passwd_override(5sec)
The registry database override file
Description
The dcelocal/etc/passwd_override administrative file lets you override the password, GECOS, home directory, login shell, group membership, and principal UNIX ID information stored in the network registry database.
The passwd_override file is stored on each host machine. Any changes you make to it are in effect for the local machine only, and have no effect on the centralized registry. You may find passwd_override especially useful for excluding people from using certain machines, establishing local root passwords, or tailoring local user environments.
The passwd_override File Format
The format of the passwd_override entries is similar to entries in the UNIX password file. The format is
principal_name:passwd:principal_uid:group_id:GECOS:home_d ir:login_shell
In an override entry, principal_name, principal_uid, and group_id fields are keyfields. You must enter one of them to identify the principal or group to which the overrides apply. The keyfield is used to perform a lookup in the override file. The lookup is performed in order as the entries are specified in an override entry: first by principal name, then by principal UNIX ID, and finally by group UNIX ID. If you specify more than one keyfield in an override entry, the first keyfield specified is the lookup key; subsequent keyfields are used as overrides.
Field Descriptions
Each of the entries in the passwd_override file is described below.
principal_name
A keyfield that contains a principal name that identifies the account to which the overrides apply. Enter principal_name to apply the override only to
the account for the principals primary name and not to any accounts for the principals aliases.
passwd
The encrypted password. If you specify an override in this field, the password you enter is in effect for this local machine only.
When you override a principals password, only the principals local credentials are obtained at login, not the principals network credentials. Without network credentials, the principal cannot access the network registry and obtain the information normally provided at network login. Therefore, you must supply all this information in the password_override file entry. For overrides to passwords, you must enter all fields in the override entry, including all keyfields.
You can also specify OMIT in the passwd field to disallow login on the local machine. The use of OMIT in conjunction with an option to the passwd_export command also prevents the inclusion of this principal in the password file created by passwd_export. (See the topic entitled Using OMIT in this command reference, for details.)
principal_uid
An encrypted principal UNIX ID. This field can function as a keyfield (when the principal_name keyfield is not entered) or as an override field (when the
principal_name keyfield is entered). Enter principal_uid and not principal_name when you want to apply the overrides to all of a principals accounts, including any
accounts for the principals aliases. The principal_uid keyfield is especially useful for overrides to root. For example, if root has an alias of virtuoso, an
override keyed by principal name applies only when root logs in as root. An override keyed by roots principal_uid applies when root logs in as root, as
virtuoso, and under any other alias.
Enter principal_uid and principal_name to override the UNIX ID of the named principal.
group_id
A UNIX group ID. This field can function as a keyfield, when no other keyfields are entered, or as a field containing an override, when entered in conjunction with
principal_name or principal_uid.
Enter group_uid and no other keyfield (principal_name or principal_uid) to apply the override to all members of the group identified by group_uid. In this instance the group_uid field functions as a keyfield, identifying the accounts to which to apply the overrides (that is, accounts whose principal is a member of the specified group).
Enter group_uid and principal_name to change the group of the principal identified by principal_name to the group identified by group_uid. The change applies only to the account for the principals primary name, not to any accounts for the principals aliases. Enter group_uid and principal_uid to apply the group override to all the principals accounts, including any for the principals aliases. In these instances the group_uid field functions as a field supplying override information, not as a keyfield.
GECOS
The accounts GECOS field. You can specify an override in this field. To keep it unchanged, leave it empty.
home_dir
The accounts home directory. You can specify an override in this field. To keep it unchanged, leave it empty.
login_shell
The accounts log-in shell. You can specify an override in this field. To keep it unchanged, leave it empty.
Leaving Fields Blank
If you do not want to override an item, leave its field blank, separating each blank field with a colon (:). You must enter one of the keyfields,
however, to identify the principal or group for which you are creating overrides.) You are required to enter the colons associated with any blank trailing fields.
Using OMIT
If you enter either the word OMIT or another invalid password string (such as * (asterisk) or NO GOOD) in the passwd field, the principal
(or set of principals) will be unable to log in to the local machine. If you specify OMIT and run passwd_export with the -x option, the named principal (or set of
principals) will not appear in the /etc/passwd file produced by passwd_export.
You should also be aware that, if you have omitted principals from the /etc/passwd file, information about those principals will not be available to any programs that use the password file. For example, the ls -l and the finger commands both access the password file to obtain further information about a principal. If the principal is omitted, no password entry will exist and no information will be available. For this reason, you should use OMIT to omit principals from the /etc/passwd file only if your user community is very large and either of the following conditions occur:
The passwd file is taking up too much space.
User-ID-to-name mapping is too slow (during ls -l, for example).
Notes
Principals can update their entries in the override file for the local host by using chpass. Refer to the chpass reference page for details.
Examples
1. To prevent the principal with a UNIX ID of 52 from logging in to the local machine, the entry in the passwd_override file is as follows:
:exclude:52::::
2. To prevent members of the group identified by a UNIX ID of 25 from logging in to a node and to omit them from inclusion in the password file, put OMIT in the passwd field:
:OMIT::25:::
Then run the following passwd_export command with the -x option to omit these principals from /etc/passwd file:
dcelocal/etc/passwd_export
-x
3. To change the password, home directory, and initial shell for mozarts account, the entry is as follows:
mozart:sq1Rc1Urrb1L6:678:893:Wolfgang A. Mozart:/aria/wolfgang:/bin/csh
4. To override the home directory for user mozarts account, include the following entry in the passwd_override file:
mozart:::::/aria/wolfgang:
Related Information
Commands:
File: group_override(5sec)