Planning and Configuring HP-UX DCE 1.9

Chapter 7
HP-UX Integrated Login
Integrating DCE with HP-UX Integrated Login
87
Starts ilogind (the integrated login daemon) and adds it to the startup list. The DCE backend to PAM
(PAM-DCE), as well as the DCE backend to NSS (NSS-DCE), communicate with ilogind, which in turn
communicates with secd (the DCE Security daemon) to perform security functions. ilogind was
introduced at HP-UX DCE 1.6.
During this process, you are asked whether or not you want to activate the DCE backend to the Name Service
Switch (NSS-DCE) so that getpw* and getgr* calls access the DCE registry for user information. If you
choose to activate NSS-DCE, UNIX utilities will function properly without requiring synchronization of
/etc/passwd and the DCE registry. However, if you are configuring a fallback technology, you may still want
to run passwd_export in case the DCE registry is unavailable.
If NSS-DCE is activated, auth.adm saves the current version of /etc/nsswitch.conf and creates a new
version, which has the same semantics as the configuration policy. For example, if you are configuring
integrated login with DCE as the primary login and UNIX as the fallback, then /etc/nsswitch.conf will also
use DCE as the primary repository for user information and will use UNIX (/etc/passwd) as the fallback
repository for cases where the primary is unavailable.
To enhance performance, NSS-DCE caches information it retrieves from the DCE registry. The cached
information is considered valid for a certain number of seconds (called tstale), after which time it becomes
stale. The default setting for tstale is 60 seconds; it can be changed by setting the environment variable
NSSDCE_CACHE_TSTALE to the desired stale time in seconds. To disable the caching facility completely, set
NSSDCE_CACHE_TSTALE to 0 (zero).
During this process you are asked whether or not you want to set up a cron job to export information from the
DCE Security Registry to /etc/passwd. If you choose to set up the cron job, the activation process also:
• Saves the /etc/passwd file in /etc/passwd.nodce and the /etc/group file in /etc/group.nodce (if
these files do not already exist).
• Executes passwd_export as a cron command. If NSS-DCE is activated, this cron job is run once every
day. Otherwise, it is run once every hour. You can adjust this frequency by using the crontab(1)
command. Frequencies greater than once per hour are not recommended.
Activation terminates with an error message when any of these steps fails.
Configuring ux as a Fallback Technology for DCE
You can configure ux as a fallback technology to allow system access when DCE, as a login technology, is not
available (DCE down or network problem). If you wish to replicate information of the DCE Security Registry
in /etc/passwd, do the following:
Make sure the DCE Security Registry is not set up to hide exported passwords. When exported passwords
are hidden, passwd_export does not export the encrypted passwords from the DCE Security Registry to
/etc/passwd. You can verify this property of the DCE Security Registry by running dcecp and issuing
the command registry show at the prompt. You can disable hidden passwords by issuing the command
registry modify -hidepwd no at the prompt. To change this property, you must have cell_admin DCE
credentials.
NOTE If you wish to take advantage of the increased security provided by the DCE Security
Registry hidden passwords policy, do not configure ux as a fallback technology. Specify DCE
as the primary login technology, with no fallback login technology.
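The checks above (the hidepwd registry property, a valid NSSDCE_CACHE_TSTALE value, and the passwd_export cron frequency the activation process uses) collected into a small pre-check script. This is an added example, not part of the HP-UX DCE manual or product; it assumes that dcecp's registry show prints Tcl-style "{attribute value}" lines including "{hidepwd yes|no}", that passwd_export lives in /opt/dce/bin, and the registry output below is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the HP-UX DCE manual. Assumptions: dcecp "registry show"
# prints "{attr value}" lines, among them "{hidepwd yes}" or "{hidepwd no}";
# passwd_export path is /opt/dce/bin/passwd_export (hypothetical).

# Constructed sample of "dcecp -c registry show" output, for offline use.
SAMPLE_REGISTRY_SHOW='{deftktlife +0-10:00:00.000I-----}
{hidepwd yes}
{maxuid 32767}
{mingid 100}'

# hidepwd_enabled REGISTRY_SHOW_OUTPUT -> prints "yes" or "no";
# exits 2 when no hidepwd attribute is present in the output
hidepwd_enabled() {
    printf '%s\n' "$1" | sed -n 's/^{hidepwd \([a-z]*\)}$/\1/p' | grep . || return 2
}

# fallback_precheck REGISTRY_SHOW_OUTPUT -> 0 when passwd_export will carry the
# encrypted passwords to /etc/passwd (hidepwd no), 1 when they would be hidden
fallback_precheck() {
    [ "$(hidepwd_enabled "$1")" = no ]
}

# tstale_valid VALUE -> 0 when VALUE is usable for NSSDCE_CACHE_TSTALE
# (a non-negative integer number of seconds; 0 disables the cache), else 1
tstale_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# cron_entry NSSDCE_ACTIVE(yes|no) -> crontab line at the frequency the
# activation process uses: daily when NSS-DCE is active, hourly otherwise
cron_entry() {
    if [ "$1" = yes ]; then
        printf '0 2 * * * /opt/dce/bin/passwd_export\n'   # once a day
    else
        printf '0 * * * * /opt/dce/bin/passwd_export\n'   # once an hour
    fi
}

# Sample run against the constructed registry output.
if fallback_precheck "$SAMPLE_REGISTRY_SHOW"; then
    echo "hidepwd is off: ux fallback can replicate passwords"
else
    echo "hidepwd is on: do not configure ux as a fallback (see NOTE above)"
fi
```

Replace SAMPLE_REGISTRY_SHOW with `$(dcecp -c registry show)` run under cell_admin credentials to check a live cell.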