Administration
Manual Administration Using kadmin
Lock Principal Attribute
The Lock Principal attribute determines whether a principal account is usable. A locked principal exists in the principal database but is unable to use or provide security network services.
The Lock Principal attribute applies to both user and service principals. If this attribute is set for a:
• User principal, no tickets can be issued to the user
• Service principal, no tickets are issued for principals to use the service
This attribute is set automatically when a principal exceeds the maximum number of failed authentication attempts specified in the password policy file. The default maximum number of failed authentication attempts allowed is five (5). If a principal account is locked, a principal with the required administrative permissions must unlock the principal account before the user can authenticate again.
To set the Lock Principal attribute for the principal admin, use the mod command and modify the parameter type attr, as follows:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno or quit): attr
Attribute (or quit): {lock|nolock}
Principal modified.
Allow as Service Attribute
The Allow As Service attribute should be selected for any principal that will be used as a service.
This attribute can be applied to all principal types, both user and service. Selecting this attribute does not necessarily mean that the principal account is being used by a network service application. Select this attribute for user principals who run programs that require
When this attribute is set, the principal’s name appears in the server field of the service ticket. If this attribute is not set, the security server cannot issue a service ticket for that principal because the principal’s name cannot appear in the server field of the service ticket.
This attribute is set by default, allowing principals to act as a service and enabling
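The following Python sketch is an added example, not code from this guide or from the Kerberos server itself. It models how the Lock Principal and Allow As Service attributes gate ticket issuance, using the default limit of five failed attempts. The class, field and function names are hypothetical, and the counter behaviour marked in the comments is assumed.

```python
from dataclasses import dataclass

MAX_FAILED = 5  # default from the page: five failed authentication attempts

@dataclass
class Principal:
    name: str
    locked: bool = False           # Lock Principal attribute
    allow_as_service: bool = True  # Allow As Service, set by default
    failed: int = 0                # failed-authentication counter (hypothetical field)

class ToyKDC:  # simplified model of the rules on this page, not the real server
    def __init__(self, principals, max_failed=MAX_FAILED):
        self.max_failed, self.db = max_failed, {p.name: p for p in principals}

    def authenticate(self, name, password_ok):
        p = self.db[name]
        if p.locked:
            return "denied: principal locked"   # even a correct password fails
        if password_ok:
            p.failed = 0                        # assumption: success resets the counter
            return "TGT issued"
        p.failed += 1
        if p.failed >= self.max_failed:         # assumption: lock on reaching the maximum
            p.locked = True
        return "denied: bad password"

    def service_ticket(self, client, service):
        c, s = self.db[client], self.db[service]
        if c.locked or s.locked:
            return "denied: " + ("client" if c.locked else "service") + " locked"
        if not s.allow_as_service:
            return "denied: not allowed as service"
        return "service ticket issued"

    def admin_unlock(self, name):
        p = self.db[name]                       # models an administrator's mod / attr / nolock
        p.locked, p.failed = False, 0           # assumption: unlocking clears the counter

def demo():
    # Constructed sample principals: one user, one locked service, one non-service user.
    kdc = ToyKDC([Principal("alice"), Principal("host/db", locked=True),
                  Principal("bob", allow_as_service=False)])
    out = [kdc.authenticate("alice", False) for _ in range(MAX_FAILED)]
    out.append(kdc.authenticate("alice", True))         # correct password, still locked
    kdc.admin_unlock("alice")
    out.append(kdc.authenticate("alice", True))
    out.append(kdc.service_ticket("alice", "bob"))      # bob lacks Allow As Service
    out.append(kdc.service_ticket("alice", "host/db"))  # service principal is locked
    return out
```

Because a locked account rejects even a correct password, repeated bad guesses against a known principal name deny service to its legitimate owner until an administrator unlocks it, so unexpected lockouts are worth reviewing.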