My original question is below.
Thanks to
Coleman Cathy <CaColeman_at_hq.row.com>
Robert Mulley <gnscon_at_one.net.au>
"O'Brien, Pat" <pobrien_at_mitidata.com>
for their suggestions. Although they didn't come up with the exact
reason for my problem, they did set me on the right path and I managed
to dig up the real answer on my own.
My problem was that I had set the "Max Login Interval" parameter in the
account's security settings. I had set it to 30 days. This means that
the user is not able to log in after 30 since his last successful login.
When I set the parameter I had assumed that I would be able to "unlock"
an account locked for this reason using the usual methods that I have
used before. Apparently that is not the case. The account is disabled,
but not "locked" in the sense meant by, for example
usermod -x administrative_lock_applied=0 <username>
To be honest, I'm still not sure exactly how to convince the system to
let the user on anyway. However, now that I have a better understanding
of what that parameter does, I decided that I don't want to use it. I
thus blanked out the value in dxaccounts and the user's account started
working again. (Actually it's lucky that I'm using templates to set my
security parameters... I was able to change all user accounts at once
that way. Pretty cool).
Anyway, I learned a lot about how enhanced security worked today after
digging around in the man pages for edauth, prpasswd, and the C function
locked_out_es(). Indeed the description of what constitutes a "disabled
account" is very nicely spelled out in the locked_out_es() man page.
Peter
-----> Original Question <-----
I'm administering a Tru64 v5.0A, patch level 2 system. The system is
running with enhanced security. One of my users is having problems
logging onto the system. In particular after he enters his password he
is told that his account is disabled. This is not too unusual on this
sytem (people forget passwords and keep guessing until the "maximum
attempts" limit is reached, etc).
After I execute the command
# usermod -x administrative_lock_applied=0 <username>
His account is still disabled. This is odd. Normally the command above
unlocks user accounts just fine.
When I go into dxaccounts and look at the status of his account, the
"Lock Account" checkbox is checked. If I uncheck it and then apply the
modification, there is no error. I get "User <username> modified
successfully". However if I then immediately open the status of his
account again I see that the "Lock Account" checkbox is still checked.
I notice that the "Unlock Interval" parameter (as displayed in
dxaccounts) is set to 1 hour. I understand that to mean that his account
can't be unlocked until an hour or more has passed since it got locked.
However, I am very confident that I tried the usermod command above long
after an hour after his account might possibily have been locked.
So far, no other users are having this problem. What should I look at to
resolve this?
Thanks.
Peter
Received on Tue Jan 16 2001 - 15:55:53 NZDT