Planning and Configuring HP DCE 1.7

ManualsBrandsHP ManualsSoftwareHP-UX DCE Software

141

142

143

144

145

146

147

148

149

150

6-20 Planning and Conﬁguring HP DCE 1.7

HP-UX Integrated Login

Integrating DCE with HP-UX Integrated Login

restrictions, and semantics. Also, be aware that conﬁguring the UNIX

backend as a backup technology can cause the following known

problems:

• If the DCE registry enforces hidden passwords (which it does by

default), an asterisk (*) is placed in /etc/passwd for all entries and

the UNIX backup will be unable to process any password. Therefore,

conﬁguring UNIX as the fallback login technology will fail to

authenticate the user and cause confusion when attempting to

change a password. Unless you plan not to enforce hidden passwords,

do not conﬁgure UNIX as the backup technology.

• The UNIX backend will fail for any username longer than eight

characters, which is the maximum length for a UNIX username.

Speciﬁcally, this means that:

✓ If the primary login technology fails (for example, if secd is down)

the UNIX backup technology will deny system access to users with

long usernames.

✓ If secd is down, the UNIX backup technology will not allow users

to use the su command to access accounts that have long

usernames.

✓ If secd is running and the user enters the passwd command to

change the password for an account with a long username, the

UNIX backup technology will not process the password change.

Speciﬁcally, the following messages will display:

Password successfully changed in DCE registry

Invalid login name.

The ﬁrst line in the message indicates that the password has been

changed in DCE. The second line indicates that the password

information in /etc/passwd is unchanged because of the UNIX

restriction on the long usernames.

✓ If secd is running, DCE will deny access to the machine to any

users with long usernames whose accounts are set to

pwdvalid no, or who use the force_pwd_expiry <n> feature

and whose passwords will expire within n days.

• DCE allows cell_admin to change the password of any other principal.

However, UNIX does not allow this behavior. Therefore, if a user logs

in as cell_admin and tries to change another user’s password, the

following message will display: