Help Center > > User Guide> FusionInsight Manager Operation Guide (Applicable to 3.x)> Security Management> Account Management> Account Security Settings> Unlocking an Internal System User

Unlocking an Internal System User

Updated at: Oct 21, 2021 GMT+08:00


If the service is abnormal, the internal user of the system may be locked. Please unlock the user promptly. Otherwise, the proper running of the cluster will be affected. For the list of system internal users, see User Account List. The internal user of the system cannot be unlocked using FusionInsight Manager.


Obtain the default passwords of LDAP administrators cn=root, dc=hadoop, and dc=com based on the User Account List information list.


  1. Use the following method to confirm whether the internal system username is locked:

    1. oldap port number obtaining method:
      1. Log in to the FusionInsight Manager, select System > OMS > oldap > Modify Configuration.
      2. The LDAP Listening Port parameter value is oldap port.
    2. Query domain name obtaining method:
      1. Log in to the FusionInsight Manager, select System > Permission > Domain and Mutual Trust.
      2. The Local Domain parameter value is the domain name.

        For example, the current system domain name is 9427068F-6EFA-4833-B43E-60CB641E5B6C.COM.

    3. Run the following command on each node in the cluster as user omm to query the number of password authentication failures:

      ldapsearch -H ldaps://OMS_FLOAT_IP address:OLdap port -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=internal system username@domain name,cn=domain name,cn=krbcontainer,dc=hadoop,dc=com -w Password of LDAP administrator cn=root,dc=hadoop,dc=com -e ppolicy | grep krbLoginFailedCount

      For example, query the number of password authentication failures for user oms/manager.

      ldapsearch -H ldaps:// -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=oms/manager@9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=krbcontainer,dc=hadoop,dc=com -w cn=root,dc=hadoop,dc=com User Password -e ppolicy | grep krbLoginFailedCount

      krbLoginFailedCount: 5
    4. Log in to the FusionInsight Manager, select System > Permission > Security Policy > Password Policy.
    5. View the Number of Password Retries parameter value, if the value is smaller than or equal to krbLoginFailedCount, the user is locked.

      You can also check whether internal users are locked by viewing operations logs.

  2. Log in to active management node as user omm, run the following command to unlock the user.

    sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/ --userName internal system username

    For example,

    sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/ --userName oms/manager

Did you find this page helpful?

Submit successfully!

Thank you for your feedback. Your feedback helps make our documentation better.

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?

Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel