Operating System - HP-UX

Sam "password aging" and Trusted default password aging setting

frank jordan_1
Advisor


Hello,
My question is why, when creating a new user account through SAM on a trusted system, the /tcb/files/auth/system/default settings are not applied to the newly created user. The user values are all "-1"; see below:
upwchg=-1, acctexp=-1, llog=-1, expwarn=-1,
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: Sam "password aging" and Trusted default password aging setting

Because you are reading something into the values that is not there. When the users' personal values are left undefined then the system default values are used. If you look at the underlying getprpwent() - see the man page -- you will find that the user's values and the system-wide value are retrieved for each user and there are flags to indicate whether the user's value or the system-wide value is in use for any given field. Man modprpw and look under the -m option.
If it ain't broke, I can fix that.
Steven E. Protter
Exalted Contributor

Re: Sam "password aging" and Trusted default password aging setting

Shalom,

Okay, you are using sam to create users. I don't agree with the approach, but it is your system.

Default settings are right in the same section of sam.

You set them to what you want in the gui.

Right now the settings you display show no expiration warning, pretty much no optional settings.

Password aging was set by default on my 11.11 systems in the US to 90 days.

This you control however with the global or systems setting on sam.

You can set defaults and password complexity in the /etc/defaults/security section of your system.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
frank jordan_1
Advisor

Re: Sam "password aging" and Trusted default password aging setting

The Sam values are the same as the Trusted system values. What I do not understand is why, when listing the user login values by (getprpw "username"), the values listed are not the same as the Trusted system values and/or the SAM values. Also, the Trusted or Sam system default values are not enforced by the system. Example: the expwarn default value is (5 days) and there are no advance warnings of password expiration. The only operation to apply the values is in the SAM menu "Modify Security Policies", changing the "password aging policy" from "Default (enable)" to "enable". Only then are the values listed for the user.

Thanks
Darren Prior
Honored Contributor

Re: Sam "password aging" and Trusted default password aging setting

Hi Frank,

getprpw is a command designed for use within SAM - it's only relatively recently that it has been documented for public use. The values that it returns are the user's values, so SAM would also check for the system defaults and determine if they should also be applied.

If you edit the Security Policies within SAM for a particular user you are overriding the default, hence it will appear in the user's tcb file which is what getprpw is reading.

How are you testing the expwarn settings?

regards,

Darren.
Calm down. It's only ones and zeros...
IT Response
Esteemed Contributor

Re: Sam "password aging" and Trusted default password aging setting

Same issue: SAM is not inheriting the u_life and expiration for password from the default file.
Running 11.23.
Example:
/usr/lbin/getprpw sancho
uid=109, bootpw=NO, audid=35, audflg=1, mintm=-1, maxpwln=-1, exptm=-1, lftm=-1, spwchg=-1, upwchg=-1, acctexp=-1, llog=-1, expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Fri Apr 20 12:04:09 2007, ulogint=-1, sloginy=-1, culogin=-1, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0000001

although the default file is:
more /tcb/files/auth/system/default
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#15724800:u_life#16934400:\
:u_pw_expire_warning#604800:u_pswduser=root:u_pickpw:u_genpwd:\
:u_restrict@:u_nullpw@:u_genchars@:u_genletters:\
:u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:


And that is creating the account using useradd, not SAM.
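
Added example, not part of the thread and not HP code: a small Python sketch of the fallback described in the accepted answer, where a per-user value of -1 means the field is unset and the entry in /tcb/files/auth/system/default applies. The sample input is constructed from the output quoted above; the getprpw-to-default field mapping and the seconds-to-days conversion are assumptions to check against the getprpw(1M) and prpwd(4) man pages.

```python
import re

# Constructed sample input, shortened from the getprpw output and default file quoted above.
GETPRPW = ("uid=109, bootpw=NO, mintm=-1, maxpwln=-1, exptm=-1, lftm=-1, "
           "acctexp=-1, expwarn=-1, umaxlntr=-1, alock=NO")
DEFAULT = r"""default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_minchg#0:u_maxlen#8:u_exp#15724800:u_life#16934400:\
:u_pw_expire_warning#604800:u_pswduser=root:u_pickpw:u_genpwd:\
:u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
:chkent:
"""
# ASSUMED getprpw field -> default-file field mapping; verify with getprpw(1M) and prpwd(4).
FIELD_MAP = {"mintm": "u_minchg", "exptm": "u_exp", "lftm": "u_life",
             "expwarn": "u_pw_expire_warning", "umaxlntr": "u_maxtries"}
# ASSUMED: stored in seconds in the default file, reported in days by getprpw.
SECONDS_FIELDS = {"u_minchg", "u_exp", "u_life", "u_pw_expire_warning"}

def parse_getprpw(line):
    """Split 'name=value, name=value' output into a dict of strings."""
    return dict(item.strip().split("=", 1) for item in line.split(",") if "=" in item)

def parse_default(text):
    """Parse the termcap-style entry: name#number, name=string, name (on), name@ (off)."""
    caps = {}
    for cap in text.replace("\\\n", "").split(":")[1:]:  # [1:] skips the entry name
        m = re.fullmatch(r"(\w+)(?:([#=])(.*)|(@))?", cap.strip())
        if not m:
            continue  # empty piece between '::' separators
        name, sep, val, off = m.groups()
        caps[name] = int(val) if sep == "#" else val if sep == "=" else off is None
    return caps

def effective(user, defaults):
    """Return {getprpw_field: (value, source)}; -1 falls back to the system default."""
    out = {}
    for ufield, dfield in FIELD_MAP.items():
        raw = user.get(ufield, "-1")
        if raw == "-1":
            val, src = defaults.get(dfield), "system default"
            if val is not None and dfield in SECONDS_FIELDS:
                val //= 86400  # seconds -> days
        else:
            val, src = int(raw), "user"
        out[ufield] = (val, src)
    return out

if __name__ == "__main__":
    for field, (val, src) in effective(parse_getprpw(GETPRPW), parse_default(DEFAULT)).items():
        print(f"{field:9} {val!s:>5}  ({src})")
```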