
creacct(1)

NAME

creacct - Creates computer and user accounts on the Windows 2000 server (Active Directory), extracts DNS hostnames and service principal names, and sets principal passwords.

SYNOPSIS

/usr/sbin/creacct [-a principal] [-h hostname] [-s principal] [-t keytable] [-u] [-x service]

OPTIONS

-a principal
    Adds a user account to the current domain of the Windows 2000 server and sets its password. When adding a new user account, creacct prompts you for the username and password of a principal that has administrator privileges. The Active Directory is searched first for the given principal. If an entry is found, creacct prompts you to replace or modify the existing entry. If you choose to replace the entry, the current entry is deleted and a new entry is added.

    When adding a new user account, creacct searches the security database on the UNIX host for that user to retrieve the UNIX attributes (username, UID, GID, gecos, home directory, and shell) and prompts you to modify or keep them. It also prompts you for a password. When replacing a specified user account, creacct searches the Active Directory for that principal name and its UNIX attributes and prompts you to modify or keep them. It also prompts you for a password.

    A password must be typed twice to prevent mistakes. You can choose not to set a password when adding or modifying a user account: press the Return key without entering any value at the first password prompt.

    All new user accounts are added to the current domain in the Active Directory under the Users group. All modified user accounts are replaced in their corresponding groups. The UNIX attributes are set for the user account under the Tru64 UNIX tab of the Active Directory. Tru64 UNIX user restrictions apply; see the System Administration guide for more information on Tru64 UNIX user account restrictions.

-h hostname
    Adds a computer (UNIX host or cluster alias) account to the current domain of the Windows 2000 server. When adding a new host account, creacct prompts you for the user name and password of a principal that has administrator privileges. The Active Directory is searched first for the given host. If an entry is found, creacct prompts you to replace or modify the existing entry. If you choose to replace the entry, the current entry is deleted and a new entry is added.

    If you add a new host account without specifying the DNS suffix (to create a fully qualified name), creacct constructs one for you based on the local DNS name of the current UNIX host. When replacing an existing host account, creacct searches the Active Directory for that computer to retrieve the DNS host name and then prompts you to modify it. You must specify a valid DNS host name; you can keep the existing host name by reentering it at the prompt. All new or existing host accounts are added to the current domain in the Active Directory under the Computers group.

    The -h option does not require that the -t or the -u options be specified. However, if the -t option is not specified, creacct attempts to add the host service key entry to the default service key table file, /krb5/v5srvtab. If the -u option is not specified, the new host entry is not added to the /etc/ldapcd.conf file. Modifying the /etc/ldapcd.conf and /krb5/v5srvtab files requires Tru64 UNIX root access; root owns both files.

-s principal
    Sets the password associated with the specified principal. If you are changing a password, creacct prompts you for the user name and password of a principal that has administrator privileges, and then for the new password. The new password must be typed twice to prevent mistakes.

-t keytable
    Specifies a service key table file other than the default. The default is /krb5/v5srvtab, unless the CSFC5KTNAME environment variable is set to an alternate key table file name. You can use the -t option only with the -h and the -x options.

-u
    Updates the ldapcd.conf configuration file with the host entry for the Single Sign On daemon.

-x service
    Extracts a key from the Windows 2000 server for the UNIX host service principal or another service principal and adds it to the default service key table file or to the key table file specified by the -t option. The creacct command prompts you for the user name and password of a principal that has administrator privileges.

    When extracting a key for host services, use the host/ prefix and the fully qualified name of your UNIX host. You must specify a service principal name. For example, the following command obtains a service ticket for the host/server1.company.com principal in the COMPANY.COM realm. (Refer to ktutil(1) to manage the newly extracted service key.)

        # creacct -x host/server1.company.com

    When extracting a principal service key from the security server, the full principal name must be specified, including the host name of the Windows 2000 Active Directory host and its DNS suffix. For example, the following command obtains a service ticket for the user1/w2kserverhost.company.com principal in the COMPANY.COM realm:

        # creacct -x user1/w2kserverhost.company.com

    We recommend that the -x option be used with the -t option to extract the key to a temporary key table file before adding it to the default key table file, /krb5/v5srvtab. Use ktutil to view and manage the key table file.

    Note: The -x option sets a random password for the given principal or service.

DESCRIPTION

The creacct command adds computers and users to the Windows 2000 server, extracts DNS host names and service principal names, sets principal passwords, extracts service tickets, creates Kerberos key table files, and updates the /etc/ldapcd.conf configuration file.

RESTRICTIONS

Before you can perform any creacct operation, the Kerberos environment must be set up. You also must be able to authenticate yourself to the Kerberos server and have appropriate permissions. All creacct operations require a valid user in the Windows 2000 server with administrator privileges. Some creacct operations (-h, -x, and -u) require write access to the /krb5/v5srvtab (service key table) and /etc/ldapcd.conf (configuration) files. Because these files are owned by root, you must log on as root to access them. All user accounts must comply with the Tru64 UNIX user restrictions. All new user accounts will be added to the current domain in the Active Directory under the Users group. When prompted for a user with administrator privileges, do not enter the administrator principal of your Windows 2000 server. This is a restriction by the Windows 2000 security paradigm. Refer to the System Administration guide for more information on Tru64 UNIX user account restrictions.

EXAMPLES

1.  To add a user account called usera to the security server COMPANY.COM, enter:

        # creacct -a usera
        Enter Admin principal: adminprn
        Password for adminprn@COMPANY.COM: password
        Adding usera to directory...
        Enter the UNIX user attributes for the KDC:
        Enter comments: testing
        Enter home directory: /usr/users/usera
        Enter shell: /bin/ksh
        Enter GID (i.e. 15): 15
        Enter UID (i.e. 200): 333
        Enter the new password for user (usera): password
        Confirm password: password

2.  To modify the Tru64 UNIX attributes of a user account called usera in the security server COMPANY.COM without changing the password, enter:

        # creacct -a usera
        Enter Admin principal: adminprn
        Password for adminprn@COMPANY.COM: [Return]
        Adding usera to directory...
        Found an existing entry. Replace/Modify? [r/m] m
        User usera has the following attributes:
        comments: (testing)
        home directory: (/usr/users/usera)
        shell: (/bin/ksh)
        GID: (15)
        UID: (333)
        These attributes are required for the KDC. Modify? [y/n] n
        Enter the new password for user (usera): [Return]
        Password will not be set.

3.  To add a computer host account to the security server COMPANY.COM and update the /krb5/v5srvtab file and the /etc/ldapcd.conf file, enter:

        # creacct -h hosta -u
        Enter Admin principal: adminprn
        Password for adminprn@COMPANY.COM: password
        Adding hosta.unix.com to directory...
        Extracting host/hosta.unix.com key...
        Updating /etc/ldapcd.conf...

    To view the service key for hosta in the key table file, enter:

        # ktutil
        Keytab name: /krb5/v5srvtab
        KVNO Timestamp                 Principal
        -----------------------------------------------------
        1    Mon Mar 12 13:38:42 2001  host/hosta.unix.com@COMPANY.COM

4.  To modify the DNS attribute of a UNIX host in the security server, enter:

        # creacct -h hosta.unix.com -u
        Enter Admin principal: adminprn
        Password for adminprn@COMPANY.COM: password
        Adding hosta.unix.com to directory...
        Found an existing entry. Replace/Modify? [r/m] m
        Current DNS is hosta.unix.com, enter new name: hosta.unix1.com
        Extracting host/hosta.unix.com key...
        Updating /etc/ldapcd.conf...

    To view the service key for hosta in the key table file, enter:

        # ktutil
        Keytab name: /krb5/v5srvtab
        KVNO Timestamp                 Principal
        -----------------------------------------------------
        1    Mon Mar 12 13:38:42 2001  host/hosta.unix.com@COMPANY.COM

    In this example, only the DNS host value changed. The UNIX host service key did not change.

5.  To extract a service key from the security server and add it to the service key table called /krb5/srvtable, enter:

        # creacct -x host/hosta.unix.com -t /krb5/srvtable

    If the -t option is not used to specify the file, the default key table file is used.
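The following script is an added example, not part of the creacct(1) manual, and shows the -x/-t procedure the OPTIONS section recommends: extract a service key into a temporary key table, then verify with ktutil that the expected principal is present before the operator merges it into /krb5/v5srvtab. It assumes the ktutil listing format shown in the examples, that ktutil honours CSFC5KTNAME (the page documents that variable only for creacct), and that mktemp(1) exists on the host; the validation helpers run on their own without creacct.

```shell
#!/bin/sh
# Added example (not from the creacct(1) manual). Assumptions: ktutil prints
# the listing format shown in EXAMPLES, ktutil honours CSFC5KTNAME, and
# mktemp(1) is available. Note that -x resets the principal's password to a
# random value, so any key table still holding the old key for that principal
# stops working as soon as -x has run; extract once and merge the result.

# A service principal for -x must carry a service prefix, a slash, and a fully
# qualified host name (host/hosta.unix.com, not host/hosta).
valid_service_principal() {
    case "$1" in
        /*|*/|*/*/*|*" "*) return 1 ;;   # empty service or host, extra slash, blanks
        */*.*) return 0 ;;                # service/ followed by a dotted host name
        *) return 1 ;;
    esac
}

# Read a ktutil listing on stdin; succeed only if a key for the principal
# (principal@REALM) is present, optionally with the expected KVNO.
keytab_has_principal() {
    awk -v p="$1" -v k="${2:-}" '
        $1 ~ /^[0-9]+$/ && $NF == p { if (k == "" || $1 == k) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample listing, shaped like the ktutil output in EXAMPLES.
SAMPLE_LISTING='Keytab name: /krb5/v5srvtab
KVNO Timestamp Principal
-----------------------------------------------------
1 Mon Mar 12 13:38:42 2001 host/hosta.unix.com@COMPANY.COM'

# Extract the key for principal@realm into a fresh temporary key table, verify
# it, and print the file name so the operator can review and merge it.
extract_to_temp_keytab() {
    principal="$1"; realm="$2"
    valid_service_principal "$principal" || { echo "bad principal: $principal" >&2; return 2; }
    tmp=$(mktemp /tmp/srvtab.XXXXXX) || return 2
    creacct -x "$principal" -t "$tmp" || { rm -f "$tmp"; return 1; }
    if CSFC5KTNAME="$tmp" ktutil | keytab_has_principal "$principal@$realm"; then
        echo "$tmp"
    else
        echo "key for $principal@$realm not found in $tmp" >&2
        rm -f "$tmp"; return 1
    fi
}
```

Run extract_to_temp_keytab host/hosta.unix.com COMPANY.COM as root; the printed file is the temporary key table to inspect with ktutil before merging.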

ENVIRONMENT VARIABLES

CSFC5KTNAME Controls the service key table file.

FILES

/krb5/v5srvtab
    Default service key table file.

/etc/ldapcd.conf
    Configuration file.

SEE ALSO

Commands: kdestroy(1), kinit(1), klist(1), ktutil(1)

SSO Installation and Administration Guide
