Locking root account causes account to expire
If I lock the root account using passwd -l root, PAM prevents me from adding users or groups, saying that root's account has expired. This wouldn't be so bad, except that PAM continues to prevent me from adding users/groups even after I unlock the root account and create a new password for it. What is causing this, and how can I fix it so that I'm able to install hal, dbus, etc. and administer users and groups again?
Okay, found a workaround... Using usermod instead of passwd should apparently work. For anyone having problems with this: first, use passwd --unlock to unlock the root account, and then usermod --lock to lock its password.
Similar Messages
-
I first will admit: I am stupid stupid stupid for doing this...
My question is it possible to recover my root account if:
1) it has been locked with:
passwd -l root
which normally just locks the root account and should be undo-able by
sudo passwd -u root
2) my root login has been disabled with:
Defaults timestamp_timeout=0,rootpw
in my /etc/sudoers
So now I fully understand how to make a system completely void of an accessible root account.
Even when I tried booting into single user mode, it prompts for my root passwd on boot, but since I disabled root login, it seems this doesn't work either.
So I'm reinstalling soon, unless there is a quick fix I can't think of. Help.
P.S. Don't try the above commands (together) at home, it's baaad news, kids.
Edit /etc/passwd from a live CD and set the second field to 'x', then edit /etc/shadow and set the second field to blank. That will set your root password to empty. After that, reboot and log in to a console as root and change the password as normal with passwd.
EDIT: Actually, all you need to do is remove the '!' from the front of the hash (second field) in /etc/shadow and the old password should work again.
Last edited by Bolts (2010-06-14 22:13:56) -
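An added example, not part of either thread above: a shell function that separates the two conditions these posts run into, a locked password (the '!' prefix in the second field of /etc/shadow, or the Solaris *LK* marker) and an expired account (the eighth field). The sample entries are constructed, and reading the first post's lingering "account has expired" error as a set expiry field is an assumption.

```shell
#!/bin/sh
# Added example, not from the threads. All sample entries are constructed.
# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# shadow_state 'ENTRY' TODAY   (TODAY = days since 1970-01-01)
# Prints: <name> password=<empty|none|locked|set> account=<no-expiry|expired|valid>
shadow_state() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        hash = $2; expire = $8

        if (hash == "")                 pw = "empty"    # blank field: no password needed
        else if (hash ~ /^\*LK\*/)      pw = "locked"   # Solaris lock marker
        else if (hash ~ /^(!+|\*)$/)    pw = "none"     # no usable hash at all
        else if (hash ~ /^!/)           pw = "locked"   # hash preserved behind "!"
        else                            pw = "set"

        # Field 8 is independent of the hash: unlocking the password
        # does not clear an expiry date that is already in the past.
        if (expire == "" || expire == "-1")  acct = "no-expiry"
        else if (today + 0 >= expire + 0)    acct = "expired"
        else                                 acct = "valid"

        printf "%s password=%s account=%s\n", $1, pw, acct
    }'
}

today=$(( $(date +%s) / 86400 ))

# Constructed entries: locked and expired, unlocked but still expired,
# password-only lock, Solaris lock, and a blanked password field.
while IFS= read -r entry; do
    shadow_state "$entry" "$today"
done <<'EOF'
root:!$6$constructed$notarealhash:14774:0:99999:7::1:
root:$6$constructed$notarealhash:14774:0:99999:7::1:
root:!$6$constructed$notarealhash:14774:0:99999:7:::
root:*LK*:6445::::::
root::14774:0:99999:7:::
EOF
```

An entry reported as password=set account=expired matches the first post's symptom after unlocking; `chage -E -1 root` clears the expiry field.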
Root account locked out after 3 login attempts
I've connected to a 280R (Solaris 9) machine through the console (null modem cable). After trying 3 failed login attempts, it reported that the root account has been locked out. What can I do now to re-enable it?
Vincent
The usual dance. :-)
1. Put in a Solaris install CD
2. "boot -s " at the "ok" prompt.
3. mount /dev/c<your boot partition> /mnt
4. edit /mnt/etc/passwd
5. Reboot the system.
6. login as root
7. Set your password.
8. write it on a post-it.
9. place post-it on monitor.
I'm kidding with steps 8 and 9.
HTH,
Roger S.
PS - Happy T-day -
please tell me if the root account is locked and also unlocking it
By default on a regular install on a Solaris system, the root login is definitely not locked. If your root login is locked, you can unlock it by:
- booting from a Solaris install CD
- mounting the root directory
- modifying the /etc/shadow file and clear the second field (e.g. the crypted password field)
- reboot
You will now be able to login as root without a password. You should then immediately set the root password to something. -
ALL Accounts are EXPIRED & LOCKED. How do I reset them?
I downloaded Oracle9i about a month ago to test out. I finally got time to do so and all the accounts say EXPIRED & LOCKED 25-Oct-2001.
Do I have to reinstall and start over, or can I reset them?
Thanks,
Chris
Which graphics display card do you have?
If you have an ATI card with Catalyst drivers then try to disable "Morphological Filtering" in the Catalyst drivers:
* Catalyst Control Center > 3D Settings > Disable Morphological Filtering -
Hi everyone,
We have all of our Macs (running 10.7) bound to AD through the native plugin. We have the AD plugin set to create mobile accounts. We create three local groups on each machine and add the equivalent AD groups to the local groups. For instance, we have a local group called Students which has the member DOMAIN\AD Students. We then use local managed preferences to launch a login script to map drives for these accounts, which works correctly based on group membership.
We've now set these same three local groups to have mobile account expiration. On a test machine, we set it to 2 days. We then logged in with a test account and rebooted, logged in again, and rebooted. After waiting all week, the account is still there (along with all of the other mobile accounts, but we don't know exactly when those students had logged in).
Is there any place to check the last time a user logged in? Does our setup sound like it should even work?
Thanks!
-MRCUR
When logging in with an AD user, the "lastLoginTime" is not set on the mobile account. This seems to be the root cause of the accounts not expiring as expected, as the lastLoginTime is used to determine when the account should expire.
This unfortunately seems like expected behavior when using AD accounts as opposed to local or OD accounts. -
I am trying to activate the root account on my new Mac Book Pro. The instructions that I have found do not match what I have in System Preferences. What is the process when using Users and Groups. When I click on Join the Network Account Server- Open Directory Utility I don't see a option to activate root user as the instructions say at http://support.apple.com/kb/HT1528
OS X Lion
From the Apple menu choose System Preferences....
From the View menu choose Users & Groups.
Click the lock and authenticate as an administrator account.
Click Login Options....
Click the "Edit..." or "Join..." button at the bottom right.
Click the "Open Directory Utility..." button.
Click the lock in the Directory Utility window.
Enter an administrator account name and password, then click OK.
Choose Enable Root User from the Edit menu.
Enter the root password you wish to use in both the Password and Verify fields, then click OK.
Do you mean you cannot select "Enable Root User" from the "Edit" menu as shown below?
Why do you think you need to enable the root user? I've never needed it in the history of OS X. -
How to unlock Root Account in non-global zone on Solaris 10 Branded Zone
Hello All,
I have a physical x86 server running Solaris 11. On top of that, I have 3 Solaris 10 branded zones configured. Due to security policy the root account has been locked by 5 failed login attempts.
Is there a way by which I can unlock root account in non-global zone.
I have the root access of global zone.
Pls help as these are production servers.
Regards
Hey,
It worked. Actually I forgot to save the file.
I changed the /<zonepath>/root/etc/shadow
Removed *LK* & then from global zone did zlogin -l root zonename
Thanks a lot. -
System failure during locking GL account "co.code" by "GL a/c"
HI Experts,
When posting an excise invoice in J1IIN we are getting the following error.
"system failure during locking GL account 1800 by 13113910"
Any one have idea why we get this error?
Thanks and Regards
Om Prakash RA
FI/CO Consultant
Hi,
This error could be caused because of many reasons,
As per my understanding, the error is encountered only
when multiple user press the SAVE button simultaneously(the error
is not encountered when multiple users run the transaction J1IIN).
While creating the excise invoice, at the time of saving system tries to
lock the GL account that is getting updated with the new balances.
Probably some one else could be changing the GL account data at that
point of time. This is a very short phenomena and is meant to keep the
data consistency. It is the intended behaviour of the system. Two users
cannot perform simultaneously on the same G/L account.
Also, Please note that while saving the Excise invoice through J1iin
you must click on the save icon only once even if you get any messages
Just press 'enter' key, instead of clicking again on the save icon.
This will not give the GL account locking error.
If you press the save icon the GL account will be locked and if you click
on the save icon again it tries to lock the GL account again and since
the GL is already locked this error will come.
So please do not click on the save icon more than once
Regards
V V -
How to find out the last time login for a locked login account?
In ASE 15.4,there are many login account show as locked and unlocked. How to find out the last login time for those locked login account?
Thank you. The version of my ASE is 12.5.4.
This is what I got from select * from syslogins:
suid status accdate totcpu totio spacelimit timelimit resultlimit dbname name password language pwdate audflags fullname srvname logincount procid
1
30 2 10/25/2012 11:41:10.430 AM 0 0 0 0 0 . . ... us_english 02/24/2.0.08 12:55:38.640 PM 0 [NULL] [NULL] [NULL] [NULL]
this is what I got from exec sp_displaylogin 'mylogin':
Suid: 46
Loginame: mylogin
Fullname: FN LN
Default Database: mydb
Default Language: us_english
Auto Login Script:
Configured Authorization:
Locked: YES
Date of Last Password Change: Apr 17 2010 2:36PM
Password expiration interval: 0
Password expired: NO
Minimum password length: 6
Maximum failed logins: 0
Current failed login attempts:
Authenticate with: AUTH_DEFAULT
which one is for last login time? -
Hi all,
For a few weeks now, my root account has been locking every 5 days, but I can't figure out why.
I've looked in the log files but can't see anything that helps me figure out what locks the root account or why.
My question is, where can I look to figure out what locks my root account, or is there a log that I need to activate to be able to see what's happening to the root account?
Thx all.
Doug
Does your system log all root login attempts via syslog to auth.log or something similar? If so, do you see any attempts by any user to log in? If it is every five days, do you have any scheduled jobs that run some process that tries to log in as root but is failing? Are you running BART or something similar which checks manifests - perhaps you have malware that is editing your /etc/shadow and locking your root for malicious purposes.
-
How can I determine which account is the root account? After upgrading computer and moving data via time machine, I have two accounts listed as admin, however the new one I created on new computer does not act like root account.
kflau,
As Nerowolfe suggested keep the spare admin account. Test it for functionality occasionally and keep it in reserve. If your main admin should 'break' you may be able to use the reserve to fix it, or do some other admin task. You should also use a non admin as your day to day browser login. You can switch stuff about using the "Shared" user.
Root is an admin but more than that, and it is best kept in the cupboard. I do on rare occasions see apps telling me when in an admin, 'You don't have enough privileges to do "X"' and have resorted to root, but that is rare and probably idiosyncratic to the procedure concerned.
Try this; open the Utility app, 'Directory Utility". Click on the lock and enter an admin name and password. Put your mouse on 'Edit" tab and look at the drop down. If it says , 'enable root', then root is disabled. If it says 'disable root' then root is currently enabled. To enable root you enter a password for it. You can give root a password (and any other user for that matter) by booting from the install disk, navigating to the utilities menu (choose a language click to install but don't go the full distance) For most users assign PWs in the user pane in Sys Prefs and for root , in said app Directory utility.
There have been cases reported here where root , and maybe other users have been effectively lost that's once in a blue moon. -
Hi everyone,
During my vacations abroad my Adobe Connection account is expired cause my credit card was blocked.
I'd like to activate my account again, to go on with my webinars and to regain the access to all former webinars I've led.
What should I do?????
Hi Rduncan78,
Can you try launching the Creative Cloud app and signing out and back in with Illustrator closed. Afterwards try relaunching Illustrator again and see if you get the same behavior. -
Exchange User Account Managment Task locking AD account
User's AD account is locking within minutes. Windows logs show the calling computer as the Exchange 2010 CAS server (which is part of the CAS array). We have disabled all mailbox features (ActiveSync, MAPI, OWA, POP, IMAP). The account still locks up within minutes and with the same Windows event. There are no 1035 events on the CAS showing any brute force attacks and no other logs referencing this event at all. The IIS logs show an old Samsung phone that the user had months ago and it broke. It doesn't make sense that it will be blocking the account even when ActiveSync is disabled for testing. I have gone ahead and blocked it anyway and removed it from the mailbox using MAPI MFC. I did check the server for Conficker but did not see anything odd in the registry. What can be causing this lockout? Also, the user does not have any tasks configured or passwords saved on the computer.
Windows Log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/17/2014 9:09:03 AM
Event ID: 4740
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: DOmainController.DOmain.local
Description:
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: DOMAINCONTROLLER$
Account Domain: Domain Name
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: Domain Name\User
Account Name: windows user name
Additional Information:
Caller Computer Name: Exchange 2010 CAS server
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54878625-5237-4999-A5DA-4t567j328C30G}" />
<EventID>4740</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2014-09-17T13:09:03.021253500Z" />
<EventRecordID>331284493</EventRecordID>
<Correlation />
<Execution ProcessID="492" ThreadID="1036" />
<Channel>Security</Channel>
<Computer>DomainController.domain.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Username</Data>
<Data Name="TargetDomainName">Exchange 2010 CAS Server</Data>
<Data Name="TargetSid">S-1-5-21-4059915145-90934678-67520089-8930</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DomainControler$</Data>
<Data Name="SubjectDomainName">DOmain Name</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
</EventData>
</Event>
IIS Log Entry for the Old Phone which was removed now using MAPI MFC and Blocked. Note 10.88.11.2 is Load Balancers IP (changed in this post)
ault.eas Cmd=Sync&User=DomainName%5CDomainUserName&DeviceId=SEC1772877030523&DeviceType=SAMSUNGSCHI535 80 Domain\Username 10.88.11.2 SAMSUNG-SCH-I535/101.403 401 1 1909 0
Hello,
Ad replication has been tested with no issues.
The test account locks up only if we intentionally enter the bad password. This was done to see if our disabling of the mailbox feature on the actual production account would prevent locks due to requests coming to Exchange for that feature with a bad password. Apparently the account will lock even if the mailbox feature is disabled. For example: if OWA is disabled for a mailbox, entering the incorrect password for the account will lock the account.
So, currently we have done a workaround; since the user has no PC to log in to - only uses iPad and iPhone - we have changed the user name in AD. The account is not locking, but I am still seeing these entries in the IIS logs coming from his old phone for the old username (which broke and was trashed - this also tells us that if we revert to the actual username for the account it will lock). Also, disabling ActiveSync for the user when the user name was not changed did not have any impact, and requests coming to ActiveSync would still lock the account.
What should we do to prevent Exchange from trying to respond to this request to ActiveSync from an old device? The device was blocked on the account and removed through MFC when the issue surfaced, but it did not fix the situation:
Request on IIS logs:
2014-09-18 00:01:07 10.97.10.20 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=Domain Name%5CUsername&DeviceId=SEC1342789030523&DeviceType=SAMSUNGSCHI535 80 DOmain Name\Username 10.1.10.46 SAMSUNG-SCH-I535/101.403 401 1 1909 0
Block Command Used:
[PS] C:\Windows\system32>Set-CASMailbox -Identity: "[email protected]" -ActiveSyncBlockedDeviceIDs: "SEC1342789030523"
Confirmed it's listed as blocked:
Get-CASMailbox Username | Select ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
Note: (Allowed devices are none since at that time we had removed all current ActiveSync devices attached to the account to see if any of them were responsible for the bad request)
ActiveSyncAllowedDeviceIDs ActiveSyncBlockedDeviceIDs
{SEC1342789030523} -
Hi SAP Gurus,
We are configuring the CIN Settings for our client and at the time of testing, while saving the Out going excise invoice the system is giving the error as “Balance in Transaction Error” and when pressed enter the system displays the error as “ system failure during locking GL account 5555 by 13113910.”
We have configured Out going excise duty condition types in the SD pricing procedure
and
also maintained the same condition types as mentioned below in the path IMG / LOGISTICS GENERAL / TAX ON GOODS MOVEMENT / INDIA / BASIC SETTINGS/ DETERMINATION OF EXCISE DUTY / MAINTAIN EXCISE DEFAULTS
under the headings
AR BED Cond – JEXP
AR Cess Cond – JECS
ECS AR – JHEC
And also maintained the settings in the Path IMG / LOGISTICS GENERAL / TAX ON GOODS MOVEMENT / INDIA / SPECIFY EXCISE ACCOUNTS PER EXCISE TRANSACTION and also in SPECIFY G/L ACCOUNTS PER EXCISE TRANSACTION .
But still the above mentioned error is coming.
Note : error in not coming when I am removing the JHEC condition type from the path IMG / LOGISTICS GENERAL / TAX ON GOODS MOVEMENT / INDIA / BASIC SETTINGS/ DETERMINATION OF EXCISE DUTY / under the heading ECR AR, But we need the JHEC(ie. Higher education cess) also in out going excise invoice.
Please let me know what is the issue and how to resolve it.
Thanks & Regards
Shashi
Dear We faced the same issue and almost for 20 days to get it resolved.
For this kind of error firstly Check have you activated the Liable for AT1 indicator in(IMG>>Log.General>>Tax on goods Movement>>India>>Basic Settings>>Maintain Excise registrations)
Also Have you assigned Proper GL account in (IMG>>Log.General>>Tax on Good Movement>>>India>>>Account Determination>>Account determination per Excise transaction type.
Here pl check the relevant GL has been assigned for
1.RG23A BED(for Both incoming and outgoing excise invoice updations against your ETT)
2 RG23C BED, (for Both incoming and outgoing excise invoice updations against your ETT)
3 .OFF SET,(for Both incoming and outgoing excise invoice updations against your ETT)
4 MODVAT.CLEARING, (for Both incoming and outgoing excise invoice updations against your ETT)
5 PLA BED& AED & SED,(for Both incoming and outgoing excise invoice updations against your ETT at the time of utilizations)
6 PLA CESS(for Both incoming and outgoing excise invoice updations against your ETT at the time of utilizations)
7 CENVAT ON HOLD(for Both incoming and outgoing excise invoice updations against your ETT at the time of utilizations)
8.CENVAT SUSPENSE(for Both incoming and outgoing excise invoice updations against your ETT at the time of invoice posting)
9.PLA ON HOLD((for Both incoming and outgoing excise invoice updations against your ETT at the time of TR6c)
10. CENVAT REVERSAL(For cancellations vs ETT)
11. RG23A ECS(for Both incoming and outgoing excise invoice updations against your ETT)
12. RG23C ECS(for Both incoming and outgoing excise invoice updations against your ETT)
13. PLA ECS(for Both incoming and outgoing excise invoice updations against your ETT )
14. RG23A AT1(check this more carefully)
15. RG23C AT1(check this more carefully)
16. PLA AT1(check this more carefully)
Hope this helps you...
Phanikumar