HP-UX Integrated Login

Integrating DCE with HP-UX Integrated Login

restrictions, and semantics. Also, be aware that configuring the UNIX backend as a backup technology can cause the following known problems:

If the DCE registry enforces hidden passwords (which it does by default), an asterisk (*) is placed in /etc/passwd for all entries, and the UNIX backup will be unable to process any password. With UNIX configured as the fallback login technology, authentication of the user will therefore fail, and attempts to change a password will cause confusion. Do not configure UNIX as the backup technology unless you plan not to enforce hidden passwords.

The UNIX backend will fail for any username longer than eight characters, which is the maximum length for a UNIX username. Specifically, this means that:

If the primary login technology fails (for example, if secd is down) the UNIX backup technology will deny system access to users with long usernames.

If secd is down, the UNIX backup technology will not allow users to use the su command to access accounts that have long usernames.

If secd is running and the user enters the passwd command to change the password for an account with a long username, the UNIX backup technology will not process the password change. Specifically, the following messages are displayed:

Password successfully changed in DCE registry

Invalid login name.

The first line of the output indicates that the password has been changed in DCE. The second line indicates that the password information in /etc/passwd is unchanged because of the UNIX restriction on long usernames.

If secd is running, DCE will deny access to the machine to any users with long usernames whose accounts are set to pwdvalid no, or who use the force_pwd_expiry <n> feature and whose passwords will expire within n days.

DCE allows cell_admin to change the password of any other principal. However, UNIX does not allow this behavior. Therefore, if a user logs in as cell_admin and tries to change another user’s password, the following message will display:

Planning and Configuring HP DCE 1.7
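
As an added example (not part of the HP manual), the following check flags the two account conditions described above that defeat a UNIX backup: an asterisk in the password field and a username longer than eight characters. The function names, finding codes and sample entries are constructed for illustration; on a real system, pass /etc/passwd instead of the sample file.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts that the UNIX
# backup technology could not serve. One finding per output line:
#   HIDDEN_PW <user>  password field is "*" (hidden passwords enforced)
#   LONG_NAME <user>  username exceeds the eight-character UNIX limit
#   MALFORMED <line>  entry does not have the seven passwd fields

audit_passwd() {
    # $1: path to a colon-separated passwd-format file
    awk -F: '
        /^#/ || NF == 0 { next }                  # skip comments and blank lines
        NF < 7          { print "MALFORMED " NR; next }
        $2 == "*"       { print "HIDDEN_PW " $1 } # nothing for UNIX to verify
        length($1) > 8  { print "LONG_NAME " $1 } # UNIX backend rejects the name
    ' "$1"
}

fallback_is_safe() {
    # Succeeds only when no entry would break under the UNIX backup.
    [ -z "$(audit_passwd "$1")" ]
}

# Constructed sample data (not from a real system). "localadm" is exactly
# eight characters and has a placeholder hash, so it must not be flagged.
sample="${TMPDIR:-/tmp}/passwd.sample.$$"
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:*:0:3::/:/sbin/sh
jsmith:*:201:20:J Smith:/home/jsmith:/usr/bin/sh
alexandra_k:*:202:20:A K:/home/alexandra_k:/usr/bin/sh
localadm:PLACEHOLDERHASH:203:20::/home/localadm:/usr/bin/sh
EOF

audit_passwd "$sample"
if fallback_is_safe "$sample"; then
    echo "UNIX backup can serve every listed account"
else
    echo "UNIX backup would fail for the accounts listed above"
fi
```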