I have created several application accounts on servers that run cron jobs but should not allow direct logins. These accounts have a password set but have been modified with 'passwd -N'.
Now my users are complaining that they cannot become that application account with /bin/su. They are entering the correct password for the account but are getting the access to the account.
Privileged User Options
Only a privileged user can use the following options:
-N
Makes the password entry for name a value that cannot be used for login, but does not lock the account. See the -d option for removing the value, or to set a password to allow logins.
Locking an account (-l option) does not allow its use for password based login or delayed execution (such as at(1), batch(1), or cron(1M)). The -N option can be used to disallow password based login, while continuing to allow delayed execution.
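The -l versus -N distinction quoted above, as an added example that is not part of the original post. It assumes the Solaris shadow(4) convention that 'passwd -N' stores the literal value NP in the password field and 'passwd -l' prefixes the field with *LK*; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Classify one shadow(4)-style entry by its password field and report
# whether password authentication (login, or su run by a non-root user)
# and delayed execution (at, batch, cron) remain possible.
# Assumed Solaris markers: "NP" = set by passwd -N, "*LK*" prefix = passwd -l.
classify_shadow_line() {
    line=$1
    user=${line%%:*}          # field 1: account name
    rest=${line#*:}
    pw=${rest%%:*}            # field 2: password value
    case $pw in
        '*LK*'*) state=locked;  pwauth=no;     delayed=no  ;;
        NP)      state=nologin; pwauth=no;     delayed=yes ;;
        # Empty field (value removed with passwd -d): whether a login is
        # accepted depends on local login policy, so report "policy".
        '')      state=empty;   pwauth=policy; delayed=yes ;;
        # Anything else is treated as a password hash in this sketch.
        *)       state=hash;    pwauth=yes;    delayed=yes ;;
    esac
    printf '%s %s password_auth=%s delayed_exec=%s\n' \
        "$user" "$state" "$pwauth" "$delayed"
}

# Run the classifier over constructed sample entries (not real accounts).
report_sample() {
    while IFS= read -r entry; do
        classify_shadow_line "$entry"
    done <<'EOF'
batchapp:NP:19000::::::
oldapp:*LK*:19000::::::
tmpacct::19000::::::
alice:$5$constructed$notARealHash:19000::::::
EOF
}

report_sample
```

An account in the nologin state has no value that a typed password can match, so any program that authenticates with the account's password is refused, while cron jobs for the account keep running.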