
"/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

 
Stuart Allan
Occasional Contributor

"/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

I used the modprpw -m acctexp=0 to set an account to not expire (along with setting the aging fields to all be zeros) but what I found was that the acctexp=0 sets an expiry value in its field and also locks the account with the "past absolute account lifetime" bit set.

I ran:
/usr/lbin/modprpw -m mintm=0,exptm=0,lftm=0,acctexp=0,llog=0,expwarn=0 testexp

and:
/usr/lbin/getprpw -m mintm,exptm,lftm,acctexp,llog,expwarn,alock,lockout testexp

which returns:
mintm=0, exptm=0, expwarn=0, lftm=0, acctexp=1100578598, llog=0, alock=NO, lockout=0010000

The modprpw man page seems to indicate that this shouldn't be the case; it states:
"acctexp=value database u_acct_expire=(value*86400+now).
Set account expiration time interval (days).
This interval is added to "now" to form the value in the database (database 0 = no expiration)."

We worked around this by editing the /tcb/files/auth/t/testexp entry and setting the u_acct_expire value to 0.

Setting the acctexp to -1 seems to work but the man page states:
"If the value -1 is specified, the numeric value in the database is removed, allowing the system default value to be used."

but I couldn't see what the system default for acctexp is; getprdef doesn't seem to have it as an option.

What is the best method and/or value for setting an account to never expire?

5 REPLIES
Con O'Kelly
Honored Contributor

Re: "/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

Hi Stuart

I think the confusion is with the "acctexp" value. I believe this is only used to set a specific expiry time for the account.

If you want to disable password aging (ie account will never expire) then you only need to use:
/usr/lbin/modprpw -l -m mintm=0,exptm=0,expwarn=0,lftm=0

You can use SAM to test this and see what commands it runs by looking in its logfile (/var/sam/log/samlog).

Cheers
Con
Stuart Allan
Occasional Contributor

Re: "/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

Hi Con,

Thanks; I'm clear on the password expiry options (and use the same command options that you posted) but it's specifically the account expiry option that I'm wanting to confirm how/and what to set it to.
Con O'Kelly
Honored Contributor
Solution

Re: "/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

Hi Stuart

OK my understanding is that acctexp is used explicitly to set a specific expiry time for the account ie you can set the account to expire in "x" number of days using acctexp=
For example to expire in 60 days:
/usr/lbin/modprpw -l -m acctexp=60 .

The value '0' is not valid for acctexp. You can confirm this using SAM. Look in SAM under "General User Account Policies" -> Account Lifetime.

The value -1 means it uses the default which means there is no specific expiry time. ie the account has an infinite expiry time.

So if you want an account never to expire check the value of acctexp. It should be acctexp=-1. If not use:
/usr/lbin/modprpw -l -m acctexp=-1

You can test all of this using sam as it logs all the modprpw commands it uses to /var/sam/log/samlog.

Cheers
Con
Stuart Allan
Occasional Contributor

Re: "/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

Thanks Con.
thrubovc
Advisor

Re: "/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

this ancient thread just saved me, I managed to expire my account on 80 servers by setting acctexp=0, which means expire in 0 days (today). so the correct setting is acctexp=-1. thanx!
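
Added example, not part of the thread and not HP's code: a small POSIX shell check that reads the acctexp and lockout fields from a getprpw output line (format as shown in the first post) and reports whether the account lifetime has already passed, which is the state acctexp=0 produced. The helper name classify_acctexp, the sample users user_a and user_b, and the NOW value are constructed for illustration; treating a printed 0 as "never" follows the man page quote "database 0 = no expiration" and is an assumption about what getprpw prints.

```shell
#!/bin/sh
# Added example: classify the acctexp and lockout fields printed by getprpw.
# classify_acctexp is a hypothetical helper name, not an HP-UX tool.
# $1 = one line of getprpw output, $2 = current time in epoch seconds.
classify_acctexp() (
    set -f                      # no filename expansion while splitting
    IFS=', '                    # fields are "name=value" separated by ", "
    acctexp='' lockout=''
    for pair in $1; do
        case $pair in
            acctexp=*) acctexp=${pair#acctexp=} ;;
            lockout=*) lockout=${pair#lockout=} ;;
        esac
    done
    case $acctexp in
        ''|-|*[!0-9-]*|?*-*) state=unknown ;;   # missing or not an integer
        -1|0)                state=never ;;     # no value set / database 0
        *) if [ "$acctexp" -le "$2" ]; then
               state=expired                    # absolute lifetime is in the past
           else
               state="expires-in-$(( (acctexp - $2) / 86400 ))d"
           fi ;;
    esac
    # Third lockout flag is the "past absolute account lifetime" bit
    # (lockout=0010000 in the thread).
    case $lockout in
        ??1*) state="$state lifetime-lock" ;;
    esac
    echo "$state"
)

# Constructed sample data; the first line is the getprpw output quoted in the thread.
NOW=1100600000
while IFS='|' read -r user line; do
    printf '%s: %s\n' "$user" "$(classify_acctexp "$line" "$NOW")"
done <<'EOF'
testexp|mintm=0, exptm=0, expwarn=0, lftm=0, acctexp=1100578598, llog=0, alock=NO, lockout=0010000
user_a|acctexp=-1, lockout=0000000
user_b|acctexp=1105784000, lockout=0000000
EOF
```

On a live host, pass the function the output of /usr/lbin/getprpw -m acctexp,lockout for each user together with the current epoch time, and review anything reported as expired before and after a bulk modprpw change.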