Root account locked

Please tell me if the root account is locked, and also about unlocking it.

By default on a regular install on a Solaris system, the root login is definitely not locked. If your root login is locked, you can unlock it by:
- booting from a Solaris install CD
- mounting the root directory
- modifying the /etc/shadow file and clearing the second field (i.e. the crypted password field)
- rebooting
You will now be able to login as root without a password. You should then immediately set the root password to something.

Similar Messages

  • Root account locked out after 3 login attempts

    I've connected to a 280R (Solaris 9) machine through the console (null modem cable). After 3 failed login attempts, it reported that the root account has been locked out. What can I do now to re-enable it?
    Vincent

    The usual dance. :-)
    1. Put in a Solaris install CD
    2. "boot -s " at the "ok" prompt.
    3. mount /dev/c<your boot partition> /mnt
    4. edit /mnt/etc/passwd
    5. Reboot the system.
    6. login as root
    7. Set your password.
    8. write it on a post-it.
    9. place post-it on monitor.
    I'm kidding with steps 8 and 9.
    HTH,
    Roger S.
    PS - Happy T-day

  • Root account Lockout

    Hi all,
    For a few weeks now, my root account has been locking every 5 days, but I can't figure out why.
    I've looked in the log files but can't see anything that helps me figure out what locks the root account or why.
    My question is: where can I look to figure out what locks my root account, or is there a log that I need to activate to be able to see what's happening to the root account?
    Thx all.
    Doug

    Does your system log all root login attempts via syslog to auth.log or something similar? If so, do you see any attempts by any user to login? If it is every five days, do you have any scheduled jobs that run some process that tries to log in as root but is failing? Are you running BART or something similar which checks manifests - perhaps you have malware that is editing your /etc/shadow and locking your root for malicious purposes.

  • Locking root account causes account to expire

    If I lock the root account using passwd -l root, PAM prevents me from adding users or groups, saying that root's account has expired. This wouldn't be so bad, except that PAM continues to prevent me from adding users/groups even after I unlock the root account and create a new password for it. What is causing this, and how can I fix it so that I'm able to install hal, dbus, etc. and administer users and groups again?

    Okay, found a workaround... Using usermod instead of passwd should apparently work. For anyone having problems with this: first, use passwd --unlock to unlock the root account, and then usermod --lock to lock its password.

  • Recover locked root account

    I first will admit: I am stupid stupid stupid for doing this...
    My question is it possible to recover my root account if:
    1) it has been locked with:
    passwd -l root
    which normally just locks the root account and should be undo-able by
    sudo passwd -u root
    2) my root login has been disabled with:
    Defaults timestamp_timeout=0,rootpw
    in my /etc/sudoers
    So now I fully understand how to make a system completely void of an accessible root account.
    EVEN when I tried booting into single user mode, it prompts for my root passwd on boot, but since I disabled root login, it seems this doesn't work either.
    So I'm reinstalling soon, unless there is a quick fix I can't think of. Help!
    P.S. Don't try the above commands (together) at home, it's baaad news, kids.

    Edit /etc/passwd from a live CD and set the second field to 'x', then edit /etc/shadow and set the second field to blank. That will set your root password to empty. After that, reboot, log in to a console as root and change the password as normal with passwd.
    EDIT: Actually, all you need to do is remove the '!' from the front of the hash (second field) in /etc/shadow and the old password should work again.
    Last edited by Bolts (2010-06-14 22:13:56)

  • I am trying to activate root account on my MAC.  The directions I've seen do not match what is in System Preference for Accounts or Users

    I am trying to activate the root account on my new Mac Book Pro. The instructions that I have found do not match what I have in System Preferences. What is the process when using Users and Groups? When I click on Join the Network Account Server - Open Directory Utility, I don't see an option to activate the root user as the instructions say at http://support.apple.com/kb/HT1528
    OS X Lion
    From the Apple menu choose System Preferences....
    From the View menu choose Users & Groups.
    Click the lock and authenticate as an administrator account.
    Click Login Options....
    Click the "Edit..." or "Join..." button at the bottom right.
    Click the "Open Directory Utility..." button.
    Click the lock in the Directory Utility window.
    Enter an administrator account name and password, then click OK.
    Choose Enable Root User from the Edit menu.
    Enter the root password you wish to use in both the Password and Verify fields, then click OK.

    Do you mean you cannot select "Enable Root User" from the "Edit" menu as shown below?
    Why do you think you need to enable the root user? I've never needed it in the history of OS X.

  • How to unlock Root Account in non-global zone on Solaris 10 Branded Zone

    Hello All,
    I have a physical x86 server running Solaris 11. On top of that, I have 3 Solaris 10 branded zones configured. Due to security policy, the root account has been locked by 5 failed login attempts.
    Is there a way by which I can unlock the root account in a non-global zone?
    I have root access to the global zone.
    Please help, as these are production servers.
    Regards

    Hey,
    It worked. Actually I forgot to save the file.
    I changed the /<zonepath>/root/etc/shadow
    Removed *LK* & then from global zone did zlogin -l root zonename
    Thanks a lot.
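
The fixes in the threads above all edit the second field of an /etc/shadow entry: blanking it, stripping a leading `!`, or stripping `*LK*`. This POSIX shell script is an added example (not code from any of the posters) that classifies that field so an entry can be checked before and after such an edit. The sample entries are constructed, and the `NP`, `*` and `!!` markers are assumptions taken from common Solaris and Linux conventions rather than from this page.

```shell
#!/bin/sh
# Added example: report the lock state encoded in field 2 of shadow(4) entries.
# States: empty | locked | locked-nohash | nologin | set | malformed

shadow_state() {
    # $1 is one full shadow line, e.g. "root:<field2>:6445::::::"
    case "$1" in
        *:*) ;;
        *)   echo malformed; return 0 ;;
    esac
    rest=${1#*:}          # drop the user name
    field=${rest%%:*}     # keep only the password field
    case "$field" in
        '')               echo empty ;;          # login needs no password
        '*LK*'|'!'|'!!')  echo locked-nohash ;;  # locked, no old hash to restore
        '*LK*'*|'!'*)     echo locked ;;         # lock marker in front of a hash
        '*'|NP)           echo nologin ;;        # no password login (assumed markers)
        *)                echo set ;;            # an ordinary password hash
    esac
}

# Read shadow lines on stdin, print "user state" per entry.
# Returns 1 if any entry has an empty password field, else 0.
audit_shadow() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        user=${line%%:*}
        state=$(shadow_state "$line")
        printf '%s %s\n' "$user" "$state"
        if [ "$state" = empty ]; then
            rc=1
        fi
    done
    return $rc
}

# Constructed sample entries (not from a real system).
sample_shadow() {
    cat <<'EOF'
root::6445::::::
daemon:NP:6445::::::
admin1:*LK*:::::::
zoneroot:*LK*abCDefGHijKLm:15000::::::
lroot:!$6$saltsalt$CONSTRUCTEDHASH:14774:0:99999:7:::
alice:$6$saltsalt$CONSTRUCTEDHASH:14774:0:99999:7:::
EOF
}

# Demo run: the first sample entry is what the "blank the field" recovery
# leaves behind until a new root password is set.
sample_shadow | audit_shadow || echo "WARNING: entry with empty password field"
```

On a live system, run `audit_shadow < /etc/shadow` as root (or against `/<zonepath>/root/etc/shadow` from the global zone) and treat a non-zero return as a finding.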

  • Determine the Root Account

    How can I determine which account is the root account? After upgrading computer and moving data via time machine, I have two accounts listed as admin, however the new one I created on new computer does not act like root account.

    kflau,
    As Nerowolfe suggested keep the spare admin account. Test it for functionality occasionally and keep it in reserve. If your main admin should 'break' you may be able to use the reserve to fix it, or do some other admin task. You should also use a non admin as your day to day browser login. You can switch stuff about using the "Shared" user.
    Root is an admin but more than that, and it is best kept in the cupboard. I do on rare occasions see apps telling me, when in an admin account, 'You don't have enough privileges to do "X"', and have resorted to root, but that is rare and probably idiosyncratic to the procedure concerned.
    Try this: open the utility app 'Directory Utility'. Click on the lock and enter an admin name and password. Put your mouse on the 'Edit' tab and look at the drop-down. If it says 'enable root', then root is disabled. If it says 'disable root', then root is currently enabled. To enable root you enter a password for it. You can give root a password (and any other user for that matter) by booting from the install disk and navigating to the utilities menu (choose a language, click to install, but don't go the full distance). For most users, assign PWs in the user pane in Sys Prefs, and for root, in said app Directory Utility.
    There have been cases reported here where root, and maybe other users, have been effectively lost, but that's once in a blue moon.

  • Service accounts locked out issue.

    Hi,
    While monitoring production servers, I noticed that all the Host Instances were stopped. In the Event log, I could see several Account Locked notifications (Service accounts for Hosts). Below are the relevant error messages that I could see in the event log for this exception.
    "The BTSSvc$My_Host service was unable to log on as mydomain\SvcAccount with the currently configured password due to the following error:
    The referenced account is currently locked out and may not be logged on to."
    "Windows saved user mydomain\SvcAccount registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
    This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account."
    I am not able to figure out the root cause and the possible remedy. Please let me know your thoughts about the issue.
    Thanks and Regards,
    Ujjwal
    -Ujjwal

    If this is the first time this has occurred, then it is possible that someone did change the service account passwords. Can you log on to the BizTalk machine using the account and password? If someone has changed the passwords, you will need to go to each machine, open services.msc, and manually enter the password for each of the affected services.
    If this is a recurring problem, it may be because of a Downadup.B infection and you'd need to take it up with the AntiVirus control team to help identify/rectify this.
    Regards.

  • Windows 2008- Account Lock not working and getting Domain Policy access denied

    Hi
    In a Windows 2008 root domain we tried to edit the policy and were getting the error "Access Denied on the Domain Policy template". We resolved it by giving Write permission for authenticated users on the template. Later we applied an account lockout policy,
    but it is not applying and automatically resets to 0 in the account lockout tool.
    Error: "Access Denied:\\sysvol\Domain.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Windows NT\SecEdit\GPTmpl.inf.Make sure that you have the right permission to this object."

    Hi,
    The error message is Access Denied, so it should be a permission issue.
    You mentioned that you tested the account lockout in an isolated network and it was working fine without any problem. By that, did you mean that you didn’t get the Access Denied error message, or that the account wasn’t locked out?
    If you are facing account lockout problem, here are some troubleshooting articles below for you:
    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155(v=WS.10).aspx
    Troubleshooting account lockout the PSS way
    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
    Appendix Two: Gathering Information to Troubleshoot Account Lockout Issues
    http://technet.microsoft.com/en-us/library/cc778156(v=WS.10).aspx
    Best Regards,
    Amy

  • Database account locked as it tries to connect different ports for 16 times

    I need a help in answering one of the issue encountered last week.
    I have created a database link and tried to access the information from a table using a program written in another language. The password provided for that user while creating the database link was incorrect. So we expected that, while retrieving the data, the database connection would error out because the password provided is incorrect.
    But unfortunately, the user account was locked out. When I checked with the DBAs, they mentioned that it tried to connect to 16 ports within a minute. We were shocked, as it STOPS other scheduled jobs with that user and affects production badly.
    As per the program, it has to connect only one time, and yesterday we tried to execute the program under the DBAs' observation and it errored out as expected. It didn't try multiple ports.
    Now the question is, WHY was the database connection established 16 times last week, causing the user account to be locked? The DBAs are unable to answer it. Any EXPERT's opinion on this would be greatly appreciated.
    I have checked port management in the Oracle documentation; it mentions that if one port is busy, it will try to connect to another port in the range of ports given during the installation. The DBAs verified the ports-related file and it was blank, and they are not agreeing with this reason. Please HELP me in finding the correct REASON for this.
    is it a NETWORK issue or issue with DATABASE SERVER only?
    Thanks
    SSP
    Edited by: 960738 on Sep 22, 2012 9:13 PM

    DBLINK is 100% oblivious to the fact any port exists.
    DBLINK only contains username, password & TNS Alias.
    can you post actual SQL & results?

  • How can I transfer the root account on my computer to a regular account?

    Not sure if this in the correct category, but anyway...
    Back in October 2010, I installed a Java update or something on my regular account, and it broke the account for some reason. I had no other account to use except for the root user that I enabled previously (just for testing). I logged into it and used it as my regular account, checking every so often to check if my regular account fixed itself. Sadly, it didn’t (at the time), but after a while, I upgraded my computer to Snow Leopard (I was previously running Leopard), I found that my old account finally fixed itself. Immediately, I attempted to copy over all of my files from the root account to the other account. I went onto the account, and it seemed to be a fresh account, so I assumed that it didn’t register the account files as legitimate and I guess it made it into a new account. I gave up after fiddling with it for a bit. To this day, I’m still using the root user as my main account, but a lot of things are broken (like Spotlight, Mail search, some other things) and I’d just like to know a clean way I could easily transfer all of the stuff from the root user to my old account (including all of the Library files and such). Please don’t say “You shouldn’t have used the root user because it’s really dangerous,” or whatever. I’ve been responsible with it for almost 2 years and I don’t think I could’ve done anything else. Thanks for any help.

    It's doable with Terminal. Log into your new userfolder in the /Users/ folder and open Terminal and say:
    whoami
    This is the owner of your newly transferred files.
    Log into your root account and Launch Terminal. You will use the scp (secure copy) command to copy your files over to the new userfolder, replacing PathToNewFolder with the path to your new folder:
    cd /PathToNewFolder
    scp -r /private/var/root/* .
    The copied files will all have ownership of root account, so you will then set ownership of all the files to your new username that you remember from above, replacing "NewName" with your new username:
    USER=NewName
    find . -exec chown $USER:admin {} \;
    find . -type d -exec chmod 750 {} \;
    find . -type f -exec chmod 640 {} \;
    chmod 755 Library
    find Library -type d -exec chmod 755 {} \;
    find Library -type f -exec chmod 600 {} \;
    chmod 755 Library/Autosave\ Information Library/Application\ Support Library/Keychains Library/Application\ Support/Terminal
    chmod 644 Library/Preferences/QuickTime\ Preferences Library/Keychains/* Library/Favorites/* Library/Caches/com.apple.preferencepanes.cache Library/Caches/com.apple.preferencepanes.searchindexcache
    chmod 755 Public Sites
    chmod 733 Public/Drop\ Box
    find Sites -type d -exec chmod 755 {} \;
    find Sites -type f -exec chmod 644 {} \;
    Then you can login to your new account with all your stuff hopefully intact. If anything doesn't work respond here and it can be fixed.

  • How to allow users to launch SMC; login to SMC without root account

    I'm very familiar with how to create accounts, assign members to groups and assign privileges in Solaris 10 using SMC. I want a user to review the audit logs using the SMC console, since the logs are GUI, but I don't want the user to use the root account to log in to SMC. I know the user can use the su command, but I can only log in with root after typing su and then launch SMC.
    Bottom line: what is the best way a user can use the SMC console without having the root password to execute SMC, and then log in to SMC and view the audit logs?
    A million thanks
    John

    I found the best solution is to use Role Based Access Control (RBAC). Using SMC as root, go to the Role icon and set up a Role using the wizard. Next, have the user log in to the system, go to the terminal and type:
    /usr/sadm/bin/smc &
    The individual user will be prompted to login with his specific user name and password and then prompted to use the Role Login Name and Password you provided in the above paragraph.
    Now the user can perform SMC functions without the need for root.

  • [SOLVED] Mouse Acting Up When Using Cinnamon In Non-Root Accounts

    I have recently installed Arch linux on my computer, alongside Ubuntu and Windows. I installed cinnamon and xorg from the official repositories, and was happy with the experience. However, I wanted to transition from a root account to a normal user account, because certain software (e.g. Chrome) refuses to run under root. So, I created my user, home directory, and password, and was able to login. I copied my .xinitrc from my root home directory to my normal user accounts' home directory. The contents were this:
    exec gnome-session-cinnamon
    So, I type startx on the command line, expect everything to work normally, and I find that my mouse is not working properly:
    1. I am unable to drag windows around
    2. Applications with a scroll bar automatically scroll down to the bottom of page, and you can't scroll back up again
    3. I cannot click anything on the sidebar of the cinnamon menu (which contains things like logoff and shutdown, so I had to kill the x server)
    However, when logged in on root, none of this happens. At first, I thought this problem was due to me using a display manager (I used gdm and slim). This, however, is not the case. There isn't much out there on the internet for the problem I have, and I assume that this doesn't happen very often. What I did find, however, was to install the following packages:
    sudo pacman -S xf86-input-evdev
    sudo pacman -S xf86-input-mouse
    The problem was still not fixed. I do not have an xorg.conf, but I do have a 50-vmmouse.conf in /etc/X11/xorg.conf.d (I don't know if that's helpful, though):
    Section "InputClass"
        Identifier    "vmmouse"
        MatchIsPointer    "on"
        MatchTag    "vmmouse"
        Driver        "vmmouse"
    EndSection
    Edit: I have a (I think) slightly more useful file: 10-evdev.conf in the same directory:
    # Catch-all evdev loader for udev-based systems
    # We don't simply match on any device since that also adds accelerometers
    # and other devices that we don't really want to use. The list below
    # matches everything but joysticks.
    Section "InputClass"
            Identifier "evdev pointer catchall"
            MatchIsPointer "on"
            MatchDevicePath "/dev/input/event*"
            Driver "evdev"
    EndSection
    Section "InputClass"
            Identifier "evdev keyboard catchall"
            MatchIsKeyboard "on"
            MatchDevicePath "/dev/input/event*"
            Driver "evdev"
    EndSection
    Section "InputClass"
            Identifier "evdev touchpad catchall"
            MatchIsTouchpad "on"
            MatchDevicePath "/dev/input/event*"
            Driver "evdev"
    EndSection
    Section "InputClass"
            Identifier "evdev tablet catchall"
            MatchIsTablet "on"
            MatchDevicePath "/dev/input/event*"
            Driver "evdev"
    EndSection
    Section "InputClass"
            Identifier "evdev touchscreen catchall"
            MatchIsTouchscreen "on"
            MatchDevicePath "/dev/input/event*"
            Driver "evdev"
    EndSection
    Last edited by iandun (2013-07-26 13:42:05)

    I have fixed it! After my mouse started automatically moving to the left side of the screen, even when logged in as root, I thought I would have to go back to Ubuntu, but I was able to read another forum thread about someone who was having the same issue (about the mouse moving left), and said that when he unplugged his joystick, everything worked. I realized that I had a joystick, so I unplugged mine and now everything is working like a charm!

  • J_security_check, JAAS, password expiration, account locking and portals

    J2EE form-based authentication will redirect an unauthenticated user trying to connect to a secured resource to a login page and will 1) send the user to the originally requested page upon successful authentication OR 2) send the user to the error page in the event of authentication failure. There are a couple of problems that I have with this implementation - not with j_security_check specifically, but with the pattern generally.
    There are several events that a Portal must manage beyond simple authentication validation. Specifically
    - Notify a user after successful authentication that their account has been locked and they must contact someone to get it unlocked.
    - Notify a user after successful authentication that their password is about to expire and offer them a choice between changing their password immediately or proceeding to the requested resource.
    - Notify a user after successful authentication that their password has expired and require that they change it before proceeding to the requested resource.
    - Notify a user after successful authentication that they don't have rights to access to the requested resource even though they've been successfully authenticated and offer to redirect them to a page that they are authorized to access.
    I am currently investigating a scheme to solve these problems by using servlets for the login and error 'pages', having these servlets forward to different .JSP's based on roles, and writing some sort of JAAS module to add an access (authorization) role based on the password and account lock status.
    Has anyone else worked on this kind of problem? Are there any efforts to extend the J2EE specifications to handle these alternate flows in the j_security_check activity.
    I'm frustrated with each of the different container providers handling the JAAS Authorization differently. Further, since the j_security_check doesn't discuss how the server tracks the original request, each container provider has used a custom mechanism for keeping the original URI as j_security_check activity proceeds.
    One final gripe, since the J2EE specification does not specify how to deal with JAAS, and further define a mechanism to getting the Subject associated with the current ServletRequest, all providers have done this differently too. Perhaps this was avoided as a 'non-goal', but wouldn't it have been nice to state that 'should a provider decide to offer JAAS based security, the implementation must...'?

    I understand this problem... I don't know whether I have to term this as a "Feature" or a "Drawback".
    I have handled this problem differently in my project.
    Scenario: When user does normal login
    1. User is displayed a home page. During this process, I create a session variable "Initialized".
    2. I check for this session variable in all the pages. If this session variable is missing then I redirect to the home page which in turn creates the "Initialize" variable in the session.
    Scenario: Session time out happens in Page 3
    1. User will be taken to login page.
    2. In the typical scenario, when the user is authenticated successfully, Page 3 is displayed.
    3. I check for the session variable "Initialize" in Page 3. This "Initialize" variable will not be available due to session expiry.
    4. I redirect my page to "Home Page" which in turn creates session variable "Initialize".
    5. This solution solved the problem of showing home page when user does the login
