topic Re: Account is disabled - see Account Administrator in Operating System - HP-UX

Account is disabled - see Account Administrator

Nabil Boussetta — Tue, 19 Apr 2005 06:14:05 GMT

i try to telnet a hp-ux machine by the root user i get the following error:
Account is disabled - see Account Administrator.

connection with other users is good. what should be the problem?

Re: Account is disabled - see Account Administrator

Peter Godron — Tue, 19 Apr 2005 06:18:41 GMT

Nabil,
I would suspect either too many attempts were made to log on as root or the account was disabled due to a policy violation (password age etc.)
If you can not su from another user, you'll have to log on via the console and enable the account.
Also (0 points to 17 answers ):
http://forums1.itrc.hp.com/service/forums/helptips.do?#34
Regards

Re: Account is disabled - see Account Administrator

Jeff Schussele — Tue, 19 Apr 2005 06:18:53 GMT

Hi Nabil,

The problem is that your trusted system has disabled the root account due to one of the "rukes" being broken - such as:

Too many unsuccessful tries
Too long inactivity
etc.

Your only recourse is to log in as root from the *console* because even when root account is disabled console access will still be allowed.
Once in then run

/usr/lbin/modprpw -l -k root

HTH,
Jeff

Re: Account is disabled - see Account Administrator

Nabil Boussetta — Tue, 19 Apr 2005 06:25:03 GMT

console login is also disabled

Re: Account is disabled - see Account Administrator

Jeff Schussele — Tue, 19 Apr 2005 06:28:38 GMT

Well - it shouldn't be - but if it is then the only other thing you can do is reboot into single-user mode, mount the filesystems - at least /usr & run the command I gave you earlier.

Rgds,
Jeff

Re: Account is disabled - see Account Administrator

Devender Khatana — Tue, 19 Apr 2005 06:34:34 GMT

Hi,

Try if "su -" is working from any normal user. If not then you need to try some root equivalent user if you have created one. Check /etc/password through vipw and see if user_ID is set to Zero for some other user except root. Having login as that user you can change root password.
Another option is if your system in configurd for rlogin as root from some other system in your network. Having rlogin to this also you can change password.

If none of the above help then you will have to reboot system in single user mode. At PDC give "hpux -is" and system will come to a prompt without password. Here you can change root password and can then reboot.

HTH,
Devender

Re: Account is disabled - see Account Administrator

Rick Garland — Tue, 19 Apr 2005 08:50:15 GMT

setup a simple sodoers so that only the SAs have root access via sudo if this situation happens again.

prevents having to go to the console as well.

Re: Account is disabled - see Account Administrator

Joe Harrison_1 — Tue, 19 Apr 2005 09:23:19 GMT

Lock down root access and give SA the ability to unlock accounts (including root).

1) create unlock script (/usr/local/bin/unlock)

#!/bin/sh

quitnice()
{
# This function exits with a message, and confirmation.
echo $MSG
echo Command completed successfully
echo "Press Enter to continue --> " ; read
exit 0
}
viewlock()
{
LOCKED=`/usr/lbin/getprpw -m alock,lockout $STRING|grep -e YES -e 1`
}

# Read argument or get input:
if [ -z "$1" ] ; then
echo "Please enter a username to unlock --> " ; read STRING
else STRING=$1
fi

# Parse argument:
if [ -z "$STRING" ] ; then
MSG="Invalid argument" && quitnice
else viewlock
fi

# Unlock!
if [ -z "$LOCKED" ] ; then
MSG="Account was not locked" && quitnice
else /usr/lbin/modprpw -m alock=NO $STRING
/usr/lbin/modprpw -k $STRING
fi

# Check results
viewlock
if [ -z "$LOCKED" ] ; then
MSG="Account was unlocked successfully" && quitnice
else
MSG="Account could not be unlocked" && quitnice
fi

exit 0

# --------------------------

2) edit sudoers

$ visudo

Cmnd_Alias SYSADMIN = /bin/su -d - root, \
/usr/local/bin/unlock

%sysadmin ALL= NOPASSWD: SYSADMIN

# NOTE: replace 'sysadmin' with appropriate SA group name

3) change permissions on su (BE CAREFUL!!)

$ chown root:bin /bin/su
$ chown root:bin /usr/bin/su
$ chmod 4550 /bin/su
$ chmod 4550 /usr/bin/su

To log in as root:

$ sudo /bin/su -d - root

To unlock account:

$ sudo /usr/local/bin/unlock