
The Results of sec_create_db

The master registry database that is created by sec_create_db contains the principals, groups, and organizations listed in the following table.


Initial Persons, Groups, and Organizations

Principal                  Group      Organization
bin                        bin        none
daemon                     daemon     -
dce-ptgt                   kmem       -
dce-rgy                    mail       -
krbtgt/local_cell_name     nogroup    -
hosts/local_host/self      none       -
mail                       system     -
nobody                     tcb        -
root                       tty        -
sys                        uucp       -
tcb                        -          -
uucp                       -          -
who                        -          -

The accounts that are created by the sec_create_db command are as follows:

· bin bin none

· daemon daemon none

· dce-ptgt none none

· dce-rgy none none

· hosts/local_host/self none none

· krbtgt/cell_name none none

· nobody nogroup none

· root system none

· uucp uucp none

Some of the objects that were initially created by sec_create_db are reserved and cannot be deleted. These are indicated in the following list.

· The reserved principals are as follows:

- dce-ptgt

- krbtgt/cell_name

- dce-rgy

· The reserved group is none.

· The reserved organization is none.

· The reserved accounts are as follows:

- dce-ptgt none none

- krbtgt/cell_name none none

- dce-rgy none none

When you run the sec_create_db command to create the master registry database, you can name the principal who has the most privileged access to the registry. This person is known as the registry creator. If the registry creator you name is not one of the default principals, sec_create_db adds the account rgy_creator none none, where rgy_creator is the principal you named as the registry creator. If you do not name a registry creator, sec_create_db assigns the most privileged registry access to the root system none account.

With one exception, all of the accounts created by the sec_create_db command are assigned randomly generated passwords and are marked as invalid. Before these principals can log in to these accounts, you must change the account passwords and mark the accounts as valid. You can do this by using the dcecp account modify command. Creating and Maintaining Accounts provides instructions for using the dcecp account modify command to change all of the attributes for a principal's account in the registry, including the principal's password. Also, dcecp has options to randomly generate new passwords.

The exception is the account created for the registry creator, which is valid and is assigned the DCE default password (-dce-). Change the default password to ensure the security of the registry creator account.

In addition to the group memberships implied by the accounts that are created by sec_create_db, the principals are also made members of the groups listed in the following table.


Group Memberships Created by sec_create_db

The principal...    Is a member of the group...
who                 bin
root                system, kmem, tty
sys                 kmem
mail                mail
tcb                 tcb

Creating and Maintaining Principals, Groups, and Organizations provides instructions for adding principals to groups.