NAME
creacct - Creates computer and user accounts on the Windows 2000 server (Active Directory), extracts DNS host names and service principal names, and sets principal passwords.
SYNOPSIS
/usr/sbin/creacct [-a principal] [-h hostname] [-s principal] [-t keytable] [-u] [-x service]
OPTIONS
-a principal
Adds a user account to the current domain of the Windows 2000 server and sets its password.
When adding a new user account, creacct prompts you
for the username and password of a principal that
has administrator privileges. The Active Directory
is searched first for the given principal. If an
entry is found, creacct prompts you to replace or
modify the existing entry. If you choose to replace
the entry, the current entry will be deleted and a
new entry will be added.
When adding a new user account, creacct searches
the security database on the UNIX host for that
user to retrieve the UNIX attributes (username,
UID, GID, gecos, home directory, and shell). It
prompts you to modify or keep the existing
attributes. It also prompts you for a password.
When replacing a specified user account, creacct
searches the Active Directory for that principal
name and its UNIX attributes. It prompts you to
modify or keep the existing attributes. It also
prompts you for a password.
A password must be typed twice to prevent mistakes.
You can choose not to set a password when adding or
modifying a user account. To do this, press the
Return key without entering any values at the first
password prompt.
All new user accounts will be added to the current domain in the Active Directory under the Users group. All modified user accounts will be replaced in their corresponding groups. The UNIX attributes are set for the user account under the Tru64 UNIX tab of the Active Directory. Tru64 UNIX user restrictions apply. See the System Administration guide for more information on Tru64 UNIX user account restrictions.
-h hostname
Adds a computer (UNIX host or cluster alias) account to the current domain of the Windows 2000 server.
When adding a new host account, creacct prompts you
for the user name and password of a principal that
has administrator privileges. The Active Directory
is searched first for the given host. If an entry
is found, creacct prompts you to replace or modify
the existing entry. If you choose to replace the
entry, the current entry will be deleted and a new
entry will be added.
If you add a new host account without specifying
the DNS suffix (to create a fully qualified name),
creacct will construct one for you based on the
local DNS name for the current UNIX host.
When replacing an existing host account, creacct
searches the Active Directory for that computer to
retrieve the DNS host name. It then prompts you to
modify the DNS host name. You must specify a valid
DNS host name. You can also keep the existing host
name by reentering it at the prompt. All new or
existing host accounts will be added to the current
domain in the Active Directory under the Computers
group.
The -h option does not require that the -t or the -u options be specified. However, if the -t option is not specified, creacct attempts to add the host service key entry to the default service key table file, /krb5/v5srvtab. If the -u option is not specified, the new host entry will not be added to the /etc/ldapcd.conf file. Modifying the /etc/ldapcd.conf and /krb5/v5srvtab files requires Tru64 UNIX root access. Root owns both files.
-s principal
Sets the password associated with the specified principal.
If you are changing a password, creacct prompts you
for the user name and password of a principal that
has administrator privileges. Then it prompts you
for the new password. The new password must be
typed twice to prevent mistakes.
-t keytable
Specifies a service key table file other than the default. The default is /krb5/v5srvtab, unless the CSFC5KTNAME environment variable is set to an alternate key table file name. You can use the -t option only with the -h and the -x options.
-u
Updates the /etc/ldapcd.conf configuration file with the host entry for the Single Sign On daemon.
-x service
Extracts a key from the Windows 2000 server for the UNIX host service principal or another service principal. It adds the key to the default service key table file or to the key table file specified by the -t option.
The creacct command prompts you for the user name
and password of a principal that has administrator
privileges. When extracting a key for host services,
use the host/ prefix and the fully qualified
name of your UNIX host. You must specify a service
principal name.
For example, the following command extracts the service key for the host/server1.company.com principal in the COMPANY.COM realm and adds it to the key table. (Refer to ktutil(1) to manage the newly extracted service key.)
# creacct -x host/server1.company.com
When extracting a service key for a principal other than the UNIX host, the full principal name must be specified, including the host name of the Windows 2000 Active Directory host and its DNS suffix. For example, the following command extracts the service key for the user1/w2kserverhost.company.com principal in the COMPANY.COM realm:
# creacct -x user1/w2kserverhost.company.com
We recommend that the -x option be used with the -t option to extract the key to a temporary key table file before adding it to the default key table file, /krb5/v5srvtab. Use ktutil to view and manage the key table file.
Note
The -x option sets a random password for the given principal or service. Because the password, and therefore the key, changes on every extraction, any copy of that principal's previous key in another key table file stops working, and a user principal whose key you extract can no longer authenticate with its old password. Extract a key once and manage copies of it with ktutil.
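The naming rule and the staging recommendation above, as an added shell example. This is not part of the creacct(1) page or the Tru64 SSO product; the function names, the CREACCT variable, the staging directory and the use of mktemp(1) are assumptions made here, and the merge into /krb5/v5srvtab is still done by hand with ktutil afterwards. The script refuses a service principal that is not fully qualified (the server keys the entry under the DNS name with its suffix), extracts the key into a freshly created, mode-0600 staging key table under umask 077, and checks the staging file before printing its path.

```shell
#!/bin/sh
# Added example: wraps the -x/-t workflow recommended in creacct(1).
# Not the product's own code. CREACCT defaults to the SYNOPSIS path and
# may be overridden (assumption) so the wrapper can be exercised without
# a Windows 2000 server at hand.

CREACCT=${CREACCT:-/usr/sbin/creacct}

# qualify_host NAME SUFFIX: append the local DNS suffix when NAME carries
# no dot, mirroring what -h does when no suffix is supplied.
qualify_host() {
    case "$1" in
        *.*) printf '%s\n' "$1" ;;
        *)   printf '%s.%s\n' "$1" "$2" ;;
    esac
}

# check_service_principal SPN: accept only service/host.domain[@REALM].
# "host/hosta" is rejected because the DNS suffix is required.
check_service_principal() {
    spn=$1
    case "$spn" in
        */*@*) host=${spn#*/}; host=${host%@*} ;;
        */*)   host=${spn#*/} ;;
        *)     echo "no service/ prefix in $spn" >&2; return 1 ;;
    esac
    service=${spn%%/*}
    [ -n "$service" ] || { echo "empty service name in $spn" >&2; return 1; }
    case "$host" in
        ""|.*|*.|*..*) echo "malformed host name in $spn" >&2; return 1 ;;
        *.*)           return 0 ;;
        *)             echo "$spn is not fully qualified" >&2; return 1 ;;
    esac
}

# keytab_mode_ok FILE: true only when group and other have no permission
# bits at all (ls -ld columns 5-10 read "------"), i.e. 0600 or tighter.
keytab_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "$1 is readable by others (group/other bits: $perms)" >&2
        return 1
    }
}

# stage_service_key SPN [DIR]: create a private staging key table under
# DIR (default /tmp), run creacct -x SPN -t STAGING, verify the result and
# print the staging path. The caller merges it with ktutil and removes it.
stage_service_key() {
    spn=$1; dir=${2:-/tmp}
    check_service_principal "$spn" || return 1
    old_umask=$(umask)
    umask 077                      # a long-term key must never be world readable
    stage=$(mktemp "$dir/srvtab.XXXXXX") || { umask "$old_umask"; return 1; }
    if ! "$CREACCT" -x "$spn" -t "$stage" || [ ! -s "$stage" ]; then
        umask "$old_umask"
        echo "key extraction for $spn failed; removing $stage" >&2
        rm -f "$stage"
        return 1
    fi
    umask "$old_umask"
    keytab_mode_ok "$stage" || { rm -f "$stage"; return 1; }
    printf '%s\n' "$stage"
}

# Stand-alone use:  ./stage_key.sh host/hosta.unix.com /var/tmp
if [ "$#" -gt 0 ]; then
    stage_service_key "$@"
fi
```

Run it as root, since the page requires root for -x; then inspect the printed staging file with ktutil, merge the entry into /krb5/v5srvtab, and remove the staging file. Re-running the extraction is not free: each run sets a new random password and invalidates the key already merged.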
DESCRIPTION
The creacct command adds computers and users to the Windows 2000 server, extracts DNS host names and service principal names, sets principal passwords, extracts service keys into Kerberos key table files, and updates the /etc/ldapcd.conf configuration file.
Before you can perform any creacct operation, the Kerberos environment must be set up. You also must be able to authenticate yourself to the Kerberos server and have appropriate permissions.
RESTRICTIONS
All creacct operations require a valid user in the Windows 2000 server with administrator privileges. Some creacct operations (-h, -x, and -u) require write access to the /krb5/v5srvtab (service key table) and /etc/ldapcd.conf (configuration) files. Because these files are owned by root, you must run creacct as root for those operations. All user accounts must comply with the Tru64 UNIX user restrictions. All new user accounts will be added to the current domain in the Active Directory under the Users group. When prompted for a user with administrator privileges, do not enter the administrator principal of your Windows 2000 server; the Windows 2000 security model does not permit it. Refer to the System Administration guide for more information on Tru64 UNIX user account restrictions.
EXAMPLES
To add a user account called usera to the security server COMPANY.COM, enter:
# creacct -a usera
Enter Admin principal: adminprn
Password for adminprn@COMPANY.COM: password
Adding usera to directory...
Enter the UNIX user attributes for the KDC:
Enter comments: testing
Enter home directory: /usr/users/usera
Enter shell: /bin/ksh
Enter GID (i.e. 15): 15
Enter UID (i.e. 200): 333
Enter the new password for user (usera): password
Confirm password: password
To modify the Tru64 UNIX attributes of a user account called usera in the security server COMPANY.COM without changing the password, enter:
# creacct -a usera
Enter Admin principal: adminprn
Password for adminprn@COMPANY.COM: password
Adding usera to directory...
Found an existing entry. Replace/Modify? [r/m] m
User usera has the following attributes:
comments: (testing)
home directory: (/usr/users/usera)
shell: (/bin/ksh)
GID: (15)
UID: (333)
These attributes are required for the KDC. Modify? [y/n] n
Enter the new password for user (usera): [Return]
Password will not be set.
To add a computer host account to the security server COMPANY.COM and update the /krb5/v5srvtab file and the /etc/ldapcd.conf file, enter:
# creacct -h hosta -u
Enter Admin principal: adminprn
Password for adminprn@COMPANY.COM: password
Adding hosta.unix.com to directory...
Extracting host/hosta.unix.com key...
Updating /etc/ldapcd.conf...
To view the service key for hosta in the key table file, enter:
# ktutil
Keytab name: /krb5/v5srvtab
KVNO Timestamp                 Principal
-----------------------------------------------------
   1 Mon Mar 12 13:38:42 2001  host/hosta.unix.com@COMPANY.COM
To modify the DNS attribute of a UNIX host in the security server, enter:
# creacct -h hosta.unix.com -u
Enter Admin principal: adminprn
Password for adminprn@COMPANY.COM: password
Adding hosta.unix.com to directory...
Found an existing entry. Replace/Modify? [r/m] m
Current DNS is hosta.unix.com, enter new name: hosta.unix1.com
Extracting host/hosta.unix.com key...
Updating /etc/ldapcd.conf...
To view the service key for hosta in the key table file, enter:
# ktutil
Keytab name: /krb5/v5srvtab
KVNO Timestamp                 Principal
-----------------------------------------------------
   1 Mon Mar 12 13:38:42 2001  host/hosta.unix.com@COMPANY.COM
In this example, only the DNS host value changed. The UNIX host service key did not change.
To extract a service key from the security server and add it to the service key table called /krb5/srvtable, enter:
# creacct -x host/hosta.unix.com -t /krb5/srvtable
If the -t option is not used to specify the file, the default key table file will be used.
ENVIRONMENT VARIABLES
CSFC5KTNAME
Controls the service key table file.
FILES
/krb5/v5srvtab
Default service key table file.
/etc/ldapcd.conf
Configuration file.
SEE ALSO
Commands: kdestroy(1), kinit(1), klist(1), ktutil(1)
SSO Installation and Administration Guide
creacct(1)