Administering the Kerberos Server
Manual Administration Using kadmin
When a new principal is added to the database or when a password of the principal is changed, this attribute is controlled by the NoReqChangePwd setting in the password policy file of the principal. By default, NoReqChangePwd is set to 0 (zero), that is, the user must change the password at first logon.
If you designate a random key for a principal using the HP Kerberos Administrator window or the kadmin addrnd command, the Require Change Password attribute is not set by default. As a result, a service principal with an extracted key does not need a new key extracted at the next authentication attempt.
To modify the type of parameter attr for the principal admin and to set the Require Password Change attribute, type kadmin at the
Following is a sample output of the Require Password Change attribute:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno,policy,dn or quit): attr
Attribute (or quit): {pwchg|nopwchg}
Principal modified.
Lock Principal Attribute
The Lock Principal attribute determines whether a principal account is usable or not. A locked principal exists in the principal database but is unable to use or provide security network services.
The Lock Principal attribute applies to both user and service principals. If you set this attribute for a user principal, no tickets can be issued to the user. If you set this attribute for a service principal, no tickets are issued for principals to use the service.
This attribute is set automatically when a principal exceeds the maximum number of failed authentication attempts specified in the password policy file. The default maximum number of failed authentication attempts allowed is 5. If a principal account is locked, a principal with the required administrative permissions must unlock the principal account before the user can authenticate again.