Updated on 2022-08-12 GMT+08:00

Unlocking an Internal System User

Scenario

If the service is abnormal, the internal user of the system may be locked. Please unlock the user promptly. Otherwise, the proper running of the cluster will be affected. For the list of system internal users, see User Account List. The internal user of the system cannot be unlocked using FusionInsight Manager.

Prerequisites

Obtain the default passwords of LDAP administrators cn=root, dc=hadoop, and dc=com based on the User Account List information list.

Procedure

  1. Use the following method to confirm whether the internal system username is locked:

    1. oldap port number obtaining method:
      1. Log in to the FusionInsight Manager, select System > OMS > oldap > Modify Configuration.
      2. The LDAP Listening Port parameter value is oldap port.
    2. Query domain name obtaining method:
      1. Log in to the FusionInsight Manager, select System > Permission > Domain and Mutual Trust.
      2. The Local Domain parameter value is the domain name.

        For example, the current system domain name is 9427068F-6EFA-4833-B43E-60CB641E5B6C.COM.

    3. Run the following command on each node in the cluster as user omm to query the number of password authentication failures:

      ldapsearch -H ldaps://OMS_FLOAT_IP address:OLdap port -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=internal system username@domain name,cn=domain name,cn=krbcontainer,dc=hadoop,dc=com -w Password of LDAP administrator cn=root,dc=hadoop,dc=com -e ppolicy | grep krbLoginFailedCount

      For example, query the number of password authentication failures for user oms/manager.

      ldapsearch -H ldaps://10.5.146.118:21750 -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=oms/manager@9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=krbcontainer,dc=hadoop,dc=com -w cn=root,dc=hadoop,dc=com User Password -e ppolicy | grep krbLoginFailedCount

      krbLoginFailedCount: 5
    4. Log in to the FusionInsight Manager, select System > Permission > Security Policy > Password Policy.
    5. View the Number of Password Retries parameter value, if the value is smaller than or equal to krbLoginFailedCount, the user is locked.

      You can also check whether internal users are locked by viewing operations logs.

  2. Log in to active management node as user omm, run the following command to unlock the user.

    sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName internal system username

    For example,

    sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName oms/manager