My opinion differs on this score.
At our site we have a variety of systems including SunOS 4.1.x,
Solaris 2.x, HP-UX 9.x, DEC OSF/1 2.0, Ultrix 4.3, and Cray Unicos 8.0.
On all of these systems, we have multiple entries in /etc/passwd with
UID=0. We have more than one person with ROOT access on each of our
server systems. We do not share a ROOT password. Each person has a
different ROOT login name so we can track who is logging in at any
time. This also allows each Superuser to have a different HOME directory
if desired.
The HOME directories for ROOT accounts are on the local disk and
they do not have an AFS account. We want to allow a ROOT login even if
AFS is down. If an Administrator needs AFS access, we use klog to
authenticate.
The only problems that I know about are to make sure that the name
"root" is on the first line of /etc/passwd. On DEC OSF/1 2.0, we
replaced the normal /usr/ucb/passwd with a Perl script which I have
appended below.
I recall that Transarc suggests "Do not use UID 0" in AFS.
I think this is a "policy" issue rather than a functional problem.
But since UID=0 has special meaning in UNIX systems, I think it
is prudent to avoid using UID=0 in AFS.
----------------------------------------------------------------
| Joe Ramus NERSC Livermore (510) 423-8917 [EMAIL PROTECTED] |
----------------------------------------------------------------
>> > Since the UID is not part of the kaserver, but only part of the
>> > ptserver, you should be able to have a rootAFS defined in AFS,
>> > and in the local password files. This rootAFS would have a UID of 0
>> > in the local password file. Thus if you login as rootAFS you use
>> > its password, and end up running with the uid=0, i.e. root.
>> > The local root still has its own passwords.
>>
>> Be very careful with this. Many operating systems deal badly with having
>> more than one user in /etc/passwd with UID 0. Besides, that shouldn't be
>> necessary in this case. If you attempt to log in as user foo, who has
>> both a local and AFS password, the login program will try both.
>> Naturally, you don't get authentication if you don't use the AFS password.
>>
>> -- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
>> Systems Programmer, CMU SCS Research Facility
>> Please send requests and problem reports to [EMAIL PROTECTED]
-----------------------------------------------------------------------------
On DEC OSF/1 2.0:
%% cat /usr/ucb/passwd
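#!/usr/local/bin/perl
# Run the vendor passwd; the list form of system() keeps @ARGV away from the shell.
unless ( system( "/usr/bin/passwd.vendor", @ARGV ) ) {
    # Vendor passwd succeeded: if running as root, rebuild the hashed database.
    if ( $> == 0 ) {
        system( "/usr/sbin/mkpasswd /etc/passwd" );
        print "Rehashed password database.\n";
    }
}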
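
An audit for the conventions described in the message above (several UID=0 entries, "root" first in /etc/passwd, ROOT home directories on local disk rather than in AFS), as an added example that is not part of the original post. The function name, the finding labels and the sample accounts are hypothetical, and the /afs path prefix is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file for
# the conventions described above. Finding labels are hypothetical names.
# Usage: audit_uid0 FILE   (FILE may be "-" for stdin); returns 1 on any finding.
audit_uid0() {
    awk -F: '
        /^[#+-]/ || NF == 0 { next }    # skip comments, NIS +/- entries, blanks
        NF < 7 { printf "MALFORMED line %d\n", NR; bad = 1; next }
        !seen {                          # first real entry must be root, UID 0
            seen = 1
            if ($1 != "root" || $3 !~ /^0+$/) {
                printf "FIRST_NOT_ROOT %s\n", $1; bad = 1
            }
        }
        $3 ~ /^0+$/ {                    # every superuser entry
            printf "UID0 %s home=%s\n", $1, $6
            if (names[$1]++) { printf "DUPLICATE_NAME %s\n", $1; bad = 1 }
            # the post keeps ROOT homes on local disk so login works without AFS
            if ($6 ~ /^\/afs(\/|$)/) { printf "AFS_HOME %s\n", $1; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample data; names and the example.org cell are made up.
sample_passwd() {
    cat <<'EOF'
root:*:0:0:System Administrator:/:/bin/sh
rootjr:*:0:0:Superuser One:/home/rootjr:/bin/csh
rootkm:*:0:0:Superuser Two:/afs/example.org/user/rootkm:/bin/csh
daemon:*:1:1:daemon:/:
alice:*:1042:100:Alice:/afs/example.org/user/alice:/bin/csh
EOF
}

sample_passwd | audit_uid0 - || echo "findings above need review"
```

Run it against the real file with `audit_uid0 /etc/passwd`; the UID0 lines give the list of superuser login names to compare with the administrators who are supposed to have one.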