On Tuesday 15 July 2008 07:25:06 am Nigel Wade wrote:
> Ben Kevan wrote:
> > And just to make me feel bad..
> >
> > chage -d 0 does what my script does.. but for some reason when you su
> > username in RHEL 4 it does not look for the expiration in /etc/shadow
>
> It does here.
> # chage -d 0 testuser2
> ...
>
> $ su - testuser2
> Password:
> You are required to change your password immediately (root enforced)
> Changing password for testuser2
> (current) UNIX password:
>
> Maybe you have modified some configuration which breaks it. Check
> /etc/pam.d/su and system-auth.

$ sudo sh createuser -u5000 -c"Test User" tuser
This is what is to be added - ok? (^C if not)
tuser::5000:100:Test User:/home/tuser:/bin/bash
User has been added to system!
Remind them to change password after first logon
$ su - tuser
Password:
[tuser]$

Here is /etc/pam.d/su

#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account sufficient /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session required /lib/security/$ISA/pam_selinux.so open
session optional /lib/security/$ISA/pam_xauth.so

Here is /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

What do you think? Or how are yours configured?
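
Added example (not part of the original message, and not the createuser script it mentions): a POSIX shell function that reports, per account, the fields this exchange turns on, namely whether field 3 of the shadow entry is 0 (what chage -d 0 sets) and whether the passwd entry's password field is "x" or empty, as in the tuser line above. The function names, status labels, hashes and the testuser2 uid are constructed for illustration.

```shell
#!/bin/sh
# Added example: names, status labels and sample data are constructed.

# audit_expiry PASSWD_FILE SHADOW_FILE
# Prints "user:state" for every line of the passwd-format file.
audit_expiry() {
    awk -F: '
        # Shadow file (first argument to awk): keep hash and last-change day.
        FILENAME == ARGV[1] { seen[$1] = 1; hash[$1] = $2; lastchg[$1] = $3; next }
        # Passwd file: classify each account by the fields that matter here.
        {
            if ($2 == "")                state = "passwd-field-empty"
            else if ($2 != "x")          state = "passwd-field-not-x"
            else if (!($1 in seen))      state = "no-shadow-entry"
            else if (hash[$1] == "")     state = "shadow-hash-empty"
            else if (lastchg[$1] == "0") state = "change-forced"  # set by chage -d 0
            else                         state = "ok"
            print $1 ":" state
        }
    ' "$2" "$1"
}

# make_sample DIR: write constructed passwd and shadow files into DIR.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
testuser2:x:5001:100:Test User 2:/home/testuser2:/bin/bash
tuser::5000:100:Test User:/home/tuser:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructed$notarealhash:14000:0:99999:7:::
testuser2:$1$constructed$notarealhash:0:0:99999:7:::
EOF
}
```

On a live system, run it as root with the real files: audit_expiry /etc/passwd /etc/shadow.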