NIS account locking feature 1

[tedans]

we have a NIS master server and set up accounts for users to have 5 failed login attempts before account is locked.
When trying to login on NIS server with one of the user accounts it indeed will lockout the login name after 5 login attempts.

However, when we do login on a NIS client station and intentionally fail the login attempt 5 times, it still would accept correct login even after 5 failed attempts.

On the workstation side (AIX) /etc/security/logfile - which records number of login attempts - does not record the failedlogin attempts. I don't know which directory on the HP stations is the logfile stored for failedlogins

 

[jonoheap]

There is major flaw (or should I say feature as software vendors call it!!) with the way NIS works with clients and you have found it. Even though you may set the user attributes on the NIS server, these are not carried through to the clients correctly.
The same applies to password aging. This is a classic example of wanting NIS client users to be automatically forced to change their password on a regular basis. The only way it works is to get the user to logon onto the NIS server and then they will be forced to change it.

There are ways to force it to work however this is NOT recommended. The NIS files from the server /etc/security/passwd etc can be NFS mounted to the clients (all admininstrators scream now!). If you do this, it works, but you are asking for trouble if you then have problems with NFS.

I believe the all the problems (features) with NIS have now solved with NIS+ which is now available on AIX. I hav'nt personally tried this yet so I cant say, but I will be looking at it in the near future.....

Hope this helps.

 

[tedans]

many thanks. We'll look into the NIS+ feature too if indeed it resolves this issue