Linux – How to find all ways in which a Unix user account is locked

Tags: authentication, linux, unix, user-accounts

I occasionally find myself in a situation where an undermaintained system has an account that's been locked out. The problem is that there are a variety of ways in which an account can be locked out, each with their own method of being unlocked.

It's not that the account is being locked improperly, just unexpectedly, but finding the correct lock to reset is difficult.

My most recent attack of this problem was on a SUSE system, and it turned out that the password had expired (which wasn't initially known because the login attempts were not through a system that provided that sort of feedback), and then also locked due to failed login attempts.

Is there a list somewhere of all of the different possible account locks and how to disable them? I'm intending for actual brokenness, such as home directory access problems, corrupt PAM libraries, etc., to be out of scope for this question.

Best Answer

You can use passwd to gather some information, e.g. if an account is locked:

passwd -S user
user LK 2012-11-06 0 99999 7 -1 (Password locked.) (CentOS)
user L 01/22/2013 0 99999 7 -1 (Ubuntu)

The chage utility will provide information about the various timers on an account, e.g. for an unexpired password:

chage -l user
Last password change                                    : Nov 12, 2012
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

For an expired password:

chage -l user
Last password change                                    : password must be changed
Password expires                                        : password must be changed
Password inactive                                       : password must be changed
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 22
Number of days of warning before password expires       : 33

The passwd and chage utilities also list many of the account locks.

You can use getent to pull the information directly from the relevant database for examination:

getent passwd user
user:x:505:505::/home/passtest:/sbin/nologin  <-- denied login
getent shadow user
user:!!:0:0:22:33:44::   <-- this is locked
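
An added example, not part of the original answer: a shell function that takes the two getent lines shown above and prints every lock condition visible in them, using the field layout from shadow(5). The name `lock_reasons` and its reason codes are made up for this illustration; locks held in failed-login counters live outside these two files and are not covered.

```shell
#!/bin/sh
# Added example. Inputs are lines as printed by `getent passwd` and
# `getent shadow`, passed as strings so the check also runs on saved copies.
# Usage: lock_reasons PASSWD_LINE SHADOW_LINE [TODAY_AS_DAYS_SINCE_EPOCH]
# Prints one reason code per line; prints nothing if no lock is visible.
lock_reasons() (
    today=${3:-$(( $(date +%s) / 86400 ))}
    # shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved
    IFS=: read -r name hash lastchg min max warn inactive expire rest <<EOF
$2
EOF
    # The 7th passwd field is the login shell; nologin/false refuse a session.
    case "${1##*:}" in
        */nologin|*/false) echo nologin-shell ;;    # see: usermod -s
    esac
    # A hash field starting with '!' or '*' can never match a typed password.
    case "$hash" in
        '!'*|'*'*) echo password-locked ;;          # see: passwd -u, usermod -U
    esac
    if [ "$lastchg" = 0 ]; then
        # What `chage -d 0` sets; chage -l shows "password must be changed".
        echo password-must-change
    elif [ -n "$lastchg" ] && [ -n "$max" ] && [ "$today" -gt $((lastchg + max)) ]; then
        echo password-expired                       # cleared by a new password
        if [ -n "$inactive" ] && [ "$today" -gt $((lastchg + max + inactive)) ]; then
            echo password-inactive                  # an admin must reset it
        fi
    fi
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo account-expired                        # see: chage -E
    fi
    return 0
)

# The two entries from the answer above:
lock_reasons 'user:x:505:505::/home/passtest:/sbin/nologin' 'user:!!:0:0:22:33:44::'
```

For the entries in the answer this reports three independent conditions (shell, locked hash, forced password change), each of which has to be cleared separately.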