Planning and Configuring HP-UX DCE 1.9
Chapter 7
HP-UX Integrated Login
Integrating DCE with HP-UX Integrated Login
• The passwd utility manipulates the DCE registry. It will fail if the DCE network registry cannot be
reached. The passwd command synchronously changes the DCE registry, supporting the password
generation and password strength checking features provided by HP-UX DCE Version 1.9 servers.
However, if DCE is configured as an additional technology, you cannot use passwd to change a DCE
password that is required to be generated. You must use dcecp instead.
• User root cannot change account information (such as passwords, finger information, and shell programs)
of other users in the DCE Security Registry. The cell administrator must log in as cell_admin and use
dcecp or the HP-UX Integrated utilities (such as passwd, chfn, or chsh) to change other users'
information.
• Unlike user root, the cell administrator must provide cell_admin's password when using the HP-UX
Integrated passwd to change other users' passwords in the DCE Security Registry.
• User passwords are limited to 128 characters for ftp; otherwise, passwords can be up to 512 characters.
• HP-UX Integrated Login utilities take longer to execute and require more system resources than the
HP-UX equivalents.
• For operations that do not require the user to enter a password, no DCE credentials are obtained.
Examples include:
- su when executed by root
- rlogin when a .rhosts file authorizes access
- Anonymous ftp
Preparing to Integrate DCE with HP-UX Integrated Login
Before integrating DCE with HP-UX Integrated Login on a system, you must prepare as follows. You can
configure DCE as either the login technology or as an additional technology.
If you plan to configure DCE as the login technology:
• Configure the system as a DCE cell member.
• Set up a valid root account in the DCE Security Registry.
• Set up valid accounts in the DCE Security Registry for all users that require login access to the cell, or
local login access to cell member systems. Use either dcecp or passwd_import to set up accounts.
• Decide whether to configure ux as the fallback technology, and, if so, whether to export DCE Registry data
to /etc/passwd via a passwd_export entry in your crontab file. It is recommended that you use this
mechanism to keep the local password file synchronized with the DCE Registry, in the event that fallback
login is needed. (See "Activating HP-UX Integrated Login" in this chapter for further information.)
• Decide whether to activate the DCE backend to the Name Service Switch (NSS-DCE) so that getpw* and
getgr* calls access the DCE registry for user information. (See the previous section, "Operation of the
HP-UX Integrated Login Utilities," for further information.)
• Create entries in /etc/opt/dce/passwd_override for any accounts (such as printing or backup services)
that require access to your system, but not to the DCE cell. Entries may be copied directly from
/etc/passwd and appended to /etc/opt/dce/passwd_override. The activation process will
automatically create an override entry for root; however, you must create override entries for any root
aliases.
• The passwd_override file can also be used to disable access to the local system for selected users or
groups. See the passwd_override manpage for details.
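The following is an added example, not part of the HP manual: a POSIX shell sketch of the passwd_override preparation step, which finds root aliases (UID 0 accounts other than root) and copies the /etc/passwd entries for named local-only accounts into the override file without duplicating entries. The function names and the sample accounts (toor, lp, alice) are constructed for illustration; the only assumption about the file format is the one the text states, that entries can be copied directly from /etc/passwd.

```shell
#!/bin/sh
# Added example (not HP's code). Function names are hypothetical.
# Assumes passwd_override takes /etc/passwd-format lines, as the text states.

# Print login names that have UID 0 but are not "root" (root aliases).
root_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Succeed if override file $2 already has an entry for login name $1.
has_override() {
    [ -f "$2" ] && awk -F: -v n="$1" '$1 == n { f = 1 } END { exit !f }' "$2"
}

# add_overrides PASSWD_FILE OVERRIDE_FILE NAME...
# Append the passwd entry for each NAME to the override file, skipping
# names already present. Returns non-zero if a NAME has no passwd entry.
add_overrides() {
    pw=$1; ov=$2; shift 2
    rc=0
    for name in "$@"; do
        if has_override "$name" "$ov"; then continue; fi
        entry=$(awk -F: -v n="$name" '$1 == n { print; exit }' "$pw")
        if [ -z "$entry" ]; then
            echo "no entry for $name in $pw" >&2
            rc=1; continue
        fi
        printf '%s\n' "$entry" >> "$ov"
    done
    return $rc
}

# Dry run on constructed data in a scratch directory (accounts are made up).
demo() {
    d=${1:-/tmp/override_demo.$$}
    mkdir -p "$d" || return 1
    printf '%s\n' 'root:*:0:3::/:/sbin/sh' 'toor:*:0:3::/:/sbin/sh' \
        'lp:*:9:7::/var/spool/lp:/sbin/sh' \
        'alice:*:201:20::/home/alice:/usr/bin/sh' > "$d/passwd"
    printf '%s\n' 'root:*:0:3::/:/sbin/sh' > "$d/override"  # created by activation
    add_overrides "$d/passwd" "$d/override" lp $(root_aliases "$d/passwd")
    cat "$d/override"; rm -rf "$d"
}

# Real use would pass /etc/passwd and /etc/opt/dce/passwd_override instead.
if [ "${1:-}" = demo ]; then demo; fi
```

Run with the argument demo to see the resulting override file for the constructed accounts; review the real /etc/opt/dce/passwd_override by hand after any append, since every entry in it bypasses the DCE registry for that account.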