 secd(1m)                 Open Software Foundation                  secd(1m)




 NAME
      secd - The DCE Security Server

 SYNOPSIS
      secd [-b[ootstrap]] [-lockpw] [-locksm[ith]] [pname] [-rem[ote]]
      [-master_seqno new_master_seqno] [-cpi time] [-restore_master]
      [-noaudfilter] [-v[erbose]]


 OPTIONS
      -locksm[ith]
                Restarts the master Security Server in locksmith mode. Use
                this mode if you cannot access the registry as the principal
                with full registry access, because that principal's account
                has been inadvertently deleted or its password lost.

      pname     The pname argument is the name of the locksmith principal.
                If no registry account exists for this principal, secd
                creates one.

      -lockpw   Prompt for a new locksmith password when running in
                locksmith mode. This option allows you to specify a new
                password for the locksmith account when the old one is
                unknown.

      -rem[ote] Allows the locksmith principal to log in remotely.  If this
                option is not used, the principal must log in from the local
                machine on which secd will be started.

      -bo[otstrap]
                Always waits only one minute between tries to export binding
                information to the Cell Directory Service during DCE
                configuration.  If you do not specify this option, during
                initialization secd sleeps for 1 minute if CDS is not
                available when it tries to export binding information.  If
                the export fails a second time, it sleeps for 2 minutes
                before it tries again.  If it still fails, it sleeps for 4,
                8, and 16 minutes between retries.  Then, sleep time stays
                at 16 minutes until the binding export succeeds.

      -master_seqno
                Sets a new master sequence number for the master replica.
                This option is used only in unusual situations when a
                replica that you want to be the master has a master sequence
                number that is lower than (or equal to) another master
                sequence number in the system.  When the master detects that
                its master sequence number is lower than another one in the
                system, it marks itself as a duplicate master and its
                process exits. Each time you start the master replica, it
                will notice that it has been deemed a duplicate master, and
                its process will again exit.  Use this option to assign a
                new master sequence number to the replica you want to be
                master.  The new sequence number should be one digit higher
                than the highest master sequence number in the system.  (Use
                the dcecp registry show -replica command for each replica to
                find the highest master sequence number.)

      -cpi      The checkpoint interval for the master registry database.
                This is the interval in seconds at which the master writes
                its database to disk.  The default is one hour.

      -restore_master
                Marks all slave replicas for initialization during the
                master restart. Use this option only to recover from a
                catastrophic failure of the master security server (for
                example, if the database is corrupted and then restored from
                a backup tape).

      -noaudfilter
                Disables audit filtering and enables full (unfiltered)
                auditing.  By default secd turns audit filtering on.

      -v[erbose]
                Runs in verbose mode.


      All options start the Security Server on the local node.

 DESCRIPTION
      The secd daemon is the Security Server. It manages all access to the
      registry database. You must have root privileges to invoke secd.

      The Security Server can be replicated, so that several copies of the
      registry database exist on a network, each managed by a secd process.
      Only one Security Server, the master replica, can perform database
      update operations (such as adding an account).  Other servers, the
      slave replicas, can perform only lookup operations (such as validating
      a login attempt).

      A DCE Host daemon (dced) must be running on the local node when secd
      is started.  Typically, dced and secd are started at boot time. The
      secd server places itself in the background when it is ready to
      service requests.

    Locksmith Mode
      The secd -locksmith option starts secd in locksmith mode.  The
      -locksmith option can be used only with the master replica. In
      locksmith mode, the principal name you specify to secd with pname
      becomes the locksmith principal.  As the locksmith principal, you can
      repair malicious or accidental changes that prevent you from logging
      in with full registry access privileges.

      If no account exists for pname, secd establishes one and prompts you
      for the account's password. (Use this password when you log in to the
      account as the locksmith principal.) If an account for pname exists,
      secd changes the account and policy information as described in the
      tables titled "Locksmith Account Changes Made by the Security Server"
      and "Registry Policy Changes Made by the Security Server." These
      changes ensure that even if account or registry policy was tampered
      with, you will now be able to log in to the locksmith account.

      In locksmith mode, all principals with valid accounts can log in and
      operate on the registry with normal access checking.  The locksmith
      principal, however, is granted special access to the registry: no
      access checking is performed for the authenticated locksmith
      principal. This means that, as the locksmith principal, you can
      operate on the registry with full access.

 Table: Locksmith Account Changes Made by the Security Server

 _______________________________________________________________________________________________
 |If the Security Server finds                            | It changes                          |
 |________________________________________________________|_____________________________________|
 |Password-Valid flag is set to no                        | Password-Valid flag to yes          |
 |________________________________________________________|_____________________________________|
 |Account Expiration date is set to less than the current | Account Expiration date to the      |
 |time plus one hour                                      | current time plus one hour          |
 |________________________________________________________|_____________________________________|
 |Client flag is set to no                                | Client flag to yes                  |
 |________________________________________________________|_____________________________________|
 |Account-Valid flag is set to no                         | Account-Valid flag to yes           |
 |________________________________________________________|_____________________________________|
 |Good Since date is set to greater than the current time | Good Since date to the current time |
 |________________________________________________________|_____________________________________|
 |Password Expiration date is set to less than current    | Password Expiration date to the     |
 |time plus one hour                                      | current time plus one hour          |
 |________________________________________________________|_____________________________________|

 Table: Registry Policy Changes Made by the Security Server

 ______________________________________________________________________________________________
 |If the Security Server finds                         | It changes                             |
 |_____________________________________________________|________________________________________|
 |Account Lifespan is set to less than the difference  | Account Lifespan to the current time   |
 |between the locksmith account creation date and the  | plus one hour minus the locksmith      |
 |current time plus one hour                           | account creation date                  |
 |_____________________________________________________|________________________________________|
 |Password Expiration date is set to greater than the  | Password Expiration date to the        |
 |time the password was last changed but less than the | current time plus one hour             |
 |current time plus one hour                           |                                        |
 |_____________________________________________________|________________________________________|

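      As an added example (not part of this man page or of HP DCE), the
      repair rules from the two tables written as a small Python routine.
      It applies them to a constructed, deliberately tampered account
      record and reports which fields secd would have changed; the
      Account class is a hypothetical model of the named registry fields,
      not a DCE API.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)


@dataclass
class Account:
    # Hypothetical model of the registry fields the tables name (not a DCE API).
    password_valid: bool
    account_valid: bool
    client: bool
    account_expiration: datetime
    good_since: datetime
    password_expiration: datetime
    creation_date: datetime
    account_lifespan: timedelta  # registry policy value that governs this account


def locksmith_repair(acct, now):
    """Return (repaired copy, list of field names changed) per the two tables."""
    fixed = replace(acct)
    changed = []
    horizon = now + ONE_HOUR
    if not fixed.password_valid:
        fixed.password_valid = True; changed.append("password_valid")
    if fixed.account_expiration < horizon:
        fixed.account_expiration = horizon; changed.append("account_expiration")
    if not fixed.client:
        fixed.client = True; changed.append("client")
    if not fixed.account_valid:
        fixed.account_valid = True; changed.append("account_valid")
    if fixed.good_since > now:
        fixed.good_since = now; changed.append("good_since")
    # Account table row; the policy table's password-expiration row produces the
    # same result (set to now + 1h) under a stricter condition, so it is covered.
    if fixed.password_expiration < horizon:
        fixed.password_expiration = horizon; changed.append("password_expiration")
    # Policy table: lifespan must cover the account's age plus one hour.
    if fixed.account_lifespan < horizon - fixed.creation_date:
        fixed.account_lifespan = horizon - fixed.creation_date; changed.append("account_lifespan")
    return fixed, changed


def demo():
    # Constructed record: expired yesterday, "good since" a date in the future,
    # password marked invalid, and a lifespan shorter than the account's age.
    now = datetime(2024, 1, 1, 12, 0)
    tampered = Account(
        password_valid=False, account_valid=True, client=True,
        account_expiration=now - timedelta(days=1),
        good_since=now + timedelta(days=30),
        password_expiration=now + timedelta(days=90),
        creation_date=now - timedelta(days=400),
        account_lifespan=timedelta(days=365),
    )
    return locksmith_repair(tampered, now)


if __name__ == "__main__":
    repaired, changed = demo()
    print("fields repaired:", ", ".join(changed))
```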
      Use the -lockpw option if the locksmith account exists but you do not
      know its password.  This option causes secd to prompt for a new
      locksmith password and replace the existing password with the one
      entered.

      Use the -remote option to allow the locksmith principal to log in from
      a remote machine.

      The secd program normally runs in the background. When you start secd
      in locksmith mode, it runs in the foreground so that you can answer
      prompts.

 EXAMPLES
      All of the commands shown in the following examples must be run by
      root:

       1.  Start a Security Server after you create the database with
           sec_create_db.

            dcelocal/bin/secd

       2.  Restart an existing replica (master or slave).

            dcelocal/bin/secd

       3.  Start the Security Server in locksmith mode and allow the
           master_admin principal to log in on a remote machine.

            dcelocal/bin/secd -locksmith master_admin -remote


 Hewlett-Packard Company            - 4 - OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
Copyright © 2004-2005 DeniX Solutions SRL