Joep Vesseur wrote:
>> a) Did PSARC/2007/700 integrate somewhere?
>
> No, not yet; I've been stuck in the changes needed for the graphical
> installer. Need to pick up the pieces again.
>
>> b) If so, why didn't the manpage change integrate?
>> c) Is having passwordless roles any less stupid than passwordless users?
>
> I'd say it is because with passwordless roles you have at least the
> attribution to which user assumed a role. With passwordless users
> you'd have no way knowing who logged into your system.

The reason Solaris expects roles, just like users, to have passwords is because of the need for a password to use AUTH_DH creds for NIS+ and NFS shared with sec=dh. If you don't need to use AUTH_DH then you may not need roles to have passwords. On the other hand you may wish roles to be Kerberos principals in which case you would likely need a password for them (or some way of maintaining and using a keytab for them). If you need none of the security provided by AUTH_DH or Kerberos then you may not need to use passwords with roles.

--
Darren J Moffat
