SUMMARY: lock on shadow file

From: Wolfgang Schwurack <>
Date: Thu Aug 11 2005 - 16:39:20 EDT
Thanks to William Cole for giving the insight to look at the pam.conf 
file. This is where the problem was, long before I started here. The SA 
at that time made changes to the pam.conf file. We use cfengine to 
custom configure all of our new servers, which would push out the 
pam.conf file.

This is the missing line in the pam.conf file. Without this line I would get 
a prompt for a password if the user's account had a *LK* in the shadow file.

passwd  auth required   /usr/lib/security/

To all

I guess I should have asked this question in a different way. All of the 
replies did not answer my question; they just gave other options of ways 
to create a new user, which I already know. I have looked at the man 
pages, used the -d option to unlock the account, but it still asks for 
the password.

What I would like to know is: what password is it looking for when the 
user has *LK* in the shadow file? The root password fails. Yes, I can 
vi the shadow file and remove this *LK* from the user's account to fix 
the problem. But it seems you should be able to just enter "passwd -d 
user" to unlock a user. The man pages said to unlock a user account you 
need to do this:
# passwd  -d tyler
passwd: Sorry, wrong passwd
Permission denied

but it still asks for a password.

*Here is the first email*

When I create a new user I get a lock on the account in the shadow file


Now when I try to create the password I get this

coral / 465 # passwd tyler
passwd: Sorry, wrong passwd
Permission denied

What Password is it asking for? I am root, I try the root password but 
it fails.
I have in the past just removed *LK* from the shadow file and then was 
able to enter a new password. But I would like to know the correct way 
to do this.

*Some replies*

Check your /etc/nsswitch.conf file and see if the entry is "passwd: files"
You can also try "passwd -r files tyler"

How, exactly, are you creating the new user?  There is a 'useradd' utility
that does everything correctly.

I guess a lot depends on how you create the new user. I use useradd, or
admintool (yeah it's a GUI, but it keeps things simple), or SMC.
In any case, read the manpage for passwd, which is quite informative.

two possible solutions...
   use admintool to create the password
     (that is, edit the user account)
   vi /etc/shadow and remove the lock
   change the password in single user mode
   delete and recreate the user account
     (without destroying the home directory)
sun wants users created in the admintool now.  (it is part of their 
marketing to management: sysadmins with a smaller skill set and, 
therefore, cheaper.)  we use admintool for creation and manipulation for 
user accounts per sun's preference.  (it isn't really faster than useradd.)


      0___      Wolfgang Schwurack
     c/  /'_    Unix System Administrator
    (*)  \(*)   University of Utah/Utah Education Network
                Tel: (801) 587-9444
sunmanagers mailing list
Received on Thu Aug 11 16:39:50 2005
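
The summary above traces the failure to a managed pam.conf that lacked a passwd auth line. The following is an added example, not part of the original message: a check that could run against a pam.conf copy before a configuration tool pushes it, plus a listing of *LK* accounts. The function names, sample files and MODULE_PLACEHOLDER.so are assumptions, since the module path is cut off in the message.

```shell
#!/bin/sh
# Added example: audit a pam.conf copy for an explicit "passwd auth" entry
# and list accounts marked *LK* in a shadow-format file.
# pam.conf fields: service  module_type  control_flag  module_path  [options]

# Exit 0 when a non-comment line defines an auth module for service passwd.
passwd_has_auth() {
    awk '/^[ \t]*#/ { next }
         $1 == "passwd" && $2 == "auth" && NF >= 4 { found = 1 }
         END { exit !found }' "$1"
}

# Print login names whose password field starts with *LK*.
locked_accounts() {
    awk -F: 'index($2, "*LK*") == 1 { print $1 }' "$1"
}

# Report on one pam.conf/shadow pair; non-zero when the entry is missing.
audit() {
    pam=$1 shadow=$2
    if passwd_has_auth "$pam"; then
        echo "OK: passwd auth entry present in $pam"
    else
        echo "MISSING: no passwd auth entry in $pam"
        for u in $(locked_accounts "$shadow"); do
            echo "  affected locked account: $u"
        done
        return 1
    fi
}

# Constructed sample files; MODULE_PLACEHOLDER.so stands in for the
# module name that is truncated in the original message.
make_samples() {
    dir=$1
    printf '%s\n' \
        '# constructed pam.conf without a passwd auth line' \
        'login   auth required   /usr/lib/security/MODULE_PLACEHOLDER.so' \
        > "$dir/pam.conf.bad"
    { cat "$dir/pam.conf.bad"
      echo 'passwd  auth required   /usr/lib/security/MODULE_PLACEHOLDER.so'
    } > "$dir/pam.conf.good"
    printf '%s\n' 'root:CONSTRUCTEDHASH:6445::::::' 'tyler:*LK*:::::::' \
        'alice:CONSTRUCTEDHASH:12900::::::' > "$dir/shadow"
}

tmp=$(mktemp -d) && make_samples "$tmp"
audit "$tmp/pam.conf.bad" "$tmp/shadow" || true
audit "$tmp/pam.conf.good" "$tmp/shadow"
rm -rf "$tmp"
```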
