ADSM-L

Re: Force Password Reset

2002-10-29 17:14:32
Subject: Re: Force Password Reset
From: Andrew Raibeck <storman AT US.IBM DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Tue, 29 Oct 2002 15:12:34 -0700
Ah, OK, I misunderstood something. I thought in your last post you were
telling me the problem went away.

You are correct, resetting the password should force a password change
regardless of PASSWORDACCESS setting. While this appears to be a bug, I
can tell you (because I just timewarped my system to verify it) that if
you set the global TSM server password expiration interval to 60 days, the
client should be forced to regenerate a password whether PASSWORDACCESS is
GENERATE or PROMPT.

Your understanding about password encryption in the registry is also
correct. If you are using PROMPT, the password is not stored in the
registry or anywhere else on your system (at least not by TSM!). If you
are using GENERATE, then the password is encrypted into the registry so
that at a later time, the client can retrieve it, decrypt it, and send it
to the server during authentication.

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: storman AT us.eyebm DOT com (change eye to i to reply)

The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.




Mark Baker <mbake5 AT JCPENNEY DOT COM>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
10/29/2002 14:33
Please respond to "ADSM: Dist Stor Manager"


        To:     ADSM-L AT VM.MARIST DOT EDU
        cc:
        Subject:        Re: Force Password Reset



Ok, maybe using PASSWORDACCESS GENERATE up until now didn't have anything
to
do with my problem but I thought it might.  But shouldn't resetting the
password from the server side when using PASSWORDACCESS PROMPT force the
user to change the password?  I thought that is the way it was supposed to
work.  If that isn't the way it works then how can I force the user using
PROMPT to change the password at 60 day intervals.

Also, the way I understand this, if you are using PROMPTED the password is
not encrypted in the registry.  It is not stored in the registry at all.
That is only used for GENERATE.  Is this correct?

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU]On Behalf Of
Andrew Raibeck
Sent: Tuesday, October 29, 2002 3:04 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: Force Password Reset


I'm not sure I follow.... I've actually reproduced your problem. It seems
that when PASSWORDACCESS PROMPT is in effect, forcing the password reset
from the server side does not force the user to change the password,
regardless of whether PASSWORDACCESS GENERATE was in effect earlier...
even if I clean out any old passwords encrypted in the registry. Are you
seeing something different?

When using PASSWORDACCESS PROMPT, there is no way to view the password. If
someone forgets their TSM password, they have to contact their TSM
administrator who will need to change the node's password.

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: storman AT us.eyebm DOT com (change eye to i to reply)

The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.




Mark Baker <mbake5 AT JCPENNEY DOT COM>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
10/29/2002 13:34
Please respond to "ADSM: Dist Stor Manager"


        To:     ADSM-L AT VM.MARIST DOT EDU
        cc:
        Subject:        Re: Force Password Reset



Ahhh..I figured it out.  I changed the passwordaccess from generate to
prompt.  I was using the password that was stored in the registry from
when
it was using generate.  When I changed to prompt that was no longer the
valid password.

The only questions I have now is if you set the password through prompted
how can you view the password?  Using generate you can see it with
"dsmcutil
showpw" but when you are using prompted can you view it either through the
server or client side?

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU]On Behalf Of
Andrew Raibeck
Sent: Tuesday, October 29, 2002 12:52 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: Force Password Reset


Are you using PASSWORDACCESS GENERATE? If so, why do you think the
password is not being reset?

You can test this with a Windows client:

1) From the client machine, open an OS prompt and change into the
directory where the TSM client executables reside, i.e. C:\Program
Files\Tivoli\TSM\baclient.

2) Issue this command:

   dsmcutil showpw /node:yournodename

(where 'yournodename' is the client node name).

Make a note of the password.

3) From an Admin command, update the client node with the FORCEPWRESET=YES
option.

4) From the client OS prompt, issue these commands:

   dsmc q se
   dsmcutil showpw /node:yournodename

Is the password different from that shown in step 2 above?

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: storman AT us.eyebm DOT com (change eye to i to reply)

The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.




Mark Baker <mbake5 AT JCPENNEY DOT COM>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
10/29/2002 11:38
Please respond to "ADSM: Dist Stor Manager"


        To:     ADSM-L AT VM.MARIST DOT EDU
        cc:
        Subject:        Force Password Reset



What I am trying to do is force certain clients to change its password
every
60 days or so.  I can't seem to force the client to change its password. I
issue the command "upd node client forcepwreset=yes" expecting it to force
the client to change its password the next time it logs into TSM.  It
doesn't seem to force me to do anything.  When I log in, I get no prompts
to
change my password.  What am I doing wrong?  I am feeling sort of stupid
right now :)

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  If the reader of this message is not the intended recipient,
you are hereby notified that you have received this message in error and
that any review, dissemination, distribution or copying of this message
including any attachments is strictly prohibited.   If you received this
in error, please contact the sender and delete the material from any
computer.

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  If the reader of this message is not the intended recipient,
you are hereby notified that you have received this message in error and
that any review, dissemination, distribution or copying of this message
including any attachments is strictly prohibited.   If you received this
in error, please contact the sender and delete the material from any
computer.

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  If the reader of this message is not the intended recipient,
you are hereby notified that you have received this message in error and
that any review, dissemination, distribution or copying of this message
including any attachments is strictly prohibited.   If you received this
in error, please contact the sender and delete the material from any
computer.

<Prev in Thread] Current Thread [Next in Thread>