Hello,

I'm trying to summarize all problems I know about with dxaccounts. These
are present in DU 4.0D, but most probably are also in previous versions.
If problems reported here are bugs, I can't report them to DEC (because we
don't pay for software support - DEC Campus is not of help in this case).
Would someone report this as his own problem to make things change for all
of us? In such case I'd like to hear from you. I'd have a few more reports.
;-)

1. Lock icon appears only if in /etc/passwd is :*Nologin: entry

The nice GUI shows the lock icon only beside accounts which have
:*Nologin: in the password field in /etc/passwd. If there's just :*: or
:Nologin*: then there's _not_ the lock icon by the account name.
One has to View the account by double-click (Create/Modify local user
window), and then he can see that the account is _really_ locked (in this
case the protected database is most probably checked).
But again dxaccounts searches the protected database for the string `*Nologin'.
IF USER HAS, I DON'T KNOW WHY

    kugy:u_name=kugy:u_id#657:u_pwd=*:u_succhg#0:\
    :u_oldcrypt#2:u_lock_at_:chkent:

HE'S NOT FOUND TO BE LOCKED BY _NEITHER_ method mentioned above!
I hope 'authck -a -v' should report that there's something wrong with this
account (it doesn't).

2. :u_numunsuclog#number: and :u_lock_at_: mismatch

And more fun. Our system is configured to lock accounts after 5
UNsuccessful login attempts. If the user profile in the protected database
gets into this state, when the number of unsuccessful login attempts
is larger than those 5, the account is locked.
When the account gets locked after exceeding the limit, there's still
the :u_lock_at_: entry present in the protected database for this user, so the
locked state reported by /bin/login, XSysAdmin and dxaccounts is
the :u_numunsuclog#number: entry exceeding the default number of _allowed_
unsuccessful attempts.
But then the `authck -a -v` command should complain in this state that if
:u_numunsuclog#number: is larger than the allowed limit, then
it should issue a warning that the :u_lock_at_: entry is NOT appropriate in this
case. This case is here:

    kugy:u_name=kugy:u_id#657:u_pwd=*:u_succhg#0:\
    :u_oldcrypt#2:u_numunsuclog#30:u_lock_at_:chkent:

There should be a :u_lock: entry instead.
-------
I think, if the system runs ENHANCED security, then dxaccounts should CHANGE
their behavior and check if an account is locked ONLY in the protected
database, not bother with what is in /etc/passwd. It should search for any
all of these

    :u_pwd=*:
    :u_pwd=*Nologin:
    :u_lock:
    :u_numunsuclog#number: ;where the number is larger than allowed limit

and report such an account as locked.

I think, if SECURITY=BASE, then dxaccounts should search /etc/passwd in
the password field _JUST_ for the appearance of the '*' sign. When people have
different authentication methods as we do have (kerberos), we have in
almost _all_ accounts settings in passwd like this:

    username:*:UID:......

What do you think about that? Am I right or not?

Martin
-------------------------------------------------------------------------
| Martin MOKREJS - Net&SysAdmin |
| PGP 5.0i key at: finger://mail.natur.cuni.cz/mmokrejs |
| mmokrejs_at_natur.cuni.cz Faculty of Science, The Charles University |
| tel.: +420-2-2195 2315 Albertov 6, PRAGUE 2, 128 43, Czech Republic |
-------------------------------------------------------------------------
Received on Wed Mar 18 1998 - 22:33:03 NZST
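
The lock checks proposed in this message, run over the two entries it quotes. This is an added example, not part of the original post and not DEC code. The function names are hypothetical, and it assumes that a trailing `@` on a boolean field means "explicitly false" and that the archive printed that `@` as `_at_`.

```python
import re
MAX_TRIES = 5  # the site's limit of unsuccessful logins, as stated in the post

def parse_entry(text):
    """Parse one protected-database entry into {field: value}.
    name=value -> str, name#n -> int, bare name -> True.
    Assumption: a trailing '@' marks a boolean as explicitly false, and the
    list archive printed that '@' as '_at_', so both spellings are accepted.
    """
    joined = re.sub(r"\\\s*\n\s*", "", text.strip())  # undo '\' continuations
    fields = {}
    for item in [f for f in joined.split(":") if f][1:]:  # [0] is the entry name
        if "=" in item:
            name, value = item.split("=", 1)
            fields[name] = value
        elif "#" in item:
            name, value = item.split("#", 1)
            fields[name] = int(value)
        elif item.endswith(("@", "_at_")):
            fields[re.sub(r"(@|_at_)$", "", item)] = False
        else:
            fields[item] = True
    return fields

def lock_reasons(fields, max_tries=MAX_TRIES):
    """Every condition from the post's list that marks this account as locked."""
    reasons = []
    if fields.get("u_pwd") in ("*", "*Nologin"):
        reasons.append("u_pwd=" + fields["u_pwd"])
    if fields.get("u_lock") is True:
        reasons.append("u_lock")
    if fields.get("u_numunsuclog", 0) > max_tries:
        reasons.append("u_numunsuclog>%d" % max_tries)
    return reasons

def mismatch(fields, max_tries=MAX_TRIES):
    """Item 2: failure counter over the limit while the lock flag is false."""
    return fields.get("u_numunsuclog", 0) > max_tries and fields.get("u_lock") is False

def base_locked(passwd_line):
    """SECURITY=BASE rule from the post: any '*' in the passwd password field."""
    return "*" in passwd_line.split(":")[1]

# The two entries quoted in the post, verbatim.
ENTRY_1 = "kugy:u_name=kugy:u_id#657:u_pwd=*:u_succhg#0:\\\n:u_oldcrypt#2:u_lock_at_:chkent:"
ENTRY_2 = "kugy:u_name=kugy:u_id#657:u_pwd=*:u_succhg#0:\\\n:u_oldcrypt#2:u_numunsuclog#30:u_lock_at_:chkent:"
for label, entry in (("item 1", ENTRY_1), ("item 2", ENTRY_2)):
    f = parse_entry(entry)
    print(label, lock_reasons(f), "mismatch" if mismatch(f) else "consistent")
```

Under the proposed rules both entries count as locked, and only the second is flagged for the counter and lock flag disagreeing.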