Last reply by 05-17-2022 Unsolved

Data Domain Security user locked

Hi guys,

I created a user with the "security role" using sysadmin; at that moment I didn't know that I can't handle it with sysadmin anymore. After some time, as the "security user" was not used, it was locked, and I'm not even sure about its password.

So the issue I'm facing is:

How to unlock this security user? Is it possible?

And if yes, how can I reset its password in case I forgot it?

Thanks in advance for the help.

Replies (4)
4 Ruthenium

I suppose you cannot even login any longer to change anything.

At this point the only solution I see is to contact Dell/EMC support.

Anonymous

Exactly, I cannot do anything related to the "security" role. I even tried using pam_tally without success (in a test environment).

Hope that support can resolve it without negative impact like reinstalling or something.

2 Bronze

Did you get this resolved? I have the same issue.

Please let me know so I can work on this.

Thank you


KB article https://www.dell.com/support/kbdoc/en-us/000039610/data-domain-security-user-is-locked-and-retention... states some of the procedures but also this note:

If the security user password is lost or forgotten and the security user is locked, the ONLY way to set a new password is through single user mode on the DDR.

Case-1: Security user account is locked because the password has expired

There are some scenarios where the security user account is locked. If the security officer account's status is shown as locked in "user show list" output, then its password has expired. The security user password expires every 90 days (by default).
Steps to set a new password for the security officer (i.e., unlock the security officer):
1. Log in as the security officer using the current password (even if it has expired).
2. The customer will be prompted to provide the password again. We will see the prompt "Current UNIX password" or "Enter current password" (based on DDOS version). Here we need to provide the current password again, i.e., the same value as in step #1.
3. The customer will now be prompted to provide the new password twice. This password must comply with the password strength policy on the DD system.
4. If the password doesn't comply with the password strength policy, the customer will see the prompt "Password:". Here, they need to provide the current expired password, and then continue with setting the new password. If a weak password (which doesn't meet the password strength policy) is provided again, the SSH session exits.
Once a new password is set for the security officer, "user show list" should display the security user's status as "enabled".

THIS IS NOT RECOMMENDED SECURITY PRACTICE!! But, to avoid the password expiration scenario, use the following commands (this example sets max. days to 99999):
#user password aging set security_user max-days-between-change 99999
#user password aging show

Case-2: Security user account is locked because of too many failed login attempts.

The security user MUST wait for the unlock-timeout, which is 120 seconds by default, to attempt to log in again. Only after the unlock-timeout will the user get a chance to enter the correct password to log in. If an incorrect password is provided after the wait, then the user needs to wait for the unlock-timeout again to get a chance to log in with the correct password. As soon as the user is able to log in with the correct password, the failed attempts count is reset to 0.
During troubleshooting, waiting for 120 seconds could be a hassle. For the duration of troubleshooting, we can configure login-unlock-timeout to "1" using the following steps:
1. Log in to the DDR in SE Mode
2. Run the following command:
#reg set config_master.services.login_unlock_timeout 1
3. Every 1 second, the user will get an opportunity to enter the correct password.
Once the user account is unlocked with the correct password, please reset login-unlock-timeout to the customer's desired value.

But if indeed you don't know the security user password, then you might really be stuck, unless you'd go for the single user mode procedure, which I'd leave up to Dell support also instead of meddling with this yourself. Also the KB articles for how to actually do that are not even accessible for all the various DD versions (for example the one for DDVE I cannot access myself, nor a few others).

But with the registry setting, by overruling the default minimal timeout to wait once the account is locked to 1 sec, you could even use a tool that would hammer the DD with a password each second trying to get to know what it might be.

The security admin is REALLY, REALLY important. We created multiple ones, but when getting rid of a DD, you cannot even delete the last remaining one (or rather not the one that was created as the first security officer user, according to some KB remarks here and there).
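To make the two lock conditions in the quoted KB text (and the concern above about lowering the unlock timeout) concrete, here is an added model of the security officer account's lock state; it is example code written for this thread, not Dell's or the DDOS implementation, and the failed-attempt threshold is an assumption since the KB does not state it.

```python
# Added example: models the two "locked" conditions the KB describes for the
# security officer account and what "user show list" would report. Defaults
# (90-day password expiry, 120 s unlock-timeout) are the values the KB quotes;
# MAX_FAILED is an assumed threshold, not stated in the KB.
from dataclasses import dataclass
from typing import Optional

DAY = 86400
PASSWORD_MAX_DAYS = 90        # KB: security user password expires every 90 days
UNLOCK_TIMEOUT_SECONDS = 120  # KB: default login-unlock-timeout
MAX_FAILED = 3                # assumed number of failures before the wait applies


@dataclass
class SecurityUser:
    password: str
    password_set_at: float               # epoch seconds of the last password change
    max_days: int = PASSWORD_MAX_DAYS
    unlock_timeout: int = UNLOCK_TIMEOUT_SECONDS
    failed_attempts: int = 0
    locked_at: Optional[float] = None    # start of the current unlock-timeout wait

    def password_expired(self, now: float) -> bool:
        return now - self.password_set_at > self.max_days * DAY

    def in_unlock_wait(self, now: float) -> bool:
        return self.locked_at is not None and now - self.locked_at < self.unlock_timeout

    def status(self, now: float) -> str:
        # Either lock condition shows as "locked" in "user show list".
        return "locked" if self.password_expired(now) or self.in_unlock_wait(now) else "enabled"

    def login(self, attempt: str, now: float) -> str:
        """Returns "ok", "change-required", "wait" or "bad-password"."""
        if self.in_unlock_wait(now):
            return "wait"                # Case 2: refused until the timeout has elapsed
        if attempt != self.password:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED:
                self.locked_at = now     # every further failure restarts the wait
            return "bad-password"
        self.failed_attempts, self.locked_at = 0, None   # KB: success resets the count
        # Case 1: an expired password still authenticates but must be changed at once
        return "change-required" if self.password_expired(now) else "ok"

    def set_password(self, new: str, now: float) -> None:
        self.password, self.password_set_at = new, now


def guesses_per_day(unlock_timeout: int) -> int:
    """Upper bound on login attempts per day once the account is in the lock cycle
    (one attempt per wait); shows why a 1 s unlock-timeout must not be left in place."""
    return DAY // unlock_timeout
```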
