Planning and Configuring HP DCE 1.8

HP-UX Integrated Login
Integrating DCE with HP-UX Integrated Login
• The UNIX backend will fail for any username longer than 64
  characters, which is the maximum length for a UNIX username.
  Specifically, this means that:

  - If the primary login technology fails (for example, if secd is
    down), the UNIX backup technology will deny system access to
    users with long usernames.

  - If secd is down, the UNIX backup technology will not allow users
    to use the su command to access accounts that have long
    usernames.

  - If secd is running and the user enters the passwd command to
    change the password for an account with a long username, the
    UNIX backup technology will not process the password change.
    Specifically, the following messages will display:

        Password successfully changed in DCE registry
        Invalid login name.

    The first line of the message indicates that the password has
    been changed in DCE. The second line indicates that the password
    information in /etc/passwd is unchanged because of the UNIX
    restriction on long usernames.

  - If secd is running, DCE will deny access to the machine to any
    users with long usernames whose accounts are set to pwdvalid no,
    or who use the force_pwd_expiry <n> feature and whose passwords
    will expire within n days.

• DCE allows cell_admin to change the password of any other principal.
  However, UNIX does not allow this behavior. Therefore, if a user logs
  in as cell_admin and tries to change another user's password, the
  following message will display:

        Password successfully changed in DCE registry
        Permission denied.

  As shown in the preceding message, the password has been changed
  in DCE, but not in /etc/passwd. To resynchronize the passwords, the
  user must log in as root and run the passwd -r files command. This
  command changes the password in the /etc/passwd file only.

• UNIX allows the root user to su to any other user's account without
  prompting root for a password. DCE, however, cannot issue
  credentials without a password. Therefore, the su operation will
  appear to succeed, but the new user will not have DCE credentials.
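The following audit sketch is an added example, not code from HP or from this manual. It lists the login names in a passwd-format stream that exceed the 64-character limit stated above (the accounts the UNIX backup technology would refuse when secd is down) and classifies captured passwd output by the two message pairs quoted above. The function names, result labels and sample accounts are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. The limit is the one stated in the text above.
MAX_UNIX_NAME=64

# Read passwd-format lines on stdin; print login names over the limit.
long_usernames() {
    awk -F: -v max="$MAX_UNIX_NAME" \
        '$0 !~ /^[ \t]*(#|$)/ && length($1) > max + 0 { print $1 }'
}

# Classify captured passwd output using the documented message pairs.
# Labels (hypothetical): desync-long, desync-perm, no-unix-error, unknown.
classify_passwd_output() {
    case $1 in
        *"Password successfully changed in DCE registry"*) ;;
        *) echo unknown; return ;;
    esac
    case $1 in
        *"Invalid login name."*) echo desync-long ;;   # long username case
        *"Permission denied."*)  echo desync-perm ;;   # cell_admin case
        *)                       echo no-unix-error ;;
    esac
}

# Constructed sample data: one name exactly at the limit, one a character over.
sample_passwd() {
    awk 'BEGIN {
        for (i = 0; i < 64; i++) ok = ok "a"
        printf "root:*:0:3::/:/sbin/sh\n"
        printf "%s:*:201:20::/home/a:/usr/bin/sh\n", ok
        printf "%sb:*:202:20::/home/b:/usr/bin/sh\n", ok
    }'
}

# Demo run on the constructed data and a constructed passwd transcript.
echo "Names the UNIX backend would reject:"
sample_passwd | long_usernames
captured='Password successfully changed in DCE registry
Permission denied.'
state=$(classify_passwd_output "$captured")
echo "passwd result: $state"
if [ "$state" = desync-perm ]; then
    echo "DCE and /etc/passwd differ: as root, run passwd -r files"
fi
```

On a real host, feed long_usernames from /etc/passwd instead of sample_passwd.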