Data Domain: How to Reset Sysadmin or Security Officer Password

Data Domain sysadmin or Security Officer (Secoff | SO) accounts requiring a password reset no longer require Tech Support intervention. 

• This method of password reset does not apply to DDVE and DDMC; for those, contact Tech Support.
• The DD3300 model doesn't support this method either as it is a DDVE system.
• DO NOT reset passwords on a DD Highly Available (HA) system in a DEGRADED state.
• Sysadmin and SecOff accounts cannot be reset using the Web-UI (DD System Manager)

Prerequisites:

• DDOS version 7.10.1.40 | 7.13.1.10 | 8.3.x… (or newer)
• SSH or Serial Console access
• Preset recovery email address (# user recovery-email set <email address>)
• USB-Drive (Any Size: Formatted as FAT32, ext2, ext3, ext4, MSDOS, or iso9660)
• Physical access to the Data domain to insert the USB-Drive

Password Reset Procedure:

1. After 3x failed login attempts using CLI (SSH or Serial Console), the system will display an error: "Too many authentication failures" and the session is disconnected.

ssh -l sysadmin datadomain
(sysadmin@datadomain) Password: <attempt1>
(sysadmin@datadomain) Password: <attempt2>
(sysadmin@datadomain) Password: <attempt3>
Received disconnect from <IP> port 22: Too many authentication failures
Disconnected from <IP>

2. Immediately RE-ESTABLISH the CLI connection, and the 'reset password' prompt appears; Enter 'Yes' to reset the password when prompted.

# ssh -l sysadmin <datadomain>
Data Domain OS
(sysadmin@datadomain) Do you want to reset password [ yes | no ] ? yes
Password reset token is sent to registered email address: <s****e@somewhere.com>

3. An email containing a token file <recovery_token.txt> is sent to the 'recovery email' account.
4. Copy the <recovery_token.txt> file in the email to a USB drive, ensuring the filename remains unchanged. Supported filesystems for USB are FAT32, ext2, ext3, ext4, MSDOS, and iso9660.
5. Insert the USB drive into any available USB port on the affected PowerProtect DD System.
6. Log in as sysadmin or security officer to access the PowerProtect DD CLI and follow the prompts to reset the sysadmin or security officer password.

# ssh -l sysadmin <datadomain>
Data Domain OS
Do you want to reset password [ yes | no] ? yes   
USB drive with valid token is found.   (**)
Enter new password:
Re-enter new password:
sysadmin password changed successfully.
Please remove USB with token.

(**) If a USB-Drive is NOT inserted (or has an invalid token) then a new Token gets generated by the recovery script (as seen in Step 2.)

References and Supplemental content:

• DDOS Admin or Command Reference Guides - Dell PowerProtect Data Domain Info Hub
• Data Domain: Connecting to the Data Domain System with a Serial Cable

The feature must have been configured BEFORE the password was lost or forgotten, using the command:

# user recovery-email set <email id>

To check if a recovery account is configured: 
# user recovery-email show
Password recovery email address for sysadmin is: someone@somewhere.com