Re: Solaris /etc/shadow - NP vs. *LK*

From: Jason Price (jason_at_jasonprice.net)
Date: 05/23/03 

Date: 23 May 2003 06:44:02 -0700

Also, we just ran into this one. We use to have *LK* accounts, but
they would still run CRON's. Now in Solaris 9, a *LK* account cannot
run crons but using NP will allow them.

>From docs.sun.com:

cron, at, and batch Cannot Schedule Jobs for Locked Accounts (4622431)

In the Solaris 9 operating environment, locked accounts are treated in
the same way as expired or nonexistent accounts. As a result, the
cron, at, and batch utilities cannot schedule jobs on locked accounts.

Workaround: To enable locked accounts to accept cron, at, or batch
jobs, replace the password field of a locked account (*LK*) with the
string NP (for no password.)

Jp

Casper H.S. *** <Casper.***@Sun.COM> wrote in message news:<3ebcff1a$0$49101$e4fe514c@news.xs4all.nl>...
> Joe Durusau <joseph.a.durusau@lmco.com> writes:
>
> >Joe Borgia wrote:
> >>
> >> Can anyone tell me the functional difference between these to password
> >> entries in the shadow file.
> >>
> >> -----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
> >> http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
> >> -----== Over 80,000 Newsgroups - 16 Different Servers! =-----
>
> >NP == no password for this acount
> >*LK* == this account is not allowed to log in.
>
> Note that the latter is only enforced in Solaris 9 and Solaris 8
> with the (misnamed) "ldap2" patch (the patch includes a lot of new
> PAM stuff which now also enforces *LK*")
>
> In order to accomodate the commenting out of password entries, accounts
> are considered "locked" when the password string starts with "*LK*".
>
> Casper