Operating System - HP-UX

Re: Account/password problem on J2240 and J6000 series workstations.

 
Mark Stewart
Frequent Advisor

Account/password problem on J2240 and J6000 series workstations.

Running 11.x on both systems. The security settings we were forced to implement last year are apparently causing the root (and some user) accounts to be locked. The message when you try to log in is:

"Account locked in the commercial security database."

I could simply reactivate normal user accounts, but the root is locked on a couple of the machines as well. In addition, the secure flag is set to on, so I can't just go to single user mode either. Any way to fix this for root?
Sridhar Bhaskarla
Honored Contributor

Re: Account/password problem on J2240 and J6000 series workstations.

Hi,

By default, if you enabled trustedness on the system, the number of unsuccessful attempts would be set to 3, which in most cases is too few. So you will often find the accounts being disabled. You can increase this number.

modprpw -m umaxlntr=10 root

About single user mode, you can disable it by running the command

modprpw -m bootpw=NO root

modprdef will change the system-wide parameters, which means all the users will inherit these values if they were not customized.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Steven E. Protter
Exalted Contributor

Re: Account/password problem on J2240 and J6000 series workstations.

This is not a standard message from trusted systems.

When my root account gets locked the message is Account disabled

Nothing more.

I suspect the presence of third party software or scripting that you have not told us about yet.

You can, if you have root access, null out the root password.

Assuming the system is trusted, this is done like this:
vi /tcb/files/auth/r/root
erase the data between the = and : on the u_pwd line.

Now root has no password.

Very quickly run the passwd command as root.

You also might have an unauthorized login attempt as root, such as a hacker, external or internal. I'm attaching a script that checks that.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Mark Stewart
Frequent Advisor

Re: Account/password problem on J2240 and J6000 series workstations.

There is no third party script or anything that I am aware of. If I try to rlogin into the machine as root from another machine, I do get the Account Disabled - See Administrator (which I find terribly ironic) message.

It has always been the case that accounts would display this message when locked, when trying to login via the CDE. It just magically happened with the password expirations on multiple machines over the weekend for root, which I've never had happen before. I caught the rest and preventatively changed their passwords so I wasn't totally shut out.

And yes, all machines are trusted systems. I will try your suggestions and see what happens. My normal login has root privileges, but can't modify user accounts (that I know of) like root can - especially root's password. It seems like your trick just uses this privilege to get to see/edit the password file. Correct?
Sridhar Bhaskarla
Honored Contributor

Re: Account/password problem on J2240 and J6000 series workstations.

Hi,

No. These parameters are not specified in the /etc/passwd file. There is a separate trusted database under the tree of /tcb. You can find each account in the directory structure /tcb/files/auth//login

But I suggest you don't trick it by editing these files. modprpw/modprdef are for this purpose.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Mark Stewart
Frequent Advisor

Re: Account/password problem on J2240 and J6000 series workstations.

Well, the problem was that I don't think that anyone TRIED logging in before they were locked. It just locked it when they expired, so I don't know what getting more attempts gives me.
Mark Stewart
Frequent Advisor

Re: Account/password problem on J2240 and J6000 series workstations.

Anyone have any other ideas on this? Still having this problem.
Floyd Curtis
Frequent Advisor

Re: Account/password problem on J2240 and J6000 series workstations.

See if you can login at the system console.
It may say account locked but login possible in no windows mode ... it should let you in
then try:

#modprpw -k root
#passwd root

good luck
fwc
Mark Stewart
Frequent Advisor

Re: Account/password problem on J2240 and J6000 series workstations.

I ended up having to take the machine apart, boot to the boot menu system and turn secure mode off. I then reconnected the hard drives, booted to single user mode and changed the password (since it had expired). Then I rebooted back to the normal CDE login screen and opted to login on the command line. When you do this as root, it will actually let you login despite the account being disabled. I then went into sam and reactivated all accounts. For posterity, I temporarily disabled password aging until I could figure out what the proper settings should be.

Thanks for your help everyone though..
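
Added example, not part of the thread or of HP-UX itself: a shell sketch that reads the text of a trusted-system account entry and reports whether the lock comes from failed logins, from an expired password lifetime, or from an administrator lock, with per-user values overriding the system defaults. The field names (u_maxtries, u_numunsuclog, u_life, u_succhg, u_lock) and the comparison rules are assumptions based on the prpwd(4) entry format; the sample entries are constructed.

```shell
#!/bin/sh
# Added example: explain why a trusted-system account is locked, from entry text.
# Field meanings are assumptions (prpwd(4) format); all sample data is constructed.

# Split an entry into one field per line (drop continuation backslashes, whitespace).
prpw_fields() { printf '%s' "$1" | tr -d '\\\n\t ' | tr ':' '\n'; }

# Print the value of numeric field $2 (stored as name#value), or nothing if absent.
prpw_num() { prpw_fields "$1" | sed -n "s/^$2#//p" | head -n 1; }

# Numeric field $3 from the user entry $1, falling back to the default entry $2.
prpw_eff() {
  v=$(prpw_num "$1" "$3")
  [ -n "$v" ] || v=$(prpw_num "$2" "$3")
  printf '%s' "${v:-0}"
}

# $1 = user entry, $2 = system default entry, $3 = current time (epoch seconds)
lock_reasons() {
  out=""
  max=$(prpw_eff "$1" "$2" u_maxtries)
  life=$(prpw_eff "$1" "$2" u_life)
  tries=$(prpw_eff "$1" "" u_numunsuclog)
  chg=$(prpw_eff "$1" "" u_succhg)
  # Assumed rule: 0 means "no limit"; reaching the limit locks the account.
  [ "$max" -gt 0 ] && [ "$tries" -ge "$max" ] && out="$out attempts"
  [ "$life" -gt 0 ] && [ $((chg + life)) -lt "$3" ] && out="$out lifetime"
  # A bare boolean name means true; name@ means false.
  prpw_fields "$1" | grep -qx 'u_lock' && out="$out adminlock"
  echo "${out:- none}" | sed 's/^ //'
}

# Constructed sample entries (not taken from any real system).
DEFAULT_ENTRY='default:d_name=default:\
    :u_maxtries#3:u_life#16934400:u_lock@:chkent:'
ROOT_ENTRY='root:u_name=root:u_id#0:\
    :u_succhg#1000000000:u_numunsuclog#0:u_lock@:chkent:'
USER_ENTRY='jdoe:u_name=jdoe:u_id#201:\
    :u_succhg#1016000000:u_numunsuclog#3:u_lock@:chkent:'
NOW=1017000000

# root: password lifetime has passed and nobody tried to log in.
lock_reasons "$ROOT_ENTRY" "$DEFAULT_ENTRY" "$NOW"
# jdoe: three failed logins against the inherited limit of 3.
lock_reasons "$USER_ENTRY" "$DEFAULT_ENTRY" "$NOW"
```

A "lifetime" result with zero failed attempts points at password aging rather than a login attack, which is the distinction the replies above were trying to draw.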