HPE Community
Operating System - HP-UX
1851258 Members
3465 Online
104057 Solutions
New Discussion

"/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

 
SOLVED
Go to solution
Stuart Allan
Occasional Contributor

‎11-15-2004 03:55 PM

‎11-15-2004 03:55 PM

"/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

I used the modprpw -m acctexp=0 to set an account to not expire (along with setting the aging fields to all be zeros) but what I found was that the acctexp=0 sets an expiry value in it's field and also locks the account with the "past absolute account lifetime" bit set.

I ran:
/usr/lbin/modprpw -m mintm=0,exptm=0,lftm=0,acctexp=0,llog=0,expwarn=0 testexp

and:
/usr/lbin/getprpw -m mintm,exptm,lftm,acctexp,llog,expwarn,alock,lockout testexp

which returns:
mintm=0, exptm=0, expwarn=0, lftm=0, acctexp=1100578598, llog=0, alock=NO, lockout=0010000

The modprpw man page seems to indicate that this shouldn't be the case; it states:
"acctexp=value database u_acct_expire=(value*86400+now).
Set account expiration time interval (days).
This interval is added to "now" to form the value in the database (database 0 = no expiration)."

We worked around this by editing the /tcb/files/auth/t/testexp entry and setting the u_acct_expire value to 0.

Setting the acctexp to -1 seems to work but the man page states:
"If the value -1 is specified, the numeric value in the database is removed, allowing the system default value to be used."

but I couldn't see what the system default for acctexp is; getprdef doesn't seem to have it as an option.

What is the best method and/or value for setting an account to never expire ?

0 Kudos
Reply
5 REPLIES 5
Con O'Kelly
Honored Contributor

‎11-15-2004 04:22 PM

‎11-15-2004 04:22 PM

Re: "/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

Hi Stuart

I think the confusion is with the "acctexp" value. I believe this is only used to set a specific expiry time for the account.

If you want to disable password aging (ie account will never expire) then you only need to use:
usr/lbin/modprpw -l -m mintm=0,exptm=0,exp
warn=0,lftm=0

You can use SAM to test this and see what commands it runs by looking in its logfile (/var/sam/log/samlog).

Cheers
Con
0 Kudos
Reply
Stuart Allan
Occasional Contributor

‎11-15-2004 04:35 PM

‎11-15-2004 04:35 PM

Re: "/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

Hi Con,

Thanks; I'm clear on the the password expiry options (and use the same command options that you posted) but it's specifically the account expiry option that I'm wanting to confirm how/and what to set it to.
0 Kudos
Reply
Con O'Kelly
Honored Contributor

‎11-15-2004 05:01 PM

‎11-15-2004 05:01 PM

Solution

Re: "/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

Hi Stuart

OK my understanding is that acctexp is used explicitly to set a specific expiry time for the account ie you can set the account to expire in "x" number of days using acctexp=
For example to expire in 60 days:
/usr/lbin/modprpw -l -m acctexp=60 .

The value '0' is not valid for acctexp. You can confirm this using SAM. Look in SAM under "General User Account Policies" -> Account Lifetime.

The value -1 means it uses the default which means there is no specific expiry time. ie the account has an infinite expiry time.

So if you want an account never to expire check the value of acctexp. It should be acctexp=-1. If not use:
/usr/lbin/modprpw -l -m acctexp=-1

You can test all of this using sam as it logs all the modprpw commands it uses to /var/sam/log/samlog.

Cheers
Con
Reply
Stuart Allan
Occasional Contributor

‎11-16-2004 02:25 PM

‎11-16-2004 02:25 PM

Re: "/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

Thanks Con.
0 Kudos
Reply
thrubovc
Advisor

‎07-18-2012 01:31 AM

‎07-18-2012 01:31 AM

Re: "/usr/lbin/modprpw -m acctexp=0" doesn't set account to no expiration

this ancient thread just saved me, I managed to expire my account on 80 servers by setting acctexp=0, which means expire in 0 days (today). so the correct setting is acctexp=-1. thanx!

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.