Operating System - HP-UX

/tcb/files not getting shadow data - spurious expiration

 
mvpel
Trusted Contributor

I've run into an issue, after correcting the construction of the trusted.org_dir table, that certain HP 11.11 systems with fairly recent patch levels don't construct the /tcb/files file properly when a user logs in who doesn't already have a file in there.

The trusted.org_dir data comes in fine, including the last unsuccessful login and maxtries, etc, but the u_succhg value is not derived from the shadow field in passwd.org_dir, and is not included in the /tcb/files entry.

This leads to a spurious password expiration warning and mandatory change for the user, since it assumes u_succhg is zero.

I've checked the NIS+ credentials and permissions, and root and the user both have the ability to view the shadow field of the passwd.org_dir table.

The problem occurs in both SSH and telnet, so I think it's part of the OS login mechanisms. The libpam patch on the problem system is recent, but on systems where this works properly there's an older libpam patch, I think.

Any suggestions on where to look? I didn't want to tinker with patches unless the problem here isn't obvious and straightforward. I can write a workaround script in the meantime if it's not.
Steven E. Protter
Exalted Contributor

Re: /tcb/files not getting shadow data - spurious expiration

Shalom,

NIS+ does not work right with trusted systems. You cannot, as far as I remember, use both and have "single" sign on.

This integration may not be possible.

There is an alternate shadow password system for HP-UX 11.x on http://software.hp.com that works more like Linux shadow passwords. Single file. Whether it works with NIS+ is an open question.

Note that trusted system is deprecated and will not be offered in the next major HP-UX release.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
mvpel
Trusted Contributor

Re: /tcb/files not getting shadow data - spurious expiration

With some analysis and testing, I was able to narrow the problem down - it appears to be fixed in the latest ONC/NFS General Release/Performance patch, which updates the NIS+ Name Service Switch library libnss_nisplus.sl, among other things.

This is presumably what fetches the shadow information from NIS+ - the shadow information which wasn't going into the /tcb/files/auth entry.
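A check for the symptom discussed in this thread, as an added example that is not from any poster or from HP: it lists users whose protected-password entry carries no u_succhg field, which is useful for confirming the state before and after patching. The termcap-style entry format, the one-file-per-user layout under the auth directory, and the function names are assumptions; the sample entries are constructed.

```shell
#!/bin/sh
# Added example. Assumed entry format: termcap-style, colon-separated
# "name#number" / "name=string" fields, continued with a trailing backslash,
# one file per user under <auth_dir>/<first letter>/<user>.

# Print "yes" if the entry file carries a u_succhg#<digits> field, else "no".
tcb_has_succhg() {
    awk '
        { sub(/\\[ \t]*$/, ""); entry = entry $0 }  # join continuation lines
        END {
            found = "no"
            n = split(entry, field, ":")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", field[i])
                if (field[i] ~ /^u_succhg#[0-9]+$/) found = "yes"
            }
            print found
        }' "$1"
}

# Print the user name of every entry under auth dir $1 that lacks u_succhg.
tcb_missing_succhg() {
    for file in "$1"/*/*; do
        [ -f "$file" ] || continue
        if [ "$(tcb_has_succhg "$file")" = "no" ]; then
            basename "$file"
        fi
    done
}

# Build two constructed sample entries under directory $1 (not real data).
tcb_make_sample() {
    mkdir -p "$1/a" "$1/b"
    printf '%s\n' 'alice:u_name=alice:u_id#2001:\' \
        '    :u_pwd=CONSTRUCTED:u_succhg#1136073600:\' \
        '    :u_unsuclog#1136160000:u_maxtries#3:u_lock@:chkent:' > "$1/a/alice"
    printf '%s\n' 'bob:u_name=bob:u_id#2002:\' \
        '    :u_pwd=CONSTRUCTED:\' \
        '    :u_unsuclog#1136160000:u_maxtries#3:u_lock@:chkent:' > "$1/b/bob"
}

# Usage on a trusted system, as root: sh script.sh /tcb/files/auth
if [ -n "${1:-}" ]; then
    tcb_missing_succhg "$1"
fi
```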
mvpel
Trusted Contributor

Re: /tcb/files not getting shadow data - spurious expiration

.