Saturday, January 29, 2011

Invalid Login for all users after 5.3 migration

.
System Model: 9117
System Serial Number: 00-xxxxxxx
Operating System:  AIX 5L
Product Group:  AIX Base Operating System 5L V530 R530 (5765G0300)
.
Environment:
Migrated from 5.2 to 5.3-05
Root and all users get 3004-007 Invalid Login ... after migration.
.
Problem:
Able to ssh to server.  The oslevel is 5300-05 now.  I have not found key differences in /etc/security files.

I reset root password but cannot login via console window.  I reset my userid password but get the same error message.

telnet fails with error though ssh works.

 usrck -l ALL
The system is inaccessible to daemon, due to the following:
        User account is expired.
        User has no password.
        User password is expired and only system administrator can change it.
The system is inaccessible to bin, due to the following:
        User account is expired.
        User has no password.
        User password is expired and only system administrator can change it.
The system is inaccessible to sys, due to the following:
        User account is expired.
        User has no password.
        User password is expired and only system administrator can change it.
The system is inaccessible to adm, due to the following:
        User has no password.
        User password is expired and only system administrator can change it.
The system is inaccessible to guest, due to the following:
        User has no password.
        User password is expired and only system administrator can change it.
        User denied access by login, rlogin applications.
The system is inaccessible to nobody, due to the following:
        User account is expired.
        User has no password.
        User password is expired and only system administrator can change it.
The system is inaccessible to lpd, due to the following:
        User account is expired.
        User has no password.
        User password is expired and only system administrator can change it.


You're getting a lot of different errors for each user: User denied access by login, rlogin applications; User password is expired; User has too many consecutive failed login attempts. Some of these errors might be expected. For example, you might not want an ID to be able to log in remotely. Some IDs are getting more than one error.
There are multiple things to try. If you can, ssh in as root and do a test on one of the IDs, mtaylor for example. Change the password for mtaylor and see if the user mtaylor can log in using the new password.
To do that, as root run the command passwd mxxxxr

For users getting the error "User has too many consecutive failed login attempts", edit /etc/security/user and change loginretries to 0 in the stanza for sxxxxxxxxi and see if sxxxxxxxi can log in.

If there's no way you can log in as root, what you're going to have to do is boot into maintenance mode to make changes.

Start from here first and let me know what happens.


Here is what it turned out to be.  Back in the 5.2 days, I implemented an "su only" script per instructions by IBM for a slick post-authentication method to force su's for service accounts.  I ran into problems getting this to work on 5.3 and it turns out there are workarounds in smit with 5.3 (so I no longer used this approach).

default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM,auth_method
        auth2 = NONE

The key variable is auth1.  It specifies SYSTEM by default but I added an "auth_method" which runs another script at login.  I had forgotten that this method does not work in 5.3 and in fact results in the behavior mentioned: "3004-007 Invalid login or password ...".
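Both attributes discussed above, loginretries in the support reply and the auth1 method in the default stanza, live in /etc/security/user, and a system that can no longer be logged into interactively is awkward to inspect. The following POSIX shell script is an added example, not part of the original post and not AIX's own tooling: it parses a constructed file in the same stanza format, resolves each user's effective auth1 and loginretries (inheriting from the default: stanza as AIX does), and flags any user whose effective auth1 names a method other than SYSTEM or NONE, which is the leftover setting that produced the 3004-007 errors here. The sample stanza contents, the function names and the NONSTANDARD-AUTH1 label are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an AIX-style /etc/security/user stanza file for the
# two attributes discussed in the post, auth1 and loginretries.
# The file written below is CONSTRUCTED for this example; it is not a real
# system file and the user names are made up.

SAMPLE_USER_FILE="${TMPDIR:-/tmp}/user.sample.$$"
cat > "$SAMPLE_USER_FILE" <<'EOF'
default:
        admin = false
        login = true
        su = true
        rlogin = true
        auth1 = SYSTEM,auth_method
        auth2 = NONE
        loginretries = 5

root:
        admin = true
        loginretries = 0

mtaylor:
        auth1 = SYSTEM
        loginretries = 3
EOF

# stanza_attr FILE STANZA ATTR
# Print the effective value of ATTR for STANZA. An attribute missing from a
# user's own stanza is inherited from the "default:" stanza, as AIX does.
stanza_attr() {
    awk -v want="$2" -v attr="$3" '
        /^[^ \t#][^:]*:[ \t]*$/ { s = $0; sub(/:.*/, "", s); next }
        /^[ \t]+[A-Za-z_0-9]+[ \t]*=/ {
            key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == attr) v[s] = val
        }
        END {
            if (want in v)            print v[want]
            else if ("default" in v)  print v["default"]
        }' "$1"
}

# stanza_names FILE
# Print every stanza name except "default", one per line.
stanza_names() {
    awk '/^[^ \t#][^:]*:[ \t]*$/ {
        s = $0; sub(/:.*/, "", s); if (s != "default") print s
    }' "$1"
}

# nonstandard_auth1 FILE STANZA
# Print the methods in the effective auth1 list that are neither SYSTEM nor
# NONE: a leftover custom method like the post's auth_method shows up here.
nonstandard_auth1() {
    stanza_attr "$1" "$2" auth1 | awk -F, '{
        for (i = 1; i <= NF; i++) {
            m = $i; gsub(/^[ \t]+|[ \t]+$/, "", m)
            if (m != "" && m != "SYSTEM" && m != "NONE") print m
        }
    }'
}

# audit_logins FILE
# One line per user: effective auth1 and loginretries, plus a
# NONSTANDARD-AUTH1 flag (label chosen for this example) when a custom
# method is in effect. loginretries=0 means no lockout after failed attempts.
audit_logins() {
    f=$1
    for u in $(stanza_names "$f"); do
        a=$(stanza_attr "$f" "$u" auth1)
        r=$(stanza_attr "$f" "$u" loginretries)
        extra=$(nonstandard_auth1 "$f" "$u" | tr '\n' ' ')
        if [ -n "$extra" ]; then
            printf '%s auth1=%s loginretries=%s NONSTANDARD-AUTH1: %s\n' \
                "$u" "$a" "$r" "$extra"
        else
            printf '%s auth1=%s loginretries=%s\n' "$u" "$a" "$r"
        fi
    done
}

audit_logins "$SAMPLE_USER_FILE"
```

In the sample, root never sets auth1 itself, so it inherits SYSTEM,auth_method from the default stanza and is flagged, while mtaylor's explicit auth1 = SYSTEM is clean; that inheritance is why a single line in the default stanza locked out every account in the post. On the AIX host itself the native way to read the same values is lsuser -a auth1 loginretries ALL; the script only reproduces the stanza lookup so the check can be run against a copy of the file taken from a box that cannot be logged into.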

It would be good for IBM to document this error code with this setting in auth1 in 5.3.
