Cannot create user using SMITTY

thecobra151 · June 6, 2011, 11:05am

i'm using smitty to create user...what happen is it prompt me "failed" with error

3004-703 Check "/etc/security/login.cfg" file. 
3004-691 Error changing "shell". 
3004-703 Check "/usr/lib/security/mkuser.default" file. 
3004-721 Could not create user. 
3004-703 Check "/usr/lib/security/mkuser.sys" file. 
: THE FILE ACCESS PERMISSIONS DO NO ALLOW THE SPECIFIED ACTION.

in the machin that i have problem
ls -lrt /usr/lib/security/mkuser.sys
-rwxr-x---    1 root     security       1947 Jun 23 2007  /usr/lib/security/mkuser.sys

in other machin thats working fine 
ls -lrt /usr/lib/security/mkuser.sys
lrwxrwxrwx    1 root     security         24 Jul 09 2010  /usr/lib/security/mkuser.sys -> /etc/security/mkuser.sys

rn1 · June 6, 2011, 11:18am

stupid question but you are running smitty as root, right?

thecobra151 · June 6, 2011, 11:19am

yes i am

rn1 · June 6, 2011, 11:53am

what about /etc/security/login.cfg. has it been changed? The first error appears to be related to this file and the rest are probably just a consequence of the failure of that one.

thecobra151 · June 6, 2011, 12:42pm

no the /etc/security/login.cfg. did not changed

more information

i can modify and delete any user account but creating user is what i have problem with it

kah00na · June 6, 2011, 2:38pm

Can you create a user with the "mkuser" command like this:

host:/:$ lsuser user1
3004-687 User "user1" does not exist.
host:/:$ mkuser user1
host:/:$ lsuser user1
user1 id=221 pgrp=staff groups=staff home=/home/user1 shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=5 account_locked=false minage=0 maxage=0 maxexpired=8 minalpha=2 minother=2 mindiff=0 maxrepeats=8 minlen=0 histexpire=26 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=-1 stack=-1 core=-1 rss=-1 nofiles=-1 roles=
host:/:$

thecobra151 · June 6, 2011, 2:45pm

dear kah00na its gives me this error agine

 
>mkuser khaled
3004-703 Check "/etc/security/audit/config" file.
3004-691 Error changing "auditclasses".
3004-703 Check "/usr/lib/security/mkuser.default" file.
3004-721 Could not create user.
3004-703 Check "/usr/lib/security/mkuser.sys" file.
 : The file access permissions do not allow the specified action.

bakunin · June 7, 2011, 3:46am

Have you auditing turned on? (Check with audit query as root.)

If so, could you please expand about its configuration?

bakunin

thecobra151 · June 7, 2011, 3:55am

 
audit>audit on
** auditing enabled already
A system call received a parameter that is not valid.

