07-10-2013
PAM password change failed, pam error 20
Hi,
I use a software which can create account on many system or application.
One of resource which is managed by this soft his a server SUSE Linux Enterprise Server 10 (x86_64). patch level 3.
This application which is an IBM application use ssh to launch command to create account in context defined in it.
I have some problem to manage this server and the application display an error of kind Can not set the password useradd fail.
I have displaye the log /var/log/messages that you will find bottom :
Quote:
Jul 10 13:49:26 infra-041 sshd[8694]: Accepted keyboard-interactive/pam for itim from 10.70.10.50 port 2651 ssh2
Jul 10 13:49:26 infra-041 sudo: itim : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/useradd -u 1192 FRY9AN94
Jul 10 13:49:26 infra-041 useradd[8715]: new account added - account=FRY9AN94, uid=1192, gid=100, home=/home/FRY9AN94, shell=/bin/bash, by=0
Jul 10 13:49:26 infra-041 useradd[8715]: account added to group - account=FRY9AN94, group=video, gid=33, by=0
Jul 10 13:49:26 infra-041 useradd[8715]: account added to group - account=FRY9AN94, group=dialout, gid=16, by=0
Jul 10 13:49:26 infra-041 useradd[8715]: running USERADD_CMD command - script=/usr/sbin/useradd.local, account=FRY9AN94, uid=1192, gid=100, home=/home/FRY9AN94, by=0
Jul 10 13:49:27 infra-041 sshd[8717]: Accepted keyboard-interactive/pam for itim from 10.70.10.50 port 2652 ssh2
Jul 10 13:49:27 infra-041 sudo: itim : TTY=pts/4 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/passwd FRY9AN94
Jul 10 13:49:27 infra-041 passwd[8722]: pam_unix2(passwd:chauthtok): conversation failed
Jul 10 13:49:27 infra-041 passwd[8722]: User root: Authentication token manipulation error
Jul 10 13:49:27 infra-041 passwd[8722]: password change failed, pam error 20 - account=FRY9AN94, uid=1192, by=0
Jul 10 13:49:27 infra-041 sshd[8720]: Received disconnect from 10.70.10.50: 10: General disconnection
Jul 10 13:49:27 infra-041 sudo: itim : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/userdel FRY9AN94
Jul 10 13:49:27 infra-041 shadow[8723]: running USERDEL_PRECMD command - script=/usr/sbin/userdel-pre.local, account=FRY9AN94, uid=1192, gid=100, home=/home/FRY9AN94, by=0
Jul 10 13:49:27 infra-041 crontab[8725]: (root) DELETE (FRY9AN94)
Jul 10 13:49:27 infra-041 shadow[8723]: account removed from group - account=FRY9AN94, group=video, gid=33, by=0
Jul 10 13:49:27 infra-041 shadow[8723]: account removed from group - account=FRY9AN94, group=dialout, gid=16, by=0
Jul 10 13:49:27 infra-041 shadow[8723]: account deleted - account=FRY9AN94, uid=1192, by=0
Jul 10 13:49:27 infra-041 shadow[8723]: running USERDEL_POSTCMD command - script=/usr/sbin/userdel-post.local, account=FRY9AN94, uid=1192, gid=100, home=/home/FRY9AN94, by=0
Jul 10 13:49:28 infra-041 sshd[8703]: Received disconnect from 10.70.10.50: 10: General disconnection
In this log if i understood, the application create the account in three action :
first ssh to create the account which is succeeded
second ssh to set the password, but it seemes there is a problem with pam module
third ssh to delete the account, because the application cannot change the passwd.
I have some difficulties to know where the problem is exactly met, perhaps you could help me.
I'm sorry for my english but it's not my first language.
Best regards
10 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
Hi,
I have CVSNT installed on my Linux machine and sometimes the server goes down with the following error in /var/log/messages. Does anyone know the approach that need to followed to investigate to resolve the same. If so , please let me know.
Nov 23 05:57:43 <server ip> cvsnt(pam_unix):... (7 Replies)
Discussion started by: bsandeep_80
7 Replies
2. Solaris
Here's the issue. Currently when I run passwd -f "username" on any account, when I try to login with said account I don't get prompted to change my password I just keep getting prompted to input a password. (Of course this works just fine with telnet)Is there something i need to add to... (7 Replies)
Discussion started by: woodson2
7 Replies
3. Solaris
Hi Experts,
Appended is the pam.conf file in my Sol 5.10 client which uses AD for authentication(Followed scott Lowe's blog on AD-Solaris integration):
bash-3.00# cat /etc/pam.conf
##ident "@(#)pam.conf 1.31 07/12/07 SMI"
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.... (9 Replies)
Discussion started by: Hari_Ganesh
9 Replies
4. Solaris
Pam Module sending a cannot get password enry after certain period in /var/adm/message.
pam_login_limit(auth): Cannot get Password entry for user 'dbsnmp'
What is dbsnmp? Also if account is locked does pam module checks for this locked account at regular interval and keeps on posting... (2 Replies)
Discussion started by: student2009
2 Replies
5. UNIX for Dummies Questions & Answers
Hi, on a lab computer another user (who is a sudoer) changed my password without my permission. I'm pretty positive it was her, though I can't conclusively prove it. I had my friend, who is another sudoer on the machine, fix it and make me a sudoer now too.
So everything is fine, but I want... (0 Replies)
Discussion started by: declannalced
0 Replies
6. Solaris
Hi Admins,
I am facing an issue with Solaris 10 sitting on vmware workstation...
