I'm trying to set up my AIX 5.3 machines so that certain non-root users (which I call user admins) can perform the following administrative tasks:
1) Unlock other non-administrative users
2) Reset other non-administrative users' failed login count
3) Change other non-administrative users' passwords
However, these user admins should NOT be able to do any of the following:
1) They should not be allowed to modify administrative users in any way (change passwords, etc)
2) They should not be allowed to remove users
3) They should not be allowed to add users
I tried to do this by putting my user admins in the security group, and giving them the ManageBasicPasswds role. That seems to work, except for one thing: when they change other users' passwords with smitty, they get the following message:
3004-315 The password database was successfully updated, but an
error occurred when updating the password history database.
3004-691 Error changing "(username)".
The password history database, which apparently failed to update, is in two files:
/etc/security/pwdhist.dir
/etc/security/pwdhist.pag
Both of these files are owned by root:system, and their permissions are 600 (-rw-------). I suspect they should be root:security and 660 (-rw-rw----) instead, so that my user admins (who are in the group security) would be able to update them. But I don't feel comfortable changing group and permissions unless I know I won't mess something else up.
Please advise.