/sys$common/syshlp/helplib.hlb
DCE_SECURITY, Admin Intro, rgy_edit, account_commands, add

 *Conan The Librarian (sorry for the slow response - running on an old VAX)

   a[dd] [pname [-g gname -o oname -mp password {-rp | -pw password}
         [-m misc] [-h homedir] [-s shell]
         [-pnv | -pv] [-x account_exp | none] [-anv | -av]
         [ [-ena[ble] option | -dis[able] option]...]
         [-gs date_and_time] [-mcr lifespan] [-mcl lifespan]]]

   Creates a login account.

   If you enter the subcommand only or the subcommand and the optional
   pname argument (principal name), rgy_edit prompts you for all
   information.  If you enter the subcommand, the pname argument, and
   the gname (group name) argument or the the pname, gname and oname
   (organization name) arguments, you must also enter the -mp, and -pw
   or -rp options.  All other options are optional.

   The pname argument specifies the principal for whom the account
   should be created. The -g and -o options specify the account's group
   and organization.  If the principal specified in pname is not
   already a member of the specified group and organization, rgy_edit
   automatically attempts to add the principal to the membership lists.
   If you do not have the appropriate permissions for the group and
   organization, the attempt will fail and the account will not be
   created.

   The -rp option generates a random password for the account. The
   primary use of this option is to create passwords for accounts that
   will not be logged into (since the random password can never be
   supplied.) The -pw option is used to supply a password for the
   account on the command line.

   If you use the -rp option or the -pw option, you must also use the
   -mp option to supply your password so your identity can be validated.

   If you do  not specify the -rp option or the -pw option, rgy_edit
   prompts for the account's password twice to ensure you did not make
   a typing mistake. Then it prompts for your password to verify your
   identity.

   If the user's password management policy allows the selection of
   generated passwords, specifying "*" as the argument to the -pw
   option or at the account's password prompt automatically generates
   a plaintext password.

   If the user's password management policy requires the selection of
   generated passwords, specifying the -pw option is an error. rgy_edit
   displays a generated password and then prompts for the password for
   confirmation.  The format of password must adhere to the policy of
   the associated organization or the policy of the registry as a whole,
   whichever is more restrictive.

   The information supplied with the -m option is used to create the
   GECOS field for the account in the /etc/passwd file [on UNIX].

   The -h option specifies the pathname of the principal's home
   directory.  The default homedir is /. The -s option specifies the
   pathname of the principal's login shell.  The default shell is a
   null string.

   The -pnv (password not valid) option specifies that the password has
   expired. Generally, users must change their passwords when the pass-
   words expire. However, the policy to handle expired passwords and
   the mechanism by which users change their passwords are defined for
   each platform, usually through the login facility.  The -pv option
   indicates the password is not expired (the default).

   The -x option sets an expiration date for the account in
   yy/mm/dd/hh/mm/ss format. The default is "none," meaning that
   the password will never expire.

   The -anv (account not valid) option specifies that the account is
   not currently valid for login. The -av option indicates the account
   is currently valid (the default).

   The -enable and -disable options set or clear the following options:

     +  The c[lient] option, if enabled, allows the principal to act as
        a client and log in, acquire tickets, and be authenticated.  If
        you disable client, the principal cannot act as a client.  The
        default is enabled.

     +  The s[erver] option, if enabled, allows the principal to act as
        a server and engage in authenticated communication.  If you
        disable server, the principal cannot act as a server that
        engages in authenticated communication. The default is enabled.

     +  The po[stdated] option, if enabled, allows tickets with a start
        time some time in the future to be issued to the account's
        principal. The default is disabled.

     +  The f[orwardable] option, if enabled, allows a new ticket-
        granting ticket with a network address that differs from the
        present ticket-granting ticket address to be issued to the
        account's principal.  The default is enabled.

     +  The pr[oxiable] option, if enabled, allows a new ticket with a
        different network address than the present ticket to be issued
        to the account's principal.   The default is disabled.

     +  The T[GT_authentication] option, if enabled, specifies that
        tickets issued to the account's principal can use the ticket-
        granting-ticket authentication mechanism.  The default is
        enabled.

     +  The r[enewable] option turns on the Kerberos V5 renewable
        ticket feature. This feature is not currently used by the DCE;
        any use of this option is unsupported at the present time.

     +  The dup[_session_key] option allows tickets issued to the
        account's principal to have duplicate keys.  The default is
        disabled.

   The -gs (good since date) is the date and time the account was last
   known to be valid. When accounts are created, this date is set to
   the account creation time.  If you change the good since date, any
   tickets issued before the changed date are invalid.  Enter the date
   in yy/mm/dd.hh:mm format.

   The -mcr (maximum certificate renewable) option is the number of
   hours before a session with the principal's identity expires and
   the principal must log in again to reauthenticate. The default is
   4 weeks.

   The -mcl (maximum certificate lifetime) option is the number of
   hours before the Authentication Service must renew a principal's
   service certificates.  This is handled automatically and requires
   no action on the part of the principal. The default is 1 day.
  Close     HLB-list     TLB-list     Help  

[legal] [privacy] [GNU] [policy] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.