AIX

AIX

Connect with fellow AIX users and experts to gain knowledge, share insights, and solve problems.

 View Only

  • 1.  3004-503 Cannot set process credentials?

    Posted Thu April 19, 2007 01:04 PM

    Originally posted by: SystemAdmin


    I'm in a process of migrating users from an old aix 4.3.2 microchannel system
    to a modern aix 5.3 platform. (oslevel -s returns 5300-05-06)

    Here are my findings and I am looking for some help:
    One of the groups in /etc/group has 2101 users in it.
    I've read a single group can hold a maximum of 2000 members and
    also found a definition in /usr/include/grp.h

    Having more than 2000 members in the old system didn't cause problems.
    Having more than 2000 members in the new system prevents anyone in that
    group from logging in. Cannot even "su - username" from root account.

    "su - username" fails with error:
    3004-503 Cannot set process credentials.

    Telnetting from another machine fails with error:
    3004-010 Failed setting terminal ownership and mode.
    Connection closed.

    SSH from another machine fails in similar manner:
    Connection to xxx.xxx.xxx.xxx closed by remote host.
    I did play with the /etc/group file... and the very moment
    I had 2000 users in the group, su/telnet/ssh worked fine.

    Is there a known fix available for me to raise the cap from 2000?

    Thanks,
    I.A.M.


  • 2.  Re: 3004-503 Cannot set process credentials?

    Posted Thu April 19, 2007 04:51 PM

    Originally posted by: SystemAdmin


    Why doesn't "grpck" point out groups with more than 2000 users in them
    since that kind of configuration does not work?

    "usrck -y ALL" locked all 2101 accounts - time to import the files again.

    I.A.M.


  • 3.  Re: 3004-503 Cannot set process credentials?

    Posted Mon April 23, 2007 10:24 AM

    Originally posted by: SystemAdmin


    I don't know of a fix for this, but I've seen people create a second group with the same GID and add the users that are over 2000 to this group.


  • 4.  Re: 3004-503 Cannot set process credentials?

    Posted Mon April 23, 2007 01:27 PM

    Originally posted by: SystemAdmin


    Duplicate GID might just work... However, it does make "grpck" to complain:
    3001-229 Group id "250" for group "telerep" is not unique.
    3001-229 Group id "250" for group "telerep1" is not unique.

    but most importantly "grpck -y ALL" will not attempt to fix it,
    which means nobody can break it accidentally.

    I'll have to analyze and test, maybe it is an acceptable workaround.

    Appreciate it,
    I.A.M.

    Watching 6 MCSEs around an AIX box looks a lot like the opening scenes of 2001:Space Odyssey and the monkeys with the monolith.


  • 5.  Re: 3004-503 Cannot set process credentials?

    Posted Fri November 11, 2011 06:34 AM

    Originally posted by: shwetsonly


    I faced the same issue. But for me the reason was somehow the primary group for the user was not set. I set it again then su to the user worked.


Related Content