ITEM: DE5433L

DCE: changing password policy, can't add client


 ENV: 58H, AIX 4.2.1, DCE 2.1 PTF set 14 (borg06)
two Sparc stations are the cds and security servers.

*CUSTOMER REP: Scott Stansil

 PROBLEM: 

When I tried the full configuration from borg-06, this is what I got:
-----------------------------------------
Configuring RPC Endpoint Mapper (rpc)...
RPC Endpoint Mapper (rpc) configured successfully

Configuring Security Client (sec_cl)...
Current site is: registry server at
/.../larc.nasa.gov/subsys/dce/sec/master
Domain changed to: principal
Domain changed to: account
?(rgy_edit) Unable to add "hosts/borg-06/self" - Password is too short (dce / sec)
bye.
Cannot create security account hosts/borg-06/self for machine borg-06
Current state of DCE configuration:
rpc          COMPLETE   RPC Endpoint Mapper
sec_cl       PARTIAL    Security Client
          Press Enter to continue
----------------------------------------------

The local DCE/DFS guru made the following statement:
-----------------------------------------------------------------
[10:05] \ sounds like the configuration script has a problem.  
It should not be using string passwords, but rather should use DES
passwords...
[10:05] \ Short passwords don't exist for DES passwords since
they're all the same length.
-----------------------------------------------------------------

Sorry to have kinda gone on my own.  I hope this actually narrows the
problem down.  I will call there about 10:30 EST.

*ACTION TAKEN: NILM,
There was a DCE 1.3 defect with this exact description which resulted
because the hostname of the client was shorter than the minimum
password length.  

*ACTION TAKEN: Customer found that about the time all the problems
started, the password policies were changed.  Under these new policies
the cell_admin password would be invalid.  It did work at present
(they could dce_login and such), but they could not get this client
configured into the cell.

When they relaxed the password policies again, they were able to
configure the client into the cell, and all previous problems have
disappeared.

From Robin Redden in L3DCE:

When configuring in a client with split config, the hostname is
used as the password.  The hostname may have fewer characters than
the password min length policy decrees.  Thus, failure.  The 
cell_admin password isn't used for this.  However, one must have the
correct cell_admin password for admin config due to having to write
the new data to security and the namespace.  

Response:

Hi Donovan,

   The "next release" meant aixdce22.  This is not yet in aixdce210.
Yes, the hostname is used as a temporary password.  In a full
config it will fail immediately.  In a split config scenario, one
might succeed with one part of the config, then if the password 
policy had changed fail with the other part of the config. 

Robin

*ACTION TAKEN: the release which will fix this problem is 
AIX DCE 2.2 (when it becomes available).

*ACTION PLAN: closing


Dated: July 1997 Category: N/A
This HTML file was generated 99/06/24~13:30:16