bonnetf@apo.esiee.fr (bonnet-franck) (05/27/91)
Hi,

Has somebody used the /etc/rgy/passwd_override file ?

I've read the book named "Administering the Domain/OS Registry".
I've done EVERYTHING that is written in that book.
NOTHING works ... I didn't find the /etc/rgy/passwd_refresh command !!!

This sounds like the book is earlier than our OS (10.3) !

If somebody could explain to me how it works this would be OK !
Thanks in advance.

-------------------------------------------------------------------------------
| bonnetf@apo.esiee.fr                     |                                  |
| Frank Bonnet                             | Surfing ...                      |
| E.S.I.E.E                                |                                  |
| BP99 93162 Noisy le Grand cedex.FRANCE.  | the rest is details !            |
| Fax : 33 1 45 92 66 99                   |                                  |
-------------------------------------------------------------------------------

dbfunk@ICAEN.UIOWA.EDU (David B Funk) (05/31/91)
In posting <9105271613.AA02348@apo.esiee.fr>, bonnetf@apo.esiee.fr (bonnet-franck) writes:

> Has somebody used the /etc/rgy/passwd_override file ?
>
> I've read the book named "Administering the Domain/OS Registry".
> I've done EVERYTHING that is written in that book.
> NOTHING works ... I didn't find the /etc/rgy/passwd_refresh command !!!
>
> This sounds like the book is earlier than our OS (10.3) !
>
> If somebody could explain to me how it works this would be OK !
> Thanks in advance.

The passwd_override file was introduced at sr10.2 and it continues to work at sr10.3 (we use it all over the place). Here are a couple of quick examples that may be helpful:

    $ catf /etc/rgy/passwd_override
    ftp:::::/bbs/files:
    %.staff.%::::::/bin/sh
    %.%.civil:*:::::
    %.student.%::::::/etc/logout

The first entry "ftp:::::/bbs/files:" overrides the system definition of the home directory for the account "ftp" for this machine. This lets us have a particular directory for the anonymous ftp account on this node.

The second entry "%.staff.%::::::/bin/sh" will cause all members of the group "staff" to have a Bourne shell as their default shell when they log in to this node.

The third entry "%.%.civil:*:::::" will prevent all members of the organization "civil" from logging into this node. This is because their encrypted password would have to match the string "*" for them to log in. As the encryption routine always produces 13 character strings, this will never match, so it is effectively a total password lock-out for this organization.

The fourth entry "%.student.%::::::/etc/logout" will cause all members of the group "student" to run the program "/etc/logout" whenever they log in on this node. This is a locally developed program that gives them a message that tells them they aren't allowed to use this node and then terminates, effectively logging them out (well it's a little more involved than that because of the DM, but you get the idea).

The tool "passwd_refresh" is only needed with the HP/Apollo product Passwd Etc. This is not needed for Domain systems; its functionality is automatically provided by the typed object file system. Thus it is not even included with Domain/OS systems.

My bet is that your problem is being caused by the setting of your registry properties. If you read section 4.2.2 of the manual "Administering the Domain/OS Registry" you will see a short cryptic reference to this. What this means is, you must tell your rgyd system to enable usage of the override files. The default setting for this is "off", i.e. ignore them.

Log in as "root", fire up "/etc/edrgy", and give it the "prop" command. You will probably see something like:

    root_$ edrgy
    edrgy=> prop
    Registry Properties:
        Registry Owner: root.%.%
        Person Owner: root.%.%
        Group Owner: root.%.%
        Org Owner: root.%.%
        UNIX restrictions: are NOT enforced, are NOT met
        Registry is NOT read-only
    Registry Policy:
        Account lifespan: forever
        Password min len: 0
        Password lifespan: forever
        Passwords expire: N/A
        Passwords MAY be all spaces, MAY be all alphanumeric.
    Override Policy For "domain" Machines:
        Password exclusion is NOT allowed
        Root passwords may NOT be overridden
        Non-root passwords may NOT be overridden
        Non-password data may NOT be overridden
    Override Policy For "non_domain" Machines:
        Password exclusion is ALLOWED
        Root passwords MAY be overridden
        Non-root passwords MAY be overridden
        Non-password data MAY be overridden
    Do you wish to make changes [y/n]? (n)

The problem is that the 'Override Policy For "domain" Machines:' entries are all set to "NOT".
You need to make changes so that it looks like:

    Override Policy For "domain" Machines:
        Password exclusion is ALLOWED
        Root passwords MAY be overridden
        Non-root passwords MAY be overridden
        Non-password data MAY be overridden
    Override Policy For "non_domain" Machines:
        Password exclusion is NOT allowed
        Root passwords may NOT be overridden
        Non-root passwords may NOT be overridden
        Non-password data may NOT be overridden

Then everything should work as expected.

One last note, in FCS sr10.2 there was a bug in /lib/rgylib so that telnetd logins ignored the override file. There is a patch "90/02 Patch m0111 /lib/rgylib" that fixed this.

Hope this helps.

Dave Funk
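
[Added example, not part of either post and not Apollo code: a small audit script for a passwd_override file like the one quoted above. It reports which fields each entry overrides, flags password lock-outs, and lists the entries that apply to a given person.group.org account. It generalises the "*" case to any password override that is not 13 characters. Assumptions: the seven fields follow the passwd(5) layout, a bare name such as "ftp" matches the person part only, and the function names are illustrative.]

```python
# Added example: audit a passwd_override file like the one quoted in the thread.
# Assumption: the seven colon-separated fields follow the passwd(5) layout;
# the thread itself only demonstrates the passwd, home and shell positions.
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
CRYPT_LEN = 13  # per the post: the encryption routine always yields 13 characters

# The four entries from the post, embedded so the example runs offline.
SAMPLE = """\
ftp:::::/bbs/files:
%.staff.%::::::/bin/sh
%.%.civil:*:::::
%.student.%::::::/etc/logout
"""

def parse_override(text):
    """Return one dict per entry, keeping the name and the overridden fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = {k: v for k, v in zip(FIELDS, parts) if v or k == "name"}
        # A password override that is not 13 characters can never equal a hash,
        # so the entry locks out every account it matches.
        pw = entry.get("passwd")
        entry["lockout"] = pw is not None and len(pw) != CRYPT_LEN
        entries.append(entry)
    return entries

def matches(pattern, account):
    """Match 'person.group.org' against a pattern where '%' is a wildcard.
    A bare name such as 'ftp' is padded to 'ftp.%.%' (assumption)."""
    pat = pattern.split(".")
    pat += ["%"] * (3 - len(pat))
    acct = account.split(".")
    if len(pat) != 3 or len(acct) != 3:
        return False
    return all(p in ("%", a) for p, a in zip(pat, acct))

def effective_overrides(entries, account):
    """List every entry that applies to the account. Precedence between
    overlapping entries is not described in the thread, so none is assumed."""
    return [e for e in entries if matches(e["name"], account)]

if __name__ == "__main__":
    for e in effective_overrides(parse_override(SAMPLE), "jdoe.student.civil"):
        print(e)
```
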