Updated on 2024-11-29 GMT+08:00

Internal an Internal System User

Scenario

If the service is abnormal, the internal user of the system may be locked. Unlock the user promptly, or the cluster cannot run properly. System internal users cannot be unlocked using FusionInsight Manager.

Prerequisites

You have obtained the default password of the LDAP administrator cn=root,dc=hadoop,dc=com.

Procedure

  1. Use the following method to confirm whether the internal system username is locked:

    1. OLdap port number obtaining method:
      1. Log in to FusionInsight Manager, choose System > OMS > oldap > Modify Configuration.
      2. The LDAP Listening Port parameter value is oldap port.
    2. Domain name obtaining method:
      1. Log in to FusionInsight Manager, choose System > Permission > Domain and Mutual Trust.
      2. The Local Domain parameter value is the domain name.

        For example, the domain name of the current system is 9427068F-6EFA-4833-B43E-60CB641E5B6C.COM.

    3. Run the following command on each node in the cluster as user omm to query the number of password authentication failures:

      ldapsearch -H ldaps://OMS Floating IP Address:OLdap port -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=Internal system username@Domain name,cn=Domain name,cn=krbcontainer,dc=hadoop,dc=com -w Password of LDAP administrator -e ppolicy | grep krbLoginFailedCount

      For example, run the following command to check the number of password authentication failures for user oms/manager:

      ldapsearch -H ldaps://10.5.146.118:21750 -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=oms/manager@9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=krbcontainer,dc=hadoop,dc=com -w Password of user cn=root,dc=hadoop,dc=com -e ppolicy | grep krbLoginFailedCount

      krbLoginFailedCount: 5
    4. Log in to FusionInsight Manager, choose System > Permission > Security Policy > Password Policy.
    5. Check the value of the Password Retries parameter. If the value is less than or equal to the value of krbLoginFailedCount, the user is locked.

      You can also check whether internal users are locked by viewing operations logs.

  2. Log in to the active management node as user omm and run the following command to unlock the user:

    sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName Internal system username

    Example: sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName oms/manager