
Enochs 12-12-2012 10:17 AM

RHEL 5.8 Cluster: Nodes keep prompting to change PW

I have a RHEL cluster with 9 nodes. Nodes 1-7 keep prompting me to reset my password. We reset it and try to log in but it AGAIN asks us to reset our password. Of course we can't because you can only change your password once every 24 hours. Essentially I'm locked out of the 7 nodes completely!

I can't log in as root on nodes 1-7 because authentication is controlled by Kerberos.

I have no problem using the Master node (as myself or root). I have the root password and Kerberos password (I don't know jack about how to manage Kerberos) for the Master node.

Any idea how I can regain access to my nodes?

Enochs 12-13-2012 04:54 PM

I figured out the problem.

1. A recent change to the PAM configuration changed the password policy. This change required all users to change their password on next log-in.
2. My user profile was added to the system incorrectly in July when I started working here (still trying to figure out how and fix it). When I change my password, it only updates my Kerberos password and not my local password on each node. When anyone else changes their password, it changes their Kerberos password and their local password on all nodes (password synchronization across the entire cluster). I have to log onto each of the 9 nodes and change my local password independently from my Kerberos pw (still troubleshooting).
3. The problem in step 2 was hard to figure out because we must ssh to these classified systems. Using ssh causes a different log-on behavior in that once you change your password, it logs you out and makes you log back in. Since my pw change updated only my Kerberos password, the system kept prompting me to change the pw... of course Kerberos would only let me do a pw change once a day.

To fix this I had to:

1. Gain access to the room that contained these systems so that I could log in at the console instead of ssh. This is to prevent me from being logged out after the initial password change.
2. Log in using my Kerberos password.
3. Change my local password using the passwd command so that it matches my Kerberos password. (My profile only)
4. Repeat steps 1-3 on all nine nodes in the cluster (my profile only). This is because I still haven't fixed the problem with my profile that's preventing synchronization of my Kerberos and local passwords across the entire cluster.
5. Have each user ssh in and change their pw. Others only had to do this once (any node) and the entire cluster is updated properly.
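
A check for the state described in the post above, as an added example that is not part of the original thread: it reads shadow(5)-format lines and reports whether a user's local entry is still flagged for a password change even though the Kerberos password was already changed. That the PAM policy change shows up as a last-change field of 0 (or an exceeded maximum age) in the local shadow entry is an assumption; the function name `shadow_status`, the user `jdoe`, the node names, the sample lines and the day number are constructed.

```shell
#!/bin/sh
# shadow_status USER TODAY_DAYS   (shadow(5)-format lines on stdin)
# Prints one of: must-change | expired | ok | no-local-entry
# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
shadow_status() {
    awk -F: -v user="$1" -v today="$2" '
        $1 == user {
            found = 1
            lastchg = $3; max = $5
            # lastchg of 0 means "must change password at next login"
            if (lastchg == "0") { print "must-change"; exit }
            # empty lastchg or max means aging is disabled for this entry
            if (lastchg != "" && max != "" && today > lastchg + max) {
                print "expired"; exit
            }
            print "ok"; exit
        }
        END { if (!found) print "no-local-entry" }
    '
}

# Constructed sample entries, one per node; the hash field is a placeholder.
TODAY=15687   # constructed: days since 1970-01-01 for 2012-12-13
for sample in \
    'node1|jdoe:HASH:0:1:90:7:::' \
    'node2|jdoe:HASH:15500:1:90:7:::' \
    'node8|jdoe:HASH:15686:1:90:7:::' \
    'node9|other:HASH:15686:1:90:7:::'
do
    node=${sample%%|*}
    entry=${sample#*|}
    status=$(printf '%s\n' "$entry" | shadow_status jdoe "$TODAY")
    printf '%s: %s\n' "$node" "$status"
done

# On a real node, as root at the console:
#   shadow_status "$user" "$(( $(date +%s) / 86400 ))" < /etc/shadow
```

A node that reports `must-change` or `expired` for an account whose Kerberos password was just changed is one where the local entry did not get synchronized.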
