Manualshelf

OSF DCE Administration Guide--Core Components

ManualsBrandsHP ManualsServerHP NonStop G-Series
401402403404405406407408409410
Creating and Maintaining Accounts
principal’s part. Note, however, that the lifetime allocated to a service ticket can never
exceed the time remaining on the principal’s ticket-granting ticket (TGT).
31.4.3 Displaying Privilege Attributes and Tickets
DCE cell administrators can use the klist command to display a principal’s current
tickets and privilege attributes. The klist command displays three types of information:
privilege attributes, expiration information, and service ticket information. DCE users
can also run klist to display their current and expired tickets. The klist command is
described on the klist(8sec) reference page.
31.4.3.1 The First Part of the klist Display—Privilege Attributes
The klist command displays a principal’s privilege attributes. This display first lists the
fully qualified principal name, followed by the UUIDs and names of the cell, the
principal name (without the cell name and DCE global identifier), and all the groups of
which the principals is a member. A sample of this section of the klist display follows:
DCE Identity Information:
Global Principal: /.../dresden.com/music/mozart
Cell: 5ad96550-80c4-11ca-b26c-08001e039431 /.../dresden.com
Principal: 00000066-80c5-11ca-b600-08001e039431 music/mozart
Group: 00000003-80c4-11ca-b201-08001e039431 composers
31.4.3.2 The Second Part of the klist Display—Expiration Dates and Times
The second part of the klist display shows the dates and time that the principal’s ticket-
granting ticket, account, and password expire:
The first line shows the date and time the ticket-granting ticket expires. Before this
happens, the principal should reinitialize it by running kinit or logging in again to
DCE.
The second line shows when the principal’s account expires. If the account expires,
the principal will be unable to log into DCE. To remedy this, DCE administrators
must change the principal’s account expiration date in the registry.
The third line shows the date the principal’s password expires. Before this happens,
the principal should change the password by using the dcecp command. If the
password expires, the principal will be unable to log into DCE. To remedy this, DCE
administrators must change the principal’s password in the registry.
A sample of the second part of the klist display follows:
124243 Tandem Computers Incorporated 315