Solaris 11 Express Root Password Gotcha

/solaris-11-express-root-password-gotcha 2010-11-16T08:14:53+00:00

This one is definitely going to bite a few people, especially those that have got used to pfexec on OpenSolaris.

With the first build of Solaris 11 Express, the installer has been configured to do the following when the OS is installed (taken from OpenSolaris defect 4885) :

  1. Remove the root password prompt
  2. Require an initial user login name and password
  3. Set the root password to the initial user password
  4. The root user is type=role
  5. The initial user is granted the root role (type=normal;roles=root)
  6. The initial user is put in /etc/sudoers -- presumable with all commands
  7. The initial use is no longer granted the Primary Administrator Rights Profile
  8. The password hash algorithm is sha256
  9. The root account password is installed as expired (passwd -f).

If you've used OpenSolaris, you'll notice this differs from OpenSolaris at steps 6 and 7. However, this change has revealed one teeny weeny issue:

Gksu Does Not Report Expired Password (6995127). (Requires My Oracle Support access)

This IS documented in the Solaris 11 Express release notes, but I can guarantee this will be missed by most people and the first they'll know of it is when they're prompted by a GUI app to enter the root password and it fails saying the password is wrong. The release notes also don't detail the workaround. For that you need to view the CR referenced.

Until such time as this issue is resolved, you need to login as the user created during installation, fire up a terminal and run "su". You'll be prompted for the old root password (your current user login password) and then asked to set a new password for root.

Before you get all excited about sudo(1m) now being included in Solaris, take note of the following excerpt from it's man page:

     sudo does not create audit(2) records; for a Role Based
     administration solution that performs auditing of all
     actions, please refer to rbac(5).

So if auditing is important, use RBAC and not sudo. If you're used to doing everything using pfexec, you can currently still add the "Primary Administrator" profile to your username in /etc/user_attr, but apparently this is due to change in a later release when this profile is EOLd.

Copyright © 2005 - 2018 Colin Seymour All rights reserved. Privacy Policy.
Check out the feed if you do the RSS/Atom thing.