
root account disabled - how to enable

Steve Grantham_1
New Member

root account disabled - how to enable

All,

My company operates a development shop, and one of our HP-UX 11.11 servers is configured as a trusted system to mirror client configurations. In our testing, the root account has become disabled--when I su or attempt to login, I get a message informing me of that fact.

Complicating this problem is the fact that this server is located across the country from our (my) office, but there is a (non technical) person located there who can follow directions.

How do I resolve this?

Thanks in advance,
Steve Grantham
Patrick Wallek
Honored Contributor
Solution

Re: root account disabled - how to enable

Is there a console attached to the machine? Does it have a web console?

If it has a web console you should be able to login that way and re-enable root.

If there is a direct attached console, then have the person at the location log in from the console and then reactivate root.

To reactivate once logged in do:

/usr/lbin/modprpw -k root
Steve Grantham_1
New Member

Re: root account disabled - how to enable

Some further info on this: I've tried Patrick's solution of having someone at the console login as root and run the
/usr/lbin/modprpw -k root
command, but he isn't able to login. The message is that the account is locked in the commercial security database.

Assuming that we boot into single user and mount /usr read-write, what needs to be changed to allow root's account to be enabled again?

Thanks,
Steve Grantham

bhoopathi_1
Frequent Advisor

Re: root account disabled - how to enable

Hi Steve

If you are able to log into single user mode, then it won't ask for a root password. Since this is a trusted system, you can either edit the /tcb/auth/files/r/root file and remove the entry against the lock keyword or use sam and enable the account.
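
An added example, not part of the reply above: a read-only shell check that shows what the lock keyword looks like in a trusted-system entry before anyone edits the file by hand. The sample entry is constructed (made-up values laid out in the termcap style of prpwd(4)), and the names sample_entry and prpw_lock_report are hypothetical.

```shell
#!/bin/sh
# Constructed sample of a protected password entry; all values are made up.
sample_entry() {
cat <<'EOF'
root:u_name=root:u_id#0:\
	:u_pwd=CONSTRUCTEDHASH:\
	:u_succhg#1050000000:u_unsuclog#1051000000:\
	:u_numunsuclog#6:u_lock:\
	:chkent:
EOF
}

# Read one entry on stdin and summarise the lock-related fields.
# Nothing is modified; on the affected host the input would be
#   prpw_lock_report < /tcb/auth/files/r/root
prpw_lock_report() {
    awk '
    {
        sub(/\\$/, "")          # drop the continuation backslash
        gsub(/[ \t]/, "")       # drop the indentation
        entry = entry $0        # join the physical lines into one record
    }
    END {
        n = split(entry, f, ":")
        user = f[1]; lock = "no"; failed = 0; max = "unset"
        for (i = 2; i <= n; i++) {
            split(f[i], kv, "#")                 # numeric fields are name#value
            if (f[i] == "u_lock")               lock = "yes"   # boolean set
            else if (f[i] == "u_lock@")         lock = "no"    # boolean cleared
            else if (kv[1] == "u_numunsuclog")  failed = kv[2]
            else if (kv[1] == "u_maxtries")     max = kv[2]
        }
        printf "user=%s admin_lock=%s failed_logins=%s maxtries=%s\n",
               user, lock, failed, max
    }'
}

# Demo on the constructed entry.
sample_entry | prpw_lock_report
```

A maxtries value of "unset" means the field is absent from this entry, not that no limit applies.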
Chris Vail
Honored Contributor

Re: root account disabled - how to enable

Instead of console, have you tried logging in via secure web console, or dumb terminal attached to serial port A? That'd be my first choice.
The last ditch effort to fix this is to boot the system from the CDROM. You can then escape to a shell, and mount the /usr filesystem to a temporary directory. Once there, you can restore the /usr/tcb directory from a backup tape.
Alternatively, you can mount the various and sundry filesystems to the RAM disk and mess with modprpw to fix the root account.

Chris
Edward McCouch
Frequent Advisor

Re: root account disabled - how to enable

If root on a trusted system becomes disabled you can always log in as root from the serial console.
Bill Hassell
Honored Contributor

Re: root account disabled - how to enable

Are you sure that the remote user is using the "REAL" system console, and not a telnet or Xwindow connection from a PC in the office? This can be any type of terminal (including a Windows-based emulator) connected to the serial console port in the computer room. The disabled status is overridden by the fact that the user has access to the console. For a standard HP server, the terminal would be a 700/92 or 700/96. If the user is on the real console, typing CTRL-B will bring up a CM> prompt which comes from the processor ROMs. There are a couple of exceptions for CTRL-B...what model HP server do you have?

Very important: you don't want to go into single user mode unless the user is on the real console--you'll lose control of the system.


Bill Hassell, sysadmin
Thomas Lee_1
Advisor

Re: root account disabled - how to enable

Steve,

In an extreme case,
use /usr/lbin/tsconvert -r to revert from
a trusted system, so you can change the password in single user mode.

Thomas
Steve Grantham_1
New Member

Re: root account disabled - how to enable

To all who've responded,

Thanks very much for your input so far. The remote user swears he is sitting at "the system console" when he tries to log in. No way I can check that, since he's 3000 miles away, but he's a savvy developer and undoubtedly knows what console I'm referring to.

The 'server' is a j5000 running hp-ux 11.11. My understanding of hp web console is that it has to have been installed and configured prior to losing the root account, which--alas--wasn't the case.

We've scheduled time today to boot into single-user and I'll walk him through either a manual fix on /tcb/auth/files/r/root or by using sam to unlock the account. I'll post the results of this endeavor later today.

Thanks again for your help,
Steve
Patrick Wallek
Honored Contributor

Re: root account disabled - how to enable

OK, since a J5000 is technically a workstation, that may make a bit of a difference.

If the default is to log into CDE, then that might be part of the problem.

At the main CDE login panel, from the SESSIONS (I think) button choose "Command Line login" and then try logging in again as root.
Chris Vail
Honored Contributor

Re: root account disabled - how to enable

Even though a J5000 is a workstation, the serial console is still the best place to login. Try to hook some sort of serial terminal to that port. It doesn't have to be a dumb terminal, but could be a PC running hyperterm. You'll need a PC, the appropriate cables (the HP box has 9 pin connectors, your PC could have either 9 pin, 25 pin, or both) and a null modem. The null modems are widely available at any number of computer cable suppliers. Set the communication parameters for 9600 baud, 8 bits, 1 stop bit, no parity. Choose either ttyA or ttyB (whichever you have the cable on) and vt100 emulation. You should get a login prompt.

The secure web console DOES NOT have to be configured prior to losing root. Configuring one means that you need a ethernet crossover cable connected to it, and another system running a web browser. The SWC is, for all intents and purposes, a serial console running inside a browser. If you can get this up and running, then you can do everything as though you're sitting in front of the console.

Chris
Bill Hassell
Honored Contributor

Re: root account disabled - how to enable

Aha, it's not a server, it is an Xwindow workstation...very different animal. The "console" is actually a video card and display, not a "real" terminal at all. The J5000 doesn't have the independent Guardian Service Processor (a separate computer that talks directly to the hardware like a server). In this case, the workstation would indeed lockout root and there is no easy provision for recovering. Here are some choices:

1. As mentioned, hook a real terminal to the serial port on the J5000. Be sure to use a crossover (aka, printer or null-modem) cable and make sure you can send data to the terminal. Then reboot, interrupt the boot process and change the console from the video card to the serial port. That will then be useable to recover from a root lockout.

2. Reboot into single user mode. Not a good choice for a true server but it will work to recover root's account. You just mount /usr and then use the modprpw -k command, then reboot.

3. Install sudo so specific users can run specific commands as root. Since sudo doesn't login, it can be used to run modprpw -k and fix root's account without a reboot--probably the simplest solution. Get a copy from HP at the Software Depot. It's part of the Internet Express collection (this is a recent and very welcome addition). Internet Express is found at:

https://support.hpe.com/connect/s/product?language=en_US&kmpmoid=3367813&tab=manualsAndGuides

[Moderator edit: Updated the broken link.]



Bill Hassell, sysadmin