HP (Hewlett-Packard) E0905 Server User Manual


 
Administering the Kerberos Server
Manual Administration Using kadmin
When a new principal is added to the database or when a password of the
principal is changed, this attribute is controlled by the NoReqChangePwd
setting in the password policy file of the principal. By default,
NoReqChangePwd is set to 0 (zero), that is, the user must change the
password at first logon.
If you designate a random key for a principal using the HP Kerberos
Administrator window or the kadmin addrnd command, the Require
Change Password attribute is not set by default. As a result, a service
principal whose key has already been extracted does not need a new key
extracted at the next authentication attempt.
To modify the type of parameter attr for the principal admin and to set
the Require Password Change attribute, type kadmin at the HP-UX
prompt and specify the mod command, the principal name, the attr
parameter type, and the attribute.
Following is a sample kadmin session that sets the Require Password
Change attribute:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno, policy,dn or quit) :attr
Attribute (or quit): {pwchg|nopwchg}
Principal modified.
Lock Principal Attribute
The Lock Principal attribute determines whether a principal account
is usable or not. A locked principal exists in the principal database but is
unable to use or provide security network services.
The Lock Principal attribute applies to both user and service
principals. If you set this attribute for a user principal, no tickets can be
issued to the user. If you set this attribute for a service principal, no
tickets are issued for principals to use the service.
This attribute is set automatically when a principal exceeds the
maximum number of failed authentication attempts specified in the
password policy file. The default maximum number of failed
authentication attempts allowed is 5. If a principal account is locked, a
principal with the required administrative permissions must unlock the
principal account before the user can authenticate again.