Operating System - HP-UX

Converted to trusted mode - problems

 
Kim Kendall
Regular Advisor

I converted an 11i system to trusted mode & set the policies.

Later I couldn't log in, either as root or my personal account. Tried logging in as root at the console, but it acted like the accounts were locked.

Booted to single user, reset root's password, then brought the system back up... still locked.

Back to single user, and tried to vi a file...it said it couldn't because /var/tmp didn't exist. Looked under /var and there was nothing there. Tried to run SAM, but couldn't because /var/sam wasn't there either.

Recreated these subdirectories. vi worked. Ran SAM again to unconvert the system. It complained some more, but when I went out of SAM and back in, it wasn't in trusted mode anymore... and everything under /var was back!

Very unusual behavior!
hpuxrox
Respected Contributor

Re: Converted to trusted mode - problems

If the root account is locked out, you can connect to the system console and gain access. From there you can then unlock any of the accounts that are locked out, including root.

If there is still an issue, you can try to convert back.

Hope you have a recent ignite image.

good luck..
Steven E. Protter
Exalted Contributor

Re: Converted to trusted mode - problems

I think there may be a conflict in your policy setup. Need to know more, but perhaps go back to defaults.

If you null out the password line in /tcb/files/auth/r/root, you can temporarily have no password on the account so you can get on and resolve your issues.

Tell me about the policies you set. More detail means better chance of resolution.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Kim Kendall
Regular Advisor

Re: Converted to trusted mode - problems

I did convert back to untrusted and everything looks like it is back to normal. I just can't figure out why I couldn't even log in at the console, or why /var was empty!
hpuxrox
Respected Contributor

Re: Converted to trusted mode - problems

When you booted into single user did you mount your file systems?

Whenever I go single user I use:

mount -a
. /etc/profile
etc..
etc..
Patrick Wallek
Honored Contributor

Re: Converted to trusted mode - problems

First, when you convert to trusted mode it AUTOMATICALLY expires ALL passwords. You MUST do a '/usr/lbin/modprpw -V' to reactivate them.

Second, when you go into single-user mode NONE of your filesystems are mounted. That is perfectly normal. If you want to use things like vi and sam, then you should do a 'mount -a'. If you have other VGs/LVs in /etc/fstab, it will complain, but all of your VG00 stuff will get mounted.

You can also use the '/usr/lbin/tsconvert' command to trust / untrust your system.

Uday_S_Ankolekar
Honored Contributor

Re: Converted to trusted mode - problems

Also check whether the /etc/nsswitch.conf file has compat in front of the passwd and group entries. If yes, then change it to files.

passwd: compat
group: compat

Replace with

passwd: files
group: files

Good luck,
-USA..
Good Luck..
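
The nsswitch.conf check suggested in the reply above, as an added example that is not part of the thread: it lists passwd and group entries that use compat and prints a corrected copy without touching the original file. The function names and the sample contents are constructed for illustration; on a real system the argument would be /etc/nsswitch.conf.

```shell
# Added example (not from the thread): audit an nsswitch.conf-style file for
# passwd/group entries that use "compat". Function names are hypothetical.

# Print "LINENO: line" for each passwd/group entry that lists compat.
# Status: 0 = none found, 1 = found, 2 = file unreadable.
nss_find_compat() {
    [ -r "$1" ] || return 2
    awk '
        { line = $0; sub(/#.*/, "", line) }          # ignore comments
        line ~ /^[ \t]*(passwd|group)[ \t]*:/ {
            n = split(line, tok, /[ \t:]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == "compat") { print NR ": " $0; found = 1; break }
        }
        END { exit found + 0 }
    ' "$1"
}

# Print a corrected copy (compat -> files on passwd/group lines only).
# The input file is never modified; review the output before installing it.
nss_preview_fix() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*(passwd|group)[ \t]*:/ {
            hash = index($0, "#")
            body = hash ? substr($0, 1, hash - 1) : $0
            tail = hash ? substr($0, hash) : ""
            sub(/:[ \t]*/, ": ", body); body = body " "   # space-delimit every source
            gsub(/[ \t]compat[ \t]/, " files ", body)
            sub(/[ \t]+$/, "", body)
            print body (tail == "" ? "" : " " tail); next
        }
        { print }
    ' "$1"
}

# Constructed sample input, not taken from any real system.
nss_sample() {
    printf '%s\n' '# constructed sample' 'passwd: compat' \
        'group:compat   # legacy' '#passwd: compat' 'hosts: files dns'
}

demo=$(mktemp) && nss_sample > "$demo"
nss_find_compat "$demo" || echo "compat found; corrected copy follows:"
nss_preview_fix "$demo"
rm -f "$demo"
```
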
Kim Kendall
Regular Advisor

Re: Converted to trusted mode - problems

DOH!!! I pulled a Homer. Thx Patrick & Yates, I totally blew that part off! (mount -a)

I'll give it another shot and use :
/usr/lbin/modprpw -V

...BEFORE I log out this time!

Thx
Bill Hassell
Honored Contributor

Re: Converted to trusted mode - problems

And MOST IMPORTANT: a non-Trusted system ignores characters beyond 8 for a password. This is a big problem because when you trust the system, the old passwords are converted as 8-char maximum length and if you type more than 8 characters (which works on non-Trusted because the extras are ignored), the Trusted system will not authenticate the longer password. You can change the old password to a longer one but you must always type in 8 or less characters on a Trusted system to use the current passwords. You can then set a new password that is longer than 8.

The man pages for modprpw (and getprpw) are available in 11.11 and you'll find some very useful commands to fixup user accounts without having to use SAM. See the options for -e -E -k -v and for specific security settings, the -m option.


Bill Hassell, sysadmin