account man page on HP-UX

Printed from http://www.polarhome.com/service/man/?qf=account&af=0&tf=2&of=HP-UX

account(1m)							   account(1m)

NAME
       account - A dcecp object that manages an account in the DCE Security
       Service

SYNOPSIS
       account catalog [cell_name] [-simplename]

       account create account_name_list -mypwd password -password password
       -group group_name -organization organization_name [-attribute
       attribute_list | -attribute value]

       account delete account_name_list

       account generate account_name

       account help [operation | -verbose]

       account modify account_name_list [-mypwd password] {-change
       attribute_list | -attribute value}

       account operations

       account show account_name_list [-policies | -all]

ARGUMENTS
       account_name
              The name of a single account to act on.  See account_name_list
              for the name format.

       account_name_list
              A list of one or more names of accounts to act on.  Note that
              accounts are identified by principal names, so when you create
              an account you supply a principal name for the account name.

              Supply the names as follows:

              Fully qualified account names in the form
              /.../cell_name/account_name, /.:/account_name, or
              account_name@cell_name.

              Cell-relative account names in the form account_name.  These
              names refer to an account in the cell identified in the
              _s(sec) convenience variable, or, if the _s(sec) convenience
              variable is not set, in the local host's default cell.

              Do not mix fully qualified names and cell-relative names in a
              list.  In addition, do not use the names of registry database
              objects that contain account information; in other words, do
              not use account names that begin with /.:/sec/account/.

       cell_name
              The name of a specific cell (or /.: for the local cell) in
              which to catalog accounts.

       operation
              The name of the account operation for which to display help
              information.

DESCRIPTION
       The account object represents registry accounts.  Although an account
       is associated with one principal, one group, and one organization, it
       is identified by the principal's primary name.  Alias names are
       differentiated for principals, so one principal can have multiple
       accounts under different alias names.

       When this command executes, it attempts to bind to the registry server
       identified in the _s(sec) variable.  If that server cannot process the
       request or if the _s(sec) variable is not set, the command binds to
       either an available slave server or the master registry server,
       depending on the operation.  Upon completion, the command sets the
       _b(sec) convenience variable to the name of the registry server it
       bound to.

ATTRIBUTES
       The account object supports the following two kinds of attributes:

       Account attributes
              Account attributes may or may not have default values.  They
              assume a default value or a value set by administrators.

       Policy attributes
              Policy attributes regulate such things as account and password
              lifetimes for all accounts associated with a particular
              registry.  Policy attributes have registry-wide default values.
              They always assume the most restrictive value, whether it is
              the registry-wide default value or a value set for an
              individual account.

   Account Attributes
       acctvalid
              A flag set to determine account validity.  Its value is either
              yes or no.  An account with an acctvalid attribute set to no is
              invalid and cannot be logged in to.  The default is yes.

       client
              A flag set to indicate whether the account is for a principal
              that can act as a client.  Its value is either yes or no.  If
              you set this flag to yes, the principal is able to log in to
              the account and acquire tickets for authentication.  The
              default is yes.

       created
              A list of two items.  The first is the principal name of the
              creator of the account; the second is an ISO timestamp showing
              the time of creation.  This attribute is set by the system at
              the time of account creation and cannot be specified or
              modified.

       description
              A text string (limited to the Portable Character Set) typically
              used to describe the use of the account.  The default is the
              empty string ("").

       dupkey
              A flag set to determine whether tickets issued to the account's
              principal can have duplicate keys.  Its value is either yes or
              no.  The default is no.

              In DCE this attribute is currently only advisory.  However,
              Kerberos clients and servers make use of it when they interact
              with a DCE Security server.

       expdate
              The date on which the account expires.  To renew the account,
              change the date in this field.  To specify the time, use an
              ISO-compliant time format such as CCYY-MM-DD-hh:mm:ss or the
              string none.  The default is none.

       forwardabletkt
              A flag set to determine whether a new ticket-granting ticket
              with a network address that differs from the present
              ticket-granting ticket's network address can be issued to the
              account's principal.  The proxiabletkt attribute performs the
              same function for service tickets.  Its value is either yes or
              no.  The default is yes.

              In DCE this attribute is currently only advisory.  However,
              Kerberos clients and servers make use of it when they interact
              with a DCE Security server.

       goodsince
              The date and time the account was last known to be in an
              uncompromised state.  Any tickets granted before this date are
              invalid.  The value is an ISO timestamp.  When the account is
              initially created, the goodsince date is set to the current
              date.  Control over this date is especially useful if you know
              that an account's password was compromised.  Changing the
              password can prevent the unauthorized principal from accessing
              the system again using that password, but the changed password
              does not prevent the principal from accessing the system
              components for which tickets were obtained fraudulently before
              the password was changed.  To eliminate the principal's access
              to the system, the tickets must be cancelled.

              The default is the time the account was created.

       group
              The name of the group associated with the account.  The value
              is a single group name of an existing group in the registry.
              This attribute must be specified for the account create
              command; it does not have a default value.

              If a group is deleted from the registry, all accounts
              associated with the group are also deleted.

       home
              The file system directory in which the principal is placed at
              login.  The default is the / directory.

       lastchange
              A list of two items.  The first is the principal name of the
              last modifier of the account; the second is an ISO timestamp
              showing the time of the last modification.  This attribute is
              set by the system whenever the account is modified; it cannot
              be set or modified directly.  The initial value consists of the
              principal name of the creator of the account and the time the
              account was created.

       organization
              The name of the organization associated with the account.  The
              value is a single organization name of an existing
              organization in the registry.  This attribute must be specified
              for the account create command; it does not have a default
              value.

              If an organization is deleted from the registry, all accounts
              associated with the organization are also deleted.

       password
              The password of the account.  This attribute must be specified
              for the account create command; there is no default value.
              This attribute is not returned by an account show command.

       postdatedtkt
              A flag set to determine if tickets with a start time some time
              in the future can be issued to the account's principal.  Its
              value is either yes or no.  The default is no.

              In DCE, this attribute is currently only advisory.  However,
              Kerberos clients and servers make use of it when they interact
              with a DCE Security server.

       proxiabletkt
              A flag set to determine whether a new ticket with a different
              network address than the present ticket can be issued to the
              account's principal.  The forwardabletkt attribute performs the
              same function for ticket-granting tickets.  Its value is either
              yes or no.  The default is no.

              In DCE, this attribute is currently only advisory.  However,
              Kerberos clients and servers make use of it when they interact
              with a DCE Security server.

       pwdvalid
              A flag set to determine whether the current password is valid.
              If this flag is set to no, the next time a principal logs in to
              the account, the system prompts the principal to change the
              password.  (Note that this flag is separate from the pwdexpdate
              policy, which sets time limits on password validity.)  Its
              value is either yes or no.  The default is yes.

       renewabletkt
              A flag set to determine if the ticket-granting ticket issued to
              the account's principal can be renewed.  If this flag is set to
              yes, the authentication service renews the ticket-granting
              ticket if its lifetime is valid.  Its value is either yes or
              no.  The default is yes.

              In DCE this attribute is currently only advisory.  However,
              Kerberos clients and servers make use of it when they interact
              with a DCE Security server.

       server
              A flag set to indicate whether the account is for a principal
              that can act as a server.  Its value is either yes or no.  This
              flag should be yes for any server that engages in authenticated
              communications.  The default is yes.

       shell
              The path of the shell that is executed when a principal logs
              in.  The legal value is any shell supported by the home cell.
              The default value is the empty string ("").

       stdtgtauth
              A flag set to determine whether service tickets issued to the
              account's principal use the standard DCE ticket-granting ticket
              authentication mechanism.  Its value is either yes or no.  The
              default is yes.

   Policy Attributes
       maxtktlife
              The maximum amount of time that a ticket can be valid.  To
              specify the time, use the Distributed Time Service (DTS)
              relative time format ([-]DD-hh:mm:ss).  When a client requests
              a ticket to a server, the lifetime granted to the ticket takes
              into account the maxtktlife set for both the server and the
              client.  In other words, the lifetime cannot exceed the shorter
              of the server's or client's maxtktlife.  If you do not specify
              a maxtktlife for an account, the maxtktlife defined as registry
              authorization policy is used.

       maxtktrenew
              The amount of time before a principal's ticket-granting ticket
              expires and that principal must log in to the system again to
              reauthenticate and obtain another ticket-granting ticket.  To
              specify the time, use the DTS relative time format
              ([-]DD-hh:mm:ss).  The lifetime of the principal's service
              tickets can never exceed the lifetime of the principal's
              ticket-granting ticket.  The shorter you make maxtktrenew, the
              greater the security of the system.  However, since principals
              must log in again to renew their ticket-granting ticket, the
              time specified needs to balance user convenience against the
              level of security required.  If you do not specify this for an
              account, the maxtktrenew lifetime defined as registry
              authorization policy is used.

              This feature is not currently used by DCE; any use of this
              option is unsupported at the present time.

       See the OSF DCE Administration Guide for more information about account
       attributes.
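       The following Python script is an added illustration and is not part of
       this reference page or of DCE.  It models two rules stated above so
       that they can be checked on sample values: the effective maxtktlife of
       a ticket (the shorter of the server's and client's value, with the
       registry-wide policy standing in for an account that has none), and
       the goodsince rule that a ticket granted before that timestamp is
       invalid even after the password has been changed.  The DTS relative
       format [-]DD-hh:mm:ss and the CCYY-MM-DD-hh:mm:ss timestamp form are
       the ones named on this page; the account values in the script are
       constructed, and the function names are the script's own.

```python
"""Added example, not part of the account(1m) man page or of DCE.

Models two rules from the ATTRIBUTES section:
  * maxtktlife: a ticket's lifetime cannot exceed the shorter of the
    server's and the client's maxtktlife; an account with no maxtktlife
    of its own uses the registry-wide policy value.
  * goodsince: any ticket granted before the account's goodsince
    timestamp is invalid, which is why moving goodsince forward (not only
    changing the password) is what cuts off tickets obtained earlier.

Timestamps use CCYY-MM-DD-hh:mm:ss; a suffix such as ".000+00:00I-----"
as printed by account show is tolerated and ignored.  All values used in
the demonstration at the bottom are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Optional

# DTS relative time: optional sign, days, then hh:mm:ss.
_DTS_RE = re.compile(r"^(-?)(\d+)-(\d{2}):(\d{2}):(\d{2})$")


def parse_dts_relative(value: str) -> timedelta:
    """Parse a DTS relative time such as '0-10:00:00' or '1-00:00:00'."""
    m = _DTS_RE.match(value)
    if not m:
        raise ValueError(f"not a DTS relative time: {value!r}")
    sign, days, hh, mm, ss = m.groups()
    delta = timedelta(days=int(days), hours=int(hh),
                      minutes=int(mm), seconds=int(ss))
    return -delta if sign else delta


def parse_iso_timestamp(value: str) -> datetime:
    """Parse CCYY-MM-DD-hh:mm:ss, ignoring any fractional/offset suffix."""
    return datetime.strptime(value[:19], "%Y-%m-%d-%H:%M:%S")


def effective_maxtktlife(registry_policy: str,
                         server_maxtktlife: Optional[str],
                         client_maxtktlife: Optional[str]) -> timedelta:
    """Longest lifetime a ticket between this client and server can have.

    None means the account has no maxtktlife of its own, so the
    registry-wide policy applies to that side.
    """
    server = parse_dts_relative(server_maxtktlife or registry_policy)
    client = parse_dts_relative(client_maxtktlife or registry_policy)
    return min(server, client)


def ticket_lifetime(requested: str, registry_policy: str,
                    server_maxtktlife: Optional[str],
                    client_maxtktlife: Optional[str]) -> timedelta:
    """Lifetime actually granted: the request clipped to the effective limit."""
    limit = effective_maxtktlife(registry_policy, server_maxtktlife,
                                 client_maxtktlife)
    return min(parse_dts_relative(requested), limit)


def ticket_honours_goodsince(ticket_issued: str, goodsince: str) -> bool:
    """A ticket issued before the account's goodsince timestamp is invalid."""
    return parse_iso_timestamp(ticket_issued) >= parse_iso_timestamp(goodsince)


if __name__ == "__main__":
    # Constructed values: registry-wide policy of 10 hours, a server account
    # limited to 8 hours, and a client account with no maxtktlife of its own.
    print(effective_maxtktlife("0-10:00:00", "0-08:00:00", None))
    # A one-day request is clipped to the tightest of the three limits.
    print(ticket_lifetime("1-00:00:00", "0-10:00:00", "0-08:00:00", "0-04:00:00"))
    # A ticket obtained before goodsince was moved forward is no longer
    # honoured, even if the password has already been changed.
    print(ticket_honours_goodsince("1994-06-15-18:31:05.000+00:00I-----",
                                   "1994-06-16-12:00:00"))
```

       The point worth keeping from the second check: after a compromise,
       changing the password alone leaves earlier-issued tickets usable for
       the rest of their lifetime, and the lifetime computed by the first
       check is exactly how long that window can be.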

OPERATIONS
   account catalog
       Returns a list of the names of all accounts in the registry.  The
       syntax is as follows:

       account catalog [cell_name] [-simplename]

       Options

       -simplename
              Returns a list of account names in the registry without
              prepending the name of the cell.

       The catalog operation returns a list of the names of all accounts in
       the local registry database.  Use the cell_name argument to return a
       list of accounts in another cell's registry.  By default, fully
       qualified names are returned in the form cell_name/account_name.  Use
       the -simplename option to return the names without the cell name in
       the form account_name.

       Privileges Required

       You must have r (read) permission to the principal named in the
       account.

       Examples

       dcecp> account catalog -simplename
       nobody
       root
       daemon
       uucp
       bin
       dce-ptgt
       dce-rgy
       krbtgt/goodco.com
       cell_admin
       hosts/pmin17/self
       hosts/pmin17/cds-server
       hosts/pmin17/gda
       ward
       dcecp>

       dcecp> account catalog
       /.../goodco.com/nobody
       /.../goodco.com/root
       /.../goodco.com/daemon
       /.../goodco.com/uucp
       /.../goodco.com/bin
       /.../goodco.com/dce-ptgt
       /.../goodco.com/dce-rgy
       /.../goodco.com/krbtgt/goodco.com
       /.../goodco.com/cell_admin
       /.../goodco.com/hosts/pmin17/self
       /.../goodco.com/hosts/pmin17/cds-server
       /.../goodco.com/hosts/pmin17/gda
       /.../goodco.com/ward
       dcecp>

   account create
       Creates a new account in the registry database.  The syntax is as
       follows:

       account create account_name_list -mypwd password -password password
       -group group_name -organization organization_name [-attribute
       attribute_list | -attribute value]

       Options

       -attribute value
              As an alternative to using the -attribute option with an
              attribute list, you can specify individual attribute options
              by prepending a hyphen (-) to any attributes listed in the
              ATTRIBUTES section of this reference page.

       -attribute attribute_list
              Allows you to specify attributes by using an attribute list
              rather than individual attribute options.  The format of an
              attribute list is as follows:

              {{attribute value}...{attribute value}}

       -group group_name
              The name of the group to associate with the account.  See
              Account Attributes for the format of a group name.

       -mypwd password
              Your privileged password.  You must enter your privileged
              password to create an account.  This check prevents a malicious
              user from using an existing privileged session to create
              unauthorized accounts.  You must specify this option on the
              command line; it cannot be supplied in a script.

       -organization organization_name
              The name of the organization to associate with the account.
              See Account Attributes for the format of an organization name.

       -password password
              The account password.  See Account Attributes for the format
              of a password.

       The create operation creates a new account.  The account_name_list
       argument is a list of names of principals for which the accounts are
       to be created.  This operation returns an empty string on success.

       You must specify the group, organization, password, and mypwd
       attributes on the command line (either in an attribute list or with
       attribute options).  The attributes specified are applied to all of
       the accounts created.

       To protect the account password being entered, the account create
       command can be entered only from within dcecp.  You cannot enter this
       command from the operating system prompt by using dcecp with the -c
       option.

       Before you can create a new account, you must create a principal by
       using the principal create command.  Then you must add the principal
       to an existing group and organization using the group add and
       organization add commands.

       Privileges Required

       You must have the following permissions:

       gmau (groups, mgmt_info, auth_info, and user_info) permissions to the
       principal named in the account

       rtM (read, test, Member_list) permissions to the organization named
       in the account

       tM (test, Member_list) permissions to the group named in the account

       r (read) permission on the registry policy object.

       Examples

       dcecp> principal create John_Hunter
       dcecp>

       dcecp> group add users -member John_Hunter
       dcecp>

       dcecp> organization add users -member John_Hunter
       dcecp>

       dcecp> account create John_Hunter -group users -organization users \
       > -mypwd my.secret.password -password change.me
       dcecp>

       dcecp> account create jimbo@gumby_cell -group none -organization none \
       > -mypwd my.secret.password -password change.me
       dcecp>

   account delete
       Deletes existing accounts from the registry.  The syntax is as follows:

       account delete account_name_list

       The delete operation deletes existing accounts from the registry.  The
       argument is a list of names of accounts to be deleted.  If the
       accounts do not exist, an error is generated.  This operation returns
       an empty string on success.

       Privileges Required

       You must have rmau (read, mgmt_info, auth_info, user_info) permissions
       for the principal named in the account.

       Examples

       dcecp> account delete john_hunter
       dcecp>

   account generate
       Randomly generates a password for a named account.  The syntax is as
       follows:

       account generate account_name

       To run the account generate command, the pwd_strength server must be
       running, the principal identified by account_name must exist, and the
       pwd_mgmt_binding and pwd_val_type Extended Registry Attributes must be
       attached to that principal.  Otherwise, an error is generated.  The
       command returns a randomly generated password on success.

       See the OSF DCE Administration Guide for more information about the
       pwd_strength server.

       After the password is generated, run the account create command to
       establish the account.  Supply the randomly generated password as the
       account's password (using the -password option).

       Privileges Required

       You must have the gmau (groups, mgmt_info, auth_info, and user_info)
       permissions for the principal named in the account.

       Examples

       dcecp> account generate john_hunter
       7xZ34yF
       dcecp>

   account help
       Returns help information about the account object and its operations.
       The syntax is as follows:

       account help [operation | -verbose]

       Options

       -verbose
              Displays information about the account object.

       Used without an argument or option, the account help command returns
       brief information about each account operation.  The optional
       operation argument is the name of an operation about which you want
       detailed information.  Alternatively, you can use the -verbose option
       for more detailed information about the account object itself.

       Privileges Required

       No special privileges are needed to use the account help command.

       Examples

       dcecp> account help
       catalog             Returns the names of all accounts in the registry.
       create              Creates an account in the registry.
       delete              Deletes an account from the registry.
       generate            Generates a random password for an account in the registry.
       modify              Modifies an account in the registry.
       show                Returns the attributes of an account.
       help                Prints a summary of command-line options.
       operations          Returns a list of the valid operations for this command.
       dcecp>

   account modify
       Changes attributes and policies of existing accounts.  The syntax is
       as follows:

       account modify account_name_list [-mypwd password] {-change
       attribute_list | -attribute value}

       Options

       -attribute value
              As an alternative to using the -change option with an
              attribute list, you can specify individual attribute options
              by prepending a hyphen (-) to any attributes listed in the
              ATTRIBUTES section of this reference page.

       -change attribute_list
              Allows you to modify attributes by using an attribute list
              rather than individual attribute options.  The format of an
              attribute list is as follows:

              {{attribute value}...{attribute value}}

       -mypwd password
              Lets you supply your privileged password when changing policy
              or administration data.  You must enter your privileged
              password to change an account password; otherwise, the -mypwd
              option is optional.  This check prevents a malicious user from
              using an existing privileged session to modify passwords of
              existing accounts.

       The modify operation modifies account attributes.  The -add and
       -remove options are not supported because the attributes created when
       the account is created cannot be deleted, nor can additional
       attributes be added.  To change an account attribute, supply the new
       value in an attribute list or as an individual attribute option.  This
       operation returns an empty string on success.

       When an account's password is being modified, in order to protect the
       password being entered, you can execute the account modify command
       only from within the dcecp program; you cannot execute it from the
       operating system prompt using dcecp with the -c option.

       Privileges Required

       You must have rm (read, mgmt_info) permissions for the principal named
       in the account.

       Examples

       The following example changes the account's expiration date and login
       shell by specifying the expdate and shell attributes as individual
       attribute options.

       dcecp> account modify John_Hunter -expdate 1998-03-19-00:00:00.000 -shell /bin/csh
       dcecp>

       dcecp> account show John_Hunter
       {acctvalid yes}
       {client yes}
       {created /.../my_cell.goodco.com/cell_admin 1994-06-15-18:31:08.000+00:00I-----}
       {description {}}
       {dupkey no}
       {expdate 1998-03-19-00:00:00.000+00:00I-----}
       {forwardabletkt yes}
       {goodsince 1994-06-15-18:31:05.000+00:00I-----}
       {group users}
       {home /}
       {lastchange /.../my_cell.goodco.com/cell_admin 1994-06-16-12:21:07.000+00:00I-----}
       {name John_Hunter}
       {organization users}
       {postdatedtkt no}
       {proxiabletkt no}
       {pwdvalid yes}
       {renewabletkt yes}
       {server yes}
       {shell /bin/csh}
       {stdtgtauth yes}
       dcecp>

   account operations
       Returns a list of the operations supported by the account object.  The
       syntax is as follows:

       account operations

       The list of available operations is in alphabetical order except for
       help and operations, which are listed last.

       Privileges Required

       No special privileges are needed to use the account operations
       command.

       Examples

       dcecp> account operations
       catalog create delete generate modify show help operations
       dcecp>

   account show
       Returns attribute information for the specified accounts.  The syntax
       is as follows:

       account show account_name_list [-policies | -all]

       Options

       -policies
              Returns only account policies.

       -all
              Returns account attributes followed by account policies.

       The show operation returns an attribute list describing the specified
       accounts.  The argument is a list of names of accounts to be operated
       on.  If more than one account is given, the attributes and policies
       are concatenated and a blank line inserted between accounts.  The
       -policies option lets you return the policies of the account instead
       of the attributes.  The -all option returns the attributes followed by
       the policies.

       Attributes and policies are returned in lexical order.  If the account
       has no policies, the operation displays the string nopolicy.

       The policies that are actually in effect can be different from the
       account policies due to conflicts with registry-wide policies.  If
       this is the case, the show operation alters the attribute structure on
       output to include an effective tag and the effective value, much in
       the same way organization show does.

       Privileges Required

       You must have r (read) permission to the principal named in the
       account.

       Examples

       dcecp> account show John_Hunter
       {acctvalid yes}
       {client yes}
       {created /.../my_cell.goodco.com/cell_admin 1994-06-15-18:31:08.000+00:00I-----}
       {description {}}
       {dupkey no}
       {expdate 1998-03-19-00:00:00.000+00:00I-----}
       {forwardabletkt yes}
       {goodsince 1994-06-15-18:31:05.000+00:00I-----}
       {group users}
       {home /}
       {lastchange /.../my_cell.goodco.com/cell_admin 1994-06-16-12:21:07.000+00:00I-----}
       {name John_Hunter}
       {organization users}
       {postdatedtkt no}
       {proxiabletkt no}
       {pwdvalid yes}
       {renewabletkt yes}
       {server yes}
       {shell {}}
       {stdtgtauth yes}
       dcecp>
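       The following Python script is an added illustration, not part of this
       reference page or of DCE.  It parses the Tcl-style attribute list that
       account show prints (one {name value...} element per attribute, with
       brace-quoted values such as {description {}} and two-item values such
       as created) and then audits the result for only the conditions this
       page describes: acctvalid no, pwdvalid no, an expdate of none or
       already past, and an empty shell.  The sample input is the show output
       from the example above; the audit date passed in is constructed, and
       the function names are the script's own.

```python
"""Added example, not from the account(1m) man page or from DCE.

Parses the attribute list printed by `account show` and flags the
conditions the page describes.  SAMPLE_SHOW is the page's own example
output for John_Hunter; the audit date is constructed.
"""
from datetime import datetime
from typing import Dict, List, Union

SAMPLE_SHOW = (
    "{acctvalid yes} {client yes} "
    "{created /.../my_cell.goodco.com/cell_admin 1994-06-15-18:31:08.000+00:00I-----} "
    "{description {}} {dupkey no} {expdate 1998-03-19-00:00:00.000+00:00I-----} "
    "{forwardabletkt yes} {goodsince 1994-06-15-18:31:05.000+00:00I-----} "
    "{group users} {home /} "
    "{lastchange /.../my_cell.goodco.com/cell_admin 1994-06-16-12:21:07.000+00:00I-----} "
    "{name John_Hunter} {organization users} {postdatedtkt no} {proxiabletkt no} "
    "{pwdvalid yes} {renewabletkt yes} {server yes} {shell {}} {stdtgtauth yes}"
)

Attrs = Dict[str, Union[str, List[str]]]


def split_tcl_list(text: str) -> List[str]:
    """Split a Tcl list into elements, honouring nested braces."""
    items: List[str] = []
    i, n = 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == "{":
            depth, j = 0, i
            while j < n:
                if text[j] == "{":
                    depth += 1
                elif text[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth != 0:
                raise ValueError("unbalanced braces in attribute list")
            items.append(text[i + 1:j])   # element without its outer braces
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace():
                j += 1
            items.append(text[i:j])
            i = j
    return items


def parse_account_show(output: str) -> Attrs:
    """Map attribute name -> value; two-item attributes (created, lastchange)
    become a list, brace-quoted empty values become ''."""
    attrs: Attrs = {}
    for element in split_tcl_list(output):
        fields = split_tcl_list(element)
        if not fields:
            continue
        name, values = fields[0], fields[1:]
        attrs[name] = values[0] if len(values) == 1 else values
    return attrs


def audit_account(attrs: Attrs, now: str) -> List[str]:
    """Return findings for the conditions the page describes.
    `now` is a CCYY-MM-DD-hh:mm:ss timestamp used to judge expdate."""
    findings: List[str] = []
    if attrs.get("acctvalid") == "no":
        findings.append("acctvalid no: account cannot be logged in to")
    if attrs.get("pwdvalid") == "no":
        findings.append("pwdvalid no: password change forced at next login")
    expdate = attrs.get("expdate", "none")
    if expdate == "none":
        findings.append("expdate none: account never expires")
    else:
        # Drop the fractional-second/offset suffix before parsing.
        exp = datetime.strptime(str(expdate)[:19], "%Y-%m-%d-%H:%M:%S")
        if exp < datetime.strptime(now, "%Y-%m-%d-%H:%M:%S"):
            findings.append(f"expdate {str(expdate)[:19]}: account has expired")
    if attrs.get("shell") == "":
        findings.append("shell empty: default login shell")
    return findings


if __name__ == "__main__":
    parsed = parse_account_show(SAMPLE_SHOW)
    for line in audit_account(parsed, "2000-01-01-00:00:00"):
        print(line)
```

       The parser is deliberately brace-aware rather than a split on
       whitespace: a value such as {description {}} or a two-item created
       value would otherwise be broken into the wrong number of fields, and
       any check built on top of it would silently read the wrong attribute.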

RELATED INFORMATION
       Commands: dcecp(1m), dcecp_group(1m), dcecp_organization(1m),
       dcecp_principal(1m), dcecp_registry(1m).
