Operating System - HP-UX

SAM error with account security policies

 
SOLVED
Mike Smith_33
Super Advisor

SAM error with account security policies

Just a few days ago I started getting an error message from SAM that has me concerned. I was under Accounts for User and Groups when I selected an account and clicked Actions then selected Modify Security Policy.

The Modify User's Security Policies screen pops up and then immediately an Error screen with the following:

There was an unknown error in "/usr/lbin/getprpw". The output from the this command was:

Next it appears to go through all the system's users with the following line for each

/usr/lbin/getprpw: username: not found.

Just before it outputs the last user, I get:

sshd re-exec requires execution with an absolute path

Finally at the end I get

Failed to read protected password database for user "selectedusername".

I am running 11i trusted pretty well patched. HP initially had me untrust and retrust with no luck. Next I added two patches, PHCO_35520 and PHCO_35732, with no luck. Has anyone seen anything similar to this before? Any suggestions?

Thanks for all responses.
Dave Hutton
Honored Contributor

Re: SAM error with account security policies

Is the /tcb/files/auth/d/dave (whatever the user name is) there?

What if you run this command manually?
/usr/lbin/getprpw username

Does the /etc/passwd file look good if you cat it?

Does pwck turn up any errors?

Patrick Wallek
Honored Contributor

Re: SAM error with account security policies

What happens if you run /usr/lbin/getprpw for a user manually?

# /usr/lbin/getprpw root

Do you still get the error?

I would also try running 'pwck' and 'pwck -s' to check /etc/passwd and the /tcb structures.
Mike Smith_33
Super Advisor

Re: SAM error with account security policies

The files under /tcb/file/auth/x/xuser are there.

Running command line does reveal something interesting which I shared with HP but no one seemed to pay any attention to it. I get the same errors but at the end I get:

sshd re-exec requires execution with an absolute path
usage: tftp [options] [host-name] [port]
tftp>

It leaves me in the tftp prompt.

pwck -s comes back with login directories not found for some system related accounts but that is about it.
Patrick Wallek
Honored Contributor

Re: SAM error with account security policies

I'm not sure why you would be getting ssh and tftp errors when running getprpw. That makes no sense.

Is this a pure trusted system? Are you using anything like NIS+, LDAP, or any other similar mechanism?

What does your /etc/nsswitch.conf file look like? Do you have a line like "passwd: files" in it? If so, is it just "passwd: files" or is there anything else? Make sure you do NOT have "passwd: compat" as that is really only useful with NIS.

Patrick Wallek
Honored Contributor

Re: SAM error with account security policies

One other thing -- Are you using the correct 'getprpw' executable?

What does 'll /usr/lbin/getprpw' look like? What about 'what /usr/lbin/getprpw'?

Here is the output for 2 of my machines.

HP-UX 11.0:
# ll /usr/lbin/getprpw
-r-xr-xr-x 1 bin bin 24576 Oct 27 1997 /usr/lbin/getprpw*

# what /usr/lbin/getprpw
/usr/lbin/getprpw:
$Revision: 80.3 $

HP-UX 11.11:
# ll /usr/lbin/getprpw
-r-xr-xr-x 1 bin bin 20480 Nov 14 2000 /usr/lbin/getprpw*

# what /usr/lbin/getprpw
/usr/lbin/getprpw:
$Revision: B.11.11_LR
Wed Nov 8 19:52:26 PST 2000 $
Dave Hutton
Honored Contributor

Re: SAM error with account security policies

I agree, odd that it's happening under sam and what not. There's no real need, unless as stated above you're using some password management type software, for it to go out to the network.

There were quite a few hits for the message you have when searching on Google, for example. They are for other flavors of Unix, but might shed some light on what you're looking for.

But still doesn't make sense why it would be using tftp or ssh.
Mike Smith_33
Super Advisor

Re: SAM error with account security policies

This is a pure trust system. No NIS, LDAP or any of that stuff.

nsswitch.conf
passwd: files
group: files
#hosts: files
hosts: files [NOTFOUND=continue UNAVAIL=continue] dns [NOTFOUND=return UNAVAIL=]
services: files
networks: files
protocols: files
rpc: files
publickey: files
netgroup: files
automount: files
aliases: files

root@node$ ll /usr/lbin/getprpw
-r-xr-xr-x 1 bin bin 513 May 4 10:15 /usr/lbin/getprpw
root@node$ what /usr/lbin/getprpw
/usr/lbin/getprpw:

The revision information does not show up for me. It is odd that the date is May 4. I will follow up on that.

Dave Hutton
Honored Contributor

Re: SAM error with account security policies

The size of your getprpw is very small compared to what I have.

Can you more getprpw? Any chance someone redirected something or overwrote your file with something related to tftp or ssh?
Patrick Wallek
Honored Contributor
Solution

Re: SAM error with account security policies

OK, there is your problem. Your getprpw is HOSED!!!!

Its size is only 513 bytes. That is way too small. If you do a 'file getprpw' I bet it will say some sort of 'text' file. If you do a 'cat /usr/lbin/getprpw' then I bet it is some sort of script.

Do you have any other admins with root access? I would question them about what they did and why.
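
The checks used in this thread (size, file type, comparison with a working host), as an added example that is not part of the original posts: a POSIX shell script that flags a file which should be a compiled executable but is plain text or does not match the size recorded on a known-good host. The function names, the baseline file format and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag "executables" that are really text or the wrong size.

# Print the file kind: missing | empty | script | text | binary
classify_exec() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    [ -s "$f" ] || { echo empty; return 0; }
    # Read the first two bytes; drop NULs so the shell can hold the value.
    magic=$(dd if="$f" bs=1 count=2 2>/dev/null | tr -d '\000')
    [ "$magic" = '#!' ] && { echo script; return 0; }
    # A compiled object contains NUL bytes; a plain-text listing does not.
    total=$(wc -c < "$f" | tr -d ' ')
    nonnul=$(tr -d '\000' < "$f" | wc -c | tr -d ' ')
    if [ "$total" = "$nonnul" ]; then echo text; else echo binary; fi
}

# audit_against_baseline BASELINE ROOT
# BASELINE holds "<relative path> <size>" lines recorded on a known-good host
# at the same OS release and patch level (sizes differ between releases).
# Prints one SUSPECT line per mismatch; returns 1 if any were found.
audit_against_baseline() {
    baseline=$1; root=$2; rc=0
    while read -r rel want; do
        kind=$(classify_exec "$root/$rel")
        have=0
        [ -f "$root/$rel" ] && have=$(wc -c < "$root/$rel" | tr -d ' ')
        if [ "$kind" != binary ] || [ "$have" != "$want" ]; then
            echo "SUSPECT $rel kind=$kind size=$have expected=$want"
            rc=1
        fi
    done < "$baseline"
    return $rc
}

# Constructed sample tree: one intact stand-in binary and one file that was
# overwritten with a plain-text account listing, as in the thread.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/root/usr/lbin" || return 1
    printf 'BIN\000\001\002\003\004\005\006\007\010' > "$d/root/usr/lbin/modprpw"
    printf 'user1 Owner One\nuser2 Owner Two\n' > "$d/root/usr/lbin/getprpw"
    printf 'usr/lbin/getprpw 12\nusr/lbin/modprpw 12\n' > "$d/baseline"
    echo "$d"
}

sample=$(make_sample)
audit_against_baseline "$sample/baseline" "$sample/root" || :
rm -rf "$sample"
```

On a real host, ROOT would be `/` and the baseline would be generated on the working system; a SUSPECT line only says the file differs, not how it was changed.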
Mike Smith_33
Super Advisor

Re: SAM error with account security policies

When I cat getprpw it is a listing of my accounts and the names of the owners.


When I logged in to my other box that does not have the problem I get

getprpw: PA-RISC1.1 shared executable dynamically linked

-r-xr-xr-x 1 bin bin 20480 Nov 14 2000 getprpw

There is no one else with access to root except me. I am going to copy the one from the other system and see if that fixes it.
Mike Smith_33
Super Advisor

Re: SAM error with account security policies

The getprpw executable was hosed. I am thankful for the dedication of the unpaid support that actually listened to me and gave me such good direction.

I was able to resolve this by copying the executable from a system that was working correctly. How this occurred is another issue.
Patrick Wallek
Honored Contributor

Re: SAM error with account security policies

It really tells a lot about the current state of HP support when they could not solve this issue. This really should have been a no-brainer for them.