topic Re: root account disabled - how to enable in Operating System - HP-UX

root account disabled - how to enable

Steve Grantham_1 — Tue, 04 Jan 2005 11:11:49 GMT

All,

My company operates a development shop, and one of our HP-UX 11.11 servers is configured as a trusted system to mirror client configurations. In our testing, the root account has become disabled--when I su or attempt to login, I get a message informing me of that fact.

Complicating this problem is the fact that this server is located across the country from our (my) office, but there is a (non technical) person located there who can follow directions.

How do I resolve this?

Thanks in advance,
Steve Grantham

Re: root account disabled - how to enable

Patrick Wallek — Tue, 04 Jan 2005 11:16:23 GMT

Is there a console attached to the machine? Does it have a web console?

If it has a web console you should be able to login that way and re-enable root.

If there is a direct attached console, then have the person at the location log in from the console and the reactivate root.

To reactivate once logged in do:

/usr/lbin/modprpw -k root

Re: root account disabled - how to enable

Steve Grantham_1 — Tue, 04 Jan 2005 14:40:34 GMT

Some further info on this: I've tried Patrick's solution of having someone at the console login as root and run the
/usr/lbin/modprpw -k root
command, but he isn't able to login. The message is that the account is locked in the commercial security database.

Assuming that we boot into single user and mount /usr read-write, what needs to be changed to allow root's account to be enabled again?

Thanks,
Steve Grantham

Re: root account disabled - how to enable

bhoopathi_1 — Wed, 05 Jan 2005 01:57:37 GMT

Hi Steve

If you are able to log into single user mode, then it won't ask for a root password. Since this is a trusted system, you can either edit the /tcb/auth/files/r/root file and remove the entry against the lock keyword or use sam and enable the account.

Re: root account disabled - how to enable

Chris Vail — Wed, 05 Jan 2005 10:50:56 GMT

Instead of console, have you tried logging in via secure web console, or dumb terminal attached to serial port A? That'd be my first choice.
The last ditch effort to fix this is to boot the system from the CDROM. You can then escape to a shell, and mount the /usr filesystem to a temporary directory. Once there, you can restore the /usr/tcb directory from a backup tape.
Alternatively, you can mount the various and sundry filesystems to the RAM disk and mess with modprpw to fix the root account.

Chris

Re: root account disabled - how to enable

Edward McCouch — Wed, 05 Jan 2005 15:22:30 GMT

If root on a trusted system becomes disabled you can always log in as root from the serial console.

Re: root account disabled - how to enable

Bill Hassell — Wed, 05 Jan 2005 22:10:10 GMT

Are you sure that the remote user is using the "REAL" system console, and not a telnet or Xwindow connection from a PC in the office? This can be any type of terminal (including a Windows-based emulator) connected to the serial console port in the computer room. The disabled status is overridden by the fact that the user has access to the console. For a standard HP server, the terminal would be a 700/92 or 700/96. If the user is on the real console, typing CTRL-B will bring up a CM> prompt which comes from the processor ROMs. There are a couple of exceptions for CTRL-B...what model HP server do you hve?

Very important: you don't want to go into single user mode unless the user is on the real console--you'll lose control of the system.

Re: root account disabled - how to enable

Thomas Lee_1 — Thu, 06 Jan 2005 01:41:36 GMT

Steve,

In extreme case,
use /usr/lbin/tsconvert -r to revert from
trusted system, so you can change password in single user mode.

Thomas

Re: root account disabled - how to enable

Steve Grantham_1 — Thu, 06 Jan 2005 08:51:29 GMT

To all who've responded,

Thanks very much for your input so far. The remote user swears he is sitting at "the system console" when he tries to log in. No way I can check that, since he's 3000 miles away, but he's a savvy developer and undoubtedly knows what console I'm referring to.

The 'server' is a j5000 running hp-ux 11.11. My understanding of hp web console is that it has to have been installed and configured prior to losing the root account, which--alas--wasn't the case.

We've scheduled time today to boot into single-user and I'll walk him through either a manual fix on /tcb/auth/files/r/root or by using sam to unlock the account. I'll post the results of this endeavor later today.

Thanks again for your help,
Steve

Re: root account disabled - how to enable

Patrick Wallek — Thu, 06 Jan 2005 09:08:04 GMT

OK, since a J5000 is technically a workstation, that may make a bit of a difference.

If the default is to log into CDE, then that might be part of the problem.

At the main CDE login panel, from the SESSIONS (I think) button choose "Command Line login" and then try logging in again as root.

Re: root account disabled - how to enable

Chris Vail — Thu, 06 Jan 2005 09:47:47 GMT

Even though a J5000 is a workstation, the serial console is still the best place to login. Try to hook some sort of serial terminal to that port. It doesn't have to be a dumb terminal, but could be a PC running hyperterm. You'll need a PC, the appropriate cables (the HP box has 9 pin connectors, your PC could have either 9 pin, 25 pin, or both) and a null modem. The null modems are widely available at any number of computer cable suppliers. Set the communication parameters for 9600 baud, 8 bits, 1 stop bit, no parity. Choose either ttyA or ttyB (whichever you have the cable on) and vt100 emulation. You should get a login prompt.

The secure web console DOES NOT have to be configured prior to losing root. Configuring one means that you need a ethernet crossover cable connected to it, and another system running a web browser. The SWC is, for all intents and purposes, a serial console running inside a browser. If you can get this up and running, then you can do everything as though you're sitting in front of the console.

Chris

Re: root account disabled - how to enable

Bill Hassell — Tue, 05 Sep 2023 09:27:29 GMT

Aha, it's not a server, it is an Xwindow workstation...very different animal. The "console" is actually a video card and display, not a "real" terminal at all. The J5000 doesn't have the independent Guardian Service Processor (a separate computer that talks directly to the hardware like a server). In this case, the workstation would indeed lockout root and there is no easy provision for recovering. Here are some choices:

1. As mentioned, hook a real terminal to the serial port on the J5000. Be sure to use a crossover (aka, printer or null-modem) cable and make sure you can send data to the terminal. Then reboot, interrupt the boot process and change the console from the video card to the serial port. That will then be useable to recover from a root lockout.

2. reboot into single user mode. Not a good choice for a true server but it will work to recover root's account. You just mount /usr and then use the modprpw -k command, then reboot.

3. Install sudo so specific users can run specific commands as root. Since sudo doesn't login, it can be used to run modprpw -k and fix root's account without a reboot--probably the simplest solution. Get a copy from HP at the Software Depot. It's part of the Internet Express collection (this is a recent and very welcom addition). Internet Express is found at:

https://support.hpe.com/connect/s/product?language=en_US&kmpmoid=3367813&tab=manualsAndGuides

[Moderator edit: Updated the broken link.]