
Re: Trusted Systems problem-can't log in or change passwords

 
support_5
Super Advisor

Trusted Systems problem-can't log in or change passwords

Hi all,

I have just started to see something strange on my system. When the system (HP-UX 11 L class) is running as a trusted system, the user accounts are all locked or something, because we can't log in, e.g.:
[palau]:/root # telnet nauru
Trying...
Connected to nauru.workcover.qld.gov.au.
Escape character is '^]'.
Local flow control on
Telnet TERMINAL-SPEED option ON

HP-UX nauru B.11.00 A 9000/800 (td)

login: root
Password:
Connection closed by foreign host.
[palau]:/root #

The same happens for other users on the system.

Also, I can't change a user's password, e.g.:

As root:
$ useradd andy1234
$ passwd andy1234
Changing password for andy1234
Last successful password change for andy1234: NEVER
Last unsuccessful password change for andy1234: NEVER

Current user has no Protected Password entry.

So I unconvert the system to an UN-trusted system in sam. All of a sudden, everything is okay. The users can log in, and root can change andy1234's passwd.

So I decided to change back to a trusted system (in sam). sam doesn't report an error: authck -p returns no problems.

But once I have converted it to a trusted system, the problems all come back again! What is causing this?

Any help would be much appreciated!

Thanks.

- Andy Gray

Michael Tully
Honored Contributor

Re: Trusted Systems problem-can't log in or change passwords

Hi,

I'm not sure exactly what your problem could be, but the first place I would suggest that you look is at patches.
Do you have any other server with a similar problem? If you have a test server with a different patch level, why not copy the /etc/passwd file across to it and test it to see if it occurs there.

HTH
~Michael~
Anyone for a Mutiny ?
Roger Baptiste
Honored Contributor
Solution

Re: Trusted Systems problem-can't log in or change passwords

hi,

After you untrusted the system, was the /tcb directory totally removed or not? It helps to make sure the /tcb directory is not present when the system is not trusted. This seems like some tcb corrupted issue. Or it could be a Patch related issue. (can be only confirmed by verifying with another system which is ok).

Here is a link which seems to solve the error message you get when changing a password:

http://us-support.external.hp.com/cki/bin/doc.pl/sid=f18dfad00fbf8215d5/screen=ckiDisplayDocument?docId=200000057272443

It points to the /etc/nsswitch.conf file.

HTH
raj
Take it easy.
support_5
Super Advisor

Re: Trusted Systems problem-can't log in or change passwords

Hi,

Thanks for the reply.

Okay, I unconverted the machine (nauru) and the machine I was going to experiment on (tonga was already a successful trusted system), then I copied the /etc/passwd and /etc/group files over to another similarly configured machine (tonga) and then converted that machine to a trusted system. It converted okay according to sam. Then I tried to log in and change passwords as I tried on nauru initially. The difference this time is that each time it actually worked! So it's not the /etc/passwd or /etc/group file that is corrupted... something else is. Good idea though. So I unconverted tonga back and moved the original /etc/passwd and /etc/group files back in place and converted that back to a trusted system.

I then tried it in reverse, i.e. I copied the passwd file from tonga onto nauru and converted it to a trusted system, knowing that the passwd and group files from tonga are good. But alas, after converting nauru to a trusted system, it came up with the same problems.

One thing I noticed is this: after converting nauru to a trusted system, whenever I try to rlogin in from another machine, it doesn't seem to matter whether I type the password in correctly or not, I still get the same message:
rlogin: connection closed.
Actually, it shouldn't even ask me for a password since I have .rhosts entries which should take care of that. I don't know whether this bit of information helps or not.

Any other ideas people?

- Andy Gray



S.K. Chan
Honored Contributor

Re: Trusted Systems problem-can't log in or change passwords

The key error message here is "..has no protected password entry". This is just my "guess" though it seems strange what you're experiencing. It has got to do with how the password is being authenticated in /etc/nsswitch.conf file. Can you post the content of that file, particularly the entry that has the "passwd:" line? The search order should be ..
passwd: files nis
support_5
Super Advisor

Re: Trusted Systems problem-can't log in or change passwords

Yes, the tcb files were all deleted and no longer existed.

I had a look at the /etc/nsswitch.conf file, it said that for passwd and group lookup, "compat" was the method. I changed this to "files" and tried to convert it to a trusted system and guess what:

IT WORKS!!!!!

So compat in /etc/nsswitch.conf was the issue at hand. When going to trusted system, you must use "files" in your /etc/nsswitch.conf file (perhaps if you're using NIS+ or something you use something else...dunno) and not "compat". Great!

Thank you all. Problem solved!

- Andy Gray
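
A pre-conversion check built on the fix described in the post above, as an added example that is not part of the original thread: it reports any "compat" source on the passwd and group lines of /etc/nsswitch.conf when the host is in trusted mode. The function names are hypothetical, and treating the presence of a /tcb directory as the trusted-mode marker is an assumption taken from the replies here.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: a /tcb directory means
# the host is currently converted to a trusted system.

# nss_sources FILE DB -> print the lookup sources configured for DB.
nss_sources() {
    # Drop comments, then find the first "DB:" line and print what follows.
    sed -e 's/#.*//' "$1" | awk -v db="$2" '
        { key = $1; sub(/:.*/, "", key) }
        $1 ~ /:/ && key == db {
            sub(/^[^:]*:[ \t]*/, "")   # remove "db:" and leading blanks
            sub(/[ \t]+$/, "")         # remove trailing blanks
            print
            exit
        }'
}

# check_nsswitch CONF TCBDIR -> returns 1 if passwd or group uses "compat"
# while TCBDIR exists, 0 otherwise. One status line is printed per database.
check_nsswitch() {
    conf=$1; tcb=$2; rc=0
    if [ ! -d "$tcb" ]; then
        echo "not trusted: $tcb absent, nothing to check"
        return 0
    fi
    for db in passwd group; do
        src=$(nss_sources "$conf" "$db")
        case " $src " in
            *" compat "*) echo "FAIL $db: $src (change to files)"; rc=1 ;;
            "  ")         echo "WARN $db: no entry in $conf" ;;
            *)            echo "ok   $db: $src" ;;
        esac
    done
    return $rc
}

# Default paths are the ones named in the thread; override with arguments.
check_nsswitch "${1:-/etc/nsswitch.conf}" "${2:-/tcb}"
```

Running it before converting in sam requires pointing the second argument at a directory that exists, since /tcb is only present once the system is trusted.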

S.K. Chan
Honored Contributor

Re: Trusted Systems problem-can't log in or change passwords

Just FYI ... the "compat" method means it enforces the +/- syntax that we use in passwd file.
Stan Sieler
Respected Contributor

Re: Trusted Systems problem-can't log in or change passwords

Re:
S K Chan said:
Just FYI ... the "compat" method means it enforces the +/- syntax that we use in passwd file.

"compat" seems to mean "don't let anyone
logon, and don't report why". We also
broke our system today (2006-11-01) by
specifying "compat" ... and fixed it by
specifying "files". Thanks, Andy!
sieler@allegro.com