OSF DCE Administration Guide--Core Components
Creating and Maintaining Accounts
31.2.2 Steps for Creating Server Accounts
To create an account for a server, first run the dcecp account create command to create
the account and then run the dcecp keytab add command to add an entry to the keytab
file. The server’s password in the registry and the server’s key in the keytab file must
match. You can ensure that these passwords are the same by manually entering the same
password in both commands, or you can specify that the keytab add command should
reset the server’s registry password at the same time that it sets the server’s password in
the keytab file.
31.3 Machine Accounts
All machines must also have accounts in the registry. Machine accounts, like server
accounts, are created by first running the account create command to create the account
and then running the keytab add command to add the server’s password to the keytab
file. Like server accounts, the password for a machine account in the registry and in the
keytab file must match. Principal names in machine accounts must be the same as the
machine’s name in the cell namespace. (See the for more information on names in the
cell namespace.)
31.4 How Identities Represented by Accounts Are Authenticated
When principals log into the DCE, the security client uses the password they supply (or
that is supplied for them in the case of a server or machine principal) to derive the
principal’s authentication key. A copy of the principal’s authentication key also exists in
the registry database, having been stored there when the principal’s account was created
(or when the password was changed). It is thus available to the authentication service.
This key is used by the authentication service to authenticate the principal (that is, to
guarantee the principal’s identity) as follows:
1. The security client does the following:
   a. Queries the user for the password and uses it to derive the principal’s
      authentication key
   b. Prepares a login request, part of which is encrypted using the authentication
      key
   c. Forwards the request to the authentication service
124243 Tandem Computers Incorporated 31−3
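The following Python model is an added example, not part of the original guide or of DCE itself. It shows why the registry and keytab entries described in 31.2.2 and 31.3 must match for the login check in 31.4 to succeed, and what the reset-the-registry option of keytab add prevents. Assumptions: PBKDF2 and an HMAC tag stand in for DCE's own key derivation and request encryption, and every name here (Registry, keytab_add, server_login, the principal hosts/alpha/self, the freshness window) is hypothetical.

```python
import hashlib
import hmac

def derive_key(principal: str, password: str) -> bytes:
    # Assumption: PBKDF2 stands in for DCE's own password-to-key derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)

def seal(key: bytes, principal: str, timestamp: int) -> bytes:
    # Assumption: an HMAC tag stands in for the encrypted part of the login request.
    return hmac.new(key, f"{principal}|{timestamp}".encode(), hashlib.sha256).digest()

class Registry:
    """Toy registry: keeps the copy of each principal's authentication key."""
    def __init__(self):
        self.keys = {}

    def set_password(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(principal, password)

    def authenticate(self, request: dict, now: int, max_skew: int = 300) -> bool:
        key = self.keys.get(request["principal"])
        if key is None:
            return False
        # Freshness window is an added assumption to reject replayed requests.
        if abs(now - request["timestamp"]) > max_skew:
            return False
        expected = seal(key, request["principal"], request["timestamp"])
        return hmac.compare_digest(expected, request["sealed"])

def keytab_add(keytab: dict, registry: Registry, principal: str,
               password: str, reset_registry: bool = False) -> None:
    """Store the key locally; optionally reset the registry copy in the same step."""
    keytab[principal] = derive_key(principal, password)
    if reset_registry:
        registry.set_password(principal, password)

def server_login(keytab: dict, principal: str, now: int) -> dict:
    """Build a login request from the keytab entry (no interactive password)."""
    return {"principal": principal, "timestamp": now,
            "sealed": seal(keytab[principal], principal, now)}

if __name__ == "__main__":
    reg, kt, t = Registry(), {}, 1_000_000            # constructed sample values
    reg.set_password("hosts/alpha/self", "first-pw")  # account created in the registry
    keytab_add(kt, reg, "hosts/alpha/self", "first-pw")
    print(reg.authenticate(server_login(kt, "hosts/alpha/self", t), t))
    keytab_add(kt, reg, "hosts/alpha/self", "rotated-pw")  # keytab only: now out of sync
    print(reg.authenticate(server_login(kt, "hosts/alpha/self", t), t))
    keytab_add(kt, reg, "hosts/alpha/self", "rotated-pw", reset_registry=True)
    print(reg.authenticate(server_login(kt, "hosts/alpha/self", t), t))
```

A server whose logins start failing right after a key change is the symptom of the middle case: the keytab was updated but the registry copy was not.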