Jonathan Caplette_1
Super Advisor

can't change an expired password account

Hi guys,

I've got an HP-UX 11.11 box that is Trusted. I'm experiencing something weird today.

When a user whose password has expired tries to log in, he is prompted for his Old password, then the system says Sorry. and asks again for the Password:

Your password has expired.
Changing password for jcaplett
Old password:
Sorry.

Password:
Changing password for jcaplett
Old password:
Sorry.

Password:


It just doesn't stop looping and asking for Old password... I tried this with my account, and I'm positively sure that I type my password correctly. The account is not disabled, nor locked...

Any idea on what can cause that?

Regards
Jonathan
A. Clay Stephenson
Acclaimed Contributor

Re: can't change an expired password account

Execute "/usr/lbin/getprpw -m lockout user" and note the position of each '1' in this 7-character string. Next do a man getprpw and pay attention to the "lockout" section. That will identify exactly which condition is triggering your lockout. I suspect that all passwords have been expired. You can clear this condition by executing "/usr/lbin/modprpw -k user". Note: If all accounts have been expired, you will need to bring the box up in single-user and then mount /usr to fix this.
If it ain't broke, I can fix that.
A. Clay Stephenson
Acclaimed Contributor

Re: can't change an expired password account

By the way, you can also execute /sbin/passwd as it doesn't do the checking that /usr/bin/passwd does.
If it ain't broke, I can fix that.
Jonathan Caplette_1
Super Advisor

Re: can't change an expired password account

The problem is that the accounts aren't locked...

# /usr/lbin/getprpw -m lockout jcaplett
lockout=0000000
A. Clay Stephenson
Acclaimed Contributor

Re: can't change an expired password account

Ok, do this:

/usr/lbin/getprpw user

and then cat /tcb/files/auth/system/default.

You may have a system-wide default that is killing you.
If it ain't broke, I can fix that.
Jonathan Caplette_1
Super Advisor

Re: can't change an expired password account

Here it is...

# /usr/lbin/getprpw jcaplett
uid=109, bootpw=NO, audid=21, audflg=1, mintm=2, maxpwln=-1, exptm=45, lftm=90, spwchg=Wed Dec 31 19:00:00 1969, upwchg=Mon Nov 19 10:47:26 2007, acctexp=-1, llog=90, expwarn=14, usrpick=DFT, syspnpw=NO, rstrpw=YES, nullpw=DFT, admnum=-1, syschpw=NO, sysltpw=DFT, timeod=-1, slogint=Mon Nov 19 10:46:51 2007, ulogint=Mon Nov 19 10:47:26 2007, sloginy=console, culogin=-1, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0000000

# cat /tcb/files/auth/system/default
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#15:u_exp#0:u_life#0:\
:u_llogin#0:u_pw_expire_warning#0:u_pswduser=root:u_pickpw:\
:u_genpwd@:u_restrict@:u_nullpw@:u_genchars@:\
:u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#3:\
:u_lock:\
:t_logdelay#2:t_maxtries#3:t_login_timeout#60:\
:chkent:
A. Clay Stephenson
Acclaimed Contributor

Re: can't change an expired password account

Note this entry:

spwchg=Wed Dec 31 19:00:00 1969

When adjusted for your timezone that is 1-Jan-1970 00:00:00 UTC (the zero epoch second) and it means change the password at the first login. In effect, passwd -f has been run on all users. There is no facility in modprpw to set the spwchg field (time of last successful password change) although the putprpwnam() function can be used to set it or you could write some Perl, sed, or awk to edit the /tcb entry for each user to substitute a more recent password change timestamp.
If it ain't broke, I can fix that.
Jonathan Caplette_1
Super Advisor

Re: can't change an expired password account

OK I see...

Does this happen only to users that have their password expired?

And will this happen at every time change that we have? The last time change was done on November 4th 2007..

Jonathan
A. Clay Stephenson
Acclaimed Contributor

Re: can't change an expired password account

No, time changes have nothing to do with this. The /tcb database stores all times in epoch seconds which are timezone insensitive. I suspect this happened as a side-effect of converting your system to Trusted or you ran a script which did a passwd -f for all users.
If it ain't broke, I can fix that.
Jonathan Caplette_1
Super Advisor

Re: can't change an expired password account

Unfortunately I'm not a Perl expert... Any way I can change that value without using perl?
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: can't change an expired password account

Notice I gave you a C/C++, Perl, sed, or awk option so I can probably surmise that you aren't an expert in any of those as well.

The attached, UNTESTED shell script should work. The step that copies the temporary file back to the tcb file is intentionally commented out. Uncomment it after you are satisfied.

Before doing anything else be logged in as root in at least two sessions so that you can get yourself out of trouble almost as fast as you got yourself in.

Next:
cd /
find ./tcb -print | cpio -ocv > /aaa/bbb/tcb.cpio # a backup of the tcb database

To run the script, simply "fixit.sh". It will look for all UID's >= 101 and then edit each tcb file saving it to a temporary file. When uncommented the temporary file is copied to the original for each user with a current timestamp.

If it ain't broke, I can fix that.
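The script attached to the answer above is not preserved on this page. The following is an added example of the edit it describes, not the original fixit.sh: it rewrites the last-successful-change field of one entry into a temporary file and leaves the copy-back disabled. The field names `u_id` and `u_succhg`, the sample entry, and the epoch value are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not the script attached to the thread.
# ASSUMPTION: the per-user entry stores the UID as u_id and the time of the
# last successful password change as u_succhg; neither name is on this page.
MIN_UID=101   # the thread's script only touches UIDs >= 101

# Print the numeric value of field $2 from entry file $1 (":name#number:").
tcb_num_field() {
    awk -v f="$2" '{ n = split($0, a, ":")
        for (i = 1; i <= n; i++) if (index(a[i], f "#") == 1) {
            print substr(a[i], length(f) + 2); exit } }' "$1"
}

# True when UID >= MIN_UID and the last successful change is epoch 0, which
# getprpw displayed above as "spwchg=Wed Dec 31 19:00:00 1969".
needs_fix() {
    uid=$(tcb_num_field "$1" u_id)
    chg=$(tcb_num_field "$1" u_succhg)
    [ -n "$uid" ] && [ "$uid" -ge "$MIN_UID" ] && [ "$chg" = "0" ]
}

# Write a copy of entry $1 with u_succhg set to epoch $2 into file $3.
rewrite_succhg() {
    case "$2" in ''|*[!0-9]*) echo "bad epoch: $2" >&2; return 1 ;; esac
    sed "s/:u_succhg#[0-9][0-9]*:/:u_succhg#$2:/" "$1" > "$3"
}

demo() {
    work=${TMPDIR:-/tmp}/tcbdemo.$$
    ( umask 077; mkdir "$work" ) || return 1
    # Constructed sample entry in the same layout as the default file above.
    cat > "$work/jcaplett" <<'EOF'
jcaplett:u_name=jcaplett:u_id#109:\
:u_pwd=CONSTRUCTED:\
:u_succhg#0:u_suclog#1195487246:u_lock@:\
:chkent:
EOF
    if needs_fix "$work/jcaplett"; then
        # 1195487246 is a constructed, fixed epoch value for the demo.
        rewrite_succhg "$work/jcaplett" 1195487246 "$work/jcaplett.new"
        diff "$work/jcaplett" "$work/jcaplett.new" || true
        # cp "$work/jcaplett.new" "$work/jcaplett"   # copy-back left disabled
    fi
    rm -rf "$work"
}
demo
```

Compare the field names against a real entry under /tcb/files/auth before pointing this at live files, and take the cpio backup from the answer first.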
Jonathan Caplette_1
Super Advisor

Re: can't change an expired password account

Thanks, it works fine...

I now have to look into why that date has been changed...

regards
Jonathan

now closing this thread
Jonathan Caplette_1
Super Advisor

Re: can't change an expired password account

closed
F Verschuren
Esteemed Contributor

Re: can't change an expired password account

changing spwchg can be done by:
/usr/lbin/modprpw -v [username]