HPE Community
Operating System - HP-UX
1751966 Members
4665 Online
108783 Solutions
New Discussion

Re: "Account is disabled - see Account Administrator" "message in a trusted system

 
SOLVED
Go to solution
ilputto
Occasional Visitor

‎03-15-2012 04:48 AM

‎03-15-2012 04:48 AM

"Account is disabled - see Account Administrator" "message in a trusted system

Hi at all,

 

I have a trusted system hp-ux 11.11. I have created further two super-user accounts;

Last month I disabled remote login using the /etc/securetty (set to "console") and using the "PermitRootLogin no" into sshd_config.  After some days I tried to login with my personal account and then switch to root user ( "su -") but i recieve the following error message: "Account is disabled - see Account Administrator".

 

I recieve the same error message if i try to login using other super-user accounts. Also I unable to use the getprpw command because my personal accoun is not a super-user. So I cannot understand why all super-user account has been disabled.

The only workaround I found is to login using MP console , but after some days I get the same login error.

 

So the questions are:

a) Can someone help me to understand why account become disabled?

b) Is it possible to prevent disabling of root account?

 

 

this is the output of getprpw command for root user.

 

lftm=-1,
acctexp=-1,
expwarn=-1,
admnum=-1,
timeod=-1,
sloginy=console,
culogin=-1,
uloginy=-1,
umaxlntr=-1,
alock=NO, l
ockout=0000000

 

thank you for any suggestion

 

 

Adriano C.

 

 

 

0 Kudos
Reply
2 REPLIES 2
Matti_Kurkela
Honored Contributor

‎03-15-2012 12:37 PM

‎03-15-2012 12:37 PM

Solution

Re: "Account is disabled - see Account Administrator" "message in a trusted system

With most getprpw parameters, "-1" means "use the system default value".

 

Apparently the default for all users (unless overridden by per-user settings) is to have your passwords expire after some number of days. Since you haven't specified that the root password should not expire, it will expire just like regular users' passwords. As you know, the workaround for the expired root account is to log in from the console - it allows root (only) to log in even if the password is in expired state.

 

To prevent the password from expiring on a specific account, you must set four password attribute values to zeroes: mintm, exptm, lftm and expwarn. If any one of those four values is non-zero, the account will be considered expirable.

 

modprpw -m mintm=0,exptm=0,lftm=0,expwarn=0 root

 

MK
0 Kudos
Reply
ilputto
Occasional Visitor

‎03-16-2012 02:35 AM

‎03-16-2012 02:35 AM

Re: "Account is disabled - see Account Administrator" "message in a trusted system

You are right about means of value "-1". 

Further analysis show me a problem with a specific windows application that was trying to connect to server with user root :-(. After 99 attempt user root was disabled.

 

thank you for your reply.

 

AdrianoC.

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.