ERROR: Failed to update USER USER1 (10023) Cannot add/update/delete an untouchable user (5122)
search cancel

ERROR: Failed to update USER USER1 (10023) Cannot add/update/delete an untouchable user (5122)

book

Article ID: 52644

calendar_today

Updated On:

Products

CA Privileged Access Manager - Server Control (PAMSC) CA Privileged Identity Management Endpoint (PIM) CA Virtual Privilege Manager CA Privileged Access Manager (PAM)

Issue/Introduction

When trying to update root's or other system user's passwords on all machines configured to our master PMD, some remote nodes fail to update the password with the error "ERROR: Failed to update USER USER1 (10023) Cannot add/update/delete an untouchable user (5122). Many other account passwords are updated appropriately.

 

 

Cause

An untouchable user is considered any system user that has a UID or GID not found within the allowed range defined in the seos.ini and seos service will not modify these users.

 

Default range is

AllowedUidRange = 100, 30000

AllowedGidRange = 100, 30000

Resolution

Edit the seos.ini on the specific endpoint to increase the range of UID/GID that seos services can administrator using one of the following methods.

 

The following two tokens can be updated to include root user UID "0" using a "-1" as the starting value.

Modify the seos.ini directly 

   [passwd]

   AllowedUidRange = -1,30000
   AllowedGidRange = -1,30000

 

To update the seos.ini without stopping seos services

   $SEOSDIR/bin/seini -s passwd.AllowedUidRange -1,30000
   $SEOSDIR/bin/seini -s passwd.AllowedGidRange -1,30000

 

The following rules can be added to be pushed to all endpoints in the PMD structure

   env config; er config seos.ini section(passwd) token(AllowedzUidRange) value("-1,30000")

   env config; er config seos.ini section(passwd) token(AllowedGidRange) value("-1,30000")

 

 

 

Additional Information

As documented in the product manuals, the applied lower limit for any number is +1 of the specified lower limit. For example, if AllowedGidRange = 100, 30000, then 101 is treated as the lower limit.