creacct(1)

NAME
    creacct - Creates computer and user accounts on the Windows 2000 server
    (Active Directory), extracts DNS hostnames and service principal names,
    and sets principal passwords.
SYNOPSIS
    /usr/sbin/creacct [-a principal] [-h hostname] [-s principal]
                      [-t keytable] [-u] [-x service]
OPTIONS
    -a principal
        Adds a user account to the current domain of the Windows 2000 server
        and sets its password.

        When adding a new user account, creacct prompts you for the username
        and password of a principal that has administrator privileges. The
        Active Directory is searched first for the given principal. If an
        entry is found, creacct prompts you to replace or modify the existing
        entry. If you choose to replace the entry, the current entry will be
        deleted and a new entry will be added.

        When adding a new user account, creacct searches the security
        database on the UNIX host for that user to retrieve the UNIX
        attributes (username, UID, GID, gecos, home directory, and shell). It
        prompts you to modify or keep the existing attributes. It also
        prompts you for a password.

        When replacing a specified user account, creacct searches the Active
        Directory for that principal name and its UNIX attributes. It prompts
        you to modify or keep the existing attributes. It also prompts you
        for a password.

        A password must be typed twice to prevent mistakes. You can choose
        not to set a password when adding or modifying a user account. To do
        this, press the Return key without entering any values at the first
        password prompt.

        All new user accounts will be added to the current domain in the
        Active Directory under the Users group. All modified user accounts
        will be replaced in their corresponding groups. The UNIX attributes
        are set for the user account under the Tru64 UNIX tab of the Active
        Directory. Tru64 UNIX user restrictions apply. See the System
        Administration guide for more information on Tru64 UNIX user account
        restrictions.

    -h hostname
        Adds a computer (UNIX host or cluster alias) account to the current
        domain of the Windows 2000 server.

        When adding a new host account, creacct prompts you for the user name
        and password of a principal that has administrator privileges. The
        Active Directory is searched first for the given host. If an entry is
        found, creacct prompts you to replace or modify the existing entry.
        If you choose to replace the entry, the current entry will be deleted
        and a new entry will be added.

        If you add a new host account without specifying the DNS suffix (to
        create a fully qualified name), creacct will construct one for you
        based on the local DNS name for the current UNIX host.

        When replacing an existing host account, creacct searches the Active
        Directory for that computer to retrieve the DNS host name. It then
        prompts you to modify the DNS host name. You must specify a valid DNS
        host name. You can also keep the existing host name by reentering it
        at the prompt. All new or existing host accounts will be added to the
        current domain in the Active Directory under the Computers group.

        The -h option does not require that the -t or the -u options be
        specified. However, if the -t option is not specified, creacct
        attempts to add the host service key entry to the default service key
        table file, /krb5/v5srvtab. If the -u option is not specified, the
        new host entry will not be added to the /etc/ldapcd.conf file.
        Modifying the /etc/ldapcd.conf and /krb5/v5srvtab files requires
        Tru64 UNIX root access. Root owns both files.

    -s principal
        Sets the password associated with the specified principal.

        If you are changing a password, creacct prompts you for the user name
        and password of a principal that has administrator privileges. Then
        it prompts you for the new password. The new password must be typed
        twice to prevent mistakes.

    -t keytable
        Specifies a service key table file other than the default, which is
        /krb5/v5srvtab, unless the CSFC5KTNAME environment variable is set to
        an alternate key table file name. You can use the -t option only with
        the -h and the -x options.

    -u  Updates the ldapcd.conf configuration file with the host entry for
        the Single Sign On daemon.

    -x service
        Extracts a key from the Windows 2000 server for the UNIX host service
        principal or another service principal. It adds the key to the
        default service key table file or the designated key table file
        specified by the -t option.

        The creacct command prompts you for the user name and password of a
        principal that has administrator privileges. When extracting a key
        for host services, use the host/ prefix and the fully qualified name
        of your UNIX host. You must specify a service principal name.

        For example, the following command obtains a service ticket for the
        host/server1.company.com principal in the COMPANY.COM realm. (Refer
        to ktutil(1) to manage the newly extracted service key.)

            # creacct -x host/server1.company.com

        When extracting a principal service key from the security server,
        the full principal name must be specified, including the host name of
        the Windows 2000 Active Directory host and its DNS suffix. For
        example, the following command obtains a service ticket for the
        user1/w2kserverhost.company.com principal in the COMPANY.COM realm:

            # creacct -x user1/w2kserverhost.company.com

        We recommend that the -x option be used with the -t option to extract
        the key to a temporary key table file before adding it to the default
        key table file, /krb5/v5srvtab. Use ktutil to view and manage the key
        table file.

        Note
            The -x option will set a random password for the given principal
            or service.
DESCRIPTION
    The creacct command adds computers and users to the Windows 2000 server,
    extracts DNS host names and service principal names, sets principal
    passwords, extracts service tickets, creates Kerberos key table files,
    and updates the /etc/ldapcd.conf configuration file.
RESTRICTIONS
    Before you can perform any creacct operation, the Kerberos environment
    must be set up. You also must be able to authenticate yourself to the
    Kerberos server and have appropriate permissions.

    All creacct operations require a valid user in the Windows 2000 server
    with administrator privileges. Some creacct operations (-h, -x, and -u)
    require write access to the /krb5/v5srvtab (service key table) and
    /etc/ldapcd.conf (configuration) files. Because these files are owned by
    root, you must log on as root to access them. All user accounts must
    comply with the Tru64 UNIX user restrictions.

    All new user accounts will be added to the current domain in the Active
    Directory under the Users group. When prompted for a user with
    administrator privileges, do not enter the administrator principal of
    your Windows 2000 server. This is a restriction by the Windows 2000
    security paradigm. Refer to the System Administration guide for more
    information on Tru64 UNIX user account restrictions.
EXAMPLES
    To add a user account called usera to the security server COMPANY.COM,
    enter:

        # creacct -a usera
        Enter Admin principal: adminprn
        Password for adminprn@COMPANY.COM: password
        Adding usera to directory...
        Enter the UNIX user attributes for the KDC:
        Enter comments: testing
        Enter home directory: /usr/users/usera
        Enter shell: /bin/ksh
        Enter GID (i.e. 15): 15
        Enter UID (i.e. 200): 333
        Enter the new password for user (usera): password
        Confirm password: password

    To modify the Tru64 UNIX attribute of a user account called usera in the
    security server COMPANY.COM without changing the password, enter:

        # creacct -a usera
        Enter Admin principal: adminprn
        Password for adminprn@COMPANY.COM: [Return]
        Adding usera to directory...
        Found an existing entry. Replace/Modify? [r/m] m
        User usera has the following attributes:
            comments: (testing)
            home directory: (/usr/users/usera)
            shell: (/bin/ksh)
            GID: (15)
            UID: (333)
        These attributes are required for the KDC. Modify? [y/n] n
        Enter the new password for user (usera): [Return]
        Password will not be set.

    To add a computer host account to the security server COMPANY.COM and
    update the /krb5/v5srvtab file and the /etc/ldapcd.conf file, enter:

        # creacct -h hosta -u
        Enter Admin principal: adminprn
        Password for adminprn@COMPANY.COM: password
        Adding hosta.unix.com to directory...
        Extracting host/hosta.unix.com key...
        Updating /etc/ldapcd.conf...

    To view the service key for hosta in the key table file, enter:

        # ktutil
        Keytab name: /krb5/v5srvtab
        KVNO Timestamp                 Principal
        -----------------------------------------------------
           1 Mon Mar 12 13:38:42 2001  host/hosta.unix.com@COMPANY.COM

    To modify the DNS attribute of a UNIX host in the security server,
    enter:

        # creacct -h hosta.unix.com -u
        Enter Admin principal: adminprn
        Password for adminprn@COMPANY.COM: password
        Adding hosta.unix.com to directory...
        Found an existing entry. Replace/Modify? [r/m] m
        Current DNS is hosta.unix.com, enter new name: hosta.unix1.com
        Extracting host/hosta.unix.com key...
        Updating /etc/ldapcd.conf...

    To view the service key for hosta in the key table file, enter:

        # ktutil
        Keytab name: /krb5/v5srvtab
        KVNO Timestamp                 Principal
        -----------------------------------------------------
           1 Mon Mar 12 13:38:42 2001  host/hosta.unix.com@COMPANY.COM

    In this example, only the DNS host value changed. The UNIX host service
    key did not change.

    To extract a service key from the security server and add it to the
    service key table called /krb5/srvtable, enter:

        # creacct -x host/hosta.unix.com -t /krb5/srvtable

    If the -t option is not used to specify the file, the default key table
    file will be used.
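    The following POSIX sh check is an added example, not part of creacct(1)
    or the SSO product. It supports the -x/-t workflow recommended above
    (extract to a temporary key table first) together with the Note that -x
    resets the principal's password: it compares a ktutil listing of the
    freshly extracted table against a listing of the default table, so a
    stale entry in /krb5/v5srvtab is noticed before the tables are merged.
    It assumes the ktutil listings have been saved as text in the format
    shown in EXAMPLES; the file name /tmp/srvtab.new, the hostb principal
    and all timestamps are constructed sample values.

```shell
# Constructed sample listings in the format ktutil prints (see EXAMPLES).
# In practice: creacct -x host/hosta.unix.com -t /tmp/srvtab.new, then
# list both tables with ktutil and save each listing to a text variable.
OLD_LISTING='Keytab name: /krb5/v5srvtab
KVNO Timestamp                 Principal
-----------------------------------------------------
   1 Mon Mar 12 13:38:42 2001  host/hosta.unix.com@COMPANY.COM'

NEW_LISTING='Keytab name: /tmp/srvtab.new
KVNO Timestamp                 Principal
-----------------------------------------------------
   2 Tue Mar 13 09:02:11 2001  host/hosta.unix.com@COMPANY.COM
   1 Tue Mar 13 09:02:11 2001  host/hostb.unix.com@COMPANY.COM'

# keytab_kvno PRINCIPAL < listing
# Print the highest KVNO recorded for PRINCIPAL; exit 1 if it is absent.
# Entry lines start with a numeric KVNO and end with the principal name,
# so header, "Keytab name:" and dashed lines are skipped.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $NF == p { if ($1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (!found) exit 1; print max }'
}

# key_status PRINCIPAL NEW_LISTING OLD_LISTING
#   new     - principal is not yet in the default key table
#   rotated - KVNO went up: -x set a new random password, so the entry
#             already in the default table is stale and must be replaced
#   same    - identical KVNO in both tables
#   missing / older (exit 1) - the extraction did not yield a usable key
key_status() {
    new=$(printf '%s\n' "$2" | keytab_kvno "$1") || { echo missing; return 1; }
    old=$(printf '%s\n' "$3" | keytab_kvno "$1") || { echo new; return 0; }
    if   [ "$new" -gt "$old" ]; then echo rotated
    elif [ "$new" -eq "$old" ]; then echo same
    else echo older; return 1
    fi
}

# Example call: prints "rotated" for the constructed listings above.
key_status host/hosta.unix.com@COMPANY.COM "$NEW_LISTING" "$OLD_LISTING"
```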
ENVIRONMENT VARIABLES
    CSFC5KTNAME
        Controls the service key table file.

FILES
    /krb5/v5srvtab
        Default service key table file.

    /etc/ldapcd.conf
        Configuration file.

SEE ALSO
    Commands: kdestroy(1), kinit(1), klist(1), ktutil(1)

    SSO Installation and Administration Guide