Saturday, January 29, 2011

Corruption With the User Password History File in AIX


The following error occurs when changing a user's password:
3004-622 An error occurred updating the password database.
3004-709 Error changing password for <UserName> : Value is invalid.


Cause

The user password history file can become corrupted for various reasons; once it is
corrupt, neither users nor administrators are able to change user passwords.


pwdhist File

Purpose
Contains password history information.

Description

The /etc/security/pwdhist.dir and /etc/security/pwdhist.pag files are database files created and maintained by Database Manager (DBM) subroutines. The files maintain a list of previous user passwords.

The pwdhist files store information by user name. User names are the keys of the DBM subroutines. The password list contains multiple pairs of a lastupdate value and an encrypted, null-terminated password. This password list is a key's associated content and the lastupdate value is a 4-byte, unsigned long. The encrypted password is the size of the PW_CRYPTLEN value. Thus, an entry in the database file is of the following format:

<lastupdate><password><lastupdate><password><lastupdate><password>...

The password list is in descending chronological order, with the most recent password appearing first in the list.

Resolving the password history corruption problem:


Back up the password history files:
cd /etc/security
cp pwdhist.dir pwdhist.dir.bak
cp pwdhist.pag pwdhist.pag.bak

Zero-out the two original files:
> pwdhist.dir
> pwdhist.pag

Attempt to change the user password:
passwd <UserName>

This allows the user's password to be changed; however, nothing is
written to the history files yet (they remain zero bytes until a
password change is done again).
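The backup-and-truncate steps above, as an added POSIX shell example that is not from the original post: the function takes the directory holding the pwdhist files (assumed to default to /etc/security, as on AIX), verifies that both files exist, keeps a timestamped copy of each and confirms the copy matches before it empties anything, so a failed backup never leaves the system without the original history.

```shell
# Added example (not from the original post): back up and zero out the
# pwdhist DBM files, checking each step before moving to the next.
# Usage: reset_pwdhist [DIR]   (DIR defaults to /etc/security; run as root)
reset_pwdhist() {
    dir="${1:-/etc/security}"
    stamp="$(date +%Y%m%d%H%M%S)"

    # Refuse to do anything unless both halves of the DBM database are present.
    for f in pwdhist.dir pwdhist.pag; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done

    # Keep a timestamped copy of each file so the corrupt history can be
    # examined later or restored, and confirm the copy is byte-identical.
    for f in pwdhist.dir pwdhist.pag; do
        cp -p "$dir/$f" "$dir/$f.bak.$stamp" || return 1
        cmp -s "$dir/$f" "$dir/$f.bak.$stamp" \
            || { echo "backup of $f does not match original" >&2; return 1; }
    done

    # Only after both backups are verified, truncate the originals to zero
    # bytes (the same effect as "> pwdhist.dir" in the steps above).
    for f in pwdhist.dir pwdhist.pag; do
        : > "$dir/$f" || return 1
        [ ! -s "$dir/$f" ] || { echo "$f was not emptied" >&2; return 1; }
    done

    echo "pwdhist files in $dir backed up with suffix .bak.$stamp and emptied"
}
```

Emptying these files discards every user's stored password history, so reuse of old passwords cannot be checked against it until new entries accumulate; keep the backups until the cause of the corruption is understood.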
