Gary Winiger wrote:
>>> If you don't want an account to be able to login at
>>> all it should be
>>> *LK* (passwd -l) not NP (passwd -N).
>> I have to say I'm confused about this. My prior understanding of *LK* and
>> NP was that:
>>
>> 1) *LK* prohibited login and execution of scheduled jobs via cron/at
>> 2) NP prohibited login but allowed execution of scheduled jobs via cron/at
>
> Your understanding is correct. I believe Darren misspoke.
> passwd -l locks an account for all those name services that
> support it. In files, the sp_pwdp field is set to "*LK*".

sp_pwdp is PREFIXED with *LK* now; it used to be set. We prefix so that we can implement passwd -u.

> This is a consolidation private interface between various
> components of the ON Consolidation to indicate that this
> account can neither login nor have delayed execution jobs run.

The string NP isn't documented; the passwd -N behaviour is.

> passwd -N sets the account to a no-login account for all those
> name services that support it. In files, the sp_pwdp field is
> set to "NP". This is a consolidation private ... blah blah ...
> account can not login, but can have delayed execution jobs run.
> See the contents of /etc/shadow for the distinction on accounts
> Sun ships. Those that need to run cron such as lp and sys are
> no login. Those that don't need to run cron such as webservd,
> gdm, listen are locked.

NP as I understood it means "Not Participating" rather than "No Password", and the reason we can't use *LK* is because pam_unix_account will not allow cron to run.

The reason I use that wording rather than Non Login is because there are valid uses for this other than cron or for daemon accounts. Namely having an account that can not authenticate with UNIX username and password but can authenticate by other means, e.g. LDAP or Kerberos.

The reason this all works is that cron doesn't call pam_authenticate() but does call pam_acct_mgmt(). If the account was marked *LK* we couldn't login but also couldn't run cron jobs.

> "*NP*" can also show up in sp_pwdp. It again is a consolidation
> private ... that indicates the password could not be retrieved
> from the name service. There are various reasons this could
> occur.

*NP* means "No permission" and is, as you say, in sp_pwdp, but it isn't actually stored. NIS+ and LDAP can both cause this to be returned via the nsswitch/nscd code but files and NIS don't, I believe.

--
Darren J Moffat
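The sp_pwdp conventions discussed in this thread (a "*LK*" prefix from passwd -l, an exact "NP" from passwd -N, and "*NP*" when the name service would not return the password), as an added example for auditing a shadow file; this is not code from the thread or from the ON consolidation, and the shadow lines below are constructed:

```sh
#!/bin/sh
# Constructed sample in /etc/shadow layout (name:sp_pwdp:lastchg:min:max:warn:inactive:expire:flag).
# The hashes are placeholders, not real password hashes.
SAMPLE_SHADOW='root:$5$constructedhash$placeholder:15000::::::
lp:NP:6445::::::
sys:NP:6445::::::
webservd:*LK*:6445::::::
gdm:*LK*:6445::::::
alice:*LK*$5$constructedhash$placeholder:15000::::::
bob:*NP*:15000::::::'

# classify_pwdp PWDP -> one word describing what the sp_pwdp field implies
classify_pwdp() {
    case "$1" in
        \*LK\**) echo "locked" ;;       # passwd -l: "*LK*" prefix, no login, no cron/at jobs
        NP)      echo "nologin" ;;      # passwd -N: no UNIX password login, cron/at jobs still run
        \*NP\*)  echo "unavailable" ;;  # password could not be retrieved from the name service
        *)       echo "password" ;;     # anything else is treated as an ordinary password field
    esac
}

# report_shadow < shadow-lines -> "<user> <state> login=<..> cron=<..>" per entry
# login/cron reflect the thread's description: cron calls pam_acct_mgmt() but
# not pam_authenticate(), so NP accounts run jobs while *LK* accounts do not.
report_shadow() {
    while IFS=: read -r user pwdp rest; do
        state=$(classify_pwdp "$pwdp")
        case "$state" in
            locked)      printf '%s %s login=no cron=no\n' "$user" "$state" ;;
            nologin)     printf '%s %s login=no cron=yes\n' "$user" "$state" ;;
            unavailable) printf '%s %s login=? cron=?\n' "$user" "$state" ;;
            *)           printf '%s %s login=yes cron=yes\n' "$user" "$state" ;;
        esac
    done
}

# count_state STATE -> number of sample accounts in STATE
count_state() {
    printf '%s\n' "$SAMPLE_SHADOW" | report_shadow | grep -c " $1 "
}

# Usage: printf '%s\n' "$SAMPLE_SHADOW" | report_shadow
```

Pointing report_shadow at a real /etc/shadow (as root) lists which daemon accounts are merely no-login and which are fully locked, the distinction the thread draws between lp/sys and webservd/gdm.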