Planning and Configuring HP-UX DCE 1.9
Chapter 7
HP-UX Integrated Login
Integrating DCE with HP-UX Integrated Login
Unconfiguring DCE from HP-UX Integrated Login
To unconfigure DCE without deactivating HP-UX Integrated Login, perform the steps in the section
"Activating HP-UX Integrated Login", and specify a different authentication policy. To unconfigure DCE and
deactivate HP-UX Integrated Login, follow the steps in the section "Deactivating HP-UX Integrated Login."
Notes, Cautions, and Warnings About Using HP-UX Integrated Login with DCE
• After configuring HP-UX Integrated Login with DCE as the login technology, do not activate HP
Commercial Security. For Integrated Login support of Commercial Security and how to configure it, see
“Notes, Cautions, and Warnings” on page 83.
• In previous releases, when ilogin was activated with DCE as the primary authentication technology, the
chsh and chfn commands transparently changed the shell and finger information in the DCE registry.
At 11.0, the chsh and chfn utilities are no longer transparently integrated with ilogin. chsh -r dce
and chfn -r dce must be used for this purpose. Alternatively, one can also use the passwd -r dce -e
and passwd -r dce -g commands. For further information, refer to the manpages for chsh, chfn, or
passwd.
• If the passwd_export cron job has been set up and DCE becomes unavailable, the cron job will fail and
generate an e-mail error message. To stop these error messages, remove the cron job by unconfiguring
DCE from HP-UX Integrated Login after you stop or remove DCE.
• If you have set up a passwd_export cron job to update /etc/passwd with DCE Registry data, any
changes you make to /etc/passwd will be lost when the cron job updates /etc/passwd.
• When DCE is unavailable and HP-UX Integrated Login is configured to fall back to /etc/passwd, if
/etc/passwd has been updated with information from the DCE Security Registry, and the first 8
characters of the password a user enters at login match the first 8 characters of that user's DCE
password, then the login will succeed even though the password entered may not be identical to the DCE
password. The user will not, however, have DCE credentials.
• If you are logged in to DCE from a foreign cell, note that you cannot use the passwd command to change
your password.
• The HP-UX Integrated Login utilities may not work when the system disk is full or disk quotas are
exceeded. DCE requires disk space for the creation of temporary files.
• DCE credentials are not automatically removed when the user logs out. The administrator can set up a
cron job to remove credentials when users log out as described in “Removing DCE Credentials” on
page 13.
• CDE requires that users have permission to write to their home directories. By default, dcecp and the
Account Manager set a user's home directory to "/". To enable users other than root to write to their home
directories, change the default home directory ("/") to a home directory that the user can write to, such as
/users/foo. Failure to take this action could prevent users from accessing the system.
• Principals with a passwd_override entry (for example, root) cannot use the passwd command to change
passwords in the passwd_override file. Instead, change the password in two steps. First, use the passwd -r files
command to change the password in the /etc/passwd file. Then, as root, cut and paste the appropriate
password entry from /etc/passwd into passwd_override.
• By default, the HP-UX DCE 1.9 Security Server disables logins for principals whose passwords have
expired, and intervention by cell_admin is required before the principal can log in. If you want to allow a
principal to log in with an expired password, attach an instance of the passwd_override ERA to that
principal. See the OSF DCE Administration Guide-Core Components and the WARNPWDEXP and
FORCEPWDCHANGE parameters in the section "Activating HP-UX Integrated Login" earlier in this
chapter for information on how to manage password expiration.
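
A read-only audit for two of the conditions listed above, the default "/" home directory and /etc/passwd entries exposed to the 8-character comparison, as an added example that is not part of the HP documentation. The function names, output tags and sample entries are hypothetical, and treating the 13-character traditional crypt(3) form as the hash format behind the 8-character behavior is an assumption.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for two conditions from the notes.
# Usage: audit_passwd FILE   (FILE defaults to /etc/passwd; "-" reads stdin)
audit_passwd() {
    awk -F: '
        /^#/ || NF < 7 { next }        # skip comments and malformed lines
        {
            # System V password aging data may follow the hash after a comma.
            split($2, pw, ",")
            # Assumption: a 13-character string from the crypt alphabet is a
            # traditional crypt(3) hash, which uses only the first 8
            # characters of the password.
            if (length(pw[1]) == 13 && pw[1] ~ "^[./0-9A-Za-z]+$")
                print $1 ": CRYPT8"
            # Non-root account left with the default "/" home directory,
            # which it cannot write to.
            if ($3 != 0 && $6 == "/")
                print $1 ": HOME_ROOT"
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample data (not real accounts, not real hashes).
sample_passwd() {
    cat <<'EOF'
root:*:0:3::/:/sbin/sh
alice:abJnggxhB/yWI:101:20:Alice:/:/usr/bin/ksh
bob:xy0123456789a,M.z8:102:20:Bob:/users/bob:/usr/bin/ksh
carol:*:103:20:Carol:/users/carol:/usr/bin/ksh
EOF
}

# Demonstration on the constructed sample.
sample_passwd | audit_passwd -
```

Accounts tagged CRYPT8 are the ones for which the fallback to /etc/passwd accepts any password sharing the first 8 characters; accounts tagged HOME_ROOT need a writable home directory before they can use CDE.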