Can't unlock Linux user account

I've got a Linux box (OpenSuSE 11.3) with a locked-out user account. I logged in as the root account to unlock it with passwd -u <user>, but I get a message 'Cannot unlock the password for <user>!'

I tried changing the password to something new via passwd, but attempting to log in with this new password still gives the 'account has been locked due to x failed attempts' error message.

passwd -S gives status flags of 'PS' for the account. I don't recognise 'S', but at any rate it's not showing either 'L' (locked) or 'NP' (no password). /etc/shadow doesn't contain any weird characters like ! at the front of the line for this account. Looking at it in this distro's management app (YaST) appears to show that it isn't locked (the 'disable account' button is unchecked).

Where else do I need to check to see how and why this account is refusing to unlock/login?


Solution 1:

I had this issue today. This was the fix.

pam_tally --user=<user> --reset

Example

pam_tally --user=cyberninja --reset

I hope this helps someone.


I found this post looking for an answer to this exact question. I had the same error but on a SLES 11 SP2 server. My co-worker reset my password and tried to unlock my account with the command passwd -u. One of my other co-workers said I needed to clear the account in PAM and gave me the command, which I have posted above.


Update:

I now have a fix that keeps this from happening again. It seems that there are two PAM files that were in conflict. These files are /etc/pam.d/login and /etc/pam.d/sshd. Both files have this line:

auth required pam_tally.so onerr=fail deny=3

You must comment out this line from one of the files listed above. We commented the line out in the /etc/pam.d/sshd file.

After you do this you should never have this issue again.

Solution 2:

I have been facing the same issue today with one user account on a server running SUSE Linux Enterprise Server 11 SP2, even after resetting the password and changing the age to 0 (chage -d 0 userID):

[me@mordor ~]$ ssh frodo@mordor

Welcome to SUSE Linux Enterprise Server 11 SP2  (x86_64) - Kernel \r (\l).


Account locked due to 29 failed logins
Password:
Account locked due to 30 failed logins
Password:

With the same scenario described by @Jam in his original post: nothing showed the account as locked in either "/etc/passwd" or "/etc/shadow". Commands such as "passwd -S -a | grep frodo" showed that the ID was not locked (LK):

me@mordor:~> sudo passwd -S -a | grep frodo
frodo PS 01/01/1970 1 90 7 180

Also, "pam_tally2" showed that the ID was NOT locked:

me@mordor:~> sudo /sbin/pam_tally2 --user frodo
Login           Failures Latest failure     From
frodo             0

But the problem was in fact with "pam_tally":

me@mordor:~> sudo /sbin/pam_tally --user frodo
User frodo    (500)   has 32

After unlocking the userID password, I was able to log in with the new credentials and avoid the error message.

me@mordor:~> sudo /sbin/pam_tally --user frodo --reset
User frodo    (500)   had 32
me@mordor:~> sudo /sbin/pam_tally --user frodo
User frodo    (500)   has 0

Hope this helps someone else to avoid breaking his/her head as I did in the last hour or so... So, to make a long story short, be sure to check both "pam_tally" and "pam_tally2" when the account is locked in SuSE!!

Regards, Hernan.
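
To see which services actually stack pam_tally or pam_tally2 (the situation behind Solutions 1 and 2), a scan of the PAM configuration directory tells you which counter to query and where the deny= limits are set. This is an added example, not code from any of the answers; the function names and the sample files are constructed for illustration, and on a real host the directory to scan is /etc/pam.d.

```shell
#!/bin/sh
# Added example: find which PAM services stack pam_tally / pam_tally2.

# Print "service module type deny" for every active (uncommented) line in
# DIR (default /etc/pam.d) that loads pam_tally.so or pam_tally2.so.
scan_pam_tally() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v svc="${f##*/}" '
            /^[[:space:]]*#/ { next }          # commented-out lines are inactive
            {
                mod = ""; deny = "-"
                for (i = 1; i <= NF; i++) {
                    if ($i ~ /^(.*\/)?pam_tally2?\.so$/) { mod = $i; sub(/.*\//, "", mod) }
                    if ($i ~ /^deny=/) deny = substr($i, 6)
                }
                if (mod != "") print svc, mod, $1, deny
            }' "$f"
    done
}

# Print the counter commands worth querying (pam_tally, pam_tally2), one per
# line, derived from the modules that are actually configured.
tally_tools_in_use() {
    scan_pam_tally "$1" | awk '{ sub(/\.so$/, "", $2); print $2 }' | sort -u
}

# Constructed sample tree (not taken from a real host): login keeps the line
# quoted in Solution 1, sshd has it commented out, common-auth uses pam_tally2.
make_sample_pam_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth required pam_tally.so onerr=fail deny=3' \
                  'auth include common-auth' > "$d/login"
    printf '%s\n' '#auth required pam_tally.so onerr=fail deny=3' \
                  'auth include common-auth' > "$d/sshd"
    printf '%s\n' 'auth required pam_tally2.so deny=5 onerr=fail' \
                  'auth required pam_unix2.so' > "$d/common-auth"
    echo "$d"
}

sample=$(make_sample_pam_dir)
scan_pam_tally "$sample"
tally_tools_in_use "$sample"
rm -rf "$sample"
```

If both module names come back, check and reset the counter with each of the two commands shown in the answers, since they keep separate failure counts.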

Solution 3:

You can type:

pam_tally2 -r -u user_name

to unlock the account.

Solution 4:

Try

usermod --expire 9999

to disable inactivity for the account (this sets the expire date to 1/1/9999). passwd -u only works if the password is "locked", but not for disabled accounts.