Operating System - HP-UX

root account disabled. Can't change password via GSP either

SOLVED
Joe Profaizer
Super Advisor

I have an L2000 and the root account is disabled, so I logged in through the GSP and when I type my password it returns:
Console Login: root
Password:
Account is disabled but console login is allowed.
Last successful login for root: Tue Aug 16 13:00:08 CST6CDT 2005 on pts/5
Last unsuccessful login for root: Wed Aug 17 10:23:12 CST6CDT 2005
Your password has expired.
Choose a new password.
Changing password for root
Old password:
Sorry.
Login aborted due to no password.

So when I enter the old password, you see that I get the "Sorry" message. This is a trusted system by the way.

Any suggestions other than booting into single user mode?
Mel Burslan
Honored Contributor

Re: root account disabled. Can't change password via GSP either

If you have another system that exists in the root's .rhosts file as root equivalent, you can try coming from this system and see if it works, but I am sure if you had such a system you would have tried it already.

Other than that, boot to single user unfortunately.
________________________________
UNIX because I majored in cryptology...
Geoff Wild
Honored Contributor

Re: root account disabled. Can't change password via GSP either

Is the account locked?

grep root /etc/passwd

is there an * in the passwd field?

If yes, try

passwd -d root

Then try setting the password

passwd

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
DCE
Honored Contributor

Re: root account disabled. Can't change password via GSP either

If you have sudo installed, you should be able to sudo su - and get in as root. Once there you can reset root's account with the modprpw -k root command. If no sudo, then you will have to come up in single user mode.
Joe Profaizer
Super Advisor

Re: root account disabled. Can't change password via GSP either

If I were to create a share via SAMBA, can I untrust the system by moving files or renaming them instead of using SAM? Root is the only username we can access sam with.
Geoff Wild
Honored Contributor

Re: root account disabled. Can't change password via GSP either

"If I were to create a share via SAMBA, can I untrust the system by moving files or renaming them instead of using SAM. Root is the only username we can access sam with."

Uh...why would you want to do that? Very dangerous and could result in an unbootable system....

Isn't your issue "root account locked"?

As far as sam goes, you can set up Restricted SAM for other users...with sam -r

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Pat Lieberg
Valued Contributor

Re: root account disabled. Can't change password via GSP either

If you have no alternate means of accessing the system (i.e. ssh, sudo, etc) then you will most likely need to boot into single user mode.

It sounds like your root password is expired, but the account is disabled. Perhaps there is a bug which prevents console access in just this kind of situation?
Joe Profaizer
Super Advisor

Re: root account disabled. Can't change password via GSP either

Could be a bug indeed. We even restored the file /tcb/files/auth/r/root from 7/30. The account was reenabled, but indeed expired again and I couldn't reset the password from the GSP when prompted for "Old Password".
RAC_1
Honored Contributor

Re: root account disabled. Can't change password via GSP either

If you have alternate means of logging in as root, do as follows as a root user.

# /usr/lbin/getprpw -r -m lockout username

To decode what is returned, note that the position (left to right) represents:

1 past password lifetime
2 past last login time
3 past absolute account lifetime
4 exceeding unsuccessful login attempts
5 password required and a null password
6 admin lock
7 password is a *

NOTE: If 0000000 is returned proceed to step 2. If not try the steps below.

If the following is returned

0100000 (means "past last login time")

use the modprpw command to correct this as follows:

# /usr/lbin/modprpw -m llog=0 username

Now, the getprpw command, should get back a response of:

0000000

The account is now re-activated. Skip step 2. You are done.

Do the following to NULL out the passwd field on this account and change the passwd. It will NOT prompt for the old passwd.

2. # /usr/sam/lbin/usermod.sam -F -p "" root
There is no substitute to HARDWORK
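
The position table in the reply above, turned into a small decoder. This is an added example, not part of the original post or of any HP-UX tooling; the function name decode_lockout and the sample strings are assumptions made for illustration.

```shell
#!/bin/sh
# decode_lockout (hypothetical helper): explain the 7-character string
# returned by "/usr/lbin/getprpw -r -m lockout username".
# Exit status: 0 = no flag set, 1 = at least one flag set, 2 = malformed input.
decode_lockout() {
    flags=$1
    # Accept exactly seven characters, each 0 or 1.
    case $flags in
        [01][01][01][01][01][01][01]) ;;
        *) echo "malformed lockout string: $flags" >&2; return 2 ;;
    esac
    if [ "$flags" = 0000000 ]; then
        echo "not locked"
        return 0
    fi
    pos=1
    reasons=
    rest=$flags
    while [ -n "$rest" ]; do
        tail=${rest#?}          # everything after the first character
        bit=${rest%"$tail"}     # the first character itself
        rest=$tail
        if [ "$bit" = 1 ]; then
            case $pos in
                1) r="past password lifetime" ;;
                2) r="past last login time" ;;
                3) r="past absolute account lifetime" ;;
                4) r="exceeding unsuccessful login attempts" ;;
                5) r="password required and a null password" ;;
                6) r="admin lock" ;;
                7) r="password is a *" ;;
            esac
            reasons="${reasons:+$reasons; }$pos=$r"
        fi
        pos=$((pos + 1))
    done
    echo "$reasons"
    return 1
}

# Constructed sample values, not captured from a real system.
for sample in 0000000 0100000 1001000; do
    printf '%s -> %s\n' "$sample" "$(decode_lockout "$sample")"
done
```

On a live system the argument would be the output of the getprpw command quoted in the reply, for example decode_lockout "$(/usr/lbin/getprpw -r -m lockout root)".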
Mel Burslan
Honored Contributor

Re: root account disabled. Can't change password via GSP either

I think you are mis-perceiving the password expiration. Your 7/30 dated file does not have any different information than what it is today. The encrypted password hash has the date of last password change and when you login, or try to login, there is a calculation made to figure out, depending on your password aging policy, if your password has expired as of today or not. So, it is quite expected that you had not been successful logging in and changing your password. But again, when you login from the console, none of these checks should have taken place at all. I think your security policies, regarding root accounts were too tight in my opinion.
________________________________
UNIX because I majored in cryptology...
Bill Hassell
Honored Contributor
Solution

Re: root account disabled. Can't change password via GSP either

How many characters are you typing for the root password? If this system was recently converted to Trusted and the root password was 9 or more characters, the extra characters were silently ignored in the un-trusted system. But when converted to Trusted, all passwords must be entered as 8 characters or less until you change the password, at which point the additional characters become significant.


Bill Hassell, sysadmin
Ranjith_5
Honored Contributor

Re: root account disabled. Can't change password via GSP either

Hi Joe,

Check if your old password contains special characters like @, # etc. In that case you will need to use \ just before typing such characters in your password. On console it won't allow you to directly login with root account if the password contains special characters.

Try logging in with some other user name. Do an su - root. Then here change the password.


Regards,
Syam
Joe Profaizer
Super Advisor

Re: root account disabled. Can't change password via GSP either

Bill,
I remember meeting you at HP World. Thanks......You 'da Man!!!

Thank you very very much