# [SOLVED] Cannot login as user (after logout from root)

## GetLinux

I created a regular user account for myself, but if I logout of the root account and try to login as the user, it keeps telling me the login is incorrect.

This is how I created the account:

(The "-mk" options tell Linux to create a home directory automatically for the username, and to insert some default folders as in /etc/skel. This has nothing to do with login.)

```
useradd -c SOMECOMMENT -G wheel -mk -u 1234 -p SOMEPASSWORD SOMEUSERNAME
```

I check, and my user account is listed properly in /etc/passwd and /etc/group and the password is as I intended to type it, which I can see in /etc/shadow. However, I logout of my root account and try to log in as user, but after it prompts me for the password and I type it, it keeps saying "login incorrect"!!!

I have created and deleted this account several times, and yes, every time I deleted the account from /usr/passwd and /usr/group I did remember to run "pwconv" to make sure the entry was removed from /etc/shadow.

I even tried creating an account without the password, thinking it would prompt the user to create a password or just plain not ask for one, but if I logout of root and try to login as user it asks me for the password and won't let me create one (trying to enter a new password just brings up "login incorrect", and I see the account is listed in "/etc/shadow" with an exclamation point).

I also tried creating the account without adding it to the wheel group and without anything unnecessary at all:

```
useradd -c SOMECOMMENT -u 1234 SOMEUSERNAME
```

The problem is the same.

This is really strange!

----------

## ultraViolet

Hi,

On my Gentoo box, I don't need to use the -mk option to create the special folders from /etc/skel; it is automatic. -m is sufficient, and -k is supposed to be followed by a directory path if you don't want to use the default path. So I think your command should be:

```
useradd -c SOMECOMMENT -G wheel -m -u 1234 -p SOMEPASSWORD SOMEUSERNAME
```

Because if you don't do that, the -u will be considered as the path of your skel directory, and 1234 as your user.

The fact that your Gentoo box tells you that the password is incorrect just means that the association between pass and user is incorrect; it doesn't prove that it is the one or the other which is wrong (probably for evident security goals).

 *Quote:*   

>  man useradd :
> 
>  -m     The  user's home directory will be created if it does not exist.
> 
>               The files contained in skeleton_dir will be copied to  the  home
> ...

 

----------

## GetLinux

 *ultraViolet wrote:*   

> The fact that your Gentoo box tells you that the password is incorrect just means that the association between pass and user is incorrect

 

So what do I do? It's still not working. In /etc/shadow it associates the correct username with the correct password, so where is Gentoo messing up?

BTW, regarding the -mk vs. -m thing, I also tried it without those options at all, as shown in my previous post. Thanks for your clarity on that item though, because I did get confused about that. Still, as you know, that has nothing to do with logging in.

The default shell /bin/bash is also correctly listed in the appropriate files.

----------

## ultraViolet

It is perhaps a problem of groups. Default users are supposed to be members of the 'users' group.

You said before that you can see the association between user and password, but in my /etc/shadow, passwords are encrypted and not readable. Perhaps your useradd doesn't encrypt the password but your system tries to decrypt it for connection purposes, resulting in a failure.

Another thing could be that you have set security at too high a level?

----------

## GetLinux

 *ultraViolet wrote:*   

> It is perhaps a problem of groups. Default users are supposed to be members of the 'users' group.

 Will you actually see every username in /etc/groups after ":users:"??? Reason I ask is I thought new users are all automatically part of the "users" group (I just figured it didn't bother listing everyone).

 *ultraViolet wrote:*   

> You said before that you can see the association between user and password, but in my /etc/shadow, passwords are encrypted and not readable. Perhaps your useradd doesn't encrypt the password but your system tries to decrypt it for connection purposes, resulting in a failure.

 That must be it. How do I fix it?

 *ultraViolet wrote:*   

> Another thing could be that you have set security at too high a level?

 I haven't changed any security settings.

----------

## ultraViolet

 *GetLinux wrote:*   

> Will you actually see every username in /etc/groups after ":users:"??? Reason I ask is I thought new users are all automatically part of the "users" group (I just figured it didn't bother listing everyone).

 

From http://www.gentoo.org/doc/en/faq.xml#useradd:

 *Quote:*   

> 
> 
> The command adduser username will add a user called "username". However, this method does not give the user many of the rights you might want to grant him, so the following command is preferred:
> 
> Code Listing 3.1: Using useradd
> ...

 

So I would guess that if the Gentoo guide says that we have to specify the users group, it is probably not automatic?

 *GetLinux wrote:*   

> That must be it. How do I fix it?

 

I would guess that it is a problem of USE flags. Have you enabled "crypt pam" in your make.conf? It would probably be a good idea to post your /etc/make.conf here. Or perhaps the fact that your user is not in the users group means that the password is not encrypted? (only a hypothesis)

Did you have the crypt command on your system?

----------

## ultraViolet

Another thing: could you post your /etc/pam.d/passwd please? Mine is like that:

```
auth       include      system-auth
account    include      system-auth
password   include      system-auth
```

My /etc/pam.d/system-auth:

```
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
```

----------

## GetLinux

Re: groups

 *ultraViolet wrote:*   

> So I would guess that if the Gentoo guide says that we have to specify the users group, it is probably not automatic?

 

Per "man useradd", defaults are stored in /etc/default/useradd; you can see them by typing "useradd -D":

```
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
```

(group "100" is "users") These are the actual contents of /etc/default/useradd.

Anything you do not explicitly specify will be set to these values.

The -m flag creates a home directory if it doesn't exist, which will be "/home/username" (username appended to the default value of "HOME").

The default initial group is "100" ("users"), you only have to specify additional groups with the -G flag (such as "wheel"). In any case, the -g flag is what sets a particular user's initial group, if you want it to be different from the default. The initial group is the group whose permissions a user is running under when they log in. Even if I needed to specify the "users" group (which I don't), I would put it in the "-g" flag, not the "-G" flag. <EDIT>(I see the Gentoo docs have this different. But I am using the actual man pages.)</EDIT>

Just to make sure everything was working right, what I was asking is if /etc/group will actually show the names of all users in this group?

BTW, /etc/passwd shows that USERNAME is a member of group 100!

```
username:x:1000:100::/home/shortstuff:/bin/bash
```

Re: passwords, shadow, etc

The man pages say the -p flag is where you put "The encrypted password, as returned by crypt(3). The default is to disable the account". This seems to follow what ultraViolet said:

 *ultraViolet wrote:*   

> Perhaps your useradd doesn't encrypt the password but your system tries to decrypt it for connection purposes, resulting in a failure.

 The manual pages for "crypt" tell me nothing useful (except it seems that when a user tries to login, it prompts them for their old password, and if they can correctly enter that, they can change it). Neither the "crypt" nor "useradd" man pages specifically mention if you can create an account without a password and let the user create it instead. Nor do they mention how to encrypt a password when actually logged in as root and creating a user's account.

I'll see about the contents of those other files. But please keep in mind that "useradd" is supposed to automatically set every user's default group to "100" ("users"), and per the /etc/passwd file, it shows that this has been done.

----------

## GetLinux

Posting contents as requested.

/etc/make.conf:

```
# These settings were set by the catlyst build script that automatically built this stage
# Please consult /etc/make.conf.example for a more detailed example
CFLAGS="-02 -march=i686"
CHOST="i686-pc-linux-gnu"
CXXFLAGS="$(CFLAGS)"
#
# Lines below this point are changes I made
SYNC="rsync://namerica.gentoo.org/gentoo-portage"
GENTOO_MIRRORS="http://cudlug.cudenver.edu/gentoo http://gentoo.cs.lewisu.edu/gentoo http://gentoo.mirrors.tds.net/gentoo"
# These use flags will be considered on top of "make.defaults" files
USE="a52 acc acl audiofile canna cdr cjk clamav exif flatfile freewnn ftp imap java javscript ldap maildir mailwrapper mbox mcal milter mozilla mysql mysqli pcre portaudio scanner spl svg svga tidy tiff tokenizer unicode usb vhosts xine xpm xml xsl xvid -emboss -fortran"
```

/etc/pam.d/passwd:

```
#%PAM-1.0
auth        include         system-auth
account     include         system-auth
password    include         system-auth
```

/etc/pam.d/system-auth:

```
#%PAM-1.0
auth        required        pam_env.so
auth        sufficient      pam_unix.so likeauth nullok
auth        required        pam_deny.so
account     required        pam_unix.so
password    required        pam_cracklib.so retry=3
password    sufficient      pam_unix.so nullok md5 shadow use_authtok
password    required        pam_deny.so
session     required        pam_limits.so
session     required        pam_unix.so
```

----------

## GetLinux

(bump)

<EDIT>Refer back 2 posts ago....I think the problem is, how do I make an encrypted password when creating a user account?</EDIT>

----------

## ultraViolet

Hi,

Thanks for the notes about the users group. For the encryption, I think you have to activate the pam and crypt USE flags, and try an emerge sys-apps/shadow, which contains the useradd apps. I feel like your pam package is installed, but that your shadow is compiled without pam support...

PS: if it fails perhaps you would like to have a look at this thread:

https://forums.gentoo.org/viewtopic-t-351313-highlight-sysapps+shadow.html

----------

## GetLinux

Thank you, ultraViolet, I have an appointment, but I'll have a look later.

----------

## ultraViolet

In

https://forums.gentoo.org/viewtopic-t-89507-highlight-pam+sysapps+shadow.html

chutzpah said:

 *Quote:*   

> Here's the working /etc/pam.d/login (luckily I didn't logout, and I have access to, oh 8 or 9 other gentoo boxen)
> 
> Anyway, here it is
> ...

 

Perhaps you got problems with this file?

----------

## Monkeh

Run passwd user as root and set the password again. It should turn out encrypted. I encountered this problem once with Slackware, and that fixed it.

Also, emerge superadduser. It's a script from Slackware (and I believe Pat borrowed it from one of the BSDs) which makes adding users very quick, and very simple.

----------

## GetLinux

 *Monkeh wrote:*   

> Run passwd user as root and set the password again. It should turn out encrypted. I encountered this problem once with Slackware, and that fixed it.

 That fixed it for now!

 *Monkeh wrote:*   

> Also, emerge superadduser. It's a script from Slackware (and I believe Pat borrowed it from one of the BSDs) which makes adding users very quick, and very simple 

 Will see about that after checking on the PAM thing.

----------

## GetLinux

 *ultraViolet wrote:*   

> For the encryption, I think you have to activate pam and crypt USE flag, and try an emerge sys-apps/shadow which contains the useradd apps.

  The crypt and pam USE flags were in /usr/portage/profiles/default-linux/x86/2005.1/make.defaults, and I did not subtract them in /etc/make.conf so that should be fine. I'll re-emerge sys-apps/shadow, which appears to have worked for a few people. (There was a bug in a pam ebuild in portage.)

----------

## Monkeh

It shouldn't be anything to do with PAM.. I had the same issue in Slackware, and Pat despises PAM (in other words, Slackware does not and will never use PAM).

----------

## GetLinux

 *Azarah wrote:*   

> Hi guys, slight screwup my side - did not notice that /etc/pam.d/login
> 
> there, sorry.  Another way will be to delete it, and remerge sys-apps/shadow.

 

BE CAREFUL ABOUT THIS!!! I followed this (had a problem where creating a normal user with useradd did not encrypt the password, but shadow did, therefore user could not log in), and re-emerging sys-apps/shadow did not re-create this file. Now I can't even log onto my machine as root (it doesn't even ask me for the password, just says "incorrect login" when I type "root" at the prompt!)

Silly me for deleting a file without first testing to see if it was even necessary to do so...I could have tried "emerge sys-apps/shadow" without deleting the file and see if the problem was fixed first. Darn.

Hopefully I can solve this by chrooting with the live CD and re-creating /etc/pam.d/login.

----------

## GetLinux

 *chutzpah wrote:*   

> Here's the working /etc/pam.d/login (luckily I didn't logout, and I have access to, oh 8 or 9 other gentoo boxen)
> 
> Anyway, here it is
> ...

 

I chrooted with the Gentoo live CD and created /etc/pam.d/login using the above example instead of my old one. At least that fixed the problem I created after deleting /etc/pam.d/login where nobody could log in. I didn't have to re-create my root account or anything. Let's see if creating a new user with useradd properly encrypts the password now.

<EDIT>Nope. In spite of the new /etc/pam.d/login and the newly emerged sys-apps/shadow, I am still having the problem where the password is put into /etc/shadow in plain text.

I'll try emerging superadduser and see what happens!

----------

## GetLinux

I get this message after emerge:

```
IMPORTANT: 1 config files in /etc need updating
```

I hate how it never tells you what file needs to be updated...is it OK as is, or do I actually need to update something? (Sometimes I know you don't, really.)

----------

## GetLinux

superadduser works fine. It just prompts you to create all the fields to pass to useradd, but it obviously passes the password already encrypted, as it's supposed to. No tweaking appears to be necessary at all. User was able to log in and password was shown encrypted in /etc/shadow instead of plain text. Perfect!
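
The failure in this thread comes from `useradd -p` storing its argument verbatim in the password field of /etc/shadow, where login expects crypt(3) output. As an added example (not part of the original thread), this shell function classifies that field in shadow-format lines so plaintext entries stand out; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field (2nd field) of shadow-format lines.
# Function names and sample data are constructed for illustration.

classify_shadow() {   # usage: classify_shadow FILE -> prints "user:status" per line
    awk -F: '
    {
        pw = $2
        if (pw == "")                    s = "empty"      # no password set
        else if (pw ~ /^[!*]/)           s = "locked"     # no hash can ever match
        else if (pw ~ /^\$[0-9a-z]+\$./) s = "hashed"     # modular crypt, e.g. $1$ = MD5
        else if (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$")
                                         s = "hashed"     # traditional DES crypt
        else                             s = "NOT-A-HASH" # e.g. plaintext given to -p
        print $1 ":" s
    }' "$1"
}

plaintext_users() {   # usage: plaintext_users FILE -> names whose field is not a hash
    classify_shadow "$1" | awk -F: '$2 == "NOT-A-HASH" { print $1 }'
}

write_sample() {      # constructed sample mirroring the cases described in the thread
    cat > "$1" <<'EOF'
root:$1$constrct$0123456789abcdefghijkl:13000:0:99999:7:::
alice:SOMEPASSWORD:13000:0:99999:7:::
bob:!:13000:0:99999:7:::
carol::13000:0:99999:7:::
EOF
}

sample=$(mktemp)
write_sample "$sample"
classify_shadow "$sample"
echo "entries that will always fail login: $(plaintext_users "$sample")"
rm -f "$sample"
```

A 13-character plaintext drawn from the DES alphabet is indistinguishable from a DES hash, so "hashed" is a format check only. Running `passwd <user>` as root, as Monkeh suggests, replaces a flagged field with a real hash.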

----------

## Monkeh

It tells you how to get help on finding those files. I've had 90 odd files needing updating after major work, and displaying that at the end of an emerge would be bad.

I use this alias:

```
alias findetc="sudo find /etc -iname '._cfg????_*'"
```

And yes, that's exactly what superadduser does. It's quite a simple little thing, but it's just quicker and easier.

----------

