We probably assumed that when you said you turned off tcb, you meant to say that you ran the tsconvert command. You cannot turn off the Trusted System environment by removing the /tcb directory (or any other method except using tsconvert). The tsconvert is a 'backend' command which means it is not documented and designed only to be used by SAM. But it can be called directly with -u and -c which un-trusts and trusts respectively. NOTE: tsconvert always expires all passwords when converting to Trusted, which is why (without using SAM) you must run modprpw (another backend command) to reset the expiration time for all users.
Now after conversion to Trusted, there are a couple of possible messages for failed logins. One is that the password has expired (see the above comment about modprpw) and the other says the user is not logging in correctly, probably due to the wrong password. If the user tries too many times, the user ID will be disabled (which is not the same as expired). Even though the user is sure of the password, if the password is longer than 8 characters, it will not work in the Trusted system. The reason is that an untrusted "throws away" all characters after 8 no matter how many the user types. So only the first 8 are significant. But a Trusted system honors all password characters. So in a Trusted system, users should only type up to 8 characters for their OLD password. Once they login, they can change their password to a longer one and it will be honored.
And as you might expect, if users change to a longer password, conv erting back to untrusted means their password will never work and a new one must be created by the root user.
Bill Hassell, sysadmin
