Root password expired - not your typical case

Hello everyone,

I apologize for asking what is a very FAQ, but I am unable to find an appropriate answer anywhere on the interweb.

The facts of my unfortunate situation are:

1. I am a newbie in the SA world.

2. I am even more of a newbie in the Solaris world.

3. I am administering a Production Database system on Solaris 9.

4. Within the last couple days the root password expired.

5. When I attempt to login at the console as root, I receive the following message. "Roles can only be assumed by authorized users."

It seems to me that root ought to be authorized to login to the console.

I've read that I can boot from the CD to resolve this issue, but the system in question has the CD drive disabled. If only I could figure out how to login to the console as root, I'm sure that it would let me update the password, but I don't know how to work around the "Roles can only be assumed by authorized users" issue.

Please help!

Thanks in advance for your assistance. It is greatly appreciated.

By Newbie_Admina at 2007-11-27 8:46:58
# 1

how was the cdrom drive disabled?

sounds like you need rbac cleaned up -

if you can somehow get to boot to cdrom, you'll want to inspect either the cdrom's /etc/security/*attr* and /etc/user_attr files for differences

I'm sure there's diffs between OS releases and probably patches based on signature, but the meat of what you're looking for should be there

the key is booting to media (cdrom or network) or pulling the drive and putting it in another working system so you can modify the drive's contents - for that matter, when you have it there, you can fix the root password as well :-)

Hope this helps - jeff

jeffrey.sa at 2007-7-12 20:50:42 > top of Java-index,Solaris Operating System,Solaris Essentials - General Technical Questions...
# 2

Thank you for your reply Jeffrey!

I'm not sure how the CDRom drive was disabled. I inherited this system, and the SA before me was a bit of a security freak. I'll have to do some research online to see if I can determine the different methods for disabling a drive. Hopefully I can put it back online without root access!

Newbie_Admina at 2007-7-12 20:50:42
# 3

if you can't get the cdrom re-enabled, you can still (if you have another similar enough system at your disposal) take the root drive from your working system and try to attach it to another system, device reconfigure, then mount the root partition and correct the root password in <mnt>/etc/shadow and also clean out / restore back to normal (or simply review) the rbac changes in the /etc/security directory

did the previous admin set security-mode on the machine you're working on - so you can't boot to some other device except if you know the password to enter OBP?

as non-root in the booted environment, you should be able to

eeprom |grep security

to at least determine that - if the answer is no, then you may still be able to shut the machine down and try a boot, stop-a, and see if you can at least recognize the cdrom drive -

stop-a

setenv auto-boot? false

reset-all

probe-scsi-all - or whichever command is available to you - (sifting probe)

hth - jeff

jeffrey.sa at 2007-7-12 20:50:42
# 4

Thanks again Jeffrey. It's reassuring to feel that I have found some help on this.

I did an eeprom |grep security and received the following output.

security-mode=command

security-password: data not available.

security-#badlogins=5

I'm doing some reading right now to learn more about Role Based Access Control. It seems like the best course of action would be to:

1. Boot from CDRom.

2. Change RBAC to allow console login by Root.

3. Reboot, and login to console as root.

At that point, it should prompt me to update my password right?

Newbie_Admina at 2007-7-12 20:50:42
# 5

Well, I've learned an awful lot in the process of trying to resolve this issue. I'm still not there, but I'm getting close.

I have done a ton of research on the net, and I am unable to find any specific detailed instructions on how to fix the root password expired issue. So, I figured I would paraphrase what I believe are the detailed steps to be taken. If you see an error in my logic, or my syntax please let me know, as I will be beginning this process soon.

So, we have RBAC or Role Based Access Control on the Solaris 9 box, and the root password has expired. This is a pretty annoying situation to be in, but it can be fixed easily enough.

First, we'll want to gracefully shut down all the processes which are currently running on the system. This is accomplished by executing the following command, which will put the system into single user mode:

init 1

Determine where your root file system (e.g. c1t0d0s0) is located by typing the following command (you'll want to make note of the result):

cat /etc/vfstab

Next, we need to access the EEPROM. Before doing this, you should execute the following command to see if your EEPROM is password protected.

eeprom |grep security

Look for the line that reads "security-mode=" If security mode is set to "none" or "none-secure" you're golden, proceed with the next step. If security mode is set to "command" "command-secure" "fully" or "fully-secure" you want to make sure you have your EEPROM password, otherwise you'll be in worse shape than when you started.

Assuming that you either have the EEPROM password, OR the system is set to "security-mode=none" you can proceed to the EEPROM prompt by pressing the following key combination:

Stop + A

You should now have an OK> prompt. Insert the Solaris 9 Installation CD into the CDRom drive. At the prompt type the following command to boot from your CD rom:

boot cdrom -sw

Once the boot sequence is complete, execute the following command to mount your root filesystem.

mount /dev/dsk/<root filesystem device file> /mnt

Once you have mounted the root file system, you will need to change the /etc/user_attr file to allow console access by root. Open /etc/user_attr with your editor of choice. On the line beginning with root::::type=role; etc etc change the setting type=role to type=normal and save the user_attr file.

Enter the following command to go back to the OK prompt:

halt

Then enter boot -s to reboot your system. You should now be able to log in to the console as root, which will allow you to update your password. Once you have done so, do an init 3 to bring the system back up to the standard mode of operation.

Thanks again Jeffrey for your help in this matter. I hope to have this situation resolved soon, but I want to make sure that all my ducks are in a row before I start playing Russian Roulette with my server. Does the above walkthrough sound accurate? Is there anything that I have misunderstood or overlooked?

Newbie_Admina at 2007-7-12 20:50:42
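As an added worked example, not code from this thread or from the system being discussed, here is the recovery procedure from posts #4 and #5 written as shell functions that operate on a root filesystem mounted at a path such as /mnt after "boot cdrom -s". The eeprom output, vfstab, user_attr and shadow contents are constructed fixtures; the device name c1t0d0s0, the "HASHED" password placeholder and all function names are assumptions. Two points the walkthrough glosses over are built in: the eeprom check is a gate (with security-mode=command or full, "boot cdrom" at the ok prompt needs the OBP password, so you should know the answer before halting a production box), and the shadow fix resets the aging clock rather than nulling the hash, so there is no window with a passwordless root.

```shell
#!/bin/sh
# Added example, not from the thread: Solaris 9 root-recovery steps as
# shell functions over a root filesystem mounted at some $ROOT (e.g. /mnt
# after "boot cdrom -s").  All fixture contents below are constructed.

# Step 0: can you reach the ok prompt and boot other media without the
# OBP password?  Only security-mode=none allows that; "command" and
# "full" both password-protect "boot cdrom".
# $1 = output of 'eeprom | grep security'.  Returns 0 if unlocked.
obp_unlocked() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^security-mode=//p')
    [ "$mode" = "none" ]
}

# Step 1: locate the root device (vfstab field 3 is the mount point).
# $1 = path to vfstab
root_device_from_vfstab() {
    awk '$1 !~ /^#/ && $3 == "/" { print $1; exit }' "$1"
}

# Why root could not log in: in shadow(4) the password is expired when
# today > lastchg + max (fields 3 and 5, in days since 1970-01-01).
# $1 = shadow file, $2 = today in days, i.e. $(( $(date +%s) / 86400 ))
root_password_expired() {
    awk -F: -v today="$2" '
        $1 == "root" { found = 1; expired = ($5 != "" && today > $3 + $5) }
        END { if (found && expired) exit 0; exit 1 }' "$1"
}

# Step 2a: "type=role" in user_attr makes root a role that can only be
# assumed via su by an authorised user, which is exactly the console
# message in the thread.  Switch it back to a normal login account.
# $1 = path to user_attr (edited in place)
root_role_to_normal() {
    awk -F: 'BEGIN { OFS = ":" }
        $1 == "root" { sub(/type=role/, "type=normal") }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Step 2b: keep the hash but set lastchg (field 3) to today, so the
# existing password works again and root can change it after booting.
# $1 = shadow file (edited in place), $2 = today in days
root_reset_password_aging() {
    awk -F: -v today="$2" 'BEGIN { OFS = ":" }
        $1 == "root" { $3 = today }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Apply both edits under the mounted root.  $1 = mount point, $2 = today
recover_root() {
    root_role_to_normal "$1/etc/user_attr"
    root_reset_password_aging "$1/etc/shadow" "$2"
}

# Constructed fixture standing in for the mounted root filesystem.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    cat > "$d/etc/vfstab" <<'EOF'
#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
fd      -       /dev/fd fd      -       no      -
/dev/dsk/c1t0d0s1       -       -       swap    -       no      -
/dev/dsk/c1t0d0s0       /dev/rdsk/c1t0d0s0      /       ufs     1       no      -
EOF
    cat > "$d/etc/user_attr" <<'EOF'
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
adm::::profiles=Log Management
EOF
    # HASHED stands in for the real crypt(3) hash; max is 56 days.
    cat > "$d/etc/shadow" <<'EOF'
root:HASHED:13000:0:56:7:::
daemon:NP:6445::::::
EOF
    printf '%s\n' "$d"
}
```

Usage on a real box follows the thread's order: confirm obp_unlocked on the running system, note the device that root_device_from_vfstab prints, boot the CD single-user, mount that slice on /mnt, run recover_root /mnt $(( $(date +%s) / 86400 )), halt, boot -s, log in on the console and run passwd straight away before init 3. Review /etc/security/*_attr afterwards as Jeff suggested, since the previous admin may have changed more than the root entry.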
# 6

a few years ago I tried a work around for security-mode and know it was posted

basically it says, remove the rootdisk from the system whose eeprom is set to "security-mode=command" or whatever, and put that drive in another machine (either as rootdisk or as a secondary disk - depending if you know the root password or not - again it doesn't have to be exact architecture, just similar)

once there, you boot to single or media or whatever is appropriate - it is likely that because you're putting the disk into different hardware, something isn't going to be recognized correctly and you probably won't be able to get out of single user anyway.

null out the root password, in your case, reset rbac as well

shut down that temp system

take the disk out of the temp machine, and put it back into the original machine

boot normally and login as root

as root on the machine with security-mode set, type in

eeprom "security-mode=none"

going forward, you'll be able to break out of the OS boot sequence and boot to other media as needed

if you need more help, please send email to seul@alcatel-lucent.com, and I'll try to help - thanks! - jeff

jeffrey.sa at 2007-7-12 20:50:42
# 7
Just wanted to take a moment to thank you once again Jeff! The root password has been updated, and we're back in business!
Newbie_Admina at 2007-7-12 20:50:42