> > If you don't want an account to be able to login at all it should be
> > *LK* (passwd -l) not NP (passwd -N).
>
> I have to say I'm confused about this. My prior understanding of *LK* and NP
> was that:
>
> 1) *LK* prohibited login and execution of scheduled jobs via cron/at
> 2) NP prohibited login but allowed execution of scheduled jobs via cron/at

Your understanding is correct. I believe Darren misspoke.

passwd -l locks an account for all those name services that support it. In files, the sp_pwdp field is set to "*LK*". This is a consolidation private interface between various components of the ON Consolidation to indicate that this account can neither log in nor have delayed execution jobs run.

passwd -N sets the account to a no-login account for all those name services that support it. In files, the sp_pwdp field is set to "NP". This is a consolidation private ... blah blah ... account can not log in, but can have delayed execution jobs run.

See the contents of /etc/shadow for the distinction on accounts Sun ships. Those that need to run cron, such as lp and sys, are no login. Those that don't need to run cron, such as webservd, gdm, listen, are locked.

"*NP*" can also show up in sp_pwdp. It again is a consolidation private ... that indicates the password could not be retrieved from the name service. There are various reasons this could occur.

N.B. All this is in relationship to the Unix account authority. Other account authorities may act differently.

Gary..
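
The sp_pwdp markers described in the message above, turned into a small audit check. This is an added example and not part of the original message or of any Sun code; the function names, the sample entries, and the handling of empty fields and of "*LK*" followed by more text are assumptions.

```python
from typing import NamedTuple, Optional

class Status(NamedTuple):
    user: str
    state: str
    login: Optional[bool]  # password login possible? None = cannot tell
    cron: Optional[bool]   # cron/at jobs run? None = cannot tell

def classify(line: str) -> Status:
    """Map one shadow-style line to the states described in the message."""
    fields = line.strip().split(":")
    if len(fields) < 2 or not fields[0]:
        raise ValueError(f"malformed shadow entry: {line!r}")
    user, pwdp = fields[0], fields[1]
    if pwdp.startswith("*LK*"):
        # Exact "*LK*" is what the message describes. Assumption: a value
        # that starts with the marker and carries more text is locked too.
        return Status(user, "locked", False, False)
    if pwdp == "NP":
        return Status(user, "no-login", False, True)
    if pwdp == "*NP*":
        # Password could not be retrieved from the name service.
        return Status(user, "unavailable", None, None)
    if pwdp == "":
        # Assumption: empty field, outcome depends on local policy.
        return Status(user, "empty", None, None)
    # Assumption: anything else is treated as a password hash.
    return Status(user, "password", True, True)

def audit(shadow_text: str, needs_cron: set[str]) -> list[str]:
    """Return accounts expected to run cron/at jobs that are locked."""
    broken = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        st = classify(line)
        if st.user in needs_cron and st.cron is False:
            broken.append(st.user)
    return broken

# Constructed sample entries, not taken from a real system.
SAMPLE = """\
root:$5$constructed$notarealhash:6445::::::
lp:NP:6445::::::
sys:*LK*:6445::::::
webservd:*LK*:::::::
"""

if __name__ == "__main__":
    for entry in SAMPLE.splitlines():
        print(classify(entry))
    print("locked but need cron:", audit(SAMPLE, {"lp", "sys"}))
```

In the constructed sample, sys is deliberately locked rather than no-login, so the audit reports it as an account whose cron jobs would not run.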