Login accounts don't work after update to 7.1
info at bert-jan.com
Fri Jan 9 00:45:28 PST 2009
> "Bert-Jan" <info at bert-jan.com> writes:
>> Hi Folks,
>> I just updated one of my servers from 7.0-RC1 to 7.1-RELEASE.
>> During the first freebsd-update install, before rebooting, I was
>> to find that it was going to change my /etc/passwd (deleting all my
>> accounts, keeping only the built-in accounts) and /etc/pwd.db and
>> /etc/spwd.db. I was quite suspicious so I made copies of them.
> freebsd-update should merge master.passwd, and re-generate all of those
> files from there. What did you do with master.passwd?
I didn't do anything with it. I didn't know about it (Linux experience
talking here, only been using FreeBSD for a year or so). Now that I'm
looking at it all the accounts are there, so it was successfully merged
> Note that backup copies of master.passwd are kept in /var/backup. None
> of the other files, because they're generated from there.
>> After rebooting the machine came back online perfectly. I checked
>> /etc/passwd but there were no changes yet. Then, as the docs say, I ran
>> freebsd-update install again and it took quite a while. *Then* my
>> /etc/passwd was changed, so I replaced it with the spare copy I made. Of
> That spare copy doesn't help at all; /etc/passwd is only there as a
> convenience to users, and isn't consulted by the system for anything.
I noticed, but after logging out as root unfortunately.
>> course I had to test it now so I exited from root back to my own
>> and you guessed it: I can't su anymore:
>> $ su -
>> su: who are you?
>> I started up a second session and found my own account doesn't work
>> anymore either. So all I have now is an open session with my own
>> I should probably also have copied the two db files back and of course I
>> should have left my running root session open and started another one.
>> a very bright moment..
> Does the root account itself have a password? If you installed a
> generic password file, it may be unprotected, and you could log in (but
> not su, as that requires you first be logged in as a wheel user, of
> which you may have none left) as root without a password if you have a
> local terminal (a serial console, for example), and fix things from there.
Yes, root has a password. The account I was still logged in with is a
wheel user but trying a second session showed I couldn't log in with that
account anymore either. I really made a mess of it :)
>> Is there a way I can recover the server from this?
>> Of course I can put in a cd and change some passwords, but the server is
>> in a datacenter and I don't really have the time to go there and fix it.
>> I'm looking for a remote solution.
> I guess you don't have any out-of-band access to the machine, then. You
> may be stuck with having to go to it physically, then.
Yes, I have been there the day before yesterday, the same day I screwed it
up. I logged in as root and didn't even get a password prompt. It was
obviously reset to the default password database. I fixed the logins by
copying the backups I made of /etc/pwd.db and /etc/spwd.db back.
Everything returned to normal. It reminded me that freebsd-update had told
me it wanted to change things in both those files, but since they're
binary it didn't show me a diff. My error thus was that I logged out as
root before restoring those. Very nasty, having to drive to the datacenter
(about 100km from my home) just to copy two files. But now I know for sure
this won't happen to me again :)
I do find it strange though, that freebsd-update replaced those files,
even though it tells you it's going to change them.
What is the proper way to handle this? Can I run a command after the
update finishes that regenerates the account databases from the
master.passwd? I checked the history and *I* never touched it during the
update, so it was merged like it should.
>> It's probably not much help but there's one jail running on it that's
>> still working fine. I can log in and su on that one, but I don't know if
>> can use it to repair the main system.
> I sure hope that won't help. That would defeat the point of jails,
> wouldn't it? ;-)
Yes indeed ;)
Thanks for the explanations. I still have a lot to learn of FreeBSD,
having been a Slackware Linux user for about 7 years, I've started my
first FreeBSD server about a year ago. So far I like it very much. Keeping
the whole system updated with freebsd-update and the whole ports system is
just a breeze.
Sometimes like this things get screwed up, but the same has happened to me
several times with Linux, so no hard feelings :)
> Lowell Gilbert, embedded/networking software engineer, Boston area
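
An added example, not part of the original thread: a pre-logout check for the situation discussed above, comparing a saved copy of master.passwd with the current one and flagging accounts that would log in without a password prompt. The file names, account names and hashes are constructed samples; `pwd_mkdb -p` is the FreeBSD command that regenerates /etc/pwd.db, /etc/spwd.db and /etc/passwd from master.passwd.

```shell
#!/bin/sh
# Added example: sanity-check master.passwd before closing the last root shell.

# Accounts with an empty password field (field 2 of 10): no password prompt.
empty_password_accounts() {
    awk -F: '!/^#/ && NF >= 10 && $2 == "" { print $1 }' "$1"
}

# Accounts in the saved copy ($1) that are absent from the current file ($2).
missing_accounts() {
    awk -F: -v cur="$2" '
        BEGIN {
            while ((getline line < cur) > 0)
                if (line !~ /^#/ && split(line, f, ":") > 1) seen[f[1]] = 1
        }
        !/^#/ && NF > 1 && !($1 in seen) { print $1 }' "$1"
}

# Return 0 only when no account was lost and none has an empty password.
safe_to_log_out() {
    lost=$(missing_accounts "$1" "$2")
    open=$(empty_password_accounts "$2")
    [ -z "$lost" ] || echo "missing after update: $lost" >&2
    [ -z "$open" ] || echo "empty password: $open" >&2
    [ -z "$lost" ] && [ -z "$open" ]
}

# Regenerate pwd.db, spwd.db and (with -p) /etc/passwd from master.passwd.
# FreeBSD only; run as root.
rebuild_pwdb() {
    pwd_mkdb -p "${1:-/etc/master.passwd}"
}

# Constructed sample files: a saved copy and a file reset to built-in accounts.
write_samples() {
    cat > "$1/saved" <<'EOF'
# constructed sample
root:$1$CONSTRUCTED:0:0::0:0:Charlie &:/root:/bin/csh
bertjan:$1$CONSTRUCTED:1001:1001::0:0:Sample user:/home/bertjan:/bin/sh
EOF
    cat > "$1/reset" <<'EOF'
root::0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}
```

On a real system the saved copy would be one taken before the update (backups are kept in /var/backup, as noted in the thread), and `rebuild_pwdb` would be run before the check passes and the root session is closed.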