When I start it, it gives me an error : "Error opening PAM libraries, contact system administrator"
Also I can reach it via putty, but none of the id/passwd working.
I did revert pam.conf. But still no... (2 Replies)
Discussion started by: snchaudhari2
2 Replies
7. Solaris
Hi
I wanted to convert my pam libraries to 64 bit. so recently compiled my pam_banner and pam_wheel to 64 bit.
I got the following error...
sshd: dlsym failed pam_sm_authenticate:error ld.so.1 : sshd fatal: pam_sm_authenticate: can't find symbol
thnaks (8 Replies)
Discussion started by: chinchao
8 Replies
8. Solaris
Hello All,
I have Sun DSEE7 (11g) on Solaris 10.
I have run idsconfig and initialized ldap client with profile created using idsconfig.
My ldap authentication works. Here is my pam.conf
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login ... (3 Replies)
Discussion started by: pandu345
3 Replies
9. Linux
Hi
We have a requirement to vary the minimum password criteria by the group to which a user belongs.
For example a standard user should have a password with a minimum length of 12 and containing a mix of characters whereas an administrator should have a password with a minimum length of 14... (1 Reply)
Discussion started by: gregsih
1 Replies
10. OS X (Apple)
Hi Folks,
I've install 389 Directory Server on a Centos 7.0 server. Over the last two days I've been trying to connect a MacBook running 10.10.5 to the server as a client and I'm having only partial success.
I've "Joined" to my network Account Server, and set my LDAP Mappings to... (2 Replies)
Discussion started by: jlh
2 Replies
useradd(8) System Manager's Manual useradd(8)
NAME
useradd - create a new user account
SYNOPSIS
useradd [-D binddn] [-P path] [-c comment] [-d homedir]
[-e expire] [-f inactive] [-G group,...] [-g gid]
[-m [-k skeldir]] [-o] [-p password] [-u uid]
[-U umask] [-r] [-s shell] [--service service] [--help]
[--usage] [-v] [--preferred-uid uid] account
useradd --show-defaults
useradd --save-defaults [-d homedir] [-e expire] [-f inactive]
[-g gid] [-G group,...] [-k skeldir] [-U umask] [-s shell]
DESCRIPTION
useradd creates a new user account using the default values from /etc/default/useradd and the specified on the command line. Depending on
the command line options the new account will be added to the system files or LDAP database, the home directory will be created and the
initial default files and directories will be copied.
The account name must begin with an alphabetic character and the rest of the string should be from the POSIX portable character class ([A-
Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$]).
OPTIONS
-c, --comment comment
This option specifies the users finger information.
-d, --home homedir
This option specifies the users home directory. If not specified, the default from /etc/default/useradd is used.
-e, --expire expire
With this option the date when the account will be expired can be changed. expiredate has to be specified as number of days since
January 1st, 1970. The date may also be expressed in the format YYYY-MM-DD. If not specified, the default from /etc/default/useradd
is used.
-f, --inactive inactive
This option is used to set the number of days of inactivity after a password has expired before the account is locked. A user whose
account is locked must contact the system administrator before being able to use the account again. A value of -1 disables this
feature. If not specified, the default from /etc/default/useradd is used.
-G, --groups group,...
With this option a list of supplementary groups can be specified, which the user should become a member of. Each group is separated
from the next one only by a comma, without whitespace. If not specified, the default from /etc/default/useradd is used.
-g, --gid gid
The group name or number of the user's main group. The group name or number must refer to an already existing group. If not speci-
fied, the default from /etc/default/useradd is used.
-k, --skel skeldir
Specify an alternative skel directory. This option is only valid, if the home directory for the new user should be created, too. If
not specified, the default from /etc/default/useradd or /etc/skel is used.
-m, --create-home
Create home directory for new user account.
-o, --non-unique
Allow duplicate (non-unique) User IDs.
-p, --password password
Encrypted password as returned by crypt(3) for the new account. The default is to disable the account.
-U, --umask umask
The permission mask is initialized to this value. It is used by useradd for creating new home directories. The default is taken from
/etc/default/useradd.
-u, --uid uid
Force the new userid to be the given number. This value must be positive and unique. The default is to use the first free ID after
the greatest used one. The range from which the user ID is chosen can be specified in /etc/login.defs.
--preferred-uid uid
Set the new userid to the specified value if possible. If that value is already in use the first free ID will be chosen as described
above.
-r, --system
Create a system account. A system account is an user with an UID between SYSTEM_UID_MIN and SYSTEM_UID_MAX as defined in
/etc/login.defs, if no UID is specified. The GROUPS entry in /etc/default/useradd is ignored, too.
-s, --shell shell
Specify user's login shell. The default for normal user accounts is taken from /etc/default/useradd, the default for system accounts
is /bin/false.
--service service
Add the account to a special directory. The default is files, but ldap is also valid.
-D, --binddn binddn
Use the Distinguished Name binddn to bind to the LDAP directory. The user will be prompted for a password for simple authentica-
tion.
-P, --path path
The passwd and shadow files are located below the specified directory path. useradd will use this files, not /etc/passwd and
/etc/shadow.
--help Print a list of valid options with a short description.
--usage
Print a short list of valid options.
-v, --version
Print the version number and exit.
FILES
/etc/passwd - user account information
/etc/shadow - shadow user account information
/etc/group - group information
/etc/default/useradd - default values for account creation
/etc/skel - directory containing default files
SEE ALSO
passwd(1), login.defs(5), passwd(5), shadow(5), userdel(8), usermod(8)
AUTHOR
Thorsten Kukuk <kukuk@suse.de>
pwdutils May 2010 useradd(8)