HP (Hewlett-Packard) B6941-90001 Server User Manual


 
454 Chapter 10
Tuning, Troubleshooting, Security, and Maintenance
ITO Security
an appropriate .rhosts entry or /etc/hosts.equiv
functionality must be available
-Or-
the password must be specified interactively.
For more information on user accounts, access to files, and general file
permissions, see “File Access and Permissions” on page 451.
Passwords on DCE Managed Nodes
When executed on the management server with the -server option, the
ITO utility opc_sec_register_svr.sh creates a special principal
opc-agt-adm which has the permissions needed to modify accounts on
the managed node. Normally, the ITO agents log into DCE at startup
using the primary principal opc/opc-agt/<hostname>. However, if
this login fails for any reason, the ITO control agent then attempts to
log in as opc-agt-adm and to generate a new random password for its
primary account. The new password will be updated in both the DCE
registry and the local keytab file. Generally, the initial DCE login will fail
in only the following situations, any of which may be rectified by logging
in on the managed node and running opc_sec_register.sh manually:
- After installation (or after running for the first time in authenticated
  mode), if the opc_sec_register.sh utility was executed on the
  management server to create the managed node account. In this case,
  the local keytab file doesn’t exist. If opc_sec_register.sh has been
  executed locally on the managed node, it does create the requisite
  local keytab file.
- The managed node’s keytab file was removed or corrupted for any
  other reason.
- The managed node’s password expired while the control agent was
  not running and, as a consequence, the control agent is unable to
  log in and generate a new one.
It is possible to simply disable or even remove the opc-agt-adm account
using standard DCE utilities. However, if you do disable or remove the
opc-agt-adm account, the automatic password recovery process will be
compromised. This does not affect automatic password generation while
the agent is running and password expiration is enabled.