Hi,
I locked down my system and after a month of not using the system, the root password or account became disabled. I thought it was an expired password so I went through the root password recovery routine:
I booted in single user mode with the firmware password via cdrom and blanked the root password. No problem there.
I reboot in normal mode and get back to the login prompt. Now I get an incorrect login message after entering root as the user name. The error comes before I can enter the blank password. I think this is because I set the account to lock or expire after inactivity. Any ideas?

You're going to have to give more detail.

What tools are you using and what files are you editing?

Did you make the password field blank in /etc/shadow? I presume when you booted from cdrom you mounted the root disk partition and went into that and edited it? backing it up first, and double checking your work? A mistake here can break the system badly.

Lose your firmware password and you're really in trouble. On another front, can you ssh in and sudo? Getting a system too locked down can get you in trouble, as you've found.

Here is exactly what I did:
STOP-A
boot cdrom -s
I entered my firmware password that worked
mount /dev/dsk/c0t0d0s0 /a
cd /a/etc
TERM=sun; export TERM
vi shadow (I edited the shadow file by erasing the root password - root::...)
cd /
umount /a
reboot
During this process I encountered no error messages.
After the system boots up, I see the graphical login prompt as usual. I type root for username and press enter. The system gives me the incorrect login error message. It doesn't even ask for a password. That is why I think the account is locked or disabled. A few months ago I locked down the system so accounts would expire after a long time of inactivity (Yes I do realize that I fell on my own sword). Has anyone ran into this problem before?

it sounds like you setup/are in mode with no root entry via gui but your user name and then su - to go into root user.
But I faced it once in Ubuntu Linux not on Solaris..

I also blanked the password of a regular user account so I could try su. I get the same problem at the login prompt. I enter the user name and get an incorrect login message before I can enter the password.

What else have you done to lock down the system with respect to logging in, passwords, etc?

Also, the third field in /etc/shadow, which you don't show, is the number of days between January 1, 1970 and the date that the password was last changed. If you have an account that works, perhaps you could copy the other fields from it. You can do a `man shadow` to see what all the other fields are. Or, if there is an account that you know the login password to, and that works, you could copy the hash for that password into the root password entry in /etc/shadow, and then reboot and login as root using that password. Possibly inflating the last entry (number of days of inactivity allowed) would do it. The login checks the lastlog file and compares it to this field.

However, it kind of goes back to my question at the beginning of this post. Unless someone with a lot of experience has an inspiration, I think you'll need to come up with what else you did in order for us to help more.

I don't know how important this machine is to you. On all of my servers, I keep a separate log book. In that log book I enter everything I do on that server. I put the date at the beginning of each entry, and I highlight keywords so that I can scan through the logbook very quickly. I often cross reference entries, and occasionally, I will even index them. For one of my servers, I have about 120 pages in the log book. The entries are succinct with lots of unix and not so much English. When I can't remember what I did configuring something, I can scan back through and see.

Have you tried booting from a LiveCD (like Slax, Knoppix, DSL, etc. ?) and just backing up your data? Then you could try. You could also try replacing the bad files wih files from the install cd...

This is extremely non standard. What was done in the first place for that to happen ?
root's password shouldn't expire.
did you backup the shadow file ?
What was its original content and what is its current one ?

I realize this is extremely non-standard. I work in a non-standard organization that sets security policy and I just implement.

The root's password can expire if you set it to.

I restored the original shadow file to no avail. I believe the policy in the shadow file expired or disabled the accounts. Even after restoring the file, I need a way to tell the OS to restore the accounts.

Has anyone received a bad login error message after entering the user name?

A couple of people have asked for more details. We can't help you unless you can provide them. Give us a step by step of what you did to "secure" the root password. There may also have been some other related things that you did to secure accounts in general. What were they?

Definitively true. Many details are missing here.

What was the /etc/shadow root entry looking like before and after the change ?

Are passwordless accounts authorized on this system (PASSREQ in /etc/default/login) ?

Has the /etc/pam.conf been customized ?

I modified the /etc/shadow. For two users - including root - I modified the 5th and 7th fields in the colon delimited entry. I set the max days for password change to 60 and days after expiration to inactivate account to 30.
username (root):
password (encrypted password):
last password change:
min days for password change:
max days for password change (60):
warn days for password change:
number of days to inactivate account after password expiration (30):
date to disable account

After I booted in single mode from the CD, I cleared these entries along with the password. Still no luck. Before I made these changes I was able to clear the password and set a new one at login. I think Solaris made the accounts inactive due to these settings and I need to figure out how to reactivate them.

You failed to properly answer to my first question and you missed the remaining ones ...

It's hard to help without clues.

Another question: what is specified about password in /etc/nsswitch.conf ?