OSF DCE Administration Guide--Core Components
31.1 User Accounts
User accounts are associated with the user’s password and information that is used when
the user logs into DCE. Account information includes such things as the principal’s
home directory and login shell, and authentication policy, which defines parameters that
help control a principal’s access to DCE. Use the dcecp account create command to
create accounts for human users, the dcecp account modify command to modify them,
and the dcecp account delete command to delete them.
31.2 Server Accounts
Servers, which can also be called applications, that engage in communications across the
network can run under their own network identity or the network identity of the principal
who started them. To run under their own identity, servers must be programmed to
perform a login and authenticate that identity. Therefore, you must use the dcecp
account create command to create registry accounts for these servers.
31.2.1 Passwords for Server Accounts
During login, all principals (human, server, and machine) must pass their password to the
DCE Authentication Service, which uses these passwords to generate authentication
keys. The most common method for human users is to simply enter their password. A
different method must be provided for server principals. The recommended method,
which is based on APIs that are supplied with DCE, is to store server keys in a locally
protected key table. The default implementation of the DCE-supplied API stores the key
table in a keytab file on the server’s local machine and protects the file so that only a
principal’s local identity can read or write the file.
You can access the keytab files remotely. On the local machine, store the keytab files in
a partition of the machine’s disk that is not exported by any file system.
Except for servers running as root or under the identity of the local machine, a separate
keytab file needs to be used for each server. During login, the server can access this file
to obtain its key, pass its key to the authentication service, log in, and be authenticated.
Use the dcecp keytab add command to add keys for servers to the keytab file and the
dcecp keytab remove command to delete server keys.
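As an added example (not code from the OSF DCE guide), the following Python audits a keytab file for the two protections described above: only the owning local identity may read or write it, and it must not live under a directory exported by a network file system. The /etc/exports-style listing, the sample paths and the helper that fabricates a stand-in keytab file are constructed for illustration.

```python
# Audit a DCE server keytab file for owner-only access and for placement
# outside any exported directory. Added example, not from the OSF DCE guide;
# the exports-file format and the sample paths below are assumptions.
import os
import stat
import tempfile

# Constructed /etc/exports-style listing used for the demonstration (assumption).
SAMPLE_EXPORTS = """
/export/home  *(rw)        # NFS-exported home directories
# /opt/dcelocal is deliberately not exported
/usr/share    -ro
"""

def owner_only(path: str) -> bool:
    """True when the keytab is a regular file with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (
        stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def exported_dirs(exports_text: str) -> list:
    """Parse exports text: the first field of each non-comment line is a directory."""
    dirs = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            dirs.append(os.path.normpath(line.split()[0]))
    return dirs

def is_under_export(path: str, exports_text: str) -> bool:
    """True when path equals, or lies inside, any exported directory."""
    real = os.path.normpath(path)
    return any(real == d or real.startswith(d.rstrip("/") + "/")
               for d in exported_dirs(exports_text))

def audit_keytab(path: str, exports_text: str) -> list:
    """Return findings for the keytab; an empty list means both checks pass."""
    findings = []
    if not owner_only(path):
        findings.append("keytab is readable or writable by group/other")
    if is_under_export(path, exports_text):
        findings.append("keytab lies under an exported directory")
    return findings

def make_sample_keytab(mode: int) -> str:
    """Create a throwaway file standing in for a keytab, with the given mode."""
    fd, path = tempfile.mkstemp(prefix="keytab-demo-")
    os.close(fd)
    os.chmod(path, mode)
    return path
```

Run audit_keytab against the real keytab path and the host's exports file; any finding means the file does not meet the protection the guide describes.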
31-2 Tandem Computers Incorporated 124243