Passwords on DCE Managed Nodes – HP-UX B6941-90001 User Manual

Page 454

Chapter 10

Tuning, Troubleshooting, Security, and Maintenance

ITO Security

• an appropriate .rhosts entry or /etc/hosts.equiv functionality must be available

-Or-

• the password must be specified interactively.

For more information on user accounts, access to files, and general file
permissions, see “File Access and Permissions” on page 451.

Passwords on DCE Managed Nodes

When executed on the management server with the -server option, the ITO utility opc_sec_register_svr.sh creates a special principal, opc-agt-adm, which has the permissions needed to modify accounts on the managed node. Normally, the ITO agents log in to DCE at startup using the primary principal opc/opc-agt/ . However, if this login fails for any reason, the ITO control agent then attempts to log in as opc-agt-adm and to generate a new random password for its primary account. The new password is written to both the DCE registry and the local keytab file, so that the next startup can use the primary principal again. Generally, the initial DCE login fails only in the following situations, any of which can be rectified by logging in on the managed node and running opc_sec_register.sh manually:

❏ After installation (or after running for the first time in authenticated mode), if the opc_sec_register.sh utility was executed on the management server to create the managed node account. In this case the local keytab file does not exist on the managed node, because the registration was not performed there. If opc_sec_register.sh is executed locally on the managed node, it does create the requisite local keytab file.

❏ The managed node’s keytab file was removed or corrupted for any other reason.

❏ The managed node’s password expired while the control agent was not running and, as a consequence, the control agent is unable to log in and generate a new one.

It is possible to simply disable or even remove the opc-agt-adm account using standard DCE utilities. However, if you do disable or remove the opc-agt-adm account, the automatic password recovery process described above will no longer work: a managed node whose primary login fails will have to be repaired manually by running opc_sec_register.sh on that node. This does not affect automatic password generation while the agent is running and password expiration is enabled, since in that case the control agent renews the password of its primary account itself and does not need opc-agt-adm.