Issue Description


This issue mostly occurs when the account being changed is a system or functional account and there are multiple instances of the account in the BoKS database. The condition is usually triggered when the account password expires and users are set to use the account password (rather than their own password) when switching users (i.e., su).

For example, an organization might have several root accounts:

OS_SOLARIS_HOSTS:root
OS_AIX_HOSTS:root
OS_LINUX_HOSTS:root
BOKS_OS_HOSTS:root

In this example, the administrator wants to change the root password for the BoKS Master and Replicas. Because the Master and Replicas all run on Solaris, the administrator changes the OS_SOLARIS_HOSTS:root password. When the administrator then tries to log in to the Master and switch to root, it fails.

The problem is that the administrator mistakenly changed the wrong root password. The administrator should have changed the BOKS_OS_HOSTS:root instead of the OS_SOLARIS_HOSTS:root password.

Resolution / Workaround


In this example, the Master and Replicas share a common root account. The Master's hostname is "master".

To fix the problem, the administrator must correctly identify the account that needs to be changed. This is easily done by determining the Host Groups where the Master is a member:

BoKS# hgrpadm -l | grep master | awk '{print $1}'
BOKS_OS_HOSTS
BOKS_ADMIN_USERS_HOSTS
TIVOLI_MONITORED_HOSTS

From this output we can see that the Master is in the BOKS_OS_HOSTS Host Group. If we then look for the root accounts:

BoKS# lsbks -l '*:root'
OS_SOLARIS_HOSTS:root
OS_AIX_HOSTS:root
OS_LINUX_HOSTS:root
BOKS_OS_HOSTS:root

We can see that there is a match with BOKS_OS_HOSTS. From there, we can change the password of the correct root account:

BoKS# passwd BOKS_OS_HOSTS:root

NOTES:

This example used the root account, but this kind of issue can also occur with other functional accounts, for example oracle, apache, websphere, db2, and so on. The solution is the same: identify the correct account and make the appropriate change.

If there are overlapping Host Groups, i.e., Host Groups that contain users with the same name on the same hosts, there will be problems with password file updates. A user should never be defined in more than one Host Group if those Host Groups contain any of the same hosts. This condition can be guarded against by ensuring that the OVERLAPPING_ACCOUNT_CHECK variable is activated in the ENV file. Please see the BoKS Manager Administration Guide for more information on Overlapping User Accounts.
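
The lookup from the resolution steps, combined with the overlap condition from the notes, as an added shell example (not part of the original article and not vendor code). It assumes the Host Group list and the account list have been saved as two text files in the shapes shown above; the function names are hypothetical, and the overlap test only compares names for one host, it is not the OVERLAPPING_ACCOUNT_CHECK feature.

```shell
#!/bin/sh
# Added example, not vendor code. Inputs are text files in the shapes
# shown on this page:
#   $1  host groups of the target host, one per line
#       (hgrpadm -l | grep master | awk '{print $1}')
#   $2  candidate accounts, one HOSTGROUP:user per line (lsbks -l '*:root')

# Print every account whose host group is one of the host's groups.
matching_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { if ($0 != "") groups[$0] = 1; next }
        ($1 in groups)      { print }
    ' "$1" "$2"
}

# Exit 0 with the single matching account on stdout, 1 if none match,
# 2 if several match (the overlapping-account condition from the notes).
resolve_account() {
    matches=$(matching_accounts "$1" "$2")
    count=$(printf '%s' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    case $count in
        0) echo "no matching account for this host" >&2; return 1 ;;
        1) printf '%s\n' "$matches" ;;
        *) echo "overlapping accounts: $(echo $matches)" >&2; return 2 ;;
    esac
}

# Demo on the sample values from this page, written to temporary files.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' BOKS_OS_HOSTS BOKS_ADMIN_USERS_HOSTS \
        TIVOLI_MONITORED_HOSTS > "$tmp/groups"
    printf '%s\n' OS_SOLARIS_HOSTS:root OS_AIX_HOSTS:root \
        OS_LINUX_HOSTS:root BOKS_OS_HOSTS:root > "$tmp/accounts"
    resolve_account "$tmp/groups" "$tmp/accounts"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

Only change the password when the exit status is 0; a status of 2 means the host sees more than one account with that name and the Host Group definitions need to be corrected first.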



Last Modified On: June 28, 2019