
Problem changing the user password on an N5230 appliance (2.6.0.2)

Juannillus
Level 4
Partner Accredited

Good morning,

The domain is an N5230 master, on version 2.6.0.2.

I have created a number of users from the CLISH

  • Manage>NetbackupCLI>Create

I have set the password to expire immediately so that the next time the users log in they are asked to change their password

  • Manage>NetbackupCLI>PasswordExpiry now username

When I log in to the appliance over SSH, it lets me log in with the password I configured initially, and then it asks me to change it. I enter the current password and the new one (twice), and the following error message appears:

 

login as: username
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Password change requested. Choose a new password.
Old Password:
Using keyboard-interactive authentication.

You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use an 8 character long
password with characters from at least 3 of these 4 classes, or
a 7 character long password containing characters from all the
classes.  An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.

A passphrase should be of at least 3 words, 12 to 40 characters
long and contain enough different characters.

Enter new password:
Using keyboard-interactive authentication.
Re-type new password:
Cannot create backup file of /etc/shadow: Permission denied
Password changed.
Last login: Tue Dec 16 11:50:29 2014 from host.domain

**********************************************************************
*** Welcome NetBackup CLI Administrator to the NetBackup Appliance ***
**********************************************************************

username@appliance:~>

Although "Password Changed" appears, the password is not changed, and I can only authenticate with the original password.

This operation fails because of the IPS. If I disable the IPS, the user can change the password without problems. The question is: how can I do this without having to disable the IPS every time I need to change the users' passwords? Is this the expected behavior, or is it a bug in this version?

 

Regards,

Juan

4 REPLIES 4

RiaanBadenhorst
Moderator
Partner    VIP    Accredited Certified

Since this sounds like a bug, I'd raise a support case. I tested it on 7.6.0.1, but that is before they started to lock down and use IPS more aggressively.

I_De_Pedro
Level 4
Employee Accredited Certified

 


How was IPS configured by default?

 

With IPS deactivated in version 2.6.0.2 it works. I've done the test in a demo environment:

 

User creation:

nb5220-01.NetBackupCLI> Create nacho
 >> Enter password:
 >> Confirm password:
name:nb5220-01:
- [Info] NetBackup CLI user 'nacho' has been created successfully.

Password expiry:

nb5220-01.NetBackupCLI> PasswordExpiry Now nacho
name:nb5220-01:
- [Info] The password of NetBackup CLI user 'nacho' has been expired.

Login via SSH:

login as: nacho
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Password change requested. Choose a new password.
Old Password:
Using keyboard-interactive authentication.

You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use an 8 character long
password with characters from at least 3 of these 4 classes, or
a 7 character long password containing characters from all the
classes.  An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.

A passphrase should be of at least 3 words, 12 to 40 characters
long and contain enough different characters.

Enter new password:
Using keyboard-interactive authentication.
Re-type new password:

Password changed.

**********************************************************************
*** Welcome NetBackup CLI Administrator to the NetBackup Appliance ***
**********************************************************************

nacho@nb5220-01:~>

Appliance version:


Thu Dec 18 06:05:22 EST 2014
=============================

Appliance Model is NetBackup Appliance 5220VM.

Appliance Version is 2.6.0.2.

Appliance is configured as master appliance.

And if IPS is in use, what happens is that it cannot use the /etc/shadow file because it does not have root permissions:

Enter new password:
Using keyboard-interactive authentication.
Re-type new password:

Cannot create backup file of /etc/shadow: Permission denied
Password changed.

Running the test in a 2.6.0.3 environment, the behavior is the same.

Reading the 2.6.0.3 release notes, you can see:

For NetBackup Appliance 2.6.0.3 the security implementation has been improved with the addition of the following features:

■ You can now configure the Active Directory server to register users and user groups with the appliance. The feature is currently available only from the NetBackup Appliance Shell Menu, using the Settings > Security > Authentication > Active Directory command.

■ You can grant the NetBackup CLI user role to users and user groups to grant them the permissions to run all the NetBackup commands through the NetBackup Appliance Shell Menu.

 

Overriding the IPS policy is not a recommended practice.
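Added example, not part of the thread or of the appliance's own tooling: because the session prints "Password changed." even when the write to /etc/shadow was denied, this sketch decides from the user's shadow entry, captured before and after the attempt, whether the change was really committed. The function names and sample entries are constructed for illustration, and it assumes that forcing expiry sets the shadow(5) last-change field to 0.

```shell
#!/bin/sh
# Added example: was a forced password change really written to /etc/shadow?
# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg = 0 means "must change password at next login".

# shadow_field ENTRY N -> prints field N of one shadow entry
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# password_change_state BEFORE AFTER
#   committed      hash differs and the entry is no longer marked expired
#   not-committed  hash identical: "Password changed." was misleading
#   inconsistent   hash differs but lastchg is still 0
password_change_state() {
    before_hash=$(shadow_field "$1" 2)
    after_hash=$(shadow_field "$2" 2)
    after_lastchg=$(shadow_field "$2" 3)
    if [ "$before_hash" = "$after_hash" ]; then
        echo not-committed
    elif [ "$after_lastchg" = "0" ]; then
        echo inconsistent
    else
        echo committed
    fi
}

# session_reports_shadow_failure TRANSCRIPT -> exit 0 if the login session
# contains the shadow backup error quoted in this thread
session_reports_shadow_failure() {
    printf '%s\n' "$1" | grep -q 'Cannot create backup file of /etc/shadow'
}

# Constructed sample entries (placeholder hashes, not real ones).
BEFORE='username:$6$constructed$OLDHASHPLACEHOLDER:0:0:99999:7:::'
AFTER_BLOCKED='username:$6$constructed$OLDHASHPLACEHOLDER:0:0:99999:7:::'
AFTER_OK='username:$6$constructed$NEWHASHPLACEHOLDER:16420:0:99999:7:::'

# Constructed transcript fragment using the two lines from the failing session.
SESSION='Re-type new password:
Cannot create backup file of /etc/shadow: Permission denied
Password changed.'

if session_reports_shadow_failure "$SESSION"; then
    echo "session shows shadow write error; entry state:" \
         "$(password_change_state "$BEFORE" "$AFTER_BLOCKED")"
fi
```

On a real system the two entries would be captured by an account allowed to read the shadow database, for example with `getent shadow username`, once before and once after the user's login.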

 

Juannillus
Level 4
Partner Accredited

Hi Ignacio,

by default IPS comes enabled in this version.

 

I_De_Pedro
Level 4
Employee Accredited Certified

Juan,

I'm checking internally; because of the time of year, the answer may take a little while.