This is a discussion on "root logging in to console without network?" within the AIX Operating System forums, part of the Unix Operating Systems category.

Hi,

we have an AIX 5.1 installation here which we (due to lack of network ports in machine room, don't ask) occasionally have to unhook from the network. At these times, even root on console is not able to log in to the system. The system asks for the username, I enter root and then there is a long delay (even a few days if we let it at it) with several "NIS domain xxx.yyy.zzz not responding", or similar messages before the password prompt appears. So I have to plug in the network cable, type root password and then unplug the cable. Password for root is in /etc/security/passwd, all other users are via NIS.

This is obviously not a satisfactory situation. On other Unices, I know that I have to play with /etc/nsswitch.conf, but there is no /etc/nsswitch.conf on AIX. I have tried changing /etc/security/user to use SYSTEM=files for root, (default is compat) but that seems not to be enough -- or do I need to do something else as well (like, God forbid, reboot the system)?

I am not very familiar with AIX, so I can use all the help I can get.

Thanks a lot in advance.

Dragan

--
Dragan Cvetkovic,
To be or not to be is true. G. Boole
No it isn't. L. E. J. Brouwer
!!! Sender/From address is bogus. Use reply-to one !!!

Dragan Cvetkovic wrote:
[..]
> Password for root is in
> /etc/security/passwd, all other users are via NIS.

Are you sure?
Verify in /etc/passwd if the entry for `root' is before the NIS entry,
which is +::0:0::: (or similar)

just a thought..

mgrd <mgrd@gmx.net> writes:

> Dragan Cvetkovic wrote:
> [..]
>> Password for root is in
>> /etc/security/passwd, all other users are via NIS.
>
> Are you sure?
> Verify in /etc/passwd if the entry for `root' is before the NIS entry,
> which is +::0:0::: (or similar)
>
> just a thought..

It is there:

$ grep -n root /etc/passwd
1:root:!:0:0::/:/usr/bin/ksh
$ grep -n '+::' /etc/passwd
11:+::0:0:::

i.e. root entry is at line 1, '+::0:0' is at line 11 (there are some other entries after that but no root). Besides

ypcat passwd | grep root

returns nothing (i.e. we don't publish root password via NIS).

Dragan

--
Dragan Cvetkovic,
To be or not to be is true. G. Boole
No it isn't. L. E. J. Brouwer
!!! Sender/From address is bogus. Use reply-to one !!!

Dragan Cvetkovic wrote:
> mgrd <mgrd@gmx.net> writes:
>
>>Dragan Cvetkovic wrote:
>>[..]
>>
>>>Password for root is in
>>>/etc/security/passwd, all other users are via NIS.
>>
>>Are you sure?
>>Verify in /etc/passwd if the entry for `root' is before the NIS entry,
>>which is +::0:0::: (or similar)
>>
>>just a thought..
>
> It is there:
>
> $ grep -n root /etc/passwd
> 1:root:!:0:0::/:/usr/bin/ksh
> $ grep -n '+::' /etc/passwd
> 11:+::0:0:::
>
> i.e. root entry is at line 1, '+::0:0' is at line 11 (there are some other
> entries after that but no root). Besides
>
> ypcat passwd | grep root
>
> returns nothing (i.e. we don't publish root password via NIS).
>
> Dragan
>

hmm .. I'm really not sure but you may have a look at /etc/security/ouser, esp. the value of the key `registry' for root.

If it's
registry = NIS
set it to
registry = files

Also:
Can you login as root when you stop the NIS client?

maybe `smitty' (it's the admin tool) helps:
- Security & User -> Users -> Change / Show Characteristics of a User
- type `root' for `User NAME'
- have a look at key `Password REGISTRY' and give `files' as the value
- hit ENTER to let it run

HTH

mgrd <mgrd@gmx.net> writes:

> Dragan Cvetkovic wrote:
>> mgrd <mgrd@gmx.net> writes:
>>
>>>Dragan Cvetkovic wrote:
>>>[..]
>>>
>>>>Password for root is in
>>>>/etc/security/passwd, all other users are via NIS.
>>>
[snip]
>> ypcat passwd | grep root
>> returns nothing (i.e. we don't publish root password via NIS).
>> Dragan
>>
>
> hmm .. I'm really not sure but you may have a look at /etc/security/ouser,
> esp. the value of the key `registry' for root.
>
> If it's
> registry = NIS
> set it to
> registry = files

I always thought that /etc/security/ouser contains the backup (old) version of /etc/security/user. The only difference between them is that ouser contains the previous entry for root as SYSTEM = "compat" whereas the /etc/security/user has it as SYSTEM = "files".

> Also:
> Can you login as root when you stop the NIS client?

Yes, I can. Both via network and directly on console. It seems that only if the network connection is down I have problems logging in to the console.

Dragan

--
Dragan Cvetkovic,
To be or not to be is true. G. Boole
No it isn't. L. E. J. Brouwer
!!! Sender/From address is bogus. Use reply-to one !!!

mgrd <mgrd@gmx.net> writes:

> maybe `smitty' (it's the admin tool) helps:
> - Security & User -> Users -> Change / Show Characteristics of a User
> - type `root' for `User NAME'
> - have a look at key `Password REGISTRY' and give `files' as the value
> - hit ENTER to let it run
>

Actually, this was the first thing I did (before posting to the usenet). It does have files as Password REGISTRY.

Is there a system in a world where compat works? On all systems I have encountered so far (be it AIX or Linux or anything else), compat doesn't work (and no, it's not always the same setting, and no, it was not configured by me).

Thanks for your help so far. Any other ideas?

Dragan

--
Dragan Cvetkovic,
To be or not to be is true. G. Boole
No it isn't. L. E. J. Brouwer
!!! Sender/From address is bogus. Use reply-to one !!!

Dragan Cvetkovic <me@privacy.net> wrote:
> Hi,
>
> we have an AIX 5.1 installation here which we (due to lack of network
> ports in machine room, don't ask) occasionally have to unhook from the
> network. At these times, even root on console is not able to log in to the
> system. The system asks for the username, I enter root and then there is a
> long delay (even a few days if we let it at it) with several
> "NIS domain xxx.yyy.zzz not responding", or similar messages before the
> password prompt appears. So I have to plug in the network cable, type root
> password and then unplug the cable. Password for root is in
> /etc/security/passwd, all other users are via NIS.
>
> This is obviously not a satisfactory situation. On other Unices, I know
> that I have to play with /etc/nsswitch.conf, but there is no
> /etc/nsswitch.conf on AIX. I have tried changing /etc/security/user to use
> SYSTEM=files for root, (default is compat) but that seems not to be enough
> -- or do I need to do something else as well (like, God forbid, reboot the
> system)?
>
> I am not very familiar with AIX, so I can use all the help I can get.

Check /etc/security/user. It should not only have SYSTEM = files in the [root] stanza, but also

registry = "files"

HTH,

Erik

news@elaan.dds.nl writes:

> Dragan Cvetkovic <me@privacy.net> wrote:
>> Hi,
>>
>> we have an AIX 5.1 installation here which we (due to lack of network
>> ports in machine room, don't ask) occasionally have to unhook from the
>> network. At these times, even root on console is not able to log in to the
>> system. The system asks for the username, I enter root and then there is a
>> long delay (even a few days if we let it at it) with several
>> "NIS domain xxx.yyy.zzz not responding", or similar messages before the
>> password prompt appears. So I have to plug in the network cable, type root
>> password and then unplug the cable. Password for root is in
>> /etc/security/passwd, all other users are via NIS.
>>
[snip]

> Check /etc/security/user. It should not only have SYSTEM = files in the
> [root] stanza, but also
>
> registry = "files"

Here is the complete section for root in /etc/security/user:

root:
        admin = true
        SYSTEM = "files"
        loginretries = 0
        account_locked = false
        registry = files

Bye, Dragan

--
Dragan Cvetkovic,
To be or not to be is true. G. Boole
No it isn't. L. E. J. Brouwer
!!! Sender/From address is bogus. Use reply-to one !!!

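A script form of the local-files checks suggested in the replies above (root listed before the `+` entry in /etc/passwd, and `SYSTEM` and `registry` set to `files` in root's stanza), added here as an example and not part of any post. The function names and the sample files are constructed for illustration; file paths are arguments so the checks can run against copies.

```shell
#!/bin/sh
# Added example: audit the local-files settings for root discussed in the thread.

# Print the value of KEY in the USER stanza of an AIX-style stanza file.
stanza_value() {  # stanza_value FILE USER KEY
    awk -v user="$2" -v key="$3" '
        /^[^ \t*][^ \t]*:[ \t]*$/ { sub(/:[ \t]*$/, ""); cur = $0; next }
        cur == user && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)   # trim blanks and quotes
            print v; exit
        }' "$1"
}

# Succeed only if USER has a local entry before the first NIS "+" entry.
local_before_nis() {  # local_before_nis PASSWD_FILE USER
    awk -F: -v user="$2" '
        $1 == user              { found = 1; exit }
        substr($1, 1, 1) == "+" { exit }
        END                     { exit !found }' "$1"
}

# Print one line per finding; return the number of findings.
audit_root() {  # audit_root PASSWD_FILE USER_FILE
    n=0
    local_before_nis "$1" root || { echo "no local root entry before + in $1"; n=$((n+1)); }
    for key in SYSTEM registry; do
        val=$(stanza_value "$2" root "$key")
        [ "$val" = files ] || { echo "root: $key = '${val:-unset}', expected files"; n=$((n+1)); }
    done
    return "$n"
}

# Constructed sample files modelled on the entries quoted in the thread.
write_sample() {  # write_sample DIR
    printf '%s\n' 'root:!:0:0::/:/usr/bin/ksh' 'daemon:!:1:1::/etc:' '+::0:0:::' > "$1/passwd"
    printf '%s\n' 'default:' '    SYSTEM = "compat"' '' 'root:' '    admin = true' \
        '    SYSTEM = "files"' '    registry = files' > "$1/user"
}

dir=${TMPDIR:-/tmp}/rootaudit.$$
mkdir -p "$dir" && write_sample "$dir"
audit_root "$dir/passwd" "$dir/user" && echo "root: passwd entry, SYSTEM and registry are all local"
rm -rf "$dir"
```

The original poster's configuration, as quoted in the thread, passes all three checks and the console login still stalls, so a clean result only rules out these settings as the cause.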
On Wed, 29 Sep 2004 11:06:21 -0400, Dragan Cvetkovic wrote:

> Hi,
>
> we have an AIX 5.1 installation here which we (due to lack of network
> ports in machine room, don't ask) occasionally have to unhook from the
> network. At these times, even root on console is not able to log in to the
> system. The system asks for the username, I enter root and then there is a
> long delay (even a few days if we let it at it) with several "NIS domain
> xxx.yyy.zzz not responding", or similar messages before the password
> prompt appears. So I have to plug in the network cable, type root password
> and then unplug the cable. Password for root is in /etc/security/passwd,
> all other users are via NIS.
>
> This is obviously not a satisfactory situation. On other Unices, I know
> that I have to play with /etc/nsswitch.conf, but there is no
> /etc/nsswitch.conf on AIX. I have tried changing /etc/security/user to use
> SYSTEM=files for root, (default is compat) but that seems not to be enough
> -- or do I need to do something else as well (like, God forbid, reboot the
> system)?

How about: disabling NIS (set domainname to "" and stop ypbind) before unplugging the cable; logging on before unplugging the cable? After all the unplugging isn't an unplanned failure is it?

And *don't* reboot an AIX NIS client with its network unplugged! You'll never be able to log in at all.

Another possibility is to put a NIS slave server on the machine itself. Then it'll bind to itself if the network doesn't work (and often when it does too, and other clients may bind to it, so make sure it's good). This may be the best option in your peculiar situation, if not the simplest.

It's checking NIS to see if root has any supplementary groups by virtue of the NIS netid (an AIX special which does indeed speed login in a NIS complex with many users, as long as NIS is working properly, it's keyed on userid and lists the groups by number) map before it completes the login process.

And as you have noted, it will wait until the end of the universe if it has to. There is no solution to this lockout that I know of except providing a NIS server which can be contacted which responds for the domain name. A laptop running Linux with a NIS server which serves the domain (it just needs the directory under /var/yp) with no maps connected by a crossover cable will suffice to break the lock in an emergency.

AIX's implementation of NIS is the worst I have ever seen. And it used to be even worse than it is now. Count yourself lucky.

AIX in general, I like most of it. But I have suffered from its NIS deficiencies for many years. This one is probably the worst.

Regards,

Ian