Administering the Kerberos Server

Manual Administration Using kadmin

The Allow Postdated attribute applies to both user and service principals, as follows:

For user principals, you can issue either a postdated or a postdatable ticket.

For service principals, the server can issue postdated service tickets for the service.

NOTE

Before the server issues a postdated service ticket, the requesting user must possess a postdatable TGT.

To modify the attr parameter for the principal admin and set the Allow Postdated attribute, type kadmin at the HP-UX prompt, then specify the mod command, the principal name, the attr parameter type, and the attribute.

Following is a sample session that sets the Allow Postdated attribute:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr,fcnt,vno,dn or quit) :attr

Attribute (or quit): {postdate|nopostdate}

Principal modified.

Allow Renewable Attribute

The Allow Renewable attribute determines whether a principal is allowed to request renewable tickets. Renewable tickets are those that can be revalidated up to the maximum renewal time.

The krbtgt/REALM@REALM principal in the principal database contains the maximum ticket lifetime and the renewable time. You can use the Maximum Renew Time Setting in the General tab of the Principal Information window to limit individual principal accounts.

The Allow Renewable attribute applies to both user and service principals. If this attribute is set on a user principal, the principal can be issued a renewable ticket. If this attribute is set on a service principal, the server can issue a renewable ticket for the service.
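The following added example (not part of the original manual and not HP's server code) models how the two attributes gate ticket issuance, which helps when reviewing which principals should carry them. The class and function names, the sample principals, and the rule that the renewable window is the smallest of the requested, per-principal, and realm values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Principal:
    name: str
    allow_postdated: bool    # kadmin attr: postdate / nopostdate
    allow_renewable: bool    # Allow Renewable attribute
    max_renew_s: int         # per-principal Maximum Renew Time, in seconds

@dataclass
class Tgt:
    client: str
    postdatable: bool        # RFC 4120 MAY-POSTDATE flag
    renew_s: int             # 0 means the TGT is not renewable

def renew_limit(p, realm_max_renew_s, requested_s):
    """Renewable window granted to principal p; 0 if renewal is not allowed."""
    if not p.allow_renewable:
        return 0
    # Assumption: the tightest of the three limits wins.
    return min(requested_s, p.max_renew_s, realm_max_renew_s)

def issue_tgt(user, realm_max_renew_s, want_postdatable, want_renew_s):
    """Initial request: a flag is granted only if the user's attributes allow it."""
    return Tgt(user.name,
               want_postdatable and user.allow_postdated,
               renew_limit(user, realm_max_renew_s, want_renew_s))

def postdated_service_ticket(tgt, service):
    """Request for a postdated service ticket: returns (granted, reason)."""
    if not service.allow_postdated:
        return False, "service principal lacks Allow Postdated"
    if not tgt.postdatable:
        return False, "requesting user's TGT is not postdatable"
    return True, "ok"

# Constructed sample principals (names and limits are illustrative only).
REALM_MAX_RENEW_S = 7 * 86400
admin = Principal("admin", True, True, 2 * 86400)
guest = Principal("guest", False, False, 0)
batch = Principal("batch/host1", True, True, 14 * 86400)

if __name__ == "__main__":
    for user in (admin, guest):
        tgt = issue_tgt(user, REALM_MAX_RENEW_S, True, 30 * 86400)
        print(user.name, tgt, postdated_service_ticket(tgt, batch))
```

In this model the guest request fails at the TGT check described in the NOTE above, even though the service principal itself allows postdated tickets.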

Chapter 8