Operating System - HP-UX

Account is disabled - see Account Administrator

 
Nabil Boussetta
Frequent Advisor

Account is disabled - see Account Administrator

I try to telnet to an HP-UX machine as the root user and I get the following error:
Account is disabled - see Account Administrator.

Connection with other users is good. What should be the problem?

7 REPLIES
Peter Godron
Honored Contributor

Re: Account is disabled - see Account Administrator

Nabil,
I would suspect either too many attempts were made to log on as root or the account was disabled due to a policy violation (password age, etc.).
If you can not su from another user, you'll have to log on via the console and enable the account.
Also (0 points to 17 answers ):
http://forums1.itrc.hp.com/service/forums/helptips.do?#34
Regards
Jeff Schussele
Honored Contributor

Re: Account is disabled - see Account Administrator

Hi Nabil,

The problem is that your trusted system has disabled the root account due to one of the "rules" being broken - such as:

Too many unsuccessful tries
Too long inactivity
etc.

Your only recourse is to log in as root from the *console* because even when root account is disabled console access will still be allowed.
Once in then run

/usr/lbin/modprpw -l -k root

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Nabil Boussetta
Frequent Advisor

Re: Account is disabled - see Account Administrator

Console login is also disabled.
Jeff Schussele
Honored Contributor

Re: Account is disabled - see Account Administrator

Well - it shouldn't be - but if it is then the only other thing you can do is reboot into single-user mode, mount the filesystems - at least /usr & run the command I gave you earlier.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Devender Khatana
Honored Contributor

Re: Account is disabled - see Account Administrator

Hi,

Try if "su -" is working from any normal user. If not, then you need to try some root-equivalent user if you have created one. Check /etc/password through vipw and see if user_ID is set to zero for some other user except root. Having logged in as that user, you can change the root password.
Another option is if your system is configured for rlogin as root from some other system in your network. Having rlogin'd to this system, you can also change the password.

If none of the above help then you will have to reboot system in single user mode. At PDC give "hpux -is" and system will come to a prompt without password. Here you can change root password and can then reboot.

HTH,
Devender
Impossible itself mentions "I m possible"
Rick Garland
Honored Contributor

Re: Account is disabled - see Account Administrator

Set up a simple sudoers so that only the SAs have root access via sudo if this situation happens again.

Prevents having to go to the console as well.
Joe Harrison_1
Advisor

Re: Account is disabled - see Account Administrator

Lock down root access and give SA the ability to unlock accounts (including root).

1) create unlock script (/usr/local/bin/unlock)

#!/bin/sh

quitnice()
{
    # This function exits with a message and waits for confirmation.
    echo "$MSG"
    echo "Command completed successfully"
    echo "Press Enter to continue --> " ; read DUMMY
    exit 0
}
viewlock()
{
    # LOCKED is non-empty when alock=YES or any lockout bit is set to 1.
    LOCKED=`/usr/lbin/getprpw -m alock,lockout "$STRING" | grep -e YES -e 1`
}

# Read argument or get input:
if [ -z "$1" ] ; then
    echo "Please enter a username to unlock --> " ; read STRING
else
    STRING=$1
fi

# Parse argument:
if [ -z "$STRING" ] ; then
    MSG="Invalid argument" && quitnice
else
    viewlock
fi

# Unlock! (the username is quoted so it is always passed as a single argument)
if [ -z "$LOCKED" ] ; then
    MSG="Account was not locked" && quitnice
else
    /usr/lbin/modprpw -m alock=NO "$STRING"
    /usr/lbin/modprpw -k "$STRING"
fi

# Check results
viewlock
if [ -z "$LOCKED" ] ; then
    MSG="Account was unlocked successfully" && quitnice
else
    MSG="Account could not be unlocked" && quitnice
fi

exit 0

# --------------------------

2) edit sudoers

$ visudo

Cmnd_Alias SYSADMIN = /bin/su -d - root, \
/usr/local/bin/unlock

%sysadmin ALL= NOPASSWD: SYSADMIN

# NOTE: replace 'sysadmin' with appropriate SA group name

3) change permissions on su (BE CAREFUL!!)

$ chown root:bin /bin/su
$ chown root:bin /usr/bin/su
$ chmod 4550 /bin/su
$ chmod 4550 /usr/bin/su



To log in as root:

$ sudo /bin/su -d - root


To unlock account:

$ sudo /usr/local/bin/unlock
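
Added example (not part of the thread, and not any poster's code): before clearing a lock, decode the lockout= bit string that getprpw reports to see which rule disabled the account, and validate the username before it reaches a privileged command. The function names valid_user and lockout_reasons are hypothetical, the bit positions follow the getprpw(1M) manual page, and the sample inputs used to exercise it are constructed.

```sh
#!/bin/sh
# Added example: explain WHY a trusted-system account is disabled.
# On HP-UX the input would come from (assumed invocation):
#   lockout_reasons "$(/usr/lbin/getprpw -m lockout "$user")"

# Accept only plain account names, so a value such as "-k" or "a b" can never
# reach getprpw/modprpw as an option or as extra arguments under sudo.
valid_user() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# lockout_reasons "<getprpw output containing lockout=NNNNNNN>"
# Prints one reason per set bit.
# Returns 0 if the account is locked, 1 if not, 2 if the input is unparseable.
lockout_reasons() {
    bits=$(printf '%s\n' "$1" | sed -n 's/.*lockout=\([01]\{7\}\).*/\1/p')
    [ -n "$bits" ] || return 2
    locked=1
    pos=1
    # Reasons in bit order, left to right, per getprpw(1M).
    for reason in \
        "password lifetime exceeded" \
        "inactive too long since last login" \
        "account lifetime exceeded" \
        "too many unsuccessful login attempts" \
        "password required but null" \
        "administrator lock" \
        "password field is *"
    do
        if [ "$(printf '%s' "$bits" | cut -c"$pos")" = 1 ]; then
            echo "$reason"
            locked=0
        fi
        pos=$((pos + 1))
    done
    return $locked
}
```

Knowing the reason matters for the fix: a lock from failed logins is cleared by resetting the account, while an expired password or account lifetime will lock it again unless the underlying setting is changed.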