Recently, I discovered strange messages in a servers system log. The cron daemon was complaining about an expired user account, but there are no user accounts on this server, which should ever expire.
Apr 10 08:25:01 server17 CRON: User account has expiredApr 10 08:25:01 server17 CRON: User account has expiredNo hint, which user or cron line but also no successful cron starts.
There are two accounts actually used on this server: My personal one and a locked root account (because Ubuntu is using sudo and no root password at all preventing the root account from being hacked by password). My account is used only for administration and I was able to log in, the problem clearly has to affect the root account:
$ sudo passwd -S rootroot L 11/26/2011 0 99999 7 -1Looks like the root account expired in 2011? Wrong! The last password change has been in 2011, the expire time is the last value. "-1" means "never expires" - but the cron daemon reports something else.
The root account shouldn't have any password, but some recovery issue a long time ago forced me to set a root password for a very short time. I set a new one and locked the account again (because I don't use it for login):
$ sudo passwd -u rootPassword changed.$ sudo passwd rootEnter new UNIX password: Retype new UNIX password: passwd: password updated successfully$ sudo passwd -S rootroot P 04/10/2013 0 99999 7 -1$ sudo passwd -l rootPassword changed.$ sudo passwd -S rootroot L 04/10/2013 0 99999 7 -1Fresh date, but the cron daemon log was still complaining. I started a Google journey and tried out some thing - always being afraid because I might lock myself out from this server while playing around with the root account settings. I should have started another ssh session and start a root shell there as a backup.
It took some time until I realized that the root account shouldn't be locked at all. It should be enabled and valid and have a password - but an invalid one.
Linux passwords are stored as crypted (hashed) values. One can't enter "12345" in the password file and log in using "12345" as the password. The file contains the hashsum of "12345" which will be compared to the hashsum of the password entered during login. The hashsums need to match, not the passwords.
The root account should have an exclamation mark "!" as password hashsum in /etc/shadow, because there is no cleartext password which will result in a "!" as hashsum. I updated root's line in /etc/shadow:
root:!:12345:0:99999:7:::The important thing is the ! in the second column (the ":" is used as column separator in this file).
The root account is active now, but can't login - which is perfectly fine.
Notice that passwd -S still treads it as "locked", but the cron daemon is happy now:
$ sudo passwd -S root[sudo] password for sewi:root L 04/10/2013 0 99999 7 -1
Thanks to the Ubuntu forum for pointing me in the right direction.