Troubleshooting
Problem
PowerVM VIOS padmin user fails to log in.
Symptom
IBM Virtual I/O Server
login: padmin
padmin's Password:
[compat]: 3004-327 Your password has been expired for too long.
3004-321 Please see the system administrator to change your password.
login: padmin
padmin's Password:
[compat]: 3004-327 Your password has been expired for too long.
3004-321 Please see the system administrator to change your password.
Cause
padmin user attribute, maxexpired, was likely changed from the default value, -1.
From padmin chuser command documentation:
| maxexpired | Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password. The value is a decimal integer string. The default value is -1, indicating that the restriction is set. If the maxexpired attribute is 0, the password expires when the maxage value is met. If the maxage attribute is 0, the maxexpired attribute is ignored. The value can be in the range 0 - 52. |
Environment
VIOS 3.1 and 4.1
Diagnosing The Problem
If the error occurs after upgrading VIOS from version 3.1 to 4.1, see recommended action noted in HIPER APAR IJ50326 Unable to login as padmin after VIOS 4.1 upgrade.
Otherwise, read the rest of this document.
Resolving The Problem
When padmin's Password is Lost
The only recovery method supported is to schedule a maintenance window to boot the VIOS into maintenance mode and reset the password.
For how-to details, see Recovering the padmin password in VIOS.
When padmin's Password is Known
You can determine whether padmin's maxexpired attribute value was changed. This can be done from the HMC by using "viosvrcmd" command with --admin option to run commands on the VIOS, as root. The HMC will run oem_setup_env immediately before running the command.
In this scenario, viosvrcmd can be ran against the VIOS partition to list padmin's current maxexpired attribute value using lsuser command from oem_setup_env (root) shell:
lsuser -a maxexpired padmin
lsuser -a maxexpired padmin
If maxexpired value is greater than 0, change it to "-1" by running AIX chuser command to clear the password expiration error:
chuser maxexpired=-1 padmin
Since viosvrcmd runs commands on the VIOS from the oem_setup_env shell, the following support document may be need depending on the HMC version: HMC viosvrcmd fails with HSCL2970
chuser maxexpired=-1 padmin
Since viosvrcmd runs commands on the VIOS from the oem_setup_env shell, the following support document may be need depending on the HMC version: HMC viosvrcmd fails with HSCL2970
To list the HMC version, login to the HMC as hscroot and run:
~> lshmc -v
For HMC versions higher than V8R8.5.0.0, run the commands after the section titled "To create the VIOS Admin task role" in the support document mentioned above:
~> mkaccfg -t taskrole -i "name=VIOS_Admin,parent=hmcsuperadmin,"resources=lpar:ViosAdminOp""
~> mkhmcusr -u viosadminuser -a VIOS_Admin --passwd vios-admin -M 3
Then, SSH to the HMC as the new user and run:
~> command="lsuser -a maxexpired padmin"
~> viosvrcmd -m <managed_system_name> -p <VIOS_LPAR_name> -c "$command" --admin
where <managed_system_name> is the name of the managed system where the VIOS LPAR resides and <VIOS_LPAR_name> is the VIOS partition name.
~> lshmc -v
For HMC versions higher than V8R8.5.0.0, run the commands after the section titled "To create the VIOS Admin task role" in the support document mentioned above:
~> mkaccfg -t taskrole -i "name=VIOS_Admin,parent=hmcsuperadmin,"resources=lpar:ViosAdminOp""
~> mkhmcusr -u viosadminuser -a VIOS_Admin --passwd vios-admin -M 3
Then, SSH to the HMC as the new user and run:
~> command="lsuser -a maxexpired padmin"
~> viosvrcmd -m <managed_system_name> -p <VIOS_LPAR_name> -c "$command" --admin
where <managed_system_name> is the name of the managed system where the VIOS LPAR resides and <VIOS_LPAR_name> is the VIOS partition name.
To list all managed system names, login as hscroot and run:
~> lssyscfg -r sys -F name
If the value of X in "maxexpired=X" in the output of the lsuser command is greater than 0, run:
~> command="chuser maxexpired=-1 padmin"
~> viosvrcmd -m <managed_system_name> -p <VIOS_LPAR_name> -c "$command" --admin
Then, retry padmin's log in.
~> lssyscfg -r sys -F name
If the value of X in "maxexpired=X" in the output of the lsuser command is greater than 0, run:
~> command="chuser maxexpired=-1 padmin"
~> viosvrcmd -m <managed_system_name> -p <VIOS_LPAR_name> -c "$command" --admin
Then, retry padmin's log in.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\/O Server"},"ARM Category":[{"code":"a8mKe000000TN3LIAW","label":"AUTHENTICATION"}],"ARM Case Number":"TS017066616","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1.3;3.1.4;4.1.0"}]
Was this topic helpful?
Document Information
Modified date:
27 August 2024
UID
ibm17166667