Unlocking an Internal System User
Scenario
If a service is abnormal, an internal system user may be locked. Unlock the user promptly; otherwise, the cluster cannot run properly. For the list of internal system users, see User Account List in . Internal system users cannot be unlocked using FusionInsight Manager.
Prerequisites
Obtain the default password of the LDAP administrator cn=root,dc=hadoop,dc=com by referring to User Account List in .
Procedure
- Confirm whether the internal system user is locked:
  - Obtain the OLdap port number:
    - Log in to FusionInsight Manager, choose .
    - The value of the LDAP Listening Port parameter is the OLdap port number.
  - Obtain the domain name:
    - Log in to FusionInsight Manager, choose System > Permission > Domain and Mutual Trust.
    - The value of the Local Domain parameter is the domain name.
      For example, the domain name of the current system is 9427068F-6EFA-4833-B43E-60CB641E5B6C.COM.
  - Run the following command on each node in the cluster as user omm to query the number of password authentication failures:
    ldapsearch -H ldaps://OMS Floating IP Address:OLdap port -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=Internal system username@Domain name,cn=Domain name,cn=krbcontainer,dc=hadoop,dc=com -w Password of LDAP administrator -e ppolicy | grep krbLoginFailedCount
    For example, run the following command to check the number of password authentication failures for user oms/manager:
    ldapsearch -H ldaps://10.5.146.118:21750 -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=oms/manager@9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=krbcontainer,dc=hadoop,dc=com -w Password of user cn=root,dc=hadoop,dc=com -e ppolicy | grep krbLoginFailedCount
    krbLoginFailedCount: 5
  - Log in to FusionInsight Manager, choose System > Permission > Security Policy > Password Policy.
  - Check the value of the Password Retries parameter. If the value is less than or equal to the value of krbLoginFailedCount, the user is locked.
    You can also check whether internal users are locked by viewing operations logs.
- Log in to the active management node as user omm and run the following command to unlock the user:
  sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName Internal system username
  Example:
  sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName oms/manager
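The lock check from this procedure as an added example (not part of the product documentation): it applies the rule "Password Retries less than or equal to krbLoginFailedCount" to ldapsearch output, and runs the same query with the LDAP administrator password read from a file through the OpenLDAP client's -y option instead of -w, which keeps it out of the process list and shell history. The function names, the password-file approach, and the EXAMPLE.COM sample entry are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Constructed sample of "ldapsearch -LLL" output for one principal.
SAMPLE_LDIF='dn: krbPrincipalName=oms/manager@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=hadoop,dc=com
krbLoginFailedCount: 5'

# failed_count: read LDIF on stdin, print the krbLoginFailedCount value.
# Prints 0 when the attribute is absent (assumed: no failures recorded).
failed_count() {
    awk -F': *' 'tolower($1) == "krbloginfailedcount" { n = $2 }
                 END { print n + 0 }'
}

# is_locked LDIF PASSWORD_RETRIES
# Exit status 0 when Password Retries <= krbLoginFailedCount (user is locked).
is_locked() (
    count=$(printf '%s\n' "$1" | failed_count)
    [ "$2" -le "$count" ]
)

# query_principal OMS_IP OLDAP_PORT USER DOMAIN PASSWORD_FILE
# Same query as the documented command, but the bind password comes from
# PASSWORD_FILE via -y. The file must hold the password with no trailing
# newline and should be readable only by omm (chmod 600).
query_principal() (
    ldapsearch -H "ldaps://$1:$2" -LLL -x \
        -D cn=root,dc=hadoop,dc=com -y "$5" \
        -b "krbPrincipalName=$3@$4,cn=$4,cn=krbcontainer,dc=hadoop,dc=com" \
        -e ppolicy
)

# check_user OMS_IP OLDAP_PORT USER DOMAIN PASSWORD_FILE PASSWORD_RETRIES
# Prints the verdict for one internal system user.
check_user() (
    ldif=$(query_principal "$1" "$2" "$3" "$4" "$5") || exit 2
    if is_locked "$ldif" "$6"; then
        echo "$3: locked"
    else
        echo "$3: not locked"
    fi
)
```

Take the PASSWORD_RETRIES argument from the Password Retries parameter on the Password Policy page, and remove the password file once the check is done.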