user(8dce) — DCE 3.1

user(8dce)  —  Maintenance

NAME

user  — A dcecp task object that manipulates user information in a DCE cell

SYNOPSIS

user create user_name_list -mypwd password -password password -group group_name -organization organization_name [-force] {-attribute attribute_list | -attribute value}

user delete user_name_list

user help [operation | -verbose]

user operations

user show user_name_list

Arguments

operation
The name of the user operation for which to display help information.

user_name_list
A list of one or more names of principals to act on. Supply the names as follows:

   •Fully qualified principal names in the form

/.../cell_name/principal_name or /.:/principal_name

   •Cell-relative principal names in the form

principal_name

These names refer to a principal in the cell identified in the _s(sec) convenience variable, or if the _s(sec) convenience variable is not set, in the local host’s default cell. 

Do not mix fully qualified names and cell-relative names in a list.  In addition, do not use the names of registry database objects that contain principal information; in other words, do not use names that begin with /.:/sec/principal/. 

Description

The user  task object represents all of the data associated with a DCE user.  This consists of registry information and a Cell Directory Service (CDS) directory in the default implementation.  The user  task object allows administrators to easily create principals and accounts, delete principals and accounts, and view principal information. 

When it creates a principal and account, the user task object adds a CDS directory named after the principal with the appropriate access control list (ACL).  If necessary, the user task object also adds the principal to a group and an organization, creating the group and organization if they do not already exist.  Only the principal and account attributes are considered attributes of the user task object, and they are the only ones displayed by the show operation.

This object is implemented as a script to allow it to be manipulated and extended on a per-site basis.  For example, administrators might want to add Global Directory Service (GDS) and Distributed File Service (DFS) information to the object.  Other possible modifications include the following:

   •Changing the location of the CDS directory created for users, or removing it completely.

   •Changing the default ACLs placed on the various objects. 

   •Setting certain attributes or policies on all newly created principals and accounts to match the site’s policies. 

   •Setting up site specific defaults for passwords (to be changed by the user later), groups, organizations, principal directories, and so on. 

   •Supporting a modify operation. 

Attributes

alias {yes | no}
Used with the create operation.  The value of this attribute must be yes or no.  Each principal can have only one name, but may have one or more alias names.  All these names refer to the same principal and, therefore, the same Universal Unique Identifier (UUID) and UNIX ID (uid).  While aliases refer to the same principal, they are separate entries in the registry database.  Therefore the name supplied to a user command can refer to either the primary name or an alias name of a principal.  The value of this attribute determines whether the name is a primary name (alias no) or an alias name (alias yes).  The default is no.

client {yes | no}
A flag set to indicate whether the account is for a principal that can act as a client.  The value of this attribute must be yes or no.  If you set it to yes, the principal is able to log in to the account and acquire tickets for authentication.  The default is yes. 

description
A text string (limited to the Portable Character Set or PCS) typically used to describe the use of the account. The default is the empty string ("").

dupkey {yes | no}
A flag set to determine if tickets issued to the account’s principal can have duplicate keys.  The value of this attribute must be yes or no.  The default is no. 

In DCE, this attribute is currently only advisory.  However, Kerberos clients and servers will make use of it when they interact with a DCE Security server.

expdate  ISO_timestamp
The date on which the account expires.  To renew the account, change the date in this field.  Specify the time by using an ISO compliant time format such as CCYY-MM-DD-hh:mm:ss or the string none.  The default is none. 

forwardabletkt {yes | no}
A flag set to determine whether a new ticket-granting ticket with a network address that differs from the present ticket-granting ticket network address can be issued to the account’s principal.  The proxiabletkt attribute performs the same function for service tickets.  This attribute must have a value of yes or no.  The default is yes. 

In DCE, this attribute is currently only advisory.  However, Kerberos clients and servers will use it when they interact with a DCE Security server. 

fullname string
Used with the create  operation, this attribute specifies the full name of the principal.  It is for information purposes only.  It typically describes or expands a primary name to allow easy recognition by users.  For example, a principal could have a primary name of jsbach and a full name of Johann S. Bach.  The value is a string.  If it contains spaces, it is displayed in quotes, and on entry must be in quotations or braces (as per Tcl quoting rules).  If not entered, the full name defaults to the null string (that is, blank). 

-force
Forces creation of the specified group or organization if it does not exist.

group group_name
The name of the group associated with the account.  The value is a single group name of an existing group in the registry.  This attribute must be specified for the user create  command; it does not have a default value. 

If a group is deleted from the registry, all accounts associated with the group are also deleted. 

home directory_name
The file system directory in which the principal is placed at login.  The default is the / directory.

organization organization_name
The name of the organization associated with the account.  The value is a single organization name of an existing organization in the registry.  This attribute must be specified for the user create command; it does not have a default value.

If an organization is deleted from the registry, all accounts associated with the organization are also deleted. 

maxtktlife relative_time
The maximum amount of time that a ticket can be valid.  Specify the time by using the Distributed Time Service (DTS) relative time format ([-]DD-hh:mm:ss).  When a client requests a ticket to a server, the lifetime granted to the ticket takes into account the maxtktlife set for both the server and the client.  In other words, the lifetime cannot exceed the shorter of the server’s or client’s maxtktlife.  If you do not specify a maxtktlife for an account, the maxtktlife defined as registry authorization policy is used. 

maxtktrenew relative_time
The amount of time before a principal’s ticket-granting ticket expires and that principal must log in to the system again to reauthenticate and obtain another ticket-granting ticket.  Specify the time by using the DTS-relative time format ([-]DD-hh:mm:ss).  The lifetime of the principal’s service tickets can never exceed the lifetime of the principal’s ticket-granting ticket.  The shorter you make maxtktrenew, the greater the security of the system.  However, since principals must log in again to renew their ticket-granting ticket, the time needs to balance user convenience against level of security required.  If you do not specify this attribute for an account, the maxtktrenew lifetime defined as registry authorization policy is used.  This feature is not currently used by DCE; any use of this option is unsupported at the present time. 

mypwd password
Lets you enter your password. You must enter your password to create an account.  This check prevents a malicious user from using an existing privileged session to create unauthorized accounts.

password password
The password of the account. This attribute must be specified for the user create  command; there is no default value.  This attribute is not returned by a user show  command. 

postdatedtkt {yes | no}
A flag set to determine whether tickets with a start time some time in the future can be issued to the account’s principal. This attribute must have a value of yes or no.  The default is no. 

In DCE, this attribute is currently only advisory.  However, Kerberos clients and servers will use it when they interact with a DCE Security server. 

proxiabletkt {yes | no}
A flag set to determine whether a new ticket with a different network address than the present ticket can be issued to the account’s principal.  The forwardabletkt attribute performs the same function for ticket-granting tickets.  This attribute must have a value of yes or no.  The default is no. 

In DCE, this attribute is currently only advisory.  However, Kerberos clients and servers will use it when they interact with a DCE Security server. 

pwdvalid {yes | no}
A flag set to determine whether the current password is valid.  If this flag is set to no, the next time a principal logs in to the account, the system prompts the principal to change the password.  (Note that this flag is separate from the pwdexpdate policy, which sets time limits on password validity.)  This attribute must have a value of yes or no.  The default is yes. 

renewabletkt {yes | no}
A flag set to determine if the ticket-granting ticket issued to the account’s principal can be renewed.  If this flag is set to yes, the authentication service renews the ticket-granting ticket if its lifetime is valid.  This attribute must have a value of yes or no.  The default is yes. 

In DCE, this attribute is currently only advisory.  However, Kerberos clients and servers will use it when they interact with a DCE Security server. 

server {yes | no}
A flag set to indicate whether the account is for a principal that can act as a server.  If the account is for a server that engages in authenticated communications, set this flag to yes.  This attribute must have a value of yes or no.  The default is yes. 

shell path_to_shell
The path of the shell that is executed when a principal logs in. The legal value is any shell supported by the home cell.  The default value is the empty string ("").

stdtgtauth {yes | no}
A flag set to determine whether service tickets issued to the account’s principal use the standard DCE ticket-granting ticket authentication mechanism.  This attribute must have a value of yes or no.  The default is yes.

uid value
Used with the create operation, this attribute specifies the UNIX ID (uid) for the principal.  No two principals can have the same uid, although the aliases of one principal share its uid.  The value is an integer.  If this attribute is not supplied, a uid is assigned to the principal automatically.

See the OSF DCE Administration Guide for more information about principal and account attributes. 
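The maxtktlife rule above (an account without its own value inherits the registry policy value, and a ticket can live no longer than the shorter of the client's and the server's bound) is easy to misjudge when reading DTS relative times by eye. The following Python is an added example written for this page, not code from OSF DCE or dcecp: it parses the [-]DD-hh:mm:ss format, applies the rule, and caps a requested lifetime. The function names, the fractional-seconds support, and the values used in the demonstration are assumptions, not taken from the manual.

```python
import re

# DTS relative time: [-]DD-hh:mm:ss, optionally with fractional seconds.
# Accepting fractional seconds is an assumption; the page shows whole seconds only.
_DTS_RELATIVE = re.compile(r"^(-)?(\d+)-(\d{1,2}):(\d{2}):(\d{2})(?:\.(\d+))?$")


def parse_dts_relative(text: str) -> float:
    """Convert a DTS relative time such as '0-10:00:00' to seconds."""
    m = _DTS_RELATIVE.match(text.strip())
    if not m:
        raise ValueError(f"not a DTS relative time: {text!r}")
    sign, days, hours, minutes, seconds, frac = m.groups()
    total = int(days) * 86400 + int(hours) * 3600 + int(minutes) * 60 + int(seconds)
    if frac:
        total += int(frac) / 10 ** len(frac)
    return -total if sign else total


def format_dts_relative(seconds: float) -> str:
    """Inverse of parse_dts_relative for non-negative whole seconds."""
    if seconds < 0:
        raise ValueError("ticket lifetimes cannot be negative")
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days}-{hours:02d}:{minutes:02d}:{secs:02d}"


def effective_maxtktlife(client_maxtktlife, server_maxtktlife, policy_maxtktlife) -> float:
    """Upper bound on a service ticket's lifetime, in seconds.

    An account that sets no maxtktlife (pass None) inherits the registry
    policy value; the ticket then lives no longer than the shorter of the
    client's and the server's bound."""
    bounds = []
    for value in (client_maxtktlife, server_maxtktlife):
        seconds = parse_dts_relative(policy_maxtktlife if value is None else value)
        if seconds < 0:
            raise ValueError("maxtktlife must not be negative")
        bounds.append(seconds)
    return min(bounds)


def granted_ticket_lifetime(requested, client_maxtktlife, server_maxtktlife,
                            policy_maxtktlife) -> float:
    """Lifetime actually granted: the request, capped by effective_maxtktlife."""
    cap = effective_maxtktlife(client_maxtktlife, server_maxtktlife, policy_maxtktlife)
    return min(parse_dts_relative(requested), cap)


if __name__ == "__main__":
    # Constructed values: registry policy allows 24h, the client account is
    # capped at 10h, and the server account sets nothing, so it inherits 24h.
    cap = effective_maxtktlife("0-10:00:00", None, "1-00:00:00")
    print(format_dts_relative(cap))
```

The server side of the comparison is the server principal's account, so tightening a service's maxtktlife caps every client's tickets to it without touching the clients' accounts.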

Errors

A representative list of errors that might be returned is not shown here.  Refer to the OSF DCE Problem Determination Guide for complete descriptions of all error messages. 

Operations

user create

Creates a principal name, an account, and a directory in CDS for one or more DCE users.  The syntax is as follows:

user create user_name_list -mypwd password -password password
  -group group_name -organization organization_name [-force]
  {-attribute attribute_list | -attribute value}

Options

-attribute value
As an alternative to using the -attribute option with an attribute list, you can set individual attribute options by prepending a hyphen (-) to any of the attributes listed in Attributes.

-attribute attribute_list
Allows you to specify attributes, including ERAs, by using an attribute list rather than the -attribute value option. The format of an attribute list is as follows:

{{attribute value}...{attribute value}}

-force
Forces creation of the specified group or organization if it does not exist.

-group group_name
The name of the group to associate with the account. See Attributes for the format of a group name.

-mypwd password
Your privileged password. You must enter your privileged password to create an account.  This check prevents a malicious user from using an existing privileged session to create unauthorized accounts. You must specify this option on the command line; it cannot be supplied in a script.

-organization organization_name
The name of the organization to associate with the account. See Attributes for the format of an organization name.

-password password
The account password.  See Attributes for the format of a password.

The create  operation creates a principal name, account, and a directory in CDS for one or more DCE users.  The user_name_list argument is the name of one or more principals to be added to the registry.  This operation returns an empty string on success.  If the operation encounters an error, it attempts to undo any interim operations that have completed. 

This command creates one or more principals and accounts for them.  If a principal or account already exists, an error is generated.  Each principal is then added to the specified group and organization (since the principal has just been created, it cannot have been a member of any group or organization).  If the group or organization does not exist, an error is generated unless the -force option is used.  The operation creates a CDS directory called /.:/users/principal_name and adds an ACL entry to the default ACL so that the user has rwtci permissions on the directory.  These permissions allow all access except for deleting the directory and administering replication on the directory.

Attributes and policies for the newly created principal and account may be specified with the -attribute option, either with an attribute list as its value or with individual attribute options.  This command attempts to add any unknown attributes as ERAs on the created principal object.  Policies of the organization may not be specified, as they would probably affect more than the created user.  The required group and organization names may be specified either as attributes in the -attribute option or via the -group and -organization options.  The required password attribute may be provided as in the account create command, and the -mypwd option is also required.

Privileges Required

Because the user create command performs several operations, you need the permissions associated with each operation, as follows:

   •To create the principal name, you must have i (insert) permission to the directory in which the principal is to be created.

   •If the specified groups or organizations do not already exist and you use the -force option, you must have i (insert) permission to the directories in which the groups and organizations are to be created.

   •To create the account, you must have m (mgmt_info), a (auth_info), and u (user_info) permission to the principal named in the account, r (read) permission to the organization named in the account, r (read) permission to the group named in the account, and r (read) permission on the registry policy object.

   •To create the directory in CDS, you must have the following permissions:

      •r (read) and i (insert) permission to the parent directory

      •w (write) permission to the clearinghouse in which the master replica of the new directory is to be stored.

Examples

The following example creates a principal named K_Parsons and adds him to a group named users and an organization named users:

dcecp> user create K_Parsons -mypwd 3kl_JL2 -password change.me
> -group users -organization users
dcecp> group list users
/.../my_cell.goodco.com/W_Ross
/.../my_cell.goodco.com/J_Severance
/.../my_cell.goodco.com/J_Hunter
/.../my_cell.goodco.com/B_Carr
/.../my_cell.goodco.com/E_Vliet
/.../my_cell.goodco.com/J_Egan
/.../my_cell.goodco.com/F_Willis
/.../my_cell.goodco.com/K_Parsons
dcecp> 

dcecp> account show K_Parsons
{acctvalid yes}
{client yes}
{created /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{description {}}
{dupkey no}
{expdate none}
{forwardabletkt yes}
{goodsince 1994-07-27-13:02:51.000+00:00I-----}
{group users}
{home /}
{lastchange /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{organization users}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell {}}
{stdtgtauth yes}
dcecp>

user delete

Deletes DCE users.  The syntax is as follows:

user delete user_name_list

The delete operation deletes the DCE users named in user_name_list.  To delete a user, the operation proceeds as follows:

   •Deletes the principal from the registry, which also deletes the account and removes the principal from any groups and organizations. 

   •Deletes the /.:/users/principal_name directory and any contents. 

This operation returns an empty string on success. 

Privileges Required

Because the user delete  command performs several operations, you need the permissions associated with each operation:

   •You must have d (delete) permission to the directory in which the target principal exists.  You must have r (read) and D (Delete_object) permission on the principal to be deleted.

   •You must have r (read) and M (Member_list) permission on the target groups and organizations and r (read) permission on the member to be removed. 

   •To delete the account, you must have r (read), m (mgmt_info), a (auth_info), and u (user_info) permissions for the principal named in the account. 

   •To delete the directory in CDS, you must have d (delete) permission to the directory and w (write) permission to the clearinghouse that stores the master replica of the directory.  The server principal needs a (admin) permission to the parent directory or d (delete) permission to the child pointer that points to the directory you intend to delete.

Examples

The following example deletes user K_Parsons from the cell:

dcecp> user delete K_Parsons
dcecp> 

user help

Returns help information about the user  task object and its operations.  The syntax is as follows:

user help [operation | -verbose]

Options

-verbose
Displays information about the user task object.

Used without an argument or option, the user help command returns brief information about each user operation.  The optional operation argument is the name of an operation about which you want detailed information.  Alternatively, you can use the -verbose option for more detailed information about the user task object itself.

Privileges Required

No special privileges are needed to use the user help command. 

Examples

dcecp> user help
create              Creates a DCE user.
delete              Deletes a DCE user.
show                Shows the attributes of a DCE user.
help                Prints a summary of command-line options.
operations          Returns a list of the valid operations for this command.
dcecp> 

user operations

Returns a list of the operations supported by the user task object.  The syntax is as follows:

user operations

The list of available operations is in alphabetical order except for help  and operations, which are listed last. 

Privileges Required

No special privileges are needed to use the user operations command. 

Examples

dcecp> user operations
create delete show help operations
dcecp> 

user show

Returns the attributes of one or more DCE users.  The syntax is as follows:

user show user_name_list

The show  operation returns the attributes of the users named in user_name_list.  The information returned includes principal attributes, account attributes, and policies.  The information is returned as if the following commands were run in the following order:

principal show
account show -all 

Privileges Required

You must have r (read) permission to the principal named in the account. 

Examples

dcecp> user show K_Parsons
{fullname {}}
{uid 5129}
{uuid 00001409-a943-21cd-be00-0000c08adf56}
{alias no}
{quota unlimited}
{groups users}
{acctvalid yes}
{client yes}
{created /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{description {}}
{dupkey no}
{expdate none}
{forwardabletkt yes}
{goodsince 1994-07-27-13:02:51.000+00:00I-----}
{group users}
{home /}
{lastchange /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{organization users}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell {}}
{stdtgtauth yes}
nopolicy
dcecp> 
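The {attribute value} lines returned by user show, and the {{attribute value}...{attribute value}} list accepted by -attribute on user create, are Tcl lists, so a script that audits accounts or generates create commands has to honour Tcl brace quoting: a full name such as Johann S. Bach must be braced, and an empty description is written {}. The following Python is an added example written for this page, not code from OSF DCE or dcecp. It assumes one pair per output line with bare words such as nopolicy on their own line, as in the example above; it handles brace quoting only (no backslash escapes or double quotes); the K_Parsons output it parses is a constructed excerpt of the example above; and the audit rules are this example's own choices, drawn from the Attributes section.

```python
import re
from typing import Dict, List, Tuple


def tcl_split(text: str) -> List[str]:
    """Split one level of a Tcl list.  A brace-quoted element is returned
    without its outer braces (inner braces are kept); bare words split on
    whitespace.  Backslash escapes and double quotes are not handled."""
    items: List[str] = []
    i, n = 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == "{":
            depth, j = 0, i
            while j < n:                      # find the matching close brace
                depth += {"{": 1, "}": -1}.get(text[j], 0)
                if depth == 0:
                    break
                j += 1
            if depth != 0:
                raise ValueError(f"unbalanced braces in {text!r}")
            items.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace():
                j += 1
            items.append(text[i:j])
            i = j
    return items


def tcl_quote(value: str) -> str:
    """Quote one value for an attribute list: bare when safe, braced otherwise."""
    if value == "" or re.search(r"[\s{}]", value):
        if value.count("{") != value.count("}"):
            raise ValueError("value with unbalanced braces cannot be brace-quoted")
        return "{" + value + "}"
    return value


def attribute_list(attrs: Dict[str, str]) -> str:
    """Build the {{attribute value} ... {attribute value}} argument for -attribute."""
    return "{" + " ".join(f"{{{k} {tcl_quote(v)}}}" for k, v in attrs.items()) + "}"


def parse_show(output: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse 'user show' output: one {attribute value} pair per line; bare
    words such as 'nopolicy' are returned separately."""
    attrs: Dict[str, str] = {}
    bare: List[str] = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("{"):
            bare.append(line)
            continue
        (pair,) = tcl_split(line)            # exactly one braced pair per line
        words = tcl_split(pair)
        attrs[words[0]] = " ".join(words[1:])  # multi-word values (created, lastchange)
    return attrs, bare


def audit(attrs: Dict[str, str]) -> List[str]:
    """Settings a reviewer of a DCE user account would want to look at."""
    findings = []
    if attrs.get("acctvalid") == "no":
        findings.append("acctvalid no: account is disabled")
    if attrs.get("expdate", "none") == "none":
        findings.append("expdate none: account never expires")
    for flag in ("forwardabletkt", "proxiabletkt", "postdatedtkt", "dupkey"):
        if attrs.get(flag) == "yes":
            findings.append(f"{flag} yes: advisory in DCE, honoured by Kerberos peers")
    if attrs.get("client") == "yes" and attrs.get("server") == "yes":
        findings.append("client yes and server yes: account can both log in and serve")
    if "password" in attrs:
        findings.append("password attribute present: show must never return it")
    return findings


# Constructed excerpt of the page's 'user show K_Parsons' output (not live data).
SAMPLE_SHOW = """\
{fullname {}}
{uid 5129}
{acctvalid yes}
{client yes}
{created /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{expdate none}
{forwardabletkt yes}
{proxiabletkt no}
{server yes}
{shell {}}
nopolicy
"""

if __name__ == "__main__":
    attrs, _ = parse_show(SAMPLE_SHOW)
    print("\n".join(audit(attrs)))
```

Because password is never part of show output, a password key in parsed attributes means the input was not a show listing (for instance, a create attribute list that was logged), which is exactly the case the last audit rule flags.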

Related Information

Commands: account(8dce), dcecp(8dce), directory(8dce), group(8dce), organization(8dce), principal(8dce), xattrschema(8dce). 

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026