creacct(1) — Tru64 UNIX 5.1b
creacct(1)  —  Commands

NAME

creacct − Creates computer and user accounts on the Windows 2000 server (Active Directory), extracts DNS hostnames and service principal names, and sets principal passwords. 

SYNOPSIS

/usr/sbin/creacct [−a principal] [−h hostname] [−s principal] [−t keytable] [−u] [−x service]

OPTIONS

−a principal
Adds a user account to the current domain of the Windows 2000 server and sets its password.

When adding a new user account, creacct prompts you for the username and password of a principal that has administrator privileges.  The Active Directory is searched first for the given principal. If an entry is found, creacct prompts you to replace or modify the existing entry. If you choose to replace the entry, the current entry will be deleted and a new entry will be added. 

When adding a new user account, creacct searches the security database on the UNIX host for that user to retrieve the UNIX attributes (username, UID, GID, gecos, home directory, and shell). It prompts you to modify or keep the existing attributes. It also prompts you for a password. 

When replacing a specified user account, creacct searches the Active Directory for that principal name and its UNIX attributes.  It prompts you to modify or keep the existing attributes. It also prompts you for a password. 

A password must be typed twice to prevent mistakes. You can choose not to set a password when adding or modifying a user account. To do this, press the Return key without entering any values at the first password prompt. 

All new user accounts will be added to the current domain in the Active Directory under the Users group. All modified user accounts will be replaced in their corresponding groups. The UNIX attributes are set for the user account under the Tru64 UNIX tab of the Active Directory. Tru64 UNIX user restrictions apply. See the System Administration guide for more information on Tru64 UNIX user account restrictions. 

−h hostname
Adds a computer (UNIX host or cluster alias) account to the current domain of the Windows 2000 server.

When adding a new host account, creacct prompts you for the user name and password of a principal that has administrator privileges.  The Active Directory is searched first for the given host. If an entry is found, creacct prompts you to replace or modify the existing entry. If you choose to replace the entry, the current entry will be deleted and a new entry will be added. 

If you add a new host account without specifying the DNS suffix (to create a fully qualified name), creacct will construct one for you based on the local DNS name for the current UNIX host. 

When replacing an existing host account, creacct searches the Active Directory for that computer to retrieve the DNS host name.  It then prompts you to modify the DNS host name. You must specify a valid DNS host name. You can also keep the existing host name by reentering it at the prompt. All new or existing host accounts will be added to the current domain in the Active Directory under the Computers group. 

The −h option does not require that the −t or the −u options be specified. However, if the −t option is not specified, creacct attempts to add the host service key entry to the default service key table file, /krb5/v5srvtab. If the −u option is not specified, the new host entry will not be added to the /etc/ldapcd.conf file.  Modifying the /etc/ldapcd.conf and /krb5/v5srvtab files requires Tru64 UNIX root access. Root owns both files. 

−s principal
Sets the password associated with the specified principal.

If you are changing a password, creacct prompts you for the user name and password of a principal that has administrator privileges.  Then it prompts you for the new password. The new password must be typed twice to prevent mistakes. 

−t keytable
Specifies a service key table file other than the default, which is /krb5/v5srvtab, unless the CSFC5KTNAME environment variable is set to an alternate key table file name. You can use the −t option only with the −h and the −x options. 

−u
Updates the ldapcd.conf configuration file with the host entry for the Single Sign On daemon. 

−x service
Extracts a key from the Windows 2000 server for the UNIX host service principal or another service principal. It adds the key to the default service key table file or the designated key table file specified by the −t option. 

The creacct command prompts you for the user name and password of a principal that has administrator privileges. When extracting a key for host services, use the host/ prefix and the fully qualified name of your UNIX host. You must specify a service principal name. 

For example, the following command obtains a service ticket for the host/server1.company.com principal in the COMPANY.COM realm. (Refer to ktutil(1) to manage the newly extracted service key.) 

# creacct -x host/server1.company.com

When extracting a principal service key from the security server, the full principal name must be specified including the host name of the Windows 2000 Active Directory host and its DNS suffix. For example, the following command obtains a service ticket for the user1/w2kserverhost.company.com principal in the COMPANY.COM realm:

# creacct -x user1/w2kserverhost.company.com

We recommend that the −x option be used with the −t option to extract the key to a temporary key table file before adding it to the default key table file, /krb5/v5srvtab.  Use ktutil to view and manage the key table file. 

Note

The −x option will set a random password for the given principal or service. 
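The −h and −x text above states three things a caller must get right before running creacct: a host account name needs a DNS suffix (creacct builds one from the local DNS name if it is missing), a key extracted with −x must name the principal as service/fully-qualified-host, and the page recommends extracting into a temporary key table before merging it into /krb5/v5srvtab with ktutil. The following POSIX shell functions are an added pre-flight wrapper illustrating those checks; they are not part of the creacct(1) manual or of Tru64 UNIX. The temporary key table path, the use of dnsdomainname to obtain the local domain, and the wrapper's return codes are assumptions of this example; the creacct options, the CSFC5KTNAME override and the default key table path are as documented on this page.

```shell
#!/bin/sh
# Added example, not part of creacct(1): pre-flight checks for a site wrapper
# around creacct -h / -x. The temporary key table name and the use of
# dnsdomainname are assumptions; everything about creacct itself follows the
# manual text above.

# Documented default key table, overridable through CSFC5KTNAME.
KEYTAB_DEFAULT="${CSFC5KTNAME:-/krb5/v5srvtab}"

# fqdn_for HOST [DOMAIN]
# Return HOST unchanged if it already carries a DNS suffix; otherwise append
# DOMAIN (default: the local DNS domain from dnsdomainname), mirroring what
# creacct -h does when given a bare host name. Fails if no domain is known.
fqdn_for() {
    host=$1
    domain=${2:-$(dnsdomainname 2>/dev/null)}
    case $host in
        *.*) printf '%s\n' "$host" ;;
        *)   [ -n "$domain" ] || return 1
             printf '%s.%s\n' "$host" "$domain" ;;
    esac
}

# valid_service_principal NAME
# Accept only "service/host.domain": a non-empty service part, a slash, and a
# host part that has a DNS suffix. Rejects bare hosts, missing suffixes and
# names that already carry an @REALM (creacct takes the realm implicitly).
valid_service_principal() {
    case $1 in
        */*.*) ;;                 # service part, slash, dotted host part
        *)     return 1 ;;
    esac
    svc=${1%%/*}
    host=${1#*/}
    [ -n "$svc" ] && [ -n "$host" ] || return 1
    case $host in
        *@*|*/*) return 1 ;;      # no realm suffix, no second slash
    esac
    return 0
}

# extract_to_temp_keytab PRINCIPAL [TMP_KEYTAB]
# The workflow the manual recommends for -x: extract into a temporary key
# table first, so the key can be reviewed with ktutil before it is merged
# into the default table. Note that -x resets the principal's password to a
# random value, so this must only be used for service principals.
extract_to_temp_keytab() {
    prin=$1
    tmpkt=${2:-/krb5/v5srvtab.new}          # assumed temporary location
    if ! valid_service_principal "$prin"; then
        echo "bad principal '$prin' (expected service/host.domain)" >&2
        return 2
    fi
    # Key tables are root-owned; refuse early rather than fail half-way.
    if [ "$(id -u)" -ne 0 ]; then
        echo "root access is required to write key table files" >&2
        return 3
    fi
    umask 077                               # never create a world-readable key table
    /usr/sbin/creacct -x "$prin" -t "$tmpkt" || return 4
    echo "key for $prin written to $tmpkt; review with ktutil before merging into $KEYTAB_DEFAULT"
}
```

Only the validation helpers run without a Windows 2000 server present; extract_to_temp_keytab needs root and the real creacct binary, and is shown to tie the checks to the recommended −x/−t sequence.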

DESCRIPTION

The creacct command adds computers and users to the Windows 2000 server, extracts DNS host names and service principal names, sets principal passwords, extracts service tickets, creates Kerberos key table files, and updates the /etc/ldapcd.conf configuration file. 

RESTRICTIONS

Before you can perform any creacct operation, the Kerberos environment must be set up. You also must be able to authenticate yourself to the Kerberos server and have appropriate permissions. 

All creacct operations require a valid user in the Windows 2000 server with administrator privileges. Some creacct operations (−h, −x, and −u) require write access to the /krb5/v5srvtab (service key table) and /etc/ldapcd.conf (configuration) files. Because these files are owned by root, you must log on as root to access them. All user accounts must comply with the Tru64 UNIX user restrictions. 

All new user accounts will be added to the current domain in the Active Directory under the Users group. When prompted for a user with administrator privileges, do not enter the administrator principal of your Windows 2000 server. This is a restriction by the Windows 2000 security paradigm. Refer to the System Administration guide for more information on Tru64 UNIX user account restrictions. 

EXAMPLES

1. To add a user account called usera to the security server COMPANY.COM, enter:

# creacct -a usera
Enter Admin principal: adminprn
Password for adminprn@COMPANY.COM: password
Adding usera to directory...
Enter the UNIX user attributes for the KDC:
Enter comments: testing
Enter home directory: /usr/users/usera
Enter shell: /bin/ksh
Enter GID (i.e. 15): 15
Enter UID (i.e. 200): 333
Enter the new password for user (usera): password
Confirm password: password

2. To modify the Tru64 UNIX attribute of a user account called usera in the security server COMPANY.COM without changing the password, enter:

# creacct -a usera
Enter Admin principal: adminprn
Password for adminprn@COMPANY.COM: [Return]
Adding usera to directory...
Found an existing entry. Replace/Modify? [r/m] m
User usera has the following attributes:
comments: (testing)
home directory: (/usr/users/usera)
shell: (/bin/ksh)
GID: (15)
UID: (333)
These attributes are required for the KDC. Modify? [y/n] n
Enter the new password for user (usera): [Return]
Password will not be set.

3. To add a computer host account to the security server COMPANY.COM and update the /krb5/v5srvtab file and the /etc/ldapcd.conf file, enter:

# creacct -h hosta -u
Enter Admin principal: adminprn
Password for adminprn@COMPANY.COM: password
Adding hosta.unix.com to directory...
Extracting host/hosta.unix.com key...
Updating /etc/ldapcd.conf...

To view the service key for hosta in the key table file, enter:

# ktutil
Keytab name: /krb5/v5srvtab
KVNO  Timestamp                 Principal
-----------------------------------------------------
1     Mon Mar 12 13:38:42 2001  host/hosta.unix.com@COMPANY.COM

4. To modify the DNS attribute of a UNIX host in the security server, enter:

# creacct -h hosta.unix.com -u
Enter Admin principal: adminprn
Password for adminprn@COMPANY.COM: password
Adding hosta.unix.com to directory...
Found an existing entry. Replace/Modify? [r/m] m
Current DNS is hosta.unix.com, enter new name: hosta.unix1.com
Extracting host/hosta.unix.com key...
Updating /etc/ldapcd.conf...

To view the service key for hosta in the key table file, enter:

# ktutil
Keytab name: /krb5/v5srvtab
KVNO  Timestamp                 Principal
-----------------------------------------------------
1     Mon Mar 12 13:38:42 2001  host/hosta.unix.com@COMPANY.COM

In this example, only the DNS host value changed. The UNIX host service key did not change. 

5. To extract a service key from the security server and add it to the service key table called /krb5/srvtable, enter:

# creacct -x host/hosta.unix.com -t /krb5/srvtable

If the −t option is not used to specify the file, the default key table file will be used. 

ENVIRONMENT VARIABLES

CSFC5KTNAME
Controls the service key table file.

FILES

/krb5/v5srvtab
Default service key table file.

/etc/ldapcd.conf
Configuration file.

SEE ALSO

Commands: kdestroy(1), kinit(1), klist(1), ktutil(1)

SSO Installation and Administration Guide

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026