IBM Support

3004-503 Cannot set process credentials error

Troubleshooting


Problem

One or more users in a particular group cannot log in nor can they be switched to with the su command.
 

Symptom

The error "3004-503 Cannot set process credentials." is displayed when trying to su to the user.
 

Cause

This error occurs if the authentication subsystem is unable to validate a user's membership of a group. Processing of the errant group stops at the point of the syntax error.  Most commonly, this is either a space character (0x20) or a newline character (0x0A). The error also occurs if the /etc/passwd or /etc/group files were manually edited, resulting in mismatched GIDs.
 

Diagnosing The Problem

Running the lsuser command on the user will usually show
  • No primary group listed, or "pgrp" attribute is missing from output
  • No groups listed in the "groups" attribute
  • One or more groups will be missing from the groups list. 
Check the pgrp and groups for the user.
# grep localuser /etc/passwd
localuser:*:237:222::/home/localuser:/usr/bin/ksh
# lsgroup ALL | grep 222
(null)
# usrck -n localuser
3001-607 User localuser has a non-existent primary group 222.
3001-657 Unable to set process credentials for user localuser.
3001-612 User localuser has a non-existent
         or inaccessible home directory /home/localuser.
3001-657 Unable to set process credentials for user localuser.
3001-611 User localuser has a non-existent
         or nonexecutable login shell /usr/bin/ksh.
# id localuser
uid=237(localuser) gid=222 groups=1(staff),223(localgroup)
Note there is not group name for gid 222 . In this case, the localuser pgrp is non-existent GID 222. The group must be created, or the user's pgrp must be reassigned to an existing GID.
If the groups and ids look correct, visually inspect the /etc/group file for space or newline characters in one of the group lines.
 

Resolving The Problem

Resolve the group issues for the user.
For example:
  • Create missing groups
  • Reassign the primary group (pgrp) to an existing group
  • Remove spaces or newline characters from the line of the problem group in the /etc/group file.
     

SUPPORT:

If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a case for software under warranty or with an active and valid support contract.  The technical support specialist assigned to your case will confirm that you have completed these steps.

a.  Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred

b.  Capture any logs or data relevant to the situation.

c.  Contact IBM to open a case:

   -For electronic support, please visit the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, please visit the web page:
      https://www.ibm.com/planetwide/

d.  Provide a good description of your issue and reference this technote

e.  Upload all of the details and data to your case

   -You can attach files to your case in the IBM Support Community
   -Or Upload data to IBM testcase server analysis:

    http://www.ibm.com/support/docview.wss?uid=ibm10733581

f.  Click here to submit feedback for this document.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":[{"code":"PF002","label":"AIX"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}]

Document Information

Modified date:
03 February 2024

UID

ibm10795734

Page Feedback