--- Sjoerd Hooft's InFormation Technology ---

User Tools

Site Tools



Recently Changed Pages:

View All Pages

View All Tags

WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any view or statement expressed anywhere on this site are strictly mine and not the opinions or views of my employer.

Pages with comments

2019/11/18 13:52 1 Comment

View All Comments


AIX User Management


When working on the AIX LDAP authentication on eDirectory project we came to a point where there was also need for local users to which we could su. This proved a little problematic because of the su configuration on AIX. I did manage to solve the problem and the need for this page was born, I needed a place to store my new information about AIX User Management.


According to this IBM Document users who are a LDAP user cannot su to a local user due to the group membership. The fix is pretty simple, use smitty to set the “SU GROUPS” attribute to ALL:

  • sudo smitty users
    • Change / Show Characteristics of a User
    • Select the local user
    • Set the “SU GROUPS” attribute to “ALL”. You can't select this option, you'll have to type it.

Allow SU

Due to our security policies on AIX boxes new users are created without the possibility to su to the user, with the issue above in mind that's not what we want.

  • sudo smitty users
    • Change / Show Characteristics of a User
    • Select the local user
    • Set the “Another user can SU TO USER?” to “true”.

Reset User Account

When this message is received you'll have to reset the account:

3004-303 There have been too many unsuccessful login attempts; please see
        the system administrator.

Procedure to reset the account:

chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s <username>
chuser "account_locked=false" <username>

Chsec is the command needed to change an user's security attributes. I tried to do this with my own user account, using sudo but then I received this error:

Error committing changes to "<username>".

The solution was to issue the command as root, so I first had to SU to root and then the command succeeded.

This might be solved with AIX 6.1 when ROLES have LDAP integration:
The AIX 5L Security Expert was introduced with Technology Level 5 of AIX V5.3 OS, it provides clients with the capability to manage more than 300 system security settings from a single interface and the ability to export and import those security settings between systems. In AIX V6.1 OS it includes an enhancement to store security templates in a Lightweight Directory Protocol (LDAP) directory for use across a client's enterprise to help centralize its administration.

Change User Password

If you've changed a password for a local user and you don't want to force to change the password again clear the 'ADMCHG' flag of the user account:

aixbox:/>sudo passwd user-2
Changing password for "user-2"
user-2's New password:
Re-enter user-2's new password:
aixbox:/>sudo pwdadm -c user-2

Create User Script

This is an example to create a user using variables and setting different user attributes:

mkuser id="${_userid}" pgrp="${_groupname}" groups="${_groupname},users" \
home="$(userhome "${_teller}")" shell='/bin/bash' gecos="User (Number ${_teller})" \
umask='002' rlogin='false' sugroups='ALL' su='true' loginretries='10' maxage='0' \
maxrepeats='8' minlen='5' minother='1' maxexpired='-1' minalpha='3' minage='0' \
histsize='0' histexpire='0' "${_username}"

Create Account Overview Excel

Although there is no out of the box way to import account details into Excel there is an easy way. It consists of these steps:

  1. Query for the data
  2. Copy the output into a text editor
  3. Replace delimiter by a comma
  4. Import the text file with excel

Query Data

Determine the data you need. For me it's the name of the user, some account information and the User information. The last attribute is a bit tricky. It's not a required field and can be empty, so be sure to request the attribute as the last attribute:

lsuser -c -a account_locked login rlogin gecos ALL | grep '^[a-z]'

This will give you output to the screen which you can copy to a text editor which can replace the delimiter ':' with the delimiter ','. Save the file with the extension '.csv' and open the file with excel. Save the new file as a normal excel file.


Enter your comment. Wiki syntax is allowed:
aixusers.txt · Last modified: 2019/11/18 12:21 (external edit)