Enhanced Security and NIS

From: Nigel Gall <nigelg_at_ppsl.com>
Date: Thu, 29 Oct 1998 17:45:01 -0400

Hi!

I just recently configured a new AS 4100 5/533 running DU 4.0D. I
attached it to my network and configured it as an NIS slave to my
current production server (which it is due to replace in December).

I ran secsetup to convert the system from BASE to ENHANCED after
configuring the networking, BIND, NIS and NFS. I chose Yes to create
the extended profiles for NIS users, and it did so successfully (or so
it seemed). I was able to login as an NIS user; the passwords were
pre-expired of course, so I simply changed the password as the system
prompted.

Eventually, the database software and applications were installed and the
system was ready for in-house testing. One of the first users to log in
was not able to with any of his old passwords. Let's call his userid
gman. He called me and said that his account was locked. So I ran the
graphical utility (dxaccounts?) and under the NIS view, I saw his
account was indeed locked. I removed the tick from the Account locked
field and clicked the OK button. I got two error popups: one saying Bad
address, the other descriptively stating that my user was most likely
present in /etc/passwd but not in the protected password database
produced when you're running Enhanced security. It suggested I use
authck and convuser to rectify the situation.

I ran authck and realized that there were a number of users who were not
converted; however, gman was not among them. I looked at the utilities
in /tcb/bin and read their manpages to see if they could help me. I
eventually ran edauth -g -d p to view the contents of the auth.db or
protected password database (remember I'm an NIS slave, so the users are
not defined in /var/yp/src/passwd nor in /etc/passwd; hence they are not
present in the ASCII files in /tcb/files/auth/[a..z]/*; only in the
/tcb/files/auth.db protected password database). Lo and behold, gman
was not present (among others). So my first question is what
circumstances would lead to the secsetup script being selective in
creating extended profiles for NIS users?

Now, to solve gman's problem, I went about looking for a way to get the
system to re-create the extended profile for gman. None of the
utilities, convuser or edauth, seem to be able to do this. I would
rather NOT re-run secsetup to do this. To work around this
temporarily, I had to create user gman, using the useradd utility. It
initially failed saying that the UID already exists (it does in NIS but
not /etc/passwd). So I used the option -o to force duplicates. So now
I have a local user rcc; but his profile still does NOT exist in edauth.
My second question is, why?

My goal is to have simple management of user accounts on my UNIX servers
(which at best may number 2, worst 4) and minimize the effort in
password management for my users who are only interested in getting
their work done (not changing passwords on a few UNIX and NT servers
every time a password expires). I also wish to have my servers run the
Enhanced security level, so that I can get the features like expiration
of passwords, etc. I've been made to understand that NIS and C2
security are really opposite sides on the table of good security
measures, since NIS introduces a hole in your network security, as it
were. My third question is, how do I achieve my goal without doing what
is currently being done on my production server, which is to have the
users defined in BOTH /var/yp/src/passwd and in /etc/passwd, and then
write a script to call the passwd and yppasswd commands one after the
next?

Thanks for your help!

Best regards,

Edmund Nigel Gall
Information Systems Specialist
Process Plant Services Limited
Atlantic Avenue, Point Lisas Industrial Estate
Point Lisas, Couva, Trinidad & Tobago, W.I.
Tel: (868) 636 3153 Fax: (868) 636 3770
Received on Thu Oct 29 1998 - 21:47:37 NZDT
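The check the poster did by hand (comparing the NIS passwd map against the edauth -g -d p dump to find which NIS users never got an extended profile) can be scripted. The script below is an added example and is not part of the original message or of the Tru64 tools it mentions. It assumes the two inputs are `ypcat passwd` and `edauth -g -d p`, that the edauth dump prints one prpasswd(4)-style entry per user beginning `user:u_name=user:` (possibly split over backslash-continued lines), and that a bare `u_lock` field (as opposed to `u_lock@`) marks an administratively locked account; those format details are assumptions, not something the post confirms. The sample inputs are constructed so the script runs offline; the user names in them are made up.

```sh
# Added example (not from the original post): cross-check the NIS passwd map
# against the Enhanced Security protected password database and report
# NIS users that have no extended profile, plus those whose profile is locked.
#
# On a live Tru64 4.0D NIS slave the inputs would come from
#     ypcat passwd        # NIS passwd map
#     edauth -g -d p      # dump of /tcb/files/auth.db
# Assumed (not verifiable from the post): edauth -g prints one prpasswd(4)
# entry per user, first field = login name, and a bare "u_lock" field means
# the account is locked while "u_lock@" means it is not.

# audit_profiles NIS_FILE AUTH_FILE
# Prints "<user> missing" for NIS logins absent from the auth dump and
# "<user> locked" for logins whose profile carries u_lock; unlocked,
# present accounts print nothing.
audit_profiles() {
    awk -F: '
        # Join backslash-continued lines (prpasswd entries are often wrapped).
        /\\$/ { buf = buf substr($0, 1, length($0) - 1); next }
        { $0 = buf $0; buf = "" }
        $1 == "" || $1 ~ /^[+-]/ { next }          # skip blanks and NIS +/- entries
        src == "auth" {
            have[$1] = 1
            for (i = 2; i <= NF; i++) if ($i == "u_lock") locked[$1] = 1
            next
        }
        seen[$1]++ { next }                        # report each NIS login once
        !($1 in have)  { print $1, "missing"; next }
        ($1 in locked) { print $1, "locked" }
    ' src=auth "$2" src=nis "$1"
}

# Constructed sample inputs standing in for ypcat passwd and edauth -g -d p.
sample_nis=$(mktemp); sample_auth=$(mktemp)
cat > "$sample_nis" <<'EOF'
gman:x:1001:100:G Man:/home/gman:/bin/ksh
jdoe:x:1002:100:J Doe:/home/jdoe:/bin/ksh
asmith:x:1003:100:A Smith:/home/asmith:/bin/csh
+::0:0:::
EOF
cat > "$sample_auth" <<'EOF'
root:u_name=root:u_id#0:u_pwd=*:u_lock@:chkent:
jdoe:u_name=jdoe:u_id#1002:u_pwd=*:u_succhg#909705000:u_lock@:chkent:
asmith:u_name=asmith:u_id#1003:u_pwd=*:\
	:u_lock:chkent:
EOF

audit_profiles "$sample_nis" "$sample_auth"
# gman missing
# asmith locked
rm -f "$sample_nis" "$sample_auth"
```

On the real system, replace the two heredocs with `ypcat passwd > nis.txt` and `edauth -g -d p > auth.txt` and run `audit_profiles nis.txt auth.txt`; the "missing" list is the set of NIS users secsetup skipped, and a user reported as "locked" is one dxaccounts could actually unlock.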

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:38 NZDT