SEO

From time to time, I see some strange pw things when handling accounts.
For instance on an E250 box with the latest Sol-8 installed from scratch
with the latest Patch cluster (as of March '04).

I create an account, and when trying to change the account password as
root I get:
root@host:/# >useradd -d /home/test/ test
root@host:/# >
root@host:/# >passwd test
Password:
passwd: Sorry, wrong passwd
Permission denied

We don't use NIS at all, /etc/nsswitch.conf is set up with:
passwd: files

The file attributes for /etc/passwd and /etc/shadow are:
-r--r--r-- 1 root sys 616 May 4 10:09 /etc/passwd
-r-------- 1 root sys 375 May 4 10:09 /etc/shadow
The /etc/passwd entry is:
test:x:105:1::/home/test/:/bin/sh and the /etc/shadow entry is:
test:*LK*:::::::

Now if I remove *LK*: from /etc/shadow, I can change the password, but
if I try changing it again I get permission denied. Nothing turns up in
the logs and this is extremely annoying (although I have the
aforementioned workaround) because I can't figure out what's wrong.

Anyone has an idea?

--
Stig Bull
| remove .no.spam from my email address to reply by mail |
No animals were hurt or killed in the process of creating this
electronic message. To reduce download time, this message is made of
100% recycled bytes.

Stig Bull wrote:

> The /etc/passwd entry is:
> test:x:105:1::/home/test/:/bin/sh and the /etc/shadow entry is:
> test:*LK*:::::::
>
> Now if I remove *LK*: from /etc/shadow, I can change the password, but
> if I try changing it again I get permission denied. Nothing turns up in
> the logs and this is extremely annoying (although I have the
> aforementioned workaround) because I can't figure out what's wrong.
>
> Anyone has an idea?

The LK string means "locked", the account is closed. See manpage for
"passwd" in section 1 for more explanation. The 'x' in passwd means
it's using the shadow file for passwords.

After you change the password, does the shadow file get updated with
the encrypted password string?

/Marcin

In article <yXJlc.15401$k4.313371@news1.nokia.com>,
Marcin.Dobrucki@TAKETHISAWAY.nokia.com says...

> The LK string means "locked", the account is closed. See manpage for
> "passwd" in section 1 for more explanation. The 'x' in passwd means
> it's using the shadow file for passwords.

Yes, I know, I've read the man pages for passwd and shadow but haven't
found anything which indicates what I'm doing wrong. Or not doing wrong,
I've set up every single Solaris box the same way and I've never
encountered this problem before. /etc/pam.conf is untouched and
identical on two servers, one has this problem, the other one doesn't.

> After you change the password, does the shadow file get updated with
> the encrypted password string?

If I remove the *LK*: part first, yes, but if I try to change the
password once more after that I get permission denied.

--
Stig Bull
| remove .no.spam from my email address to reply by mail |
No animals were hurt or killed in the process of creating this
electronic message. To reduce download time, this message is made of
100% recycled bytes.

Stig Bull wrote:

> Yes, I know, I've read the man pages for passwd and shadow but haven't
> found anything which indicates what I'm doing wrong. Or not doing wrong,
> I've set up every single Solaris box the same way and I've never
> encountered this problem before. /etc/pam.conf is untouched and
> identical on two servers, one has this problem, the other one doesn't.
>
>> After you change the password, does the shadow file get updated with
>>the encrypted password string?
>
> If I remove the *LK*: part first, yes, but if I try to change the
> password once more after that I get permission denied.

Perhaps it is the opasswd and oshadow files. Try changing the
password using passwd and not deleting the "*LK*" string. Also look at
the man pages for 'passmgnt'

/Marcin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stig Bull <stig.bull.no.spam@broadpark.no> writes:

>From time to time, I see some strange pw things when handling accounts.
>For instance on an E250 box with the latest Sol-8 installed from scratch
>with the latest Patch cluster (as of March '04).

>I create an account, and when trying to change the account password as
>root I get:
>root@host:/# >useradd -d /home/test/ test
>root@host:/# >
>root@host:/# >passwd test
>Password:
>passwd: Sorry, wrong passwd
>Permission denied

>We don't use NIS at all, /etc/nsswitch.conf is set up with:
>passwd: files

Maybe when it asks for "Password:", just hit enter. Then perhaps it
will ask for the root password. After giving that, it might work.

This seems to be some misfeature of PAM, apparently introduced
for the sole purposes of making life difficult for system
administrators. At least that is my reading of "bug" 4805635
in the sun patch problem description for 108993.

Here, we do use nisplus.

As root, I was once able to change user passwords.

I probably still can, but it would require that I give the root
password. I am unwilling to do that. Instead, I now use a script
that updates the nis+ tables directly with the new encrypted
password.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SunOS)

iD8DBQFAl5JTvmGe70vHPUMRAkoVAKCFMkRsEVa02lJH8KsNq9 9EhdEc7QCfVGxR
T9Cq+N+xNTnTxE2xHAOKAFQ=
=SPqN
-----END PGP SIGNATURE-----

In article <3KKlc.15407$k4.313668@news1.nokia.com>,
Marcin.Dobrucki@TAKETHISAWAY.nokia.com says...

> Perhaps it is the opasswd and oshadow files. Try changing the
> password using passwd and not deleting the "*LK*" string. Also look at
> the man pages for 'passmgnt'

No, I don't think you understand me: I cannot change the password using
passwd *unless* I delete the LK string. If I try I get permission
denied, no matter what.

--
Stig Bull
| remove .no.spam from my email address to reply by mail |
No animals were hurt or killed in the process of creating this
electronic message. To reduce download time, this message is made of
100% recycled bytes.

In article <c783om$sav$1@usenet.cso.niu.edu>, rickert+nn@cs.niu.edu
says...
> Maybe when it asks for "Password:", just hit enter. Then perhaps it
> will ask for the root password. After giving that, it might work.

Tried it, but unfortunately didn't work, though.

>
> This seems to be some misfeature of PAM, apparently introduced
> for the sole purposes of making life difficult for system
> administrators. At least that is my reading of "bug" 4805635
> in the sun patch problem description for 108993.

Hmmmm, I got 108993-33 installed, could it have broken something?

--
Stig Bull
| remove .no.spam from my email address to reply by mail |
No animals were hurt or killed in the process of creating this
electronic message. To reduce download time, this message is made of
100% recycled bytes.