Unlocking an Internal System User
Scenario
If a service is abnormal, an internal system user may be locked (the procedure below treats a user as locked once its count of failed password authentications reaches the configured retry limit). Unlock the user promptly; otherwise normal operation of the cluster is affected. For the list of internal system users, see User Information Overview. Internal system users cannot be unlocked through FusionInsight Manager; the command-line steps below must be used.
Prerequisites
Obtain the password of the LDAP administrator cn=root,dc=hadoop,dc=com (a single DN, not three separate accounts). The default value is listed in User Information Overview; if it has been changed since installation, use the current one.
Procedure
- Confirm whether the internal system user is locked. Two values are needed first:
- To obtain the oldap port number:
- Log in to FusionInsight Manager and choose System > OMS > oldap > Modify Configuration.
- The value of LDAP Listening Port is the oldap port.
- To obtain the domain name:
- Log in to FusionInsight Manager and choose System > Permission > Domain and Mutual Trust.
- The value of Local Domain is the domain name.
For example, the current system domain name is 9427068F-6EFA-4833-B43E-60CB641E5B6C.COM.
- Run the following command on each node in the cluster as user omm to query the number of failed password authentications. Replace the placeholders in angle brackets with the values obtained above; the search base is the Kerberos principal entry of the user in the local domain.
ldapsearch -H ldaps://<OMS float IP>:<oldap port> -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=<internal system username>@<domain name>,cn=<domain name>,cn=krbcontainer,dc=hadoop,dc=com -w <password of cn=root,dc=hadoop,dc=com> -e ppolicy | grep krbLoginFailedCount
For example, to query the number of failed password authentications for user oms/manager:
ldapsearch -H ldaps://10.5.146.118:21750 -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=oms/manager@9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=krbcontainer,dc=hadoop,dc=com -w LdapChangeMe@123 -e ppolicy | grep krbLoginFailedCount
krbLoginFailedCount: 5
Note that -w puts the LDAP administrator password on the command line, where it is visible in the shell history and in the process list of the node for the duration of the query. On a node shared with other administrators, prefer -W (interactive prompt) or -y <file> with a password file readable only by user omm.
- Log in to FusionInsight Manager and choose System > Permission > Security Policy > Password Policy.
- Check the value of Number of Password Retries. If krbLoginFailedCount is greater than or equal to this value, the user is locked. In the example above, krbLoginFailedCount is 5, so the user is locked if Number of Password Retries is 5 or less.
You can also check whether internal users are locked by viewing the operation logs in FusionInsight Manager.
- Log in to the active management node as user omm and run the following command to unlock the user:
sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName internal system username
For example,
sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName oms/manager
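The following shell script is an added example that wraps the three steps of this procedure (query krbLoginFailedCount, compare it with Number of Password Retries, unlock when the limit is reached); it is not part of the FusionInsight documentation or of the product. It assumes the domain name EXAMPLE.COM, a retry limit of 5 copied from Manager, an LDAP administrator password stored in a file readable only by user omm, and a constructed ldapsearch response; the query and unlock functions are only invoked on a real cluster.

```shell
#!/bin/bash
# Added example for this page; not part of the FusionInsight documentation.
# Assumptions: domain EXAMPLE.COM, OMS float IP and oldap port supplied as
# arguments, LDAP admin password kept in a file readable only by omm.

# Parse krbLoginFailedCount out of ldapsearch -LLL output read on stdin.
# Prints 0 when the attribute is absent (no recorded failures).
krb_failed_count() {
  awk -F': ' '$1 == "krbLoginFailedCount" { n = $2 } END { print (n == "" ? 0 : n) + 0 }'
}

# Lock rule from the procedure: the user is locked once the failure count
# has reached the Number of Password Retries value configured in Manager.
# Arguments: failed count, retry limit.
is_locked() {
  [ "$1" -ge "$2" ]
}

# Query the Kerberos principal entry of one internal user. The password is
# read from a file with -y instead of -w so that it never appears in the
# process list or in the shell history of the node.
query_failed_count() {
  local user="$1" domain="$2" oms_float_ip="$3" oldap_port="$4" pwfile="$5"
  local base="krbPrincipalName=${user}@${domain},cn=${domain},cn=krbcontainer,dc=hadoop,dc=com"
  ldapsearch -H "ldaps://${oms_float_ip}:${oldap_port}" -LLL -x \
    -D cn=root,dc=hadoop,dc=com -y "$pwfile" -e ppolicy -b "$base" \
    | krb_failed_count
}

# Unlock on the active management node, using the script path given in
# the procedure above.
unlock_user() {
  sh "${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh" --userName "$1"
}

# Print the decision for one user. Arguments: user, failed count, retry
# limit. Returns 0 when the user is locked, 1 otherwise.
check_and_report() {
  local user="$1" failed="$2" limit="$3"
  if is_locked "$failed" "$limit"; then
    printf '%s: krbLoginFailedCount=%s >= retries=%s, locked\n' "$user" "$failed" "$limit"
    return 0
  fi
  printf '%s: krbLoginFailedCount=%s < retries=%s, not locked\n' "$user" "$failed" "$limit"
  return 1
}

# Constructed sample of the ldapsearch response for a user that has failed
# authentication five times (not captured from a real cluster).
SAMPLE_OUTPUT='dn: krbPrincipalName=oms/manager@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=hadoop,dc=com
krbPrincipalName: oms/manager@EXAMPLE.COM
krbLoginFailedCount: 5'

# Stand-alone run over the constructed sample with an assumed retry limit
# of 5. On a cluster, replace the sample with query_failed_count and call
# unlock_user when check_and_report returns 0.
failed=$(printf '%s\n' "$SAMPLE_OUTPUT" | krb_failed_count)
check_and_report oms/manager "$failed" 5 || true
```

On a real cluster the decision line would be followed by `unlock_user oms/manager` on the active management node; the comparison is deliberately kept in a separate function so the threshold from Manager is the only thing that decides whether the unlock script is run.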