Planning and Configuring HP-UX DCE 1.9
Chapter 7
HP-UX Integrated Login
Integrating DCE with HP-UX Integrated Login
88
• Set up a cron job to export information from the DCE Security Registry to /etc/passwd. You are asked,
during the activation process, whether or not to set up such a cron job. With your approval, a
passwd_export cron job is set up. If NSS-DCE is activated, this cron job is run once every day.
Otherwise, it is run once every hour. You can adjust this frequency by using the crontab(1) command.
Frequencies greater than once per hour are not recommended.
• If you wish to prevent a certain user from logging in to the local system, create an entry for that user in
the passwd_override file and place the word "OMIT" in the password field of the entry. passwd_export
will exclude those entries from /etc/passwd when transferring information from the DCE Security
Registry.
Users who configure DCE as the primary login and UNIX as the backup technology should be aware that the
UNIX backend is useful as a backup only for names and passwords that meet UNIX requirements,
restrictions, and semantics. Also, be aware that configuring the UNIX backend as a backup technology can
cause the following known problems:
• If the DCE registry enforces hidden passwords (which it does by default), passwd_export places an
asterisk (*) in the password field of every /etc/passwd entry. An asterisk matches no password, so the
UNIX backend cannot verify any password: configuring UNIX as the fallback login technology will fail to
authenticate users and will cause confusion when attempting to change a password. Unless you plan not to
enforce hidden passwords, do not configure UNIX as the backup technology.
• The UNIX backend will fail for any username longer than eight characters, which is the maximum length
for a UNIX username. Specifically, this means that:
✓ If the primary login technology fails (for example, if secd is down) the UNIX backup technology will
deny system access to users with long usernames.
✓ If secd is down, the UNIX backup technology will not allow users to use the su command to access
accounts that have long usernames.
✓ If secd is running and the user enters the passwd command to change the password for an account
with a long username, the UNIX backup technology will not process the password change.
Specifically, the following messages will display:
    Password successfully changed in DCE registry
    Invalid login name.
The first line in the message indicates that the password has been changed in DCE. The second line
indicates that the password information in /etc/passwd is unchanged because of the UNIX
restriction on the long usernames.
✓ If secd is running, DCE will deny access to the machine to any users with long usernames whose
accounts are set to pwdvalid no, or who use the force_pwd_expiry <n> feature and whose passwords
will expire within n days.
• DCE allows cell_admin to change the password of any other principal. However, UNIX does not allow this
behavior. Therefore, if a user logs in as cell_admin and tries to change another user's password, the
following message will display:
    Password successfully changed in DCE registry
    Permission denied.
As shown in the preceding message, the password has been changed in DCE, but not in /etc/passwd. To
resynchronize the two, log in as root and run the passwd -r files command for that user. This command
changes the password in the /etc/passwd file only; the DCE registry is not touched.
• UNIX allows the root user to su to any other user's account without prompting root for a password. DCE,
however, cannot issue credentials without a password. Therefore, the su operation will appear to succeed,
but the new user will not have DCE credentials and will fail any operation that requires them (for
example, access to DFS or to ACL-protected DCE servers) until the user obtains credentials with dce_login.
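The following script is an added example; it is not HP-UX's passwd_export nor any part of Integrated Login. It illustrates two of the points above on constructed data: how an OMIT entry in passwd_override removes a principal from the export (the passwd_override bullet earlier in this section), and a check that flags exported /etc/passwd entries the UNIX backup technology cannot serve, namely hidden passwords (an asterisk in the password field) and usernames longer than eight characters. The field layout assumed for passwd_override (name:passwd:uid:gid:gecos:home:shell), the file names, and all sample entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not HP-UX's passwd_export or Integrated Login code.
# (1) export_passwd mimics the OMIT filtering described for passwd_override;
# (2) audit_fallback flags exported entries the UNIX backup technology cannot
#     authenticate: hidden passwords ("*") and usernames over 8 characters.
# File layouts and all sample data below are constructed assumptions.

# export_passwd REGISTRY_EXPORT OVERRIDE_FILE
# Prints the registry export minus every name whose passwd_override entry
# (assumed layout name:passwd:uid:gid:gecos:home:shell) has OMIT as password.
# FILENAME is compared instead of the usual NR==FNR so an empty override
# file does not swallow the export.
export_passwd() {
  awk -F: '
    FILENAME == ARGV[1] { if ($2 == "OMIT") omit[$1] = 1; next }  # overrides
    !($1 in omit)       { print }                                 # export
  ' "$2" "$1"
}

# audit_fallback PASSWD_FILE
# Prints one diagnostic per entry the UNIX backup cannot serve; exit status 1
# if any were found, 0 if the file is clean.
audit_fallback() {
  awk -F: '
    $2 == "*"      { printf "%s: hidden password, UNIX backup cannot verify it\n", $1; bad = 1 }
    length($1) > 8 { printf "%s: %d-char username exceeds the UNIX limit of 8\n", $1, length($1); bad = 1 }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# --- demonstration on constructed data -------------------------------------
work=${TMPDIR:-/tmp}/dce_demo.$$
mkdir -p "$work"

# Constructed registry export: hidden passwords are enforced, so every
# password field is "*".
cat > "$work/registry" <<'EOF'
alice:*:201:20:Alice Example:/home/alice:/bin/sh
bob:*:202:20:Bob Example:/home/bob:/bin/sh
contractor01:*:203:20:Long Name:/home/contractor01:/bin/sh
EOF

# Constructed passwd_override: bob must not be able to log in locally.
cat > "$work/override" <<'EOF'
bob:OMIT:::::
EOF

export_passwd "$work/registry" "$work/override" > "$work/passwd"
echo "--- exported entries ---"; cat "$work/passwd"
echo "--- fallback audit ---"
audit_fallback "$work/passwd" || echo "UNIX backup would not work for the entries above"
rm -rf "$work"
```

Run it against a real export by pointing export_passwd at the registry dump and passwd_override, and audit_fallback at /etc/passwd; a non-zero status from the audit means the UNIX backend would reject at least one account if secd were down.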