
HPUX - root account lock

 
walter crasto_1
Frequent Advisor

HPUX - root account lock

Hi,
I am not able to log in as root on my HPUX 11i server; it is giving me the error that the root account is disabled, please contact the system administrator.

I have tried booting in single user mode & modified the /etc/passwd file & now my root entry in the /etc/passwd file looks like this:
root::0:3::/:/sbin/sh

But I am still facing the same problem. Please suggest a solution.

Regards
Varian
Elmar P. Kolkman
Honored Contributor

Re: HPUX - root account lock

Have you tried su to get to the account?
Is your system converted to a trusted system by any chance? In that case you need to look for /tcb/auth/r/root I think for the password of root.

If su works, you could reset the root account using SAM...
Every problem has at least one solution. Only some solutions are harder to find.
T G Manikandan
Honored Contributor

Re: HPUX - root account lock

If your system is trusted:

Log in to single user mode

Untrust the system

Remove the encrypted entry from the /etc/passwd file as before.

Trust the system again.

Thanks
walter crasto_1
Frequent Advisor

Re: HPUX - root account lock

Hi,

I am not able to su.
Regarding the trusted system: I can see the /tcb/files/auth/r/root file but don't know how to verify whether my system is trusted or not.
Also let me know what type of entry I need to check in /tcb/files/auth/r/root for the trusted system.

Thanks in advance,

Varian
T G Manikandan
Honored Contributor

Re: HPUX - root account lock

/tcb/files/auth/r/root

Having this, I think the system is trusted.

You can also do a

#getprpw

If it is not trusted you get a message saying not trusted.

G. Vrijhoeven
Honored Contributor

Re: HPUX - root account lock

Varian,

Strange, the file looks ok.

Are the rights on the passwd file ok?
Do you have a trusted system? /etc/tcb
Do you have a file called /etc/securetty?
Did you try making a second root account (id 0)?

Gideon
Elmar P. Kolkman
Honored Contributor

Re: HPUX - root account lock

If you have another system which is trusted too, you might try to replace /tcb/file/auth/r/root on your problem-server with the file from the working machine... But you will have to do this in single user mode. So copy the file to a place you can access when only / and /stand are mounted, reboot the machine in single user mode and copy it to the right place, since you need root access to change files in /tcb/files/...

Or run the first solution from T G Manikandan.

BTW: if you have /tcb/...., your system is converted to trusted and passwords in /etc/passwd will be ignored. That's why your change to /etc/passwd didn't work.
Every problem has at least one solution. Only some solutions are harder to find.
walter crasto_1
Frequent Advisor

Re: HPUX - root account lock

Hi,

Can anybody let us know how to untrust the system? I can boot the machine in single user mode.

Thanks & Regards

Varian
Elmar P. Kolkman
Honored Contributor

Re: HPUX - root account lock

First check the tcb file for root. If it contains a field with u_lock, remove it and you should be able to login as root again.

Every problem has at least one solution. Only some solutions are harder to find.
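A read-only way to make the u_lock check described in the reply above, as an added example that is not part of the original thread. It assumes the entry uses the colon-separated, backslash-continued layout with `u_lock` as a boolean field and `u_lock@` as its cleared form; the function names, the alternate root parameter and the sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a protected password entry without editing it.
# The optional root argument (hypothetical) lets the check run on a copy.

# Succeeds if the protected password database directory exists.
is_trusted() {
    [ -d "${1:-/tcb}/files/auth" ]
}

# Print the entry path: <root>/files/auth/<first letter of user>/<user>
entry_path() {
    user=$1; root=${2:-/tcb}
    first=$(printf '%s' "$user" | cut -c1)
    printf '%s/files/auth/%s/%s\n' "$root" "$first" "$user"
}

# Print "locked", "unlocked" or "missing" for the entry file given.
# Continuation backslashes, newlines and tabs are dropped, then each
# colon-separated field is matched exactly so "u_lock" is not confused
# with longer field names. Treating "u_lock@" as cleared is an assumption.
lock_state() {
    [ -r "$1" ] || { echo missing; return; }
    tr -d '\\\n\t' < "$1" | tr ':' '\n' | awk '
        { gsub(/^ +| +$/, "") }
        $0 == "u_lock"  { s = "locked" }
        $0 == "u_lock@" { s = "unlocked" }
        END { print (s == "" ? "unlocked" : s) }'
}

# Constructed sample entry (not from a real system), checked in a temp dir.
demo() {
    d=$(mktemp -d); mkdir -p "$d/files/auth/r"
    printf 'root:u_name=root:u_id#0:\\\n\t:u_pwd=*:u_lock:chkent:\n' \
        > "$d/files/auth/r/root"
    is_trusted "$d" && lock_state "$(entry_path root "$d")"
    rm -rf "$d"
}

demo
```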
Alan Turner
Regular Advisor

Re: HPUX - root account lock

It sounds as if your root account is locked out on a trusted system. The default on conversion to a trusted system is that accounts will be locked out after 3 failed attempts - even root. You can, though, change this limit. I've only ever done this using sam:
Accounts for Users and Groups --> Users
choose the root account
choose Actions --> Modify Security Policies --> General User Acc. Policies, then change "Unsuccessful Login Tries Allowed" from 3 to another number (max 99).
By the way, you also ought to be able to use sam to unlock the root account, provided that you can successfully "su". If you can't "su", then let's hope the direct edit to remove the u_lock entry works.
By the way - you can also set the system to require entry of a password before booting to single user mode - just as well that this was not enabled, or you would not have been able to get in in single user mode.
T G Manikandan
Honored Contributor

Re: HPUX - root account lock

# /usr/lbin/tsconvert -r
Change the passwd and again make the system trusted
# passwd root
# /usr/lbin/tsconvert
walter crasto_1
Frequent Advisor

Re: HPUX - root account lock

Hi All,

Thanks a lot for your prompt suggestions.
My problem has been resolved by the /usr/lbin/tsconvert -r command & by removing the u_lock entry in the /tcb/files/auth/r/root file.

Thanks & Regards
Varian
Carlos Fernandez Riera
Honored Contributor

Re: HPUX - root account lock

Once you know it is a trusted system, you must read the man pages for modprpw and getprpw.

They are available on 11.11 only.

I guess you were able to recover root access and avoid converting the passwd files twice with those commands.

getpr and modpr are under /usr/lbin.

unsupported
Bill Hassell
Honored Contributor

Re: HPUX - root account lock

Some clarifications:

- When root is locked out, you can always login through the 'real' system console.

- /tcb is present only when your system is trusted (unless someone arbitrarily created the directory) and it will contain a /tcb/files directory.

- You don't have to un-trust the system to fix the root entry. You can unlock any account using /usr/lbin/modprpw -k .. However, for root, you'll need to be in single user mode, and you must mount /usr first. That is the preferred way rather than trying to edit the /tcb/files/auth/r/root file directly.

- The man pages for prpwd, modprpw and getprpw are available at http://docs.hp.com


Bill Hassell, sysadmin