Can't unlock Linux user account

I had this issue today. This was the fix.

pam_tally --user= --reset

Example

pam_tally --user=cyberninja --reset

I hope this helps someone.


I found this post looking for an answer to this exact question. I had the same error but on a SLES 11 SP2 server. My co-worker reset my password and tried to unlock my account with the command passwd -u. One of my other co-workers said I needed to clear the account in PAM and gave me the command, which I have posted above.


Update:

I now have a fix that keeps this from happening again. It seems that there are two PAM files that were in conflict. These files are /etc/pam.d/login and /etc/pam.d/sshd. Both files have this line:

auth required pam_tally.so onerr=fail deny=3

You must comment out this line in one of the files listed above. We commented the line out in the /etc/pam.d/sshd file.

After you do this you should never have this issue again.


I have been facing the same issue today with one user account on a server running SUSE Linux Enterprise Server 11 SP2, even after resetting the password and changing the age to 0 (chage -d 0 userID):

[me@mordor ~]$ ssh frodo@mordor

Welcome to SUSE Linux Enterprise Server 11 SP2  (x86_64) - Kernel \r (\l).


Account locked due to 29 failed logins
Password:
Account locked due to 30 failed logins
Password:

With the same scenario described by @Jam in his original post, nothing showed the account as locked in either "/etc/passwd" or "/etc/shadow". Commands such as "passwd -S -a | grep frodo" showed that the ID was not locked (LK):

me@mordor:~> sudo passwd -S -a | grep frodo
frodo PS 01/01/1970 1 90 7 180

Also, "pam_tally2" showed that the ID was NOT locked:

me@mordor:~> sudo /sbin/pam_tally2 --user frodo
Login           Failures Latest failure     From
frodo             0

But the problem was in fact with "pam_tally":

me@mordor:~> sudo /sbin/pam_tally --user frodo
User frodo    (500)   has 32

After unlocking the userID password, I was able to log in with the new credentials and avoid the error message.

me@mordor:~> sudo /sbin/pam_tally --user frodo --reset
User frodo    (500)   had 32
me@mordor:~> sudo /sbin/pam_tally --user frodo
User frodo    (500)   has 0

Hope this helps someone else avoid breaking his/her head as I did in the last hour or so... So, to make a long story short, be sure to check both "pam_tally" and "pam_tally2" when the account is locked in SuSE!!

Regards, Hernan.
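
An added example (not code from any poster in this thread): a shell script that lists which PAM service files actively load pam_tally.so or pam_tally2.so, so you can see when the same lockout line sits in more than one file, as in the update above, and which of the two modules is in use, as in the post above. The function names and the sample files are constructed for illustration; pass a directory such as /etc/pam.d as the first argument to scan a real system.

```shell
#!/bin/sh
# Added example: report which PAM service files actively load pam_tally.so or
# pam_tally2.so. Function names and the sample files below are constructed.

# Print "<service> <module> <deny=N|deny=unset>" for each uncommented auth line.
tally_auth_lines() {
    for f in "${1:-/etc/pam.d}"/*; do
        [ -f "$f" ] || continue
        awk -v svc="${f##*/}" '
            /^[ \t]*#/ { next }                  # commented-out lines are inactive
            $1 == "auth" || $1 == "-auth" {
                mod = ""; deny = "deny=unset"
                for (i = 2; i <= NF; i++) {
                    m = $i; sub(".*/", "", m)    # drop any directory prefix
                    if (m == "pam_tally.so" || m == "pam_tally2.so") mod = m
                    else if (mod != "" && index($i, "deny=") == 1) deny = $i
                }
                if (mod != "") print svc, mod, deny
            }' "$f"
    done
}

# Print "<module>: <service> <service> ..." for modules loaded by 2+ services.
shared_tally_modules() {
    tally_auth_lines "$1" | awk '
        { n[$2]++; s[$2] = s[$2] " " $1 }
        END { for (m in n) if (n[m] > 1) print m ":" s[m] }'
}

# Constructed sample mirroring the thread: the same line in login and sshd.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'auth required pam_tally.so onerr=fail deny=3' \
                  'auth include common-auth' > "$1/login"
    cp "$1/login" "$1/sshd"
    printf '%s\n' '#auth required pam_tally.so onerr=fail deny=3' > "$1/su"
}

# With a directory argument, scan it; with none, run on the constructed sample.
if [ $# -gt 0 ]; then
    tally_auth_lines "$1"
else
    d=$(mktemp -d); make_sample "$d"; shared_tally_modules "$d"; rm -rf "$d"
fi
```

Commenting the line out of one service file, as the update above does for sshd, also removes that line's deny=3 check from that service, so compare the result with the lockout policy you intend to enforce.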


You can type:

pam_tally2 -r -u user_name

to unlock the account.