HPUX installation notes

This section describes the unique characteristics and known limitations that apply when the authentication service is used on a computer running the HP-UX operating environment.

ia64 - Mapping local HP-UX user accounts to Active Directory accounts

In most environments, you can map local user accounts to Active Directory accounts so that the passwords of local users are managed by your Active Directory password policies. On HP-UX, however, if an account is a valid Active Directory account but authentication through Active Directory fails, the PAM module falls back to local authentication and allows the login if the local password is accepted. Because users can still log on to HP-UX systems with their local account password, you cannot effectively use Active Directory or the User Map group policy to enforce password policies for local HP-UX user accounts.

To enforce Active Directory password policies for local HP-UX users, you need to disable the local user accounts to prevent those local account names and passwords from being used to log on.

Entering an incorrect password on HP-UX

On HP-UX, when a Centrify-enabled user enters an incorrect password, a second "System password" prompt normally appears. This prompt asks for the password of a local user with the same name, whether or not such a local account exists. If the user does exist locally, the prompt allows the user to log in with the local password. If the user does not exist locally, the prompt is unnecessary and will not let the authentication service-enabled user log in, whatever password is entered.

This second prompt can be avoided by changing the options passed to the authentication modules in /etc/pam.conf. Two changes are necessary:

  1. Add an option to the authentication service PAM module to prompt all users for a password (not just Active Directory users)
  2. Add an option to the HP-UX UNIX login module to use the password obtained by the authentication service module.

    The lines that need to be modified appear like this in the file (one pair per service):

    service_name  auth  sufficient  /usr/lib/security/libpam_centrifydc.1  debug
    service_name  auth  required    /usr/lib/security/libpam_unix.1

    where service_name is something like login, dtlogin, ftp, or similar. The libpam_centrifydc.1 line needs the ask option so that every user is prompted for a password, and the libpam_unix.1 line needs the use_first_pass option so that it reuses the password collected by the authentication service module instead of prompting a second time. For example:

    login  auth  sufficient  /usr/lib/security/libpam_centrifydc.1  debug ask
    login  auth  required    /usr/lib/security/libpam_unix.1  use_first_pass

Note:   It is extremely important that the libpam_centrifydc.1 line appear before the libpam_unix.1 line for each service, or users will never be prompted for a password. Administrators should be extremely careful when editing this file: any typographical error in it can prevent all users from logging on and render the system unusable. Back up /etc/pam.conf before editing it, and keep an existing root session open until you have confirmed from a separate login that authentication still works.
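As an added check (an example script written for these notes, not Centrify's or HP's own tooling), the following portable sh/awk script inspects the auth stack of a named service in a pam.conf-style file and reports whether it matches the configuration described above: libpam_centrifydc.1 listed before libpam_unix.1, with ask on the first line and use_first_pass on the second. It assumes the five-column layout shown above (service, type, control flag, module path, options). The sample file it builds when run without arguments is constructed for the demonstration and is not taken from a real system.

```shell
#!/bin/sh
# Added example (not part of the original notes): check that a service's
# auth stack in an HP-UX-style pam.conf lists libpam_centrifydc.1 (with
# "ask") before libpam_unix.1 (with "use_first_pass"), as described above.
# Assumes the layout: service  type  control  module-path  [options...]

# Constructed sample pam.conf for the demo (not from a real system).
make_sample() {
  cat > "$1" <<'EOF'
# login: correct order and options
login   auth sufficient /usr/lib/security/libpam_centrifydc.1 debug ask
login   auth required   /usr/lib/security/libpam_unix.1 use_first_pass
# dtlogin: libpam_unix.1 first, so libpam_centrifydc.1 never prompts
dtlogin auth required   /usr/lib/security/libpam_unix.1 use_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_centrifydc.1 debug ask
# ftp: right order, but "ask" is missing, so the second prompt remains
ftp     auth sufficient /usr/lib/security/libpam_centrifydc.1 debug
ftp     auth required   /usr/lib/security/libpam_unix.1 use_first_pass
EOF
}

# check_service FILE SERVICE
# Prints "ok" and returns 0 when the auth stack for SERVICE is correct;
# otherwise prints the first problem found and returns 1.
check_service() {
  awk -v svc="$2" '
    # Only auth lines for the requested service; comment lines have $1 == "#".
    $1 == svc && $2 == "auth" {
      n++
      if ($4 ~ /libpam_centrifydc/) {
        cdc = n
        for (i = 5; i <= NF; i++) if ($i == "ask") ask = 1
      }
      if ($4 ~ /libpam_unix/) {
        unx = n
        for (i = 5; i <= NF; i++) if ($i == "use_first_pass") ufp = 1
      }
    }
    END {
      if (!cdc)      { print "no libpam_centrifydc.1 auth line"; exit 1 }
      if (!unx)      { print "no libpam_unix.1 auth line"; exit 1 }
      if (cdc > unx) { print "libpam_centrifydc.1 listed after libpam_unix.1"; exit 1 }
      if (!ask)      { print "libpam_centrifydc.1 missing ask"; exit 1 }
      if (!ufp)      { print "libpam_unix.1 missing use_first_pass"; exit 1 }
      print "ok"
    }' "$1"
}

# Stand-alone use: "sh pamcheck.sh /etc/pam.conf login dtlogin ftp" checks a
# real file; with no arguments the script runs against the constructed sample.
if [ "$#" -ge 2 ]; then
  pamfile=$1; shift
  for svc in "$@"; do
    printf '%s: %s\n' "$svc" "$(check_service "$pamfile" "$svc")"
  done
else
  pamfile=/tmp/pamcheck.$$
  make_sample "$pamfile"
  for svc in login dtlogin ftp; do
    printf '%s: %s\n' "$svc" "$(check_service "$pamfile" "$svc")"
  done
  rm -f "$pamfile"
fi
```

Run it against the real /etc/pam.conf for every service you changed before closing your root session; a non-"ok" result for a service means that service will still show the second prompt or, worse, will not prompt for an Active Directory password at all.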