan as forever, the password has an unlim‐
ited lifespan.
The -px option specifies the password expiration date in
yy/mm/dd/hh.mm:ss format. Generally, users must change their passwords
when the passwords expire. However, the policy to handle expired pass‐
words and the mechanism by which users change their passwords are
defined for each platform, usually through the login facility.
If you define a password expiration date as none, the password has an
unlimited lifespan.
The -pm, -ps, -pns, -pa, and -pna options all control the format of
passwords as follows: -pm — Specifies the minimum length of passwords
in characters. If you enter 0, no password minimum length is in
effect. -ps and -pns — Specify whether passwords can contain all spa‐
ces (-ps) or can not be all spaces (-pns). -pa and -pna — Specify
whether passwords can consist of all alphanumeric characters (-pn) or
must include some non-alphanumeric characters (-pna).
au[th_policy]
Changes and/or displays registry authentication policies.
This command prompts you for changes. Press <Return> to leave informa‐
tion unchanged.
def[aults]
Changes or displays the home directory, login shell, password valid
option, account expiration date, and account valid option default val‐
ues that rgy_edit uses.
This command first displays the current defaults. It then prompts you
for whether or not you want to make changes. If you make changes,
defaults immediately changes the defaults for the current session, and
it saves the new defaults in ~/.rgy_editrc. The newly saved defaults
are used until you change them.
h[elp] [command
Displays usage information for rgy_edit.
If you do not specify a particular command, rgy_edit lists the avail‐
able commands.
q[uit]
Exit rgy_edit.
e[xit]
Exit rgy_edit.
l[ogin]
Lets you establish a new network identity for use during the rgy_edit
session.
The rgy_edit login command prompts for a principal name and password.
sc[ope] [name]
Limits the scope of the information displayed by the view subcommand to
the directory (specified by name) in the registry database.
Commands for the Local Registry
To edit or view the local registry, invoke rgy_edit with the -l option
while you are logged into the machine whose local registry you want to
maintain. This section lists the commands that are valid for editing
or viewing the local registry. When you invoke rgy_edit with the -l
option, only the subcommands and options listed here can be used.
v[iew]
Displays local registry entries.
del[ete] principal_name
Deletes the account and credential information for principal_name from
the local registry.
pu[rge]
Purges expired local registry entries.
This command has no options or arguments.
The time limit, or lifespan, for which an entry in the local registry
is valid is set as a property of the local registry with the properties
subcommand. When the purge subcommand is run, it deletes all expired
entries. The lifespan begins when an entry for the principal is added
to the local registry (that is, the beginning of the lifespan is the
last time the principal logged in to the local machine.) The lifespan
ends after the time limit set as a local registry property.
pr[operties]
Changes and/or displays local registry properties and policies.
This command displays the current properties and then prompts for
whether you want to make changes to them. You can change the local
registry's: Capacity — A number representing the total number of
entries the local registry can contain at any one time. When the
capacity is reached, subsequent new entries overwrite the oldest
entries. Account lifespan — The time in which an account in the local
registry is valid in the following format:
weekswdaysdhourshminutesm
For example, 4 weeks and 5 days is entered as 4w5d.
If you enter only a number and no weeks, days, or hours designation,
the designation defaults to hours. If you end the lifepan with an num‐
ber and no weeks, days, or hours designation, the number with no desig‐
nation defaults to seconds. For example, 12w30 is assumed to be 12
weeks thirty seconds.
rgy_edit(1m)
