SEMI-SUMMARY: strange login problem.

From: Frank Pardo (fpardo@tisny.com)
Date: Thu Aug 21 1997 - 09:25:05 CDT


Dear Colleagues,

I labelled this message SEMI-SUMMARY because I don't yet have a solid
answer to the question. But I don't think it merits any more time and
effort. The workaround worked, so I'll shelve the matter for now.

Many and sincere thanks to the people who took the trouble to respond.
Their suggestions, with some comments by me, are reproduced below.

-fp

========================================================================
THE ORIGINAL QUERY
========================================================================
Date: Tue, 19 Aug 1997 15:54:24 -0400 (EDT)
Subject: strange login problem

Our mail hub is a Sparc 2 running (unpatched) Solaris 2.4. Following an
excellent suggestion that came from several members of this list, I
created POP3 user accounts on the mail hub with /bin/passwd as their
login shell.

So the POP3 users can say "telnet://MAIL" to their browsers, and easily
change their e-mail passwords. It works beautifully, with exactly one
exception.

One of the POP3 users was unable to telnet into the mail hub, no matter
what kind of gyrations we put him through. It kept rejecting his login.

The workaround we came up with was to change his UID from 6019 to 6020.

We experimented with a number of variations: changing the login name,
changing the UID, changing his position in the passwd and shadow files,
and so on and so forth. As far as we can tell, it was the UID of 6019
that caused the login problem.

This doesn't make a whole lot of sense to me, I must say. Does anybody
out there have a better explanation, and/or hints on avoiding the
problem in future?
========================================================================
THE REPLIES
========================================================================
Date: Tue, 19 Aug 1997 17:33:45 -0600
From: Michael Loftis <mjl@tcbbs.net>
Organization: The Trash Can BBS
Did you check for a duplicate UID? That could be the problem...
........................................................................
The script checks for duplicates; see below.
========================================================================
Date: Tue, 19 Aug 1997 22:24:48 -0400
From: Jim Harmon <jharmon@telecnnct.com>
Organization: The Telephone Connection
Perhaps 6019 is in a group that doesn't have permission to use any of
the rsh commands? (rlogin, rcp, etc.)
........................................................................
All POP3 users are in group #40, "mailuser", and all have "/bin/passwd"
as their login shell. They use "telnet", not "rlogin", to change their
passwords. User #6019 was no different from the other POP3 users.
========================================================================
Date: Wed, 20 Aug 1997 10:17:39 +0200
From: Casper Dik <casper@holland.Sun.COM>
This is probably due to some information in /var/adm/lastlog.
When a user hasn't logged in for quite a while, logins will be refused
because the password is "expired".
........................................................................
The expiration value is specified in the "/etc/shadow" file, where user
accounts are identified by login name, not by UID number. So our ability
to sidestep the problem by changing the UID number, while keeping the
same login name, proves that the "/etc/shadow" expiration field couldn't
have been the source of our troubles.
========================================================================
Date: Wed, 20 Aug 1997 16:49:49 -0600
From: Michael Hill <Hill.Michael@tci.com>
I don't mean to patronize, but are you sure 6019 wasn't already in use?
That's what these symptoms would suggest to me.
........................................................................
The script checks for duplicates; see below.
========================================================================
THE SCRIPT
========================================================================
#!/bin/ksh
# Usage: <script> UID LOGIN "FULL NAME"
UID="${1:?}"
UNAME="${2:?}"
FULLNAME="${3:?}"
# Refuse to continue if the requested UID already appears in /etc/passwd
# (cut keeps login name, UID and GECOS; the colons anchor the UID field).
ANS=$( cut -d: -f1,3,5 /etc/passwd | grep ":${UID}:" )
if [ "$ANS" ]
then
  print - uid nbr already exists: "$ANS"
  exit 1
fi
# Group 40 is "mailuser"; /bin/passwd as the login shell lets the user
# change the password and nothing else; -f333 locks the account after
# 333 days without a login.
useradd -f333 -g40 -s /bin/passwd -d /tmp -c "$FULLNAME" -u "$UID" "$UNAME"
# Clear the password field, allow an immediate change (-n 0), warn 14 days
# before the 666-day maximum password age runs out (-w 14 -x 666).
passwd -d -n 0 -w 14 -x 666 "$UNAME"
print - ''
print - Creating temporary initial password for "$UNAME"...
passwd "$UNAME"
print - ''
========================================================================
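As an added illustration, not the script from the posting above, here is a portable sh version of the duplicate-UID check that compares the UID field exactly rather than by substring, lists every UID shared by more than one login, and proposes the next unused UID above a starting point. It runs over a constructed passwd file (the sample entries and the temporary file path are made up for the demonstration); point the functions at /etc/passwd to check a real system. One caveat that belongs next to a UID-allocation script: on Solaris, /var/adm/lastlog is indexed by UID rather than by login name, so a newly assigned UID inherits whatever last-login record an earlier holder of that number left behind, and it is that record, not anything keyed by login name in /etc/shadow, that login consults when it enforces an inactivity limit such as the one set by useradd -f.

```shell
#!/bin/sh
# Added example; not the posting's own script.  Works on any POSIX sh.

SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT

# Constructed sample passwd file: pop3 deliberately reuses pop1's UID.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
pop1:x:6018:40:Pop User One:/tmp:/bin/passwd
pop2:x:6019:40:Pop User Two:/tmp:/bin/passwd
pop3:x:6018:40:Duplicate of pop1:/tmp:/bin/passwd
EOF

# uid_in_use FILE UID
# Prints "login:uid:gecos" for every entry whose UID field equals UID
# exactly; exit status 0 if at least one entry matched, 1 otherwise.
uid_in_use() {
    awk -F: -v want="$2" '
        $3 == want { print $1 ":" $3 ":" $5; found = 1 }
        END        { exit found ? 0 : 1 }' "$1"
}

# duplicate_uids FILE
# Prints one line "uid: name1 name2 ..." for each UID shared by several
# logins; prints nothing when the file has no duplicates.
duplicate_uids() {
    awk -F: '
        { count[$3]++; names[$3] = names[$3] " " $1 }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1"
}

# next_free_uid FILE MIN
# Prints the smallest UID >= MIN that no entry in FILE uses.
next_free_uid() {
    awk -F: -v min="$2" '
        { used[$3] = 1 }
        END { u = min + 0; while (u in used) u++; print u }' "$1"
}

# Demonstration over the constructed file.
printf 'Entries using UID 6019:\n'
uid_in_use "$SAMPLE_PASSWD" 6019 || printf '  (none)\n'
printf 'UIDs assigned more than once:\n'
duplicate_uids "$SAMPLE_PASSWD"
printf 'Next free UID at or above 6018: %s\n' "$(next_free_uid "$SAMPLE_PASSWD" 6018)"
```

Because the matching is done on the third field with `==`, a UID such as 601 can never be mistaken for 6019, and the duplicate listing gives the full picture the two "was 6019 already in use?" replies asked about in a single pass.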

--
  Frank Pardo  <fpardo@tisny.com>
  Transaction Information Systems
  New York City

Whoever spins has one shirt, and whoever does not spin has two. -- Italian proverb (Chi fila ha una camicia e chi non fila ne ha due.)



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:01 CDT