user(1m) Open Software Foundation user(1m)
NAME
user - A dcecp task object that manipulates user information in a DCE
cell
SYNOPSIS
user create user_name_list -mypwd password -password password
-group group_name -organization organization_name
[-force]
{-attribute attribute_list | -attribute value}
user delete user_name_list
user help [operation | -verbose]
user operations
user show user_name_list
ARGUMENTS
operation The name of the user operation for which to display help
information.
user_name_list
A list of one or more names of principals to act on. Supply
the names as follows:
+ Fully qualified principal names in the form
/.:/principal_name, /.../cell_name/principal_name, or
principal_name@cell_name.
+ Cell-relative principal names in the form
principal_name. These names refer to a principal in
the cell identified in the _s(sec) convenience
variable, or if the _s(sec) convenience variable is not
set, in the local host's default cell.
Do not mix fully qualified names and cell-relative names in
a list. In addition, do not use the names of registry
database objects that contain principal information; in
other words, do not use names that begin with
/.:/sec/principal/.
DESCRIPTION
The user task object represents all of the data associated with a DCE
user. This consists only of registry information in the current
implementation. The user task object allows administrators to easily
create principals and accounts, delete principals and accounts, and
view principal and account information.
Hewlett-Packard Company - 1 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
When it creates a principal and an account, the user task object adds
the principal to a group and an organization, if necessary, and
creates the group and organization if required. Only the principal
and account attributes are considered attributes of the user task
object, and are the only ones displayed by the show operation.
This object is implemented as a script to allow it to be manipulated
and extended on a per-site basis. For example, administrators might
want to add Global Directory Service (GDS) and Distributed File
Service (DFS) information to the object. Other possible modifications
include the following:
+ Changing the default ACLs placed on the various objects.
+ Setting certain attributes or policies on all newly created
principals and accounts to match the site's policies.
+ Setting up site specific defaults for passwords (to be changed by
the user later), groups, organizations, principal directories,
and so on.
+ Supporting a modify operation.
ATTRIBUTES
acctvalid {yes | no}
A flag set to determine account validity. Its value is
either yes or no. An account with an acctvalid attribute
set to no is invalid and cannot be logged in to. The
default is yes.
alias value
Used with the create operation. The value of this attribute
must be yes or no. Each principal can have only one name,
but may have multiple alias names. All these names refer to
the same principal and, therefore, the same Universal Unique
Identifier (UUID) and UNIX ID (uid). While aliases refer to
the same principal, they are separate entries in the
registry database. Therefore the name supplied to a user
command can refer to either the primary name or an alias
name of a principal. The value of this attribute determines
whether the name is a primary name (alias no) or an alias
name (alias yes). The default is no.
client {yes | no}
A flag set to indicate whether the account is for a
principal that can act as a client. The value of this
attribute must be yes or no. If you set it to yes, the
principal is able to log in to the account and acquire
tickets for authentication. The default is yes.
description
A text string (limited to the Portable Character Set or PCS)
typically used to describe the use of the account. The
default is the empty string ("").
dupkey {yes | no}
A flag set to determine if tickets issued to the account's
principal can have duplicate keys. The value of this
attribute must be yes or no. The default is no.
In DCE, this attribute is currently only advisory. However,
Kerberos clients and servers will use it when they
interact with a DCE Security server.
expdate ISO_timestamp
The date on which the account expires. To renew the
account, change the date in this field. Specify the time by
using an ISO-compliant time format such as CCYY-MM-DD-hh:mm:ss
or the string none. The default is none.
forwardabletkt {yes | no}
A flag set to determine whether a new ticket-granting ticket
with a network address that differs from the present
ticket-granting ticket network address can be issued to the
account's principal. The proxiabletkt attribute performs
the same function for service tickets. This attribute must
have a value of yes or no. The default is yes.
In DCE, this attribute is currently only advisory. However,
Kerberos clients and servers will use it when they interact
with a DCE Security server.
fullname string
Used with the create operation, this attribute specifies the
full name of the principal. It is for information purposes
only. It typically describes or expands a primary name to
allow easy recognition by users. For example, a principal
could have a primary name of jsbach and a full name of
Johann S. Bach. The value is a string. If it contains
spaces, it is displayed in quotes, and on entry must be in
quotations or braces (as per Tcl quoting rules). If not
entered, the full name defaults to the null string (that is,
blank).
goodsince ISO_timestamp
The date and time the account was last known to be in an
uncompromised state. Any tickets granted before this date
are invalid. The value is an ISO timestamp. When the
account is initially created, the goodsince date is set to
the current date. Control over this date is especially
useful if you know that an account's password was
compromised. Changing the password can prevent the
unauthorized principal from accessing the system again using
that password, but the changed password does not prevent the
principal from accessing the system components for which
tickets were obtained fraudulently before the password was
changed. To eliminate the principal's access to the system,
the tickets must be cancelled.
The default is the time the account was created.
group group_name
The name of the group associated with the account. The
value is a single group name of an existing group in the
registry. This attribute must be specified for the user
create command; it does not have a default value.
If a group is deleted from the registry, all accounts
associated with the group are also deleted.
home directory_name
The file system directory in which the principal is placed
at login. The default is the / directory.
lastchange principal_name ISO_timestamp
A list of two items. The first is the principal name of the
last modifier of the account; the second is an ISO timestamp
showing the time of the last modification. This attribute
is set by the system whenever the account is modified; it
cannot be set or modified directly. The initial value
consists of the principal name of the creator of the account
and the time the account was created.
organization organization_name
The name of the organization associated with the account.
The value is a single organization name of an existing
organization in the registry. This attribute must be
specified for the user create command; it does not have a
default value.
If an organization is deleted from the registry, all
accounts associated with the organization are also deleted.
maxtktlife relative_time
The maximum amount of time that a ticket can be valid.
Specify the time by using the Distributed Time Service (DTS)
relative time format ([-]DD-hh:mm:ss). When a client
requests a ticket to a server, the lifetime granted to the
ticket takes into account the maxtktlife set for both the
server and the client. In other words, the lifetime cannot
exceed the shorter of the server's or client's maxtktlife.
If you do not specify a maxtktlife for an account, the
maxtktlife defined as registry authorization policy is used.
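The lifetime rule above (the granted lifetime is the shorter of the client's and the server's maxtktlife, with the registry policy value standing in for an account that has none) can be checked offline with this added Python example. It is not part of the reference page or of dcecp; the function and variable names are my own, and it only handles the DTS relative-time format the page gives, [-]DD-hh:mm:ss.

```python
import re
from typing import Optional

# DTS relative time as used by maxtktlife: [-]DD-hh:mm:ss
_DTS_RE = re.compile(r"^(-)?(\d+)-(\d{1,2}):(\d{2}):(\d{2})$")

def parse_dts_relative(text: str) -> int:
    """Convert a DTS relative time string to a signed number of seconds."""
    m = _DTS_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a DTS relative time: {text!r}")
    sign, days, hh, mm, ss = m.groups()
    if int(hh) > 23 or int(mm) > 59 or int(ss) > 59:
        raise ValueError(f"out-of-range field in {text!r}")
    total = int(days) * 86400 + int(hh) * 3600 + int(mm) * 60 + int(ss)
    return -total if sign else total

def format_dts_relative(seconds: int) -> str:
    """Inverse of parse_dts_relative, always emitting the [-]DD-hh:mm:ss form."""
    sign = "-" if seconds < 0 else ""
    days, rem = divmod(abs(seconds), 86400)
    hh, rem = divmod(rem, 3600)
    mm, ss = divmod(rem, 60)
    return f"{sign}{days}-{hh:02d}:{mm:02d}:{ss:02d}"

def effective_ticket_life(client_max: Optional[str], server_max: Optional[str],
                          policy_max: str) -> str:
    """Lifetime a ticket can be granted for: the shorter of the client's and the
    server's maxtktlife. An account with no maxtktlife of its own (None here)
    falls back to the registry authorization policy value (hypothetical input;
    dcecp itself does not expose this computation)."""
    client = parse_dts_relative(client_max if client_max is not None else policy_max)
    server = parse_dts_relative(server_max if server_max is not None else policy_max)
    return format_dts_relative(min(client, server))
```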
maxtktrenew relative_time
The amount of time before a principal's ticket-granting
ticket expires and that principal must log in to the system
again to reauthenticate and obtain another ticket-granting
ticket. Specify the time by using the DTS-relative time
format ([-]DD-hh:mm:ss). The lifetime of the principal's
service tickets can never exceed the lifetime of the
principal's ticket-granting ticket. The shorter you make
maxtktrenew, the greater the security of the system.
However, since principals must log in again to renew their
ticket-granting ticket, the time needs to balance user
convenience against level of security required. If you do
not specify this attribute for an account, the maxtktrenew
lifetime defined as registry authorization policy is used.
This feature is not currently used by DCE; any use of this
option is unsupported at the present time.
password password
The password of the account. This attribute must be
specified for the user create command; there is no default
value. This attribute is not returned by a user show
command.
postdatedtkt {yes | no}
A flag set to determine whether tickets with a start time
some time in the future can be issued to the account's
principal. This attribute must have a value of yes or no.
The default is no.
In DCE, this attribute is currently only advisory. However,
Kerberos clients and servers will use it when they interact
with a DCE Security server.
proxiabletkt {yes | no}
A flag set to determine whether a new ticket with a
different network address than the present ticket can be
issued to the account's principal. The forwardabletkt
attribute performs the same function for ticket-granting
tickets. This attribute must have a value of yes or no.
The default is no.
In DCE, this attribute is currently only advisory. However,
Kerberos clients and servers will use it when they interact
with a DCE Security server.
pwdvalid {yes | no}
A flag set to determine whether the current password is
valid. If this flag is set to no, the next time a principal
logs in to the account, the system prompts the principal to
change the password. (Note that this flag is separate from
the pwdexpdate policy, which sets time limits on password
validity.) This attribute must have a value of yes or no.
The default is yes.
quota {quota | unlimited}
Used with the create operation to specify the principal's
object creation quota, which is the total number of registry
objects that can be created by the principal. It is either
a non-negative number or the string unlimited. A value of 0
prohibits the principal from creating any registry objects.
Each time a principal creates a registry object, this value
is decremented for that principal.
renewabletkt {yes | no}
A flag set to determine if the ticket-granting ticket issued
to the account's principal can be renewed. If this flag is
set to yes, the authentication service renews the ticket-granting
ticket if its lifetime is valid. This attribute
must have a value of yes or no. The default is yes.
In DCE, this attribute is currently only advisory. However,
Kerberos clients and servers will use it when they interact
with a DCE Security server.
reserved {yes | no}
Indicates whether the principal object is reserved or not.
The default is no. This attribute may not be set or
modified by the user.
server {yes | no}
A flag set to indicate whether the account is for a
principal that can act as a server. If the account is for a
server that engages in authenticated communications, set
this flag to yes. This attribute must have a value of yes
or no. The default is yes.
shell path_to_shell
The path of the shell that is executed when a principal logs
in. The legal value is any shell supported by the home cell.
The default value is the empty string ("").
stdtgtauth {yes | no}
A flag set to determine whether service tickets issued to
the account's principal use the standard DCE ticket-granting
ticket authentication mechanism. This attribute must have a
value of yes or no. The default is yes.
uid value
Used with the create operation, this specifies the UNIX ID
(uid) for the principal. No two principals can have the same
uid. However, aliases can share one uid. It is often called
the Unix ID and is an integer. If this attribute is not
supplied, a UID is assigned to the principal automatically.
uuid hexadecimal number
Used with the create operation to specify the internal
identifier, known as a UUID, for the principal. No two
principals can have the same UUID, so do not use this option
when creating more than one principal with a single create
command.
This option can also be used to adopt an orphaned UUID.
Normally, the UUID for a new principal is generated by the
registry. When data is tagged with a UUID of a principal
that has been deleted from the registry, this option can be
used to specify the old UUID for a new principal. The UUID
specified must be an orphan (a UUID for which no name exists
in the registry). An error occurs if you specify a name or
UUID that is already defined in the registry.
See the OSF DCE Administration Guide for more information about
principal and account attributes.
OPERATIONS
user create
Creates a principal name and an account for one or more DCE users.
The syntax is as follows:
user create user_name_list -mypwd password -password password
-group group_name -organization organization_name
[-force]
{-attribute attribute_list | -attribute value}
Options
-attribute value
As an alternative to using the -attribute option with an
attribute list, you can specify individual attribute options
by prepending a hyphen (-) to any attributes listed in the
ATTRIBUTES section of this reference page.
-attribute attribute_list
Allows you to specify attributes, including ERAs, by using
an attribute list rather than individual attribute options.
The format of an attribute list is as follows:
{{attribute value}...{attribute value}}
-force Forces creation of the specified group or organization if
they do not exist.
-group group_name
The name of the group to associate with the account. See
ATTRIBUTES for the format of a group name.
-mypwd password
Your privileged password. You must enter your privileged
password to create an account. This check prevents a
malicious user from using an existing privileged session to
create unauthorized accounts. You must specify this option
on the command line; it cannot be supplied in a script.
-organization organization_name
The name of the organization to associate with the account.
See ATTRIBUTES for the format of an organization name.
-password password
The account password. See ATTRIBUTES for the format of a
password.
The create operation creates a principal name and an account for one
or more DCE users. The user_name_list argument is the name of one or
more principals to be added to the registry. This operation returns
an empty string on success. If the operation encounters an error, it
attempts to undo any interim operations that have completed.
This command creates one or more principals and accounts for them. If
a principal or account already exists, an error is generated. Each
principal is then added to the specified group and organization (since
the principal has just been created, it cannot have been a member of
any group or organization). If the group or organization does not
exist, an error is generated unless the -force option is used.
Attributes and policies for the newly created principal and account
may be specified with the -attribute option, giving an attribute list
as its value, or with individual attribute options. This command
attempts to add any unknown attributes as ERAs on the created
principal object. Policies of the organization may not be specified,
as they would probably affect more than the created user. The
required group and organization names may be specified either as
attributes in the -attribute option or via the -group and
-organization options. The required password attribute may be provided
as in the account create command, and the -mypwd option is also
required.
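The attribute-list format ({{attribute value}...{attribute value}}) and the Tcl quoting rule for values with spaces are easy to get wrong by hand, so here is an added Python helper that builds them; it is not part of the page or of dcecp, the function names are my own, and the two password arguments are deliberately left as placeholders because the page requires -mypwd to be typed on the command line rather than supplied from a script.

```python
import re

def tcl_quote(value: str) -> str:
    """Brace-quote a value per the Tcl rule the page cites: values containing
    spaces (or other Tcl-special characters) must be entered in braces or quotes.
    Braces are used because nothing inside them is substituted by Tcl."""
    if "{" in value or "}" in value:
        raise ValueError("values containing braces are not handled by this helper")
    if value == "":
        return "{}"  # the empty string, as dcecp itself prints it
    return "{" + value + "}" if re.search(r'[\s\[\]$\\"]', value) else value

def attribute_list(attrs: dict) -> str:
    """Render a dict as the -attribute list form {{attribute value}...}."""
    body = "".join("{%s %s}" % (name, tcl_quote(str(val))) for name, val in attrs.items())
    return "{" + body + "}"

def user_create_command(name: str, group: str, org: str,
                        attrs: dict = None, force: bool = False) -> str:
    """Assemble a `user create` line in the order the SYNOPSIS gives.
    <privileged-password> and <initial-password> are placeholders to be
    replaced interactively, never stored in a script."""
    parts = ["user create", tcl_quote(name), "-mypwd", "<privileged-password>",
             "-password", "<initial-password>", "-group", tcl_quote(group),
             "-organization", tcl_quote(org)]
    if force:
        parts.append("-force")
    if attrs:
        parts += ["-attribute", attribute_list(attrs)]
    return " ".join(parts)
```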
Privileges Required
Because the user create command performs several operations, you need
the permissions associated with each operation, as follows:
+ To create the principal name, you must have i (insert) permission
to the directory in which the principal is to be created.
+ If the specified groups or organizations do not already exist and
you use the -force option, you must have i (insert) permission to
the directories in which the groups and organizations are to be
created.
+ To create the account, you must have m (mgmt_info), a
(auth_info), and u (user_info) permission to the principal named
in the account, r (read) permission to the organization named in
the account, r (read) permission to the group named in the
account, and r (read) permission on the registry policy object.
Examples
The following example creates a principal named K_Parsons and adds him
to a group named users and an organization named users:
dcecp> user create K_Parsons -mypwd 3kl_JL2 -password change.me \
> -group users -organization users
dcecp>
dcecp> group list users
/.../my_cell.goodco.com/W_Ross
/.../my_cell.goodco.com/J_Severance
/.../my_cell.goodco.com/J_Hunter
/.../my_cell.goodco.com/B_Carr
/.../my_cell.goodco.com/E_Vliet
/.../my_cell.goodco.com/J_Egan
/.../my_cell.goodco.com/F_Willis
/.../my_cell.goodco.com/K_Parsons
dcecp>
dcecp> principal show K_Parsons
{name K_Parsons}
{fullname {}}
{uid 5129}
{uuid 00001409-a943-21cd-be00-0000c08adf56}
{alias no}
{reserved no}
{quota unlimited}
{groups users}
dcecp>
dcecp> account show K_Parsons
{acctvalid yes}
{client yes}
{created /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{description {}}
{dupkey no}
{expdate none}
{forwardabletkt yes}
{goodsince 1994-07-27-13:02:51.000+00:00I-----}
{group users}
{home /}
{lastchange /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{name K_Parsons}
{organization users}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell {}}
{stdtgtauth yes}
dcecp>
dcecp> user create jimbo@gumby_cell -mypwd beanie -password change.me \
> -group none -organization none
dcecp>
user delete
Deletes DCE users. The syntax is as follows:
user delete user_name_list
The delete operation deletes the DCE users named in user_name_list.
To delete a user, the operation proceeds as follows:
+ Deletes the principal from the registry, which also deletes the
account and removes the principal from any groups and
organizations.
This operation returns an empty string on success.
Privileges Required
Because the user delete command performs several operations, you need
the permissions associated with each operation:
+ You must have d (delete) permission to the directory in which the
target principal exists.
+ You must have r (read) and D (Delete_object) permission on the
principal to be deleted.
+ You must have r (read) and M (Member_list) permission on the
target groups and organizations and r (read) permission on the
member to be removed.
+ To delete the account, you must have r (read), m (mgmt_info), a
(auth_info), and u (user_info) permissions for the principal
named in the account.
Examples
The following example deletes user K_Parsons from the cell:
dcecp> user delete K_Parsons
dcecp>
user help
Returns help information about the user task object and its
operations. The syntax is as follows:
user help [operation | -verbose]
Options
-verbose Displays information about the user task object.
Used without an argument or option, the user help command returns
brief information about each user operation. The optional operation
argument is the name of an operation about which you want detailed
information. Alternatively, you can use the -verbose option for more
detailed information about the user task object itself.
Privileges Required
No special privileges are needed to use the user help command.
Examples
dcecp> user help
create Creates a DCE user.
delete Deletes a DCE user.
show Shows the attributes of a DCE user.
help Prints a summary of command-line options.
operations Returns a list of the valid operations for this command.
dcecp>
user operations
Returns a list of the operations supported by the user task object.
The syntax is as follows:
user operations
The list of available operations is in alphabetical order except for
help and operations, which are listed last.
Privileges Required
No special privileges are needed to use the user operations command.
Examples
dcecp> user operations
create delete show help operations
dcecp>
user show
Returns the attributes of a single DCE user. The syntax is as
follows:
user show user_name_list
The show operation returns the attributes of the users named in
user_name_list. The information returned includes principal
attributes, account attributes, and policies. The information is
returned as if the following commands were run in the following order:
principal show
account show -all
Privileges Required
You must have r (read) permission to the principal named in the
account.
Examples
dcecp> user show K_Parsons
{name K_Parsons}
{fullname {}}
{uid 5129}
{uuid 00001409-a943-21cd-be00-0000c08adf56}
{alias no}
{reserved no}
{quota unlimited}
{groups users}
{acctvalid yes}
{client yes}
{created /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{description {}}
{dupkey no}
{expdate none}
{forwardabletkt yes}
{goodsince 1994-07-27-13:02:51.000+00:00I-----}
{group users}
{home /}
{lastchange /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{organization users}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell {}}
{stdtgtauth yes}
nopolicy
dcecp>
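For a registry review it helps to parse `user show` output rather than read it by eye, so here is an added Python example (not part of the page or of dcecp; function names are my own) that turns the {attribute value} lines above into a dict, decodes the dcecp timestamps, and reports the attribute states this page defines as security-relevant. The sample text is constructed to match the shape of the example above; it was not captured from a real cell.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of this page's `user show` output; the bare
# `nopolicy` line at the end means no account-level policy overrides are set.
SAMPLE_USER_SHOW = """\
{name K_Parsons}
{fullname {}}
{acctvalid yes}
{created /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{expdate none}
{forwardabletkt yes}
{goodsince 1994-07-27-13:02:51.000+00:00I-----}
{lastchange /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{pwdvalid yes}
{server yes}
nopolicy
"""

# Timestamp as dcecp prints it: CCYY-MM-DD-hh:mm:ss.fff+hh:mmI-----
_TS_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})-(\d{2}):(\d{2}):(\d{2})"
                    r"(?:\.(\d+))?([+-])(\d{2}):(\d{2})I")

def parse_dce_timestamp(text: str) -> datetime:
    m = _TS_RE.match(text)
    if not m:
        raise ValueError(f"bad DCE timestamp: {text!r}")
    y, mo, d, hh, mm, ss, frac, sign, oh, om = m.groups()
    offset = timedelta(hours=int(oh), minutes=int(om))
    tz = timezone(-offset if sign == "-" else offset)
    micro = int((frac or "0").ljust(6, "0")[:6])
    return datetime(int(y), int(mo), int(d), int(hh), int(mm), int(ss), micro, tz)

def parse_user_show(text: str) -> dict:
    # One {attribute value} per line; {} is the empty string; created and
    # lastchange carry (principal, timestamp); bare words (nopolicy) go to flags.
    attrs = {"flags": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not (line.startswith("{") and line.endswith("}")):
            attrs["flags"].append(line)
            continue
        name, _, value = line[1:-1].partition(" ")
        if value == "{}":
            value = ""
        elif name in ("created", "lastchange"):
            who, _, when = value.partition(" ")
            value = (who, parse_dce_timestamp(when))
        elif name == "goodsince":
            value = parse_dce_timestamp(value)
        attrs[name] = value
    return attrs

def audit_user(attrs: dict) -> list:
    # Findings derived only from attribute semantics this reference page defines.
    findings = []
    if attrs.get("acctvalid") == "no":
        findings.append("acctvalid no: account is invalid and cannot be logged in to")
    if attrs.get("expdate") == "none":
        findings.append("expdate none: account never expires")
    created, goodsince = attrs.get("created"), attrs.get("goodsince")
    if created and goodsince and goodsince > created[1]:
        findings.append("goodsince moved after creation: earlier tickets are invalid")
    if "nopolicy" in attrs["flags"]:
        findings.append("nopolicy: registry-wide policy applies to this account")
    return findings
```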
RELATED INFORMATION
Commands: dcecp(1m), dcecp_account(1m), dcecp_group(1m),
dcecp_organization(1m), dcecp_principal(1m), dcecp_xattrschema(1m).