Locking root account causes account to expire

If I lock the root account using passwd -l root, PAM prevents me from adding users or groups, saying that root's account has expired. This wouldn't be so bad, except that PAM continues to prevent me from adding users/groups even after I unlock the root account and create a new password for it. What is causing this, and how can I fix it so that I'm able to install hal, dbus, etc. and administer users and groups again?

Okay, found a workaround... Using usermod instead of passwd should apparently work. For anyone having problems with this: first, use passwd --unlock to unlock the root account, and then usermod --lock to lock its password.
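The thread above turns on two separate states in /etc/shadow: a locked password (a marker in field 2) and an expired account (field 8). The following Python is an added example, not part of the original posts; the sample entries are constructed, and it is an assumption that `passwd -l` in the poster's shadow-utils version also set field 8 and that `passwd -u` left it in place.

```python
import datetime

EPOCH = datetime.date(1970, 1, 1)
# Prefixes that make the stored hash unmatchable: '!' (Linux shadow-utils)
# and '*LK*' (Solaris). They lock the password only, not the account.
LOCK_MARKERS = ("!", "*LK*")


def diagnose(entry, today=None):
    """Classify one shadow(5) line: password lock vs. account expiry."""
    fields = entry.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow entries have 9 colon-separated fields")
    user, pw, expire = fields[0], fields[1], fields[7]
    days_now = ((today or datetime.date.today()) - EPOCH).days
    expire_days = int(expire) if expire else None
    return {
        "user": user,
        "password_locked": pw.startswith(LOCK_MARKERS),
        "empty_password": pw == "",
        # pam_unix's account check reports the account as expired once
        # today's day number reaches field 8, whatever field 2 contains.
        "account_expired": expire_days is not None and days_now >= expire_days,
    }


def remediation(state):
    """Suggest the fix for each condition found (commands run as root)."""
    user, steps = state["user"], []
    if state["account_expired"]:
        steps.append(f"chage -E -1 {user}   # clear the expiry date in field 8")
    if state["password_locked"]:
        steps.append(f"passwd -u {user}     # or strip the lock marker from field 2")
    if state["empty_password"]:
        steps.append(f"passwd {user}        # empty hash: set a password now")
    return steps


# Constructed sample entries (hashes are placeholders, not real values).
SAMPLES = {
    "locked only": "root:!$6$SALT$HASH:14000:0:99999:7:::",
    "unlocked, still expired": "root:$6$SALT$HASH:14000:0:99999:7::1:",
    "Solaris locked": "root:*LK*:6445::::::",
    "blank password": "root::14000:0:99999:7:::",
}

if __name__ == "__main__":
    for label, entry in SAMPLES.items():
        state = diagnose(entry, today=datetime.date(2010, 6, 14))
        print(label, state)
        for step in remediation(state):
            print("   ", step)
```

The "unlocked, still expired" entry is the case where unlocking the password alone does not help: the hash is usable again, but the account check still fails until field 8 is cleared.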

Similar Messages

  • Recover locked root account

    I first will admit: I am stupid stupid stupid for doing this...
    My question is it possible to recover my root account if:
    1) it has been locked with:
    passwd -l root
    which normally just locks the root account and should be undo-able by
    sudo passwd -u root
    2) my root login has been disabled with:
    Defaults timestamp_timeout=0,rootpw
    in my /etc/sudoers
    so now I fully understand how to make a system completely void of an accessible root account
    EVEN when I tried booting into single user mode, it prompts for my root passwd on boot but since I disabled root login, it seems this doesn't work either.
    So I'm reinstalling soon, unless there is a quick fix I can't think of.  help
    P.S. don't try the above commands (together) at home, it's baaad news kids

    Edit /etc/passwd from a live CD and set the second field to 'x', then edit /etc/shadow and set the second field to blank.  That will set your root password to empty.  After that, reboot and login to a console as root and change the password as normal with passwd.
    EDIT: Actually, all you need to do is remove the '!' from the front of the hash (second field) in /etc/shadow and the old password should work again.
    Last edited by Bolts (2010-06-14 22:13:56)

  • Root account locked out after 3 login attempts

    I've connected to a 280R (Solaris 9) machine through the console (null modem cable). After trying 3 failed login attempts, it reported that the root account has been locked out. What can I do now to re-enable it?
    Vincent

    The usual dance. :-)
    1. Put in a Solaris install CD
    2. "boot -s " at the "ok" prompt.
    3. mount /dev/c<your boot partition> /mnt
    4. edit /mnt/etc/passwd
    5. Reboot the system.
    6. login as root
    7. Set your password.
    8. write it on a post-it.
    9. place post-it on monitor.
    I'm kidding with steps 8 and 9.
    HTH,
    Roger S.
    PS - Happy T-day

  • Root account locked

    please tell me if the root account is locked and also
    unlocking it

    By default on a regular install on a Solaris system, the root login is definitely not locked. If your root login is locked, you can unlock it by:
    - booting from a Solaris install CD
    - mounting the root directory
    - modifying the /etc/shadow file and clearing the second field (e.g. the crypted password field)
    - reboot
    You will now be able to login as root without a password. You should then immediately set the root password to something.

  • ALL Accounts are EXPIRED & LOCKED. How do I reset them?

    I downloaded Oracle9i about a month ago to test out. I finally
    got time to do so and all the accounts say EXPIRED & LOCKED 25-Oct-2001.
    Do I have to reinstall and start over, or can I reset them?
    Thanks,
    Chris

    Which graphics display card do you have?
    If you have an ATI card with Catalyst drivers then try to disable "Morphological Filtering" in the Catalyst drivers:
    * Catalyst Control Center > 3D Settings > Disable Morphological Filtering

  • Mobile accounts not expiring

    Hi everyone,
    We have all of our Macs (running 10.7) bound to AD through the native plugin. We have the AD plugin set to create mobile accounts. We create three local groups on each machine and add the equivalent AD groups to the local groups. For instance, we have a local group called Students which has the member DOMAIN\AD Students. We then use local managed preferences to launch a login script to map drives for these accounts, which works correctly based on group membership.
    We've now set these same three local groups to have mobile account expiration. On a test machine, we set it to 2 days. We then logged in with a test account and rebooted, logged in again, and rebooted. After waiting all week, the account is still there (along with all of the other mobile accounts, but we don't know exactly when those students had logged in).
    Is there any place to check the last time a user logged in? Does our setup sound like it should even work?
    Thanks!
    -MRCUR

    When logging in with an AD user, the "lastLoginTime" is not set on the mobile account. This seems to be the root cause of the accounts not expiring as expected, as the lastLoginTime is used to determine when the account should expire.
    This unfortunately seems like expected behavior when using AD accounts as opposed to local or OD accounts.

  • I am trying to activate root account on my MAC.  The directions I've seen do not match what is in System Preference for Accounts or Users

    I am trying to activate the root account on my new Mac Book Pro.  The instructions that I have found do not match what I have in System Preferences.  What is the process when using Users and Groups?  When I click on Join the Network Account Server- Open Directory Utility I don't see an option to activate root user as the instructions say at http://support.apple.com/kb/HT1528
    OS X Lion
    From the Apple menu choose System Preferences....
    From the View menu choose Users & Groups.
    Click the lock and authenticate as an administrator account.
    Click Login Options....
    Click the "Edit..." or "Join..." button at the bottom right.
    Click the "Open Directory Utility..." button.
    Click the lock in the Directory Utility window.
    Enter an administrator account name and password, then click OK.
    Choose Enable Root User from the Edit menu.
    Enter the root password you wish to use in both the Password and Verify fields, then click OK.

    Do you mean you cannot select "Enable Root User" from the "Edit" menu as shown below?
    Why do you think you need to enable the root user? I've never needed it in the history of OS X.

  • How to unlock Root Account in non-global zone on Solaris 10 Branded Zone

    Hello All,
    I have a physical x86 server running Solaris 11. On top of that, I have 3 Solaris 10 branded zones configured. Due to security policy the root account has been locked by 5 failed login attempts.
    Is there a way by which I can unlock root account in non-global zone.
    I have the root access of global zone.
    Pls help as these are production servers.
    Regards

    Hey,
    It worked. Actually I forgot to save the file.
    I changed the /<zonepath>/root/etc/shadow
    Removed *LK* & then from global zone did zlogin -l root zonename
    Thanks a lot.

  • System failure during locking GL account "co.code" by "GL a/c"

    HI Experts,
    When posting an excise invoice in J1IIN we are getting the following error.
    "system failure during locking GL account 1800 by 13113910"
    Any one have idea why we get this error?
    Thanks and Regards
    Om Prakash RA
    FI/CO Consultant

    Hi ,
    This error could be caused because of many reasons.
    As per my understanding, the error is encountered only when multiple users press the SAVE button simultaneously (the error is not encountered when multiple users run the transaction J1IIN).
    While creating the excise invoice, at the time of saving the system tries to lock the GL account that is getting updated with the new balances. Probably someone else could be changing the GL account data at that point of time. This is a very short phenomenon and is meant to keep the data consistency. It is the intended behaviour of the system. Two users cannot perform simultaneously on the same G/L account.
    Also, please note that while saving the Excise invoice through J1IIN you must click on the save icon only once even if you get any messages. Just press the 'enter' key, instead of clicking again on the save icon.
    This will not give the GL account locking error.
    If you press the save icon the GL account will be locked and if you click on the save icon again it tries to lock the GL account again and since the GL is already locked this error will come.
    So please do not click on the save icon more than once
    Regards
    V V

  • How to find out the last time login for a locked login account?

    In ASE 15.4,there are many login account show as locked and unlocked. How to find out the last login time for those locked login account?

    Thank you.  The version of my ASE is 12.5.4.
    This is what I got from select * from syslogins: 
    suid status accdate totcpu totio spacelimit timelimit resultlimit dbname name password language pwdate audflags fullname srvname logincount procid
    1
    30 2 10/25/2012 11:41:10.430 AM 0 0 0 0 0 . . ... us_english 02/24/2.0.08 12:55:38.640 PM 0 [NULL] [NULL] [NULL] [NULL]
    this is what I got from exec sp_displaylogin 'mylogin':
    1 Suid: 46                               
    2 Loginame: mylogin   
    3 Fullname: FN LN
    4 Default Database: mydb
    5 Default Language: us_english   
    6 Auto Login Script:    
    7 Configured Authorization:   
    8 Locked: YES                              
    9 Date of Last Password Change: Apr 17 2010  2:36PM    
    10 Password expiration interval: 0            
    11 Password expired: NO                               
    12 Minimum password length: 6            
    13 Maximum failed logins: 0            
    14 Current failed login attempts:    
    15 Authenticate with: AUTH_DEFAULT                     
    which one is for last login time?

  • Root account Lockout

    Hi all,
    Since a few weeks, my root account locks every 5 days but I can't figure out why.
    I've looked in the log file but can't see anything that helps me figure out what or why the root account locks.
    My question is, where can I look to figure out what locks my root account, or is there a log that I need to activate to be able to see what's happening to the root account?
    Thx all.
    Doug

    Does your system log all root login attempts via syslog to auth.log or something similar? If so, do you see any attempts by any user to login? If it is every five days, do you have any scheduled jobs that run some process that tries to log in as root but is failing? Are you running BART or something similar which checks manifests - perhaps you have malware that is editing your /etc/shadow and locking your root for malicious purposes.

  • Determine the Root Account

    How can I determine which account is the root account? After upgrading computer and moving data via time machine, I have two accounts listed as admin, however the new one I created on new computer does not act like root account.

    kflau,
    As Nerowolfe suggested keep the spare admin account. Test it for functionality occasionally and keep it in reserve. If your main admin should 'break' you may be able to use the reserve to fix it, or do some other admin task. You should also use a non admin as your day to day browser login. You can switch stuff about using the "Shared" user.
    Root is an admin but more than, and it is best kept in the cupboard. I do on rare occasions see apps telling me when in an admin, 'You don't have enough privileges to do "X"' and have resorted to root, but that is rare and probably idiosyncratic to the procedure concerned.
    Try this: open the Utility app, 'Directory Utility'. Click on the lock and enter an admin name and password. Put your mouse on the 'Edit' tab and look at the drop down. If it says 'enable root', then root is disabled. If it says 'disable root' then root is currently enabled. To enable root you enter a password for it. You can give root a password (and any other user for that matter) by booting from the install disk, navigating to the utilities menu (choose a language, click to install but don't go the full distance). For most users assign PWs in the user pane in Sys Prefs and for root, in said app Directory Utility.
    There have been cases reported here where root, and maybe other users, have been effectively lost, but that's once in a blue moon.

  • My account is expired

    Hi everyone,
    During my vacations abroad my Adobe Connection account is expired cause my credit card was blocked.
    I'd like to activate my account again, to go on with my webinars and to regain the access to all former webinars I've led.
    What should I do?????

    Hi Rduncan78,
    Can you try launching the Creative Cloud app and signing out and back in with Illustrator closed. Afterwards try relaunching Illustrator again and see if you get the same behavior.

  • Exchange User Account Managment Task locking AD account

    User's AD account is locking within minutes. Windows logs show calling computer as the Exchange 2010 CAS server (which is part of the CAS array). We have disabled all mailbox features (Active Sync, Mapi, OWA, POP, IMAP). The account still locks up within minutes and with same Windows event. There are no 1035 events on the CAS showing any brute force attacks and no other logs referencing this event at all. The IIS logs show an old Samsung phone that the user had months ago and it broke. It doesn't make sense that it will be blocking the account even when Active Sync is disabled for testing. I have gone ahead and blocked it anyway and removed it from the mailbox using MAPI MFC. I did check server for Conficker but did not see anything odd in the registry. What can be causing this lockout? Also the user does not have any tasks configured or passwords saved on the computer.
    Windows Log:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/17/2014 9:09:03 AM
    Event ID:      4740
    Task Category: User Account Management
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      DOmainController.DOmain.local
    Description:
    A user account was locked out.
    Subject:
     Security ID:  SYSTEM
     Account Name:  DOMAINCONTROLLER$
     Account Domain:  Domain Name
     Logon ID:  0x3e7
    Account That Was Locked Out:
     Security ID:  Domain Name\User
     Account Name:  windows user name
    Additional Information:
     Caller Computer Name: Exchange 2010 CAS server
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54878625-5237-4999-A5DA-4t567j328C30G}" />
        <EventID>4740</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>13824</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-17T13:09:03.021253500Z" />
        <EventRecordID>331284493</EventRecordID>
        <Correlation />
        <Execution ProcessID="492" ThreadID="1036" />
        <Channel>Security</Channel>
        <Computer>DomainController.domain.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="TargetUserName">Username</Data>
        <Data Name="TargetDomainName">Exchange 2010 CAS Server</Data>
        <Data Name="TargetSid">S-1-5-21-4059915145-90934678-67520089-8930</Data>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">DomainControler$</Data>
        <Data Name="SubjectDomainName">DOmain Name</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
      </EventData>
    </Event>
    IIS Log Entry for the Old Phone which was removed now using MAPI MFC and Blocked. Note 10.88.11.2 is Load Balancers IP (changed in this post)
    ault.eas Cmd=Sync&User=DomainName%5CDomainUserName&DeviceId=SEC1772877030523&DeviceType=SAMSUNGSCHI535 80 Domain\Username 10.88.11.2 SAMSUNG-SCH-I535/101.403 401 1 1909 0

    Hello,
    AD replication has been tested with no issues.
    The test account locks up only if we intentionally enter the bad password. This was done to see if our disabling of the mailbox feature on the actual production account would prevent locks due to requests coming to Exchange for that feature with a bad password. Apparently the account will lock even if the mailbox feature is disabled. For example: if OWA is disabled for a mailbox, entering the incorrect password for the account will lock the account.
    So, currently we have done a workaround; since the user has no PC to log in to - only uses iPad and iPhone - we have changed the user name in AD. The account is not locking in but I am still seeing these entries in the IIS logs coming from his old phone for the old username (which broke and was trashed - this also tells us that if we revert to the actual username for the account it will lock). Also, disabling Active Sync for the user when the user name was not changed did not have any impact and requests coming to Active Sync would still lock the account.
    What should we do to prevent Exchange from trying to respond to this request to Active Sync from an old device? The device was blocked on the account and removed through MFC when the issue surfaced but it did not fix the situation:
    Request on IIS logs:
    2014-09-18 00:01:07 10.97.10.20 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=Domain Name%5CUsername&DeviceId=SEC1342789030523&DeviceType=SAMSUNGSCHI535 80 DOmain Name\Username 10.1.10.46 SAMSUNG-SCH-I535/101.403 401 1 1909 0
    Block Command Used:
    [PS] C:\Windows\system32>Set-CASMailbox -Identity: "[email protected]" -ActiveSyncBlockedDeviceIDs: "SEC1342789030523"
    Confirmed it's listed as blocked:
    Get-CASMailbox Username | Select ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
    Note: (Allowed devices are none since at that time we had removed all current Active Sync devices attached to the account to see if any of them were responsible for the bad request)
    ActiveSyncAllowedDeviceIDs                                  ActiveSyncBlockedDeviceIDs
     {SEC1342789030523}
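One way to see which device is driving lockouts like the one in this thread, as an added example in Python that is not part of the original posts: it groups 401 responses on the ActiveSync endpoint by the User and DeviceId query parameters and names the sc-win32-status values 1326 (logon failure) and 1909 (account locked out). The log lines, account, device IDs and the #Fields order are constructed, modelled on the entry quoted above; it keys on DeviceId rather than c-ip because the client address seen by IIS is the load balancer's.

```python
from collections import Counter
from urllib.parse import parse_qs

# sc-win32-status values of interest on a 401 (Win32 error codes).
WIN32 = {"1326": "logon failure", "1909": "account locked out"}


def activesync_auth_failures(lines):
    """Count 401 ActiveSync requests per (user, device id, win32 meaning)."""
    fields, hits = [], Counter()
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for rows below
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "401":
            continue
        stem = row.get("cs-uri-stem", "").lower()
        if "/microsoft-server-activesync/" not in stem:
            continue
        query = parse_qs(row.get("cs-uri-query", ""))  # decodes %5C to '\'
        user = query.get("User", ["-"])[0]
        device = query.get("DeviceId", ["-"])[0]
        code = row.get("sc-win32-status", "-")
        hits[(user, device, WIN32.get(code, code))] += 1
    return hits


# Constructed W3C log sample (documentation IPs, made-up account and devices).
EAS = "/Microsoft-Server-ActiveSync/default.eas"
OLD = "Cmd=Sync&User=EXAMPLE%5Cjdoe&DeviceId=OLDPHONE01&DeviceType=SAMSUNGSCHI535"
NEW = "Cmd=Sync&User=EXAMPLE%5Cjdoe&DeviceId=NEWPHONE02&DeviceType=iPhone"
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    f"2014-09-18 00:01:07 192.0.2.20 POST {EAS} {OLD} 80 EXAMPLE\\jdoe 192.0.2.46 SAMSUNG-SCH-I535/101.403 401 1 1326 0",
    f"2014-09-18 00:01:37 192.0.2.20 POST {EAS} {OLD} 80 EXAMPLE\\jdoe 192.0.2.46 SAMSUNG-SCH-I535/101.403 401 1 1326 0",
    f"2014-09-18 00:02:07 192.0.2.20 POST {EAS} {OLD} 80 EXAMPLE\\jdoe 192.0.2.46 SAMSUNG-SCH-I535/101.403 401 1 1909 0",
    f"2014-09-18 00:02:30 192.0.2.20 POST {EAS} {NEW} 80 EXAMPLE\\jdoe 192.0.2.46 Apple-iPhone/1101.403 200 0 0 15",
    "2014-09-18 00:03:00 192.0.2.20 GET /owa/ - 80 - 192.0.2.46 Mozilla/5.0 401 1 1326 0",
]

if __name__ == "__main__":
    for (user, device, reason), n in activesync_auth_failures(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {user}  {device}  {reason}")
```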

  • System failure during locking GL account 5555 by 13113910 Message no. 8I076  and the time of saving out going excise invoice.

    Hi SAP Gurus,
    We are configuring the CIN Settings for our client and at the time of testing, while saving the Out going excise invoice the system is giving the error as “Balance in Transaction Error” and when pressed enter the system displays the error as “ system failure during locking GL account 5555 by 13113910.”
    We have configured Out going excise duty condition types  in the SD pricing procedure
    and
    also maintained the same condition types  as mentioned below  in the path IMG / LOGISTICS GENERAL  / TAX ON GOODS MOVEMENT  /  INDIA / BASIC SETTINGS/ DETERMINATION OF EXCISE DUTY / MAINTAIN EXCISE DEFAULTS
    under the headings
    AR BED Cond – JEXP
    AR Cess Cond – JECS
    ECS AR – JHEC
    And also maintained the settings in the Path IMG / LOGISTICS GENERAL  / TAX ON GOODS MOVEMENT  / INDIA  / SPECIFY  EXCISE ACCOUNTS PER  EXCISE  TRANSACTION and also in SPECIFY G/L ACCOUNTS  PER EXCISE TRANSACTION .
    But still the above mentioned error is coming.
    Note : error is not coming when I am removing the JHEC condition type from the path IMG / LOGISTICS GENERAL  / TAX ON GOODS MOVEMENT  / INDIA / BASIC SETTINGS/ DETERMINATION OF EXCISE DUTY / under the heading ECR AR, but we need the JHEC (i.e. Higher education cess) also in out going excise invoice.
    Please let me know what is the issue and how to resolve it.
    Thanks & Regards
    Shashi

    Dear We faced the same issue and  almost for 20 days to  get it resolved.
    For this kind of error firstly check have you activated the Liable for AT1 indicator in (IMG>>Log.General>>Tax on goods Movement>>India>>Basic Settings>>Maintain Excise registrations)
    Also have you assigned proper GL account in (IMG>>Log.General>>Tax on Good Movement>>India>>Account Determination>>Account determination per Excise transaction type)
    Here pl check the relevant GL has been assigned for
    1. RG23A BED (for both incoming and outgoing excise invoice updations against your ETT)
    2. RG23C BED (for both incoming and outgoing excise invoice updations against your ETT)
    3. OFF SET (for both incoming and outgoing excise invoice updations against your ETT)
    4. MODVAT CLEARING (for both incoming and outgoing excise invoice updations against your ETT)
    5. PLA BED & AED & SED (for both incoming and outgoing excise invoice updations against your ETT at the time of utilizations)
    6. PLA CESS (for both incoming and outgoing excise invoice updations against your ETT at the time of utilizations)
    7. CENVAT ON HOLD (for both incoming and outgoing excise invoice updations against your ETT at the time of utilizations)
    8. CENVAT SUSPENSE (for both incoming and outgoing excise invoice updations against your ETT at the time of invoice posting)
    9. PLA ON HOLD (for both incoming and outgoing excise invoice updations against your ETT at the time of TR6c)
    10. CENVAT REVERSAL (for cancellations vs ETT)
    11. RG23A ECS (for both incoming and outgoing excise invoice updations against your ETT)
    12. RG23C ECS (for both incoming and outgoing excise invoice updations against your ETT)
    13. PLA ECS (for both incoming and outgoing excise invoice updations against your ETT)
    14. RG23A AT1 (check this more carefully)
    15. RG23C AT1 (check this more carefully)
    16. PLA AT1 (check this more carefully)
    Hope this helps you...
    Phanikumar
