OSF DCE Administration Guide--Core Components

Administering a Multicell Environment
principal name is krbtgt/dresden.com. The unchanged cell name is stored as the
principal’s full name.
Note that registry connect uses your local cell name for the primary name of the local
cell’s account principal. This name is stripped of the full pathname and prefixed with
krbtgt, just as the foreign cell name is.
The following outlines additional information that you can supply to the registry
connect command:
-mypwd
The registry connect command does not prompt you for a password for the accounts that you are creating; it generates this password randomly. However, you must supply your password with the -mypwd option to validate your identity.

-facct, -facctpw
The system administrator in the foreign cell must provide you with the name and password of an account in the foreign cell. The foreign account must have the permissions that are required to create principals and accounts. You need the account to access the foreign registry in order to create the account that represents your cell in the foreign account’s registry. The lifetime and creation quota of this account should be limited to only that necessary to complete the task.

-group, -fgroup
The group name to be associated with the account in the local cell (-group) and the foreign cell (-fgroup). These groups have no meaning for the accounts and are not associated with any users in the foreign or local cell. You must enter them because it is a requirement of the registry that all accounts be associated with groups. If the group does not exist, it will be created.

-org, -forg
The organization name to be associated with the account in the local cell (-org) and the foreign cell (-forg). These organizations have no meaning for the accounts and are not associated with any users in the foreign or local cell. You must enter them because it is a requirement of the registry that all accounts be associated with organizations. If the organization does not exist, it will be created.

-expdate
The time and date at which both the local and the foreign cell’s accounts expire and the peer-to-peer relationship is ended, prohibiting any further authenticated communications between principals in the two cells. To renew the account, change the date in this field. The default is none.
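The naming rule and option requirements described above, as an added Python example (not part of the original guide and not DCE code): it derives the two krbtgt principal names and checks a parameter set before registry connect is run. The local cell name /.../local.example, the organization name cell_org_local, the function names, and the reading of "full pathname" as the /.../ prefix are assumptions.

```python
# Added example: pre-flight check for a `registry connect` parameter set.
GLOBAL_ROOT = "/.../"  # assumption: "full pathname" means this global-root prefix

# Options the text says you must supply; -expdate is optional (default: none).
REQUIRED = ("-mypwd", "-facct", "-facctpw", "-group", "-fgroup", "-org", "-forg")


def tgt_principal(cell_name):
    """Strip the pathname prefix from a cell name and prefix it with krbtgt."""
    suffix = cell_name[len(GLOBAL_ROOT):]
    if not cell_name.startswith(GLOBAL_ROOT) or not suffix:
        raise ValueError("expected a global cell name such as /.../dresden.com")
    return "krbtgt/" + suffix


def plan_connect(local_cell, foreign_cell, options):
    """Return (accounts that will be created, findings to resolve first)."""
    findings = []
    missing = [opt for opt in REQUIRED if not options.get(opt)]
    if missing:
        findings.append("missing: " + " ".join(missing))
    if options.get("-expdate", "none") == "none":
        findings.append("-expdate is none: the cross-cell accounts have no expiration date")
    accounts = [
        # Account for the foreign cell, held in the local registry.
        {"registry": local_cell, "principal": tgt_principal(foreign_cell),
         "fullname": foreign_cell,  # the unchanged cell name is the full name
         "group": options.get("-group"), "org": options.get("-org")},
        # Account for the local cell, held in the foreign registry.
        {"registry": foreign_cell, "principal": tgt_principal(local_cell),
         "fullname": local_cell,
         "group": options.get("-fgroup"), "org": options.get("-forg")},
    ]
    return accounts, findings


# Constructed sample input; passwords are placeholders, not real values.
SAMPLE = {
    "-mypwd": "<local-admin-password>", "-facct": "<foreign-account>",
    "-facctpw": "<foreign-account-password>",
    "-group": "cell_group_local", "-org": "cell_org_local",
    "-fgroup": "cell_group_dres", "-forg": "cell_org_dres",
}

if __name__ == "__main__":
    accts, issues = plan_connect("/.../local.example", "/.../dresden.com", SAMPLE)
    for a in accts:
        print(a["registry"], a["principal"], a["group"], a["org"])
    for i in issues:
        print("FINDING:", i)
```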
33.2.2 Creating Cross-Cell Authentication Accounts Example
The following sample registry connect command is used to create an account for the
foreign cell identified by /.../dresden.com. The local account is associated with the
group named cell_group_local, the organization named cell_group_dres, and the
organization named cell_org_dres. The expiration date for the accounts is allowed to
124243 Tandem Computers Incorporated 339