Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-1952: ypcat returns !! in the password field for users instead of password hash

Authentication Service ,  

12 April,16 at 11:12 AM

Applies to: All versions of Centrify DirectControl

Centrify NIS users are unable to login as their accounts are showing "disabled" when adquery command is run. The command ypmatch or ypcat password returns "!!" in the password field for user accounts instead of password hash. Is there any reason?

There are several reasons but in this case, it can happen if the version of Centrify DirectControl (adinfo -v) does not match the version of Centrify NIS server adnisd (adnisd -v). When the script (or native OS commands) is run to upgrade Centrify agent, it is highly recommeded that customers should upgrade the adnisd component as well to avoid issues like this.

Additional info:
When implementing adnisd, the initial password hash is only generated when the user changes his password. Customer should force users to change their password at the next logon to get the password set at the earliest opportunity. Client authentication requests may fail for users who do not have a password hash available. If the password hash field in the passwd.byname or passwd.byuid map displays a single exclamation point (!), it indicates that the user’s password hash has not been set.

If a user account is new, disabled, locked, requires a password change, or is not enabled for a zone, the Centrify Suite NIS server sets the user’s hash field to “!”

Depending on the OS, the following are some of the codes ypcat or ypmatch returns. As always, customers should contact support to run additional commands. 

1) If it is <blank> then there is no password set.

2) If it is !!, it means the "Account disabled"

3) If it is ! or x, customer should look in /etc/shadow