On AIX 4.3.3: User password expiry does not work for NISPLUS users.

Post by gbe.. » Thu, 06 Jul 2000 04:00:00



We have set up an AIX 4.3.3 box as a NIS+ server and want to hang a
number of AIX 4.3.3 NIS+ clients from it.  Authentication is working via
NISPLUS.

Login of NIS+ users on both clients and servers does not recognise the
password expiry fields in the NIS+ passwd.org_dir table.  This is true
for all methods of login, including dtlogin, telnet, rlogin, login and
ftp.

NIS+ user authentication itself is functioning correctly and the
"nisdefaults" correctly shows that valid principal credentials have been
authenticated.

The /etc/security/user file's default stanza contains:
        SYSTEM="NISPLUS"
        registry=NISPLUS

The /usr/lib/security/methods.cfg contains the bos.net.nisplus provided
entry "NISPLUS".

Running "dtlogin -debug 3" shows that the system call "passwdexpired()"
returns return code 0, indicating that the password has NOT expired when
the following user shadow entry contains:
        "11000:0:30:6:-1:-1:0"

The passwd lastchg field of 11000 is much older than the specified
MAXAGE of 30 days and as such should be expiring the password.

Testing has shown that the MINAGE field of the shadow column is also
being ignored.

However the Account Expire Date field in passwd.org_dir is being
honoured correctly!

We have a specific requirement for NIS+ account password expiry.

AIX oslevel = 4.3.3.0
bos.net.nisplus = 4.3.3.10

The latest AIX update CD (04/2000) has been applied.  The workaround for
IY11461 re the /etc/security/user registry=NISPLUS has been implemented,
see above.

Can anybody please shed some light on this, perhaps explain why this is
happening? - am I doing something wrong etc?

Regards,
   G.L. Bevan.

Post by Juli » Thu, 06 Jul 2000 04:00:00



> We have set up an AIX 4.3.3 box as a NIS+ server and want to hang a
> number of AIX 4.3.3 NIS+ clients from it.  Authentication is working via
> NISPLUS.

> Login of NIS+ users on both clients and servers does not recognise the
> password expiry fields in the NIS+ passwd.org_dir table.  This is true
> for all methods of login, including dtlogin, telnet, rlogin, login and
> ftp.

> NIS+ user authentication itself is functioning correctly and the
> "nisdefaults" correctly shows that valid principal credentials have been
> authenticated.

It's a bug in the NISPLUS module.  Ring up your IBM support folks
and report it.

-- Julie.

 
 
 

Post by gbe.. » Fri, 07 Jul 2000 04:00:00


Thanks for that Julie,
   We are in the process of reporting it.

   I have a home-written workaround which implements password ageing for
dtlogin, telnet, rlogin (not rsh or rexec) and login.  It mimics pretty
much exactly what I expect should happen if the NISPLUS module was
working correctly.  I'll pursue the real fix though...

Regards,
   G.L. Bevan.






> > We have set up an AIX 4.3.3 box as a NIS+ server and want to hang a
> > number of AIX 4.3.3 NIS+ clients from it.  Authentication is working
> > via NISPLUS.

> > Login of NIS+ users on both clients and servers does not recognise
> > the password expiry fields in the NIS+ passwd.org_dir table.  This is
> > true for all methods of login, including dtlogin, telnet, rlogin, login
> > and ftp.

> > NIS+ user authentication itself is functioning correctly and the
> > "nisdefaults" correctly shows that valid principal credentials have
> > been authenticated.

> It's a bug in the NISPLUS module.  Ring up your IBM support folks
> and report it.

> -- Julie.

Post by Juli » Fri, 07 Jul 2000 04:00:00



> Thanks for that Julie,
>    We are in the process of reporting it.

>    I have a home-written workaround which implements password ageing for
> dtlogin, telnet, rlogin (not rsh or rexec) and login.  It mimics pretty
> much exactly what I expect should happen if the NISPLUS module was
> working correctly.  I'll pursue the real fix though...

One of the things you can do, assuming you want to write some code,
is write your own authentication only module and add it to the SYSTEM
grammar for that user.

That way you can extend the set of authentication rules to include
anything not actually implemented by the module.  For example, old
style NIS which doesn't use the password aging field in the password
entry that comes over the wire from the NIS server.

-- Julie.
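
The aging check that the shadow entry quoted in the first post should have triggered, and that a workaround or add-on authentication module of the kind discussed above would have to perform, as an added example that is not code from any post in this thread. It assumes Solaris-style shadow semantics (days since 1970-01-01, -1 or empty meaning unset, lastchg 0 forcing a change); the function names and the day number used for the post date are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Shadow column fields, in the order of the entry quoted in the first post. */
struct aging { long lastchg, min, max, warn, inactive, expire, flag; };
enum pw_state { PW_OK, PW_WARN, PW_EXPIRED, PW_FORCED, PW_BAD_ENTRY };

/* Parse "lastchg:min:max:warn:inactive:expire:flag"; an empty field becomes -1 (unset). */
static int parse_aging(const char *s, struct aging *a)
{
    long *f[7] = { &a->lastchg, &a->min, &a->max, &a->warn, &a->inactive, &a->expire, &a->flag };
    for (int i = 0; i < 7; i++) {
        char *end;
        long v = strtol(s, &end, 10);
        *f[i] = (end == s) ? -1 : v;
        if (i < 6) { if (*end != ':') return -1; s = end + 1; }
        else if (*end != '\0') return -1;
    }
    return 0;
}

/* Password state on day `today` (days since 1970-01-01). */
static enum pw_state password_state(const char *entry, long today)
{
    struct aging a;
    if (parse_aging(entry, &a) != 0) return PW_BAD_ENTRY;
    if (a.lastchg == 0) return PW_FORCED;           /* assumed convention: change at next login */
    if (a.lastchg < 0 || a.max < 0) return PW_OK;   /* MAXAGE aging not configured */
    long expires_on = a.lastchg + a.max;            /* last day the password is still valid */
    if (today > expires_on) return PW_EXPIRED;
    if (a.warn > 0 && today >= expires_on - a.warn) return PW_WARN;
    return PW_OK;
}

/* MINAGE check: 1 if the user may change the password on day `today`. */
static int change_allowed(const char *entry, long today)
{
    struct aging a;
    if (parse_aging(entry, &a) != 0) return 0;
    return a.min <= 0 || a.lastchg < 0 || today >= a.lastchg + a.min;
}

int main(void)
{
    const char *entry = "11000:0:30:6:-1:-1:0";  /* entry quoted in the first post */
    long today = 11144;                          /* constructed: 6 Jul 2000 as a day count */
    printf("state=%d change_allowed=%d\n", password_state(entry, today), change_allowed(entry, today));
    return 0;
}
```

With the posted entry, lastchg 11000 plus MAXAGE 30 gives day 11030, so on the day of the post the check reports the password as expired.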

 
 
 
