Hello,

I have a system set up with an administrator account aside from root.

I've lost the ability to su to that administrator account, even from root. It was working fine a week ago.

When I log in as root, I get the following:

[root@localhost root]# su admin
su: incorrect password

I can su to any other account just fine.

[root@localhost root]# su user
bash-2.05b$

I've tried changing the root password and admin password, but nothing has helped. I've removed the admin entries from /etc/passwd and /etc/shadow and tried, and system says the account doesn't exist, which is expected. However, when I add them back, same problem.

Not sure if this matters or not, but the admin account password was set to expire after 60 days. I've checked the config files the account is not locked.

Is there a way to repair the admin account?

Thanks,
Ryan

Look at the "passwd -u" option to unlock the account - it probably got locked due to expiration. You can also use the "chage" command to deal with setting expiration values.

I had checked everything concerning the /etc/passwd and /etc/shadow files, everything seemed to be ok. I tried locking and unlocking with 'passwd -l' and 'passwd -u', but still no go.

As it turns out, there were cron jobs that did a su to the admin account.

When the password expired, the cron job was being prompted for the password. After 3 login failures, the account was getting locked by PAM. This was due to using the pam_tally.so module.

To fix the problem, I removed deny= argument from /etc/pam.d/system-auth.

Before:
account required /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset

After:
account required /lib/security/$ISA/pam_tally.so per_user no_magic_root reset

hello,

I use Mandriva 2009 on a Toshiba laptop.

As a user, if I run 'su', I get 'su: incorrect password'. The password is correct because I can login as root.

I do not see anything like "deny=" in my system.auth file.

Any idea?


alam--

Please do not append to old threads. You'll get much more visibility by starting a new one.

so that it looks like

[root@localhost ~]# ls -l /bin/su
-rwsr-xr-x 1 root root 24120 May 24 2008 /bin/su

Hi Ryanitus,

Am having the same problem ..using RHEL 4 U 7.

Tried with locking unlocking passwd but no luck.

Have you managed to solve it ?

Hi all,

The account faillog count for the user was above threshold and this caused the pam denies the login.

Mine is got solved by ,

As a root

Step 1. Changing the entries in file /etc/pam.d/system-auth

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
password required /lib/security/pam_unix.so remember=4 use_authtok md5 shadow

Change the required and sufficient to optional.

Step 2. remove the deny entry
account required /lib/security/pam_tally.so deny=5 reset no_magic_root

Remove the deny=5 entry from the above line.

Step 3. Save and quit.

Step 4. Su to user

step 5. Verify your failog for count is back to 0.By executing faillog -u user
Out will be similar like
Username Failures Maximum Latest
user 0 0

step 6. back to root

step 7. roll back all the changes done for /etc/pam.d/system-auth.

Hope it helped
Thanks and regards.
Vysakh Chandran.

quicker/easier, use the -r (reset) option
http://linux.die.net/man/8/faillog

In my case , I had tried the Failog -r and was no exception ..

But yes. its worth a try before proceeding ahead with editing pam file.