Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Administration
Manual Administration Using kadmin
Lock Principal Attribute
The Lock Principal attribute determines whether a principal account
is usable. A locked principal exists in the principal database but is
unable to use or provide security network services.
The Lock Principal attribute applies to both user and service
principals. If this attribute is set for a:
• User principal, no tickets can be issued to the user
• Service principal, no tickets are issued for principals to use the service
This attribute is set automatically when a principal exceeds the
maximum number of failed authentication attempts specified in the
password policy file. The default maximum number of failed
authentication attempts allowed is five (5). If a principal account is
locked, a principal with the required administrative permissions must
unlock the principal account before the user can authenticate again.
To set or clear the Lock Principal attribute for the principal admin,
modify the parameter type attr as follows:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
Attribute (or quit): {lock|nolock}
Principal modified.
Allow as Service Attribute
The Allow As Service attribute should be selected for any principal
that will be used as a service.
This attribute can be applied to all principal types, both user and service.
Selecting this attribute does not necessarily mean that the principal
account is being used by a network service application. Select this
attribute for user principals who run programs that require user-to-user
authentication.
When this attribute is set, the principal’s name appears in the server
field of the service ticket. If this attribute is not set, the security server
cannot issue a service ticket for that principal because the principal’s
name cannot appear in the server field of the service ticket.
This attribute is set by default, allowing principals to act as a service and
enabling user-to-user authentication for user principals.
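The following sketch models how the Lock Principal and Allow As Service attributes described above combine when a ticket is requested. It is an added example, not code from the Kerberos Server product. The class, function and principal names are hypothetical, and it assumes that "exceeds" means strictly more than the maximum and that unlocking clears the failure counter.

```python
from dataclasses import dataclass
from typing import Optional

MAX_FAILED = 5  # default maximum failed attempts stated above (password policy file)

@dataclass
class Principal:
    name: str
    locked: bool = False           # Lock Principal attribute (lock / nolock)
    allow_as_service: bool = True  # Allow As Service attribute, set by default
    failed: int = 0                # failed-attempt counter (hypothetical field)

def failed_auth(p: Principal, max_failed: int = MAX_FAILED) -> None:
    """Record one failed authentication; lock when the count exceeds the maximum."""
    p.failed += 1
    if p.failed > max_failed:  # assumption: "exceeds" means strictly greater than
        p.locked = True

def admin_unlock(p: Principal) -> None:
    """Model an administrator setting nolock; clearing the counter is an assumption."""
    p.locked = False
    p.failed = 0

def denial_reason(client: Principal, server: Optional[Principal] = None) -> Optional[str]:
    """Return why a request is refused, or None. server=None models the initial ticket."""
    if client.locked:
        return f"{client.name} is locked: no tickets issued to this principal"
    if server is not None:
        if server.locked:
            return f"{server.name} is locked: no tickets issued for this service"
        if not server.allow_as_service:
            return f"{server.name} cannot appear in the server field of a service ticket"
    return None

def demo() -> list:
    alice = Principal("alice")                      # constructed sample principals
    bob = Principal("bob", allow_as_service=False)
    host = Principal("host/app1")
    out = [denial_reason(alice, host)]       # None: both principals are usable
    out.append(denial_reason(alice, bob))    # bob is not allowed as a service
    for _ in range(MAX_FAILED + 1):          # six failures exceed the limit of five
        failed_auth(alice)
    out.append(denial_reason(alice))         # alice was locked automatically
    admin_unlock(alice)
    out.append(denial_reason(alice, host))   # None again after the unlock
    host.locked = True
    out.append(denial_reason(alice, host))   # locked service principal
    return out
```

Calling demo() returns one result per request in order, with None meaning the ticket would be issued.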