nistbladm Command

The nistbladm command allows you to create, change, and display information about any NIS+ table, including the passwd table.

To perform password operations using the nistbladm command you must apply nistbladm to the shadow column of the passwd table. Applying nistbladm to the shadow column is complex and tricky. Therefore, you should not use the nistbladm command for any operation that can more easily be performed by the passwd command or by using the Solaris Management Console tools.

Use the passwd command or Solaris Management Console tools to perform the following operations:

• Changing a password

• Setting the maximum period that a password can be used (password aging)

• Setting the minimum period that a password must be used

• Setting the password warning period

• Turning off password aging

It is possible to use the nistbladm command to:

• Create new passwd table entries

• Delete an existing entry

• Change the UID and GID fields in the passwd table

• Change access rights and other security-related attributes of the passwd table

• Set expiration and inactivity periods for a user's account (see Password Privilege Expiration in NIS+ and Specifying Maximum Number of Inactive Days for Users in NIS+)

nistbladm and NIS+ Shadow Column Fields

You use the nistbladm command to set password parameters by specifying the values of the different fields in the shadow column. These fields are entered in the format:

Where:

• N1 Lastchange. The date of the last password change expressed as a number of days since January 1, 1970. The value in this field is automatically updated each time the user changes passwords. (See nistbladm and the Number of Days Password Parameter in NIS+ for important information regarding the number of days.) If the field is blank, or contains a zero, it indicates that there has not been any change in the past.

  Note that the number of days in the lastchange field is the base from which other fields and operations are calculated. Thus, an incorrect change in this field could have unintended consequence in regards to minimum, maximum, warning, and inactive time periods.

• N2 Min. The minimum number of days that must pass since the last time the password was changed before the user can change passwords again. For example, if the value in the lastchange field is 9201 (that is, 9201 days since 1/1/70) and the value in the min field is 8, the user is unable to change passwords until after day 9209. See Setting Minimum Password Life in NIS+ for additional information on password minimums.

  Where min is one of the following values:

  • Zero (0). A value of zero in this field (or a blank space) means that there is no minimum period.

  • Greater than zero. Any number greater than zero sets that number of days as the minimum password life.

  • Greater than max. A value in this field that is greater than the value in the max field prevents the user from ever changing passwords. The message: You may not change this password is displayed when the user attempts to change passwords.

• N3 Max. The maximum number of days that can pass since the last time the password was changed. Once this maximum number of days is exceeded, the user is forced to choose a new password the next time the user logs in. For example, if the value in the lastchange field is 9201 and the value in the max field is 30, after day 9231 (figured 9201+30=9231), the user is forced to choose a new password at the next login. See Setting a Password Age Limit in NIS+ for additional information on password maximums.

  Where max is one of the following values:

  • Zero (0). A value of zero (0) forces the user to change passwords the next time the user logs in, and it then turns off password aging.

  • Greater than zero. Any number greater than zero sets that number of days before the password must be changed.

  • Minus one (-1). A value of minus one (-1) turns off password aging. In other words, entering passwd -x -1 username cancels any previous password aging applied to that user. A blank space in the field is treated as if it were a minus one.

• N4 Warn. The number of days before a password reaches its maximum that the user is warned to change passwords. For example, suppose the value in the lastchange field is 9201, the value in the max field is 30, and the value in the warn field is 5. Then after day 9226 (figured 9201+30-5=9226) the user starts receiving “change your password” type warnings at each longing time. See Establishing a Password Warning Period in NIS+ for additional information on password warning times.

  Where warn is one of the following values:

  • Zero (0). No warning period.

  • Greater than zero. A value of zero (0) sets the warning period to that number of days.

• N5 Inactive. The maximum number of days between logins. If this maximum is exceeded, the user is not allowed to log in. For example, if the value of this field is 6, and the user does not log in for six days, on the seventh day the user is no longer allowed to log in. See Specifying Maximum Number of Inactive Days for Users in NIS+ for additional information on account inactivity.

  Where inactive is one of the following values:

  • Minus one (-1). A value of minus one (-1) turns off the inactivity feature. The user can be inactive for any number of days without losing login privileges. This is the default.

  • Greater than zero. A value greater than zero sets the maximum inactive period to that number of days.

• N6 Expire. The date on which a password expires, expressed as a number of days since January 1, 1970. After this date, the user can no longer log in. For example, if this field is set to 9739 (September 1, 1995) on September 2, 1995 GMT, the user will not be able to login and will receive a Login incorrect message after each try. See Password Privilege Expiration in NIS+ for additional information on password expiration.

  Where expire is one of the following values:

  • Minus one (-1). A value of minus one (-1) turns off the expiration feature. If a user's password has already expired, changing this value to -1 restores it. If you do not want to set any expiration date, type a -1 in this field.

  • Greater than zero. A value greater than zero sets the expiration date to that number of days since 1/1/70. If you enter today's date or an earlier date, you immediately deactivate the users password.

• N7 Unused. This field is not currently used. Values entered in this field will be ignored.

• Login is the user's login ID.

When using nistbladm on the shadow column of the password table, all of the numeric fields must contain appropriate values. You cannot leave a field blank, or enter a zero, as a no change placeholder.

For example, to specify that the user amy last changed her password on day 9246 (May 1, 1995), cannot change her password until it has been in use for 7 days, must change her password after 30 days, will be warned to change her password after 25 days, must not remain inactive more than 15 days, and has an account that will expire on day number 9285, you would type:

nistbladm -m shadow=9246:7:30:5:15:9285 [name=amy], passwd.org.dir

nistbladm and the Number of Days Password Parameter in NIS+

Most password aging parameters are expressed in number of days.

The following principles and rules apply:

• Days are counted from January 1, 1970. That is day zero. January 2, 1970, is day 1.

• NIS+ uses Greenwich mean time (GMT) in figuring and counting days. In other words, the day count changes at midnight GMT.

• When you specify a number of days, you must use a whole number. You cannot use fractions of days.

• When the number of days is used to specify some action, such as locking a password, the change takes effect on the day. For example, if you specify that a user's password privilege expires on day 9125 (January 2, 1995), that is the last day that the user can use the password. On the next day, the user can no longer use the password.

Values are entered in both the Lastchange and the Expire fields as a number of days since January 1, 1970, as in the following.