audit query
auditing on
bin processing off
audit events:
        realsecure - ACCT_Disable,ACCT_Enable
        general - USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir,USER_Login,USER_Logout,USER_Change,USER_Remove,USER_Create,USER_Locked,USER_Unlocked,GROUP_Create,GROUP_Remove
        objects - AUD_CONFIG_WR,S_USER_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_LOGIN_WRITE,S_LIMITS_WRITE,S_GROUP_WRITE,S_ENVIRON_WRITE
        SRC - SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,SRC_Chserver,SRC_Delserver
        ALL - AUD_CONFIG_WR,S_USER_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_LOGIN_WRITE,S_LIMITS_WRITE,S_GROUP_WRITE,S_ENVIRON_WRITE,ACCT_Disable,ACCT_Enable,USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir,USER_Login,USER_Logout,USER_Change,USER_Remove,USER_Create,USER_Locked,USER_Unlocked,GROUP_Create,GROUP_Remove,SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,SRC_Chserver,SRC_Delserver,AUD_It,FILE_Write,PROC_Delete,SHM_Detach,SHM_Open,FILE_Close,FILE_Open,FILE_Stat,FILE_Dupfd,FILE_Read,FILE_Owner,FILE_Accessx,PROC_SetGroups,PROC_RealGID,PROC_Limits,PROC_SetUserIDs,WLM_assign,AUD_Proc,PROC_Privilege,TCP_ksocket,TCP_kconnect,TCP_kclose,PROC_Execute,FILE_Pipe,PROC_Create,TCB_Exec,PROC_LoadMember,PROC_LoadError,TCP_ksetopt,TCP_kbind,PROC_Load,WLM_set,TCP_klisten,FILE_Mknod,FILE_Mode,PROC_Sysconfig,PROC_Setpgid,SEM_Create,PROC_Environ,TCP_kaccept,TCP_kshutdown,INIT_Start,FILE_Utimes,MSG_Create,SHM_Create,SEM_Op,FILE_Fchmod,RTSEM_Init,SEM_Delete,RTSEM_Destroy,PROC_Setpri,FILE_Symlink,INIT_End,FILE_ReadXacl,FILE_WriteXacl,PROC_Kill,RTSEM_Post,RTSEM_Wait,RTSEM_TryWait,TCP_ksocketpair,MSG_Write,MSG_Read,MSG_Mode,FILE_Fchown,PROC_SetPri,CRON_Start,CRON_Finish,FILE_StatAcl,SHM_Mode,SHM_Close,FS_Fchdir,PROC_Adjtime,SENDMAIL_Config,MAIL_ToUser,USER_Chpass,PASSWORD_Flags,PROC_SysParm,DEV_Configure,DEV_Create,DEV_Change,FILE_StatPriv,FILE_FReadXacl,FILE_FWriteXacl,TCPIP_connect,TCPIP_access,TCPIP_data_out,TCP_kreceive,TCPIP_data_in,FILE_Acl,USER_Check,PASSWORD_Check,GROUP_User
audit objects:
        /etc/security/audit/config:
                 w = AUD_CONFIG_WR
        /etc/security/group:
                 w = S_GROUP_WRITE
        /etc/security/environ:
                 w = S_ENVIRON_WRITE
        /etc/security/limits:
                 w = S_LIMITS_WRITE
        /etc/security/passwd:
                 r = S_PASSWD_READ
                 w = S_PASSWD_WRITE
        /etc/security/login.cfg:
                 w = S_LOGIN_WRITE
        /etc/security/user:
                 w = S_USER_WRITE

bakunin · June 7, 2011, 4:35am

Ok, there is no "out-of-the-book" solution so the only way to solve the problem is methodical exclusion of possible culprits. Some *possible* reasons:

Usually "/usr/lib/security/mkuser.sys" is a link to "/etc/security/mkuser.sys". Are the two files different? What about their permissions? What is the content of the file(s)?
in "/etc/security/login.cfg" is a "usw:" stanza with a line "shells = [...]". This is a list of allowed login shells - do the entries in "mkuser.sys" maybe contradict this? (like in: defining a shell as login shell which is not in the allowed login shells)
Maybe the auditing is causing the troubles. Try shutting down auditing ( audit shutdown ) and then try to create the user.

I hope this helps.

bakunin

thecobra151 · June 7, 2011, 6:16am

bakunin:

Ok, there is no "out-of-the-book" solution so the only way to solve the problem is methodical exclusion of possible culprits. Some *possible* reasons:

Usually " /usr/lib/security/mkuser.sys" is a link to " /etc/security/mkuser.sys". Are the two files different? What about their permissions? What is the content of the file(s)?

in AIX 5.3 the /usr/lib/security/mkuser.sys
is not linked to /etc/security/mkuser.sys and i double check with other AIX 5.3 machin and its not linked too but the audit works fine there .

ls -lrt /usr/lib/security/mkuser.sys
-rwxrwxrwx 1 root security 1947 Jun 23 2007 /usr/lib/security/mkuser.sys

more /etc/security/mkuser.sys
/etc/security/mkuser.sys: A file or directory in the path name does not exist.

in "/etc/security/login.cfg" is a "usw:" stanza with a line "shells = [...]". This is a list of allowed login shells - do the entries in "mkuser.sys" maybe contradict this? (like in: defining a shell as login shell which is not in the allowed login shells)

usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/us
r/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd,/usr/bin/fal
se,/home/bin/security,/usr/bin/smitty
maxlogins = 32767
logintimeout = 30
auth_type = STD_AUTH

Maybe the auditing is causing the troubles. Try shutting down auditing ( audit shutdown ) and then try to create the user.

even i shutdown the audit and i can't create the user .

I hope this helps.

bakunin

tanvi22 · June 20, 2011, 11:00am

Let's see your "/etc/security/login.cfg" file and check if anything's wrong with it.

kaancerit · June 21, 2011, 3:12am

can u attach output of "truss mkuser khaled"? if there is a permission problem we can see.

thecobra151 · June 22, 2011, 2:56am

dears i solve the problem by copying the config file from node b to node a and ist works fine

thanks all