OSF DCE Administration Guide--Core Components
Creating and Maintaining Accounts
31.6.3 Changing Server and Machine Passwords in the Keytab File
Passwords for all principals must be changed when they expire. Human principals can
use their platform’s chpass command to change their password. The dced security
validation service automatically changes the machine’s password as necessary by
assigning a randomly generated password. This daemon is supplied with DCE and runs
on each local machine that engages in network access. Generally, you can assume that
servers or applications created by other vendors also automatically change their
password as required by randomly generating passwords. However, if a server that runs
under its own identity does not automatically update its password, you must do it
manually by using the dcecp keytab add command, as described in Section 31.6.2.2.
Note: Servers that run under the identity of a human principal should not
automatically update their own passwords. When such a server updates its
password, it also updates the password of the human principal under
whose identity it runs. The human principal must then supply this
randomly generated password to log into the system and to reauthenticate.
Since the human principal can never know the randomly generated
password, the principal cannot log into the system and cannot
reauthenticate.
31.6.4 Handling Compromised Server or Machine Passwords in the Keytab File
If a server’s or machine’s password is compromised, you must change it in the registry
and in the server’s local keytab file by performing the following steps:
1. Use the keytab remove command to delete the compromised password.
2. Use the keytab add command to create a new password for the server or machine.
3. If you do not use the registry option of the keytab add command to update the
server’s or machine’s registry account simultaneously with the server’s or
machine’s keytab file, run the registry modify command to change the server’s or
machine’s password in the registry to match the one in the keytab file.
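The three steps above, written as a dcecp script (dcecp scripts are Tcl). This is an added example, not text or code from the OSF DCE guide itself; the keytab object name and the server principal name are constructed for illustration, and the example uses the registry option of keytab add so that the separate registry update in step 3 is not needed.

```tcl
# Constructed example: replace a compromised server key in the local keytab and
# in the registry in one pass. Both names below are hypothetical.
set keytab /.:/hosts/myhost/config/keytab/app_keytab   ;# assumed keytab object name
set server svc_app                                     ;# assumed server principal

# Step 1: remove the compromised key(s) for this principal from the keytab.
keytab remove $keytab -member $server

# Step 2 (and 3 combined): add a new randomly generated key; -registry updates the
# principal's registry account at the same time, so the keytab and registry stay
# in sync and no separate registry change is required.
keytab add $keytab -member $server -random -registry

# Check that the principal now appears with a new key version number.
keytab show $keytab
```

Run the script with dcecp on the machine that owns the keytab; if the registry option is omitted from keytab add, the registry copy of the password still has to be changed separately, exactly as step 3 describes.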
31.7 Maintaining the Local Registry
The local registry allows login from that machine if a network registry is not available.
The local registry is created automatically the first time that a human or nonhuman user
performs a DCE login from the local machine if the network registry server is running.
As users log into the machine, their account information is automatically added to the
local registry.
124243 Tandem Computers Incorporated 31-19