Sunday, February 24, 2008

Troubleshooting the "su: No shell" error

The other day we had a problem with a system account. At first we did not notice the “su: No shell” error on the console (headless server) but after a few reboots it was fairly evident. The message gave us enough feedback to determine the substitute user or su command was having a problem with a particular account. To ascertain which system account, we invoked a sequential step-through of the startup scripts.

In the end, it appears that a third party application used to manage NIS+ had locked and changed the account’s shell to something unknown (by design) due to multiple login failures. The account was restored to its original shell.

# su - esofthub -c "myscript"
su: No shell

View locked account
# niscat passwd.org_dir | grep esofthub
esofthub:*LK*:1005:10:esofthub test:/home/esofthub:/bin/sh.locked:13933::::::

Modify with third party application
After the modification
# su - esofthub -c "myscript"
Visit Ucertify's challenge winners' blogs: Ax0N and armando

For Files Only

If you are using the files repository and no third party software to manage your user information, modify the /etc/passwd file.

View locked account
# less /etc/shadow | grep esofthub
esofthub:*LK*:13933::::::
# less /etc/passwd | grep esofthub
esofthub:x:1005:10:esofthub test:/home/esofthub:/bin/sh.locked

Modify the account manually or admintool
# vi /etc/passwd
...
esofthub:x:1005:10:esofthub test:/home/esofthub:/bin/sh
...
:wq!

Change shell to C shell or any other shell if so desired
# passwd -r files -e esofthub
Old shell: /bin/sh
New shell: /bin/csh

Or
# admintool &

After the modification
# su - esofthub -c "myscript"
Visit Ucertify's challenge winners' blogs: Ax0N and armando

2 comments:

Eric Valliere said...

You got my hopes up that I was going to find out why my root user doesn't get a shell when I su - into it, just to find out it's a different problem and you're using NIS and not Kerb/LDAP :)

esofthub said...

Eric,

Sorry about that. I'm actually using NIS+ (tables) vs NIS (maps).