OSF DCE Administration Guide--Core Components
Creating and Maintaining Accounts
then the renewable ticket lifetime is used as the maximum ticket lifetime. For
example, suppose an account’s is set to 15 hours. If you set the renewable ticket
lifetime to 20 hours, the effective maximum ticket lifetime is not 20, but 15 hours.
• The default ticket lifetime can never be larger than the maximum ticket lifetime (in
other words, default_life = min (default_life, max_life)) or less than 60 seconds. If
the default ticket lifetime is larger than the maximum ticket lifetime, then the
maximum ticket lifetime is used as the default ticket lifetime. For example, suppose
registry policy specifies a default ticket lifetime of 25 hours. If you set the registry’s
maximum ticket lifetime to 15 hours, the registry’s effective default ticket
lifetime is not 25, but 15 hours.
• The minimum ticket lifetime can never be larger than the default ticket lifetime
(in other words, min_life = min (min_life, default_life)) or less than 60 seconds. If
the minimum ticket lifetime is larger than the default ticket lifetime, then the
default ticket lifetime is used as the minimum ticket lifetime. For example, suppose
registry policy specifies a default ticket lifetime of 10 hours. If you set an account’s
minimum ticket lifetime to 15 hours, the account’s effective minimum ticket lifetime
is not 15, but 10 hours.
Although dcecp lets you enter values contrary to the rules and displays these values
when you view the account’s policies (with the account show command), the values
used are the ones described in the rules, not the ones you entered.
Note: For the times that are associated with registry data to be exact, clocks
in the network must be synchronized.
31.5.2 Ticket-Granting Ticket Lifetimes and Service Ticket Lifetimes
The authentication service never grants a principal a service ticket with a lifetime that
exceeds the time remaining in the principal’s ticket-granting ticket lifetime. For
example, if 2 hours remain in the life of a principal’s ticket-granting ticket and the
principal requests or accepts a default of 4 hours for a service ticket’s lifetime, only the
2-hour lifetime is granted.
If the renewable ticket flag (the renewabletkt attribute) is set on for a principal’s
account, the lifetime of the principal’s ticket-granting ticket also affects the renewal of
service tickets. No service ticket is renewed with a lifetime that exceeds the remaining
lifetime of the principal’s ticket-granting ticket. Service tickets are normally renewed
for the lifetime that is allocated to the original ticket. If the original time exceeds the
lifetime of the ticket-granting ticket, the ticket is renewed only for the time remaining to
the ticket-granting ticket.
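Because account show displays the values as entered, the rules in the previous section and the service ticket cap described here can be applied to those values to see which ones are actually in force. The following is an added example, not part of this guide or of DCE: the Lifetimes class, its field names and the sample values are constructed for illustration, and it assumes that the maximum lifetime is capped by the renewable lifetime and that a default or minimum below 60 seconds is raised to 60.

```python
from dataclasses import dataclass

HOUR = 3600
FLOOR_S = 60  # lower bound the rules give for default and minimum lifetimes

@dataclass(frozen=True)
class Lifetimes:
    """Ticket lifetimes in seconds (hypothetical field names)."""
    renewable: int
    maximum: int
    default: int
    minimum: int

def effective(entered: Lifetimes) -> Lifetimes:
    """Apply the rules in order: each value is capped by the one above it."""
    # Assumption: maximum is capped by renewable (that rule's opening is cut off on the page).
    maximum = min(entered.maximum, entered.renewable)
    # default_life = min(default_life, max_life); assumed raised to 60 s if lower.
    default = max(FLOOR_S, min(entered.default, maximum))
    # min_life = min(min_life, default_life); assumed raised to 60 s if lower.
    minimum = max(FLOOR_S, min(entered.minimum, default))
    return Lifetimes(entered.renewable, maximum, default, minimum)

def overridden(entered: Lifetimes) -> dict:
    """Map field -> (value displayed, value used) where the two differ."""
    eff = effective(entered)
    return {name: (getattr(entered, name), getattr(eff, name))
            for name in ("maximum", "default", "minimum")
            if getattr(entered, name) != getattr(eff, name)}

def service_ticket_lifetime(requested: int, tgt_remaining: int) -> int:
    """Lifetime granted or renewed: never past the ticket-granting ticket's remaining life."""
    return min(requested, tgt_remaining)

if __name__ == "__main__":
    # Constructed sample values, not taken from a real registry.
    shown = Lifetimes(renewable=20 * HOUR, maximum=15 * HOUR,
                      default=25 * HOUR, minimum=20 * HOUR)
    for name, (displayed, used) in overridden(shown).items():
        print(f"{name}: displayed {displayed // HOUR}h, used {used // HOUR}h")
    print("service ticket:", service_ticket_lifetime(4 * HOUR, 2 * HOUR) // HOUR, "h")
```
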
31.5.3 Adding Accounts Example
Use the dcecp account create command to create accounts. When you use the account
create command, you must supply the name of the principal for which the account is
being created and the group and organization with which the account is associated. In
124243 Tandem Computers Incorporated 31− 11