
Unable to login after converted to Trusted System

 
g700304
Super Advisor

Unable to login after converted to Trusted System

Hi,

I tried to use Trusted System but failed.
I converted using sam and the conversion said successful.

When I tried to log in using any existing user... it FAILED.

Also, when I tried to change the passwd, it failed, showing....
"The command "/isr/lbin/modprpw" could not find the user's entry in the protected password database. Failed to update proctected database for user "".

Please help, now no user can login to the server

From

William

RAC_1
Honored Contributor

Re: Unable to login after converted to Trusted System

pwck and grpck
does it return ok?? Is the /tcb dir structure created after you converted to trusted system??

After you convert to trusted mode from the command line, all passwords will expire. Use modprpw -V to avoid that. If you convert to trusted system using SAM, this is taken care of by SAM.

Anil
There is no substitute to HARDWORK
Denver Osborn
Honored Contributor

Re: Unable to login after converted to Trusted System

This box isn't an NIS client, is it?

If not, then run pwconv to "refresh" the protected passwd db and try your passwd change again.

One other thing to check for if your users access the box via ssh... you may need to set "UseLogin yes" in your /opt/ssh/etc/sshd_config and restart sshd for them to login after converting to a trusted system.

Hope this info helps,
-denver
g700304
Super Advisor

Re: Unable to login after converted to Trusted System

Hi

I'm still not able to log in or change any user password. It prompts for "Current user has no Protected Password entry".

root@ovzeus(hpux):/# passwd william
Changing password for william
Last successful password change for william: NEVER
Last unsuccessful password change for william: NEVER

Any clue?
Steven E. Protter
Exalted Contributor

Re: Unable to login after converted to Trusted System

You need to convert the system back from trusted to non-trusted mode.

Then you need to run pwck and grpck and make sure there is integrity in the /etc/passwd file.

If you are using NIS, you need to NOT go to trusted mode, because I think that is not supported.

Once you are sure /etc/passwd is good, make sure no user id's are locked and try the trusted conversion again.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Greg Vaidman
Respected Contributor

Re: Unable to login after converted to Trusted System

if you have a current root login onto the system, you could do "/usr/lbin/tsconvert -r" to change back to a non-trusted system. this will at least get your users back in. then you can do the conversion when you have more time to test...

also, one thing to be aware of, if your password was more than 8 characters before you converted to trusted, enter only the first 8 characters after the system is trusted. this always catches somebody. that's because the untrusted system only encrypts the first 8 characters and allows/ignores any characters after the first 8 in your password; while the trusted system no longer allows you to enter the extra characters and have them ignored. you can change your password to be longer than 8 characters, but any converted passwords are "truncated" to 8 characters.

--Greg
g700304
Super Advisor

Re: Unable to login after converted to Trusted System

I have performed the pwck and grpck, looks good

But I do have some user IDs that are locked, like

daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh

Does that mean I have to unlock all of them before I can convert to Trusted System?

Please help
RAC_1
Honored Contributor

Re: Unable to login after converted to Trusted System

Those are system daemon logins. Do not do anything. In addition to pwck and grpck do logins -d

Does it report anything problematic?? Also do you have enough space on / FS??

Now convert to trusted system using SAM. Check now. Is it reporting any problems??

Anil
There is no substitute to HARDWORK
g700304
Super Advisor

Re: Unable to login after converted to Trusted System

After logins -d
I have the following


logins -d
root 0 sys 3
sysadmin 0 users 20 System Administrator

No error was prompted when I converted using sam. I have plenty of disk space on my /

Any clue?
g700304
Super Advisor

Re: Unable to login after converted to Trusted System

Also why

It always complained "Current user has no Protected Password entry."???

# passwd william
Changing password for william
Last successful password change for william: Fri Jun 3 10:19:13 2005
Last unsuccessful password change for wiliam: NEVER

Current user has no Protected Password entry.
Hilary Nicholson
Frequent Advisor

Re: Unable to login after converted to Trusted System

What messages do you get when trying to login?

If you look at an account through SAM, has it been disabled?

Regards,

Hilary
Patrick Wallek
Honored Contributor

Re: Unable to login after converted to Trusted System

Is the machine REALLY trusted? Does the /tcb directory structure exist? Does the file /tcb/files/auth/w/william exist? It sounds like SAM thinks the conversion was successful, but it actually wasn't.

I would be tempted to try from the command line.

Unconvert trusted:

# /usr/lbin/tsconvert -r

Convert to trusted again:

# /usr/lbin/tsconvert

Unexpire all passwords after conversion:

# /usr/lbin/modprpw -V
g700304
Super Advisor

Re: Unable to login after converted to Trusted System

Here is what happened when I did it on the command line:

# /usr/lbin/tsconvert
Creating secure password database...
Directories created.
Making default files.
System default file created...
Terminal default file created...
Device assignment file created...
Moving passwords...
secure password database installed.
Converting at and crontab jobs...
At and crontab files converted.

# /usr/lbin/modprpw -V

When I tried to login

HP-UX ovzeus B.11.11 U 9000/800 (tb)

login: william
Password:
Login incorrect

Wait for login retry: ..
login:

login: william
Password:
Login incorrect

Wait for login retry: ..
login:
login: william
Password:
Login incorrect

Wait for login retry: ..
login:

Patrick Wallek
Honored Contributor

Re: Unable to login after converted to Trusted System

How long is the password for the user william? Was it originally more than 8 characters? If so, just try the first 8 characters of the password after converting to trusted.

If I recall correctly, a non-trusted system will allow passwords longer than 8 characters, but it silently ignores anything after the first 8. When converting to trusted the passwords are truncated to 8 characters.
g700304
Super Advisor

Re: Unable to login after converted to Trusted System

Well, all my user passwords are less than 8 characters long. I knew this is part of the requirement, but it still doesn't work. :<
RAC_1
Honored Contributor

Re: Unable to login after converted to Trusted System

Does the password have any special chars such as @, # etc?? Exclude that.

/usr/lbin/getprpw -m "user_name"
Do you get anything?? Do you see user file under /tcb dir for that user??

Anil
There is no substitute to HARDWORK
g700304
Super Advisor

Re: Unable to login after converted to Trusted System

Strange...

when i do
#usr/lbin/getprpw -m "william"
user password file not found: william

when i cd to /tcb/files/auth

cd /tcb/files/auth# ls
A D G J M P S V Y b e h k n q system v y
B E H K N Q T W Z c f i l o r t w z
C F I L O R U X a d g j m p s u x
#/tcb/files/auth# cd w
#/tcb/files/auth/w# ls
william www

#/tcb/files/auth/w# more william
william:u_name=william:u_id#1006:\
:u_pwd=alEMOwID4hUJk:\
:u_auditid#14:\
:u_auditflag#1:\
:u_succhg#1117814386:u_pswduser=william:u_suclog#1117814378:u_lock@:\
:chkent:

????


RAC_1
Honored Contributor

Re: Unable to login after converted to Trusted System

Are the perms on /tcb
/tcb/files/auth and
/tcb/files/auth and all files/dirs under that. OK??

Anil
There is no substitute to HARDWORK
Denver Osborn
Honored Contributor

Re: Unable to login after converted to Trusted System

If you wouldn't mind, please post the output from...

# /usr/lbin/getprpw -l william

# grep passwd /etc/nsswitch.conf

# swlist -l product ShadowPassword

thanks,
-denver
g700304
Super Advisor

Re: Unable to login after converted to Trusted System

Hi As requested, here is my output again

# /usr/lbin/tsconvert
Creating secure password database...
Directories created.
Making default files.
System default file created...
Terminal default file created...
Device assignment file created...
Moving passwords...
secure password database installed.
Converting at and crontab jobs...
At and crontab files converted.

# /usr/lbin/modprpw -V

# /usr/lbin/getprpw -l william
uid=1006, bootpw=NO, audid=14, audflg=1, mintm=-1, maxpwln=-1, exptm=-1, lftm=-1, spwchg=Fri Jun 3 12:26:40 2005, upwchg=-1, acctexp=-1, llog=-1, expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Fri Jun 3 12:26:35 2005, ulogint=-1, sloginy=-1, culogin=-1, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0000000

# grep passwd /etc/nsswitch.conf
passwd: compat

# swlist -l product ShadowPassword
# Initializing...
# Contacting target "ovzeus"...
ERROR: Software "ShadowPassword" was not found on host "ovzeus:/".

# /usr/lbin/tsconvert -r
Restoring /etc/passwd...
/etc/passwd restored.
Deleting at and crontab audit ID files...
At and crontab audit ID files deleted.

Does that mean I am missing the ShadowPassword?
Uday_S_Ankolekar
Honored Contributor
Solution

Re: Unable to login after converted to Trusted System

I don't know if you have already checked this out.

If your /etc/nsswitch.conf file has
passwd compat
then change to: passwd files

-USA..
Good Luck..
Denver Osborn
Honored Contributor

Re: Unable to login after converted to Trusted System

No you're not missing anything, I just wanted to make sure it wouldn't be a problem caused by the shadow passwords product...

Is this box an NIS client?

change the "passwd" line in /etc/nsswitch.conf to read "passwd: files" if it's not an NIS client, this will fix it... if it's a nis client then trusted system isn't supported.

-denver

Uday_S_Ankolekar
Honored Contributor

Re: Unable to login after converted to Trusted System

You need to put "files" instead of compat in nsswitch files for passwd.

-USA..
Good Luck..
RAC_1
Honored Contributor

Re: Unable to login after converted to Trusted System

Denver and Uday,

I am a bit confused. Even passwd compat does files first and then nis. And as william is a local user, even "passwd compat" should also work. Isn't that right?? Or am I missing something?

For William,

What does the command "nsquery passwd william" say??

Anil
There is no substitute to HARDWORK
Denver Osborn
Honored Contributor

Re: Unable to login after converted to Trusted System

yes, compat says look to files then nis... but we don't want nis w/ TCB.

not exactly sure of the what/why/how, but I can duplicate the problem by setting "passwd: compat" in my /etc/nsswitch.conf, the problem goes away as soon as I set it back to files.

-denver
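
The two checks this thread converged on, the passwd line in /etc/nsswitch.conf and the per-user file under /tcb/files/auth/<first letter>/<name>, written as a shell sketch. This is an added example, not code from any post above. The function names, the root-directory argument and the sample tree are assumptions constructed for illustration, and the sketch assumes every local account should have an entry in the layout shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are taken relative to a root
# directory argument (an assumption) so the checks can run on a copy.

# Print the sources configured on the "passwd:" line of an nsswitch.conf.
passwd_sources() {
    awk '{ sub(/#.*/, "") }
         /^[ \t]*passwd[ \t]*:/ {
             sub(/^[ \t]*passwd[ \t]*:[ \t]*/, ""); sub(/[ \t]+$/, "")
             print; exit
         }' "$1"
}

# Succeed only when the passwd line is exactly "files", the setting the
# thread ended up with; "compat" or any NIS source fails the check.
nsswitch_ok() {
    [ "$(passwd_sources "$1/etc/nsswitch.conf")" = "files" ]
}

# List accounts in etc/passwd that have no protected password entry at
# tcb/files/auth/<first letter>/<name>. NIS "+"/"-" lines are skipped.
missing_tcb_entries() {
    cut -d: -f1 "$1/etc/passwd" | while read -r user; do
        case $user in ''|+*|-*) continue ;; esac
        initial=$(printf '%s' "$user" | cut -c1)
        [ -f "$1/tcb/files/auth/$initial/$user" ] || printf '%s\n' "$user"
    done
}

# Build a constructed sample tree: compat in nsswitch.conf, one user
# (www) with an entry and one (william) without.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/tcb/files/auth/w"
    printf 'passwd: compat   # constructed sample\nhosts: files dns\n' > "$root/etc/nsswitch.conf"
    printf 'william:*:1006:20::/home/william:/sbin/sh\nwww:*:30:1::/:\n' > "$root/etc/passwd"
    : > "$root/tcb/files/auth/w/www"
    printf '%s\n' "$root"
}

root=$(make_fixture)
nsswitch_ok "$root" || echo "passwd sources: $(passwd_sources "$root/etc/nsswitch.conf") (expected: files)"
missing_tcb_entries "$root" | sed 's/^/no protected password entry: /'
rm -rf "$root"
```

On a live system the root argument would be `/`; run it as root, since the files under /tcb are not world-readable.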