Recently I was asked by Avamar support to gather some data for a possible storage expansion. One of the first CLI commands they needed me to run was “mccli group show –recursive”. This command will list all of Avamar’s current backup groups that have been configured on the Avamar. The problem I ran into was I received this error when I ran the command.
admin@avamar:~/>: mccli group show --recursive
1,22801,User login failure.I then ran a modified version of the same command and received the reason for the failure.
admin@avamar:~/>: mccli group show
1,22801,User login failure.
Attribute Value
--------- --------------------
reason Locked user account. So we have a locked user account and from my experience this is usually the MCUser account, but we need to validate this. Let’s look at the logs to find the correct account by running the “grep locked /usr/local/avamar/var/mc/server_log/mcserver.log.0” command.
admin@avamar:~/>: grep locked /usr/local/avamar/var/mc/server_log/mcserver.log.0
WARNING: The user MCUser@/ is locked. Product MCCLI
FINE: query = insert into events (date_time, code, eid, source, data, ts, category, type, severity, swSource, summary, remedy, notes, description, audience, domain ) values ('2022-11-04 16:02:48.782+00',22803,884057,'<event-source NodeID="avamar.domain.local" ProgramName="com.avamar.mc.security.mgmt.LoginManager" ddr-id="" ddr-name="" gsan-version="19.2.0-155" hardware-id="UNKNOWN" source-hardware-id="UNKNOWN"/>','<data><entry key="requestor" type="xml" value="&lt;requestor domain=&quot;/&quot; host=&quot;10.20.30.40&quot; product=&quot;MCCLI&quot; role=&quot;Unknown&quot; user=&quot;MCUser&quot;/&gt;" version=""/></data>',1667577768782,'SECURITY','AUDIT','USER','MCS:AvmgrLoginModule::USER::LOGON','The user account was locked.',NULL,NULL,NULL,NULL,'/')
WARNING: The user MCUser@/ is locked. Product avamar We now see that the log points to “WARNING: The user MCUser@/ is locked“.
Resolution
Because we now know precisely what account is locked, let’s open a CLI Putty session and unlock this account. We will need to elevate to root with the “su –” command, type in the root password and then issue the “change-passwords” command. We will type “y” for yes and hit enter.
admin@avamar:~/>: su --
Password:
root@avamar:/home/admin/#: change-passwords
[change-passwords version 2.1]
Identity added: /root/.ssh/rootid (/root/.ssh/rootid)
Identity added: /root/.ssh/rootid (/root/.ssh/rootid)
Do you wish to specify one or more additional SSH passphrase-less
private keys that are authorized for root operations?
Answer n(o) here unless there are known inconsistencies in
~root/.ssh/authorized_keys files among the various nodes.
Note that the following key will be used automatically (i.e., there is
no need to re-specify it here):
/root/.ssh/rootid
y(es), n(o), h(elp), q(uit/exit): yThe output of the yes above brings us to this:
--------------------------------------------------------
Please enter a list of paths to SSH private keys,
one per line. These keys should be passphrase-less.
Tilde references are permitted in the paths.
Example: ~/.ssh/dpnid.orig
Press Enter or Return after each response.
An empty response (a blank line) ends the list.
[00] Here you will not enter any information and just click enter. It will ask if this was intended and we type “y” and the enter.
You entered nothing.
Is that what you intended?
y(es), n(o), q(uit/exit): yWe then receive the following output and we are asked, “Change OS (login) passwords?” which we enter “n” and then press enter.
--------------------------------------------------------
The following is a test of OS root authorization with the currently
loaded SSH key(s).
If the authorization test fails, then you might be missing an
appropriate private key, e.g., rootid or dpnid.
-> In that event, re-run this program and, when prompted,
specify as many SSH private key files as are necessary
in order to complete root operations.
Starting root authorization test with 600 second timeout...
End of root authorization test.
--------------------------------------------------------
Change OS (login) passwords?
y(es), n(o), q(uit/exit): nWe enter “n” to the SSH Keys and click enter.
--------------------------------------------------------
Generate new SSH keys?
y(es), n(o), h(elp), q(uit/exit): nWe enter “y” for “Change Avamar Server passwords?” and press enter.
--------------------------------------------------------
Change Avamar Server passwords?
y(es), n(o), q(uit/exit): y
Enter the root password.
--------------------------------------------------------
Please enter the CURRENT server password for "root"
(Entering an empty (blank) line twice quits/exits.)
> We enter “y” for Change Avamar Server password for “MCUser”?
Checking Avamar Server root password (1200 second timeout)...
Avamar Server current root password accepted.
--------------------------------------------------------
Change Avamar Server password for "MCUser"?
y(es), n(o), q(uit/exit): yYou can either add a new password of use the existing password, but you must enter it twice. It will then prompt to “Change Avamar Server password for “root”?”, “repluser”, and the “viewuser” password all with a “n” response.
Please enter a new Avamar Server password for user "MCUser".
(Entering an empty (blank) line twice quits/exits.)
>
Enter the same Avamar Server password again.
(Entering an empty (blank) line twice quits/exits.)
>
Accepted Avamar Server password for "MCUser".
--------------------------------------------------------
Change Avamar Server password for "root"?
y(es), n(o), q(uit/exit): n
--------------------------------------------------------
Change Avamar Server password for "repluser"?
y(es), n(o), q(uit/exit): n
--------------------------------------------------------
Change the viewuser password?
y(es), n(o), h(elp), q(uit/exit): n
We are now prompt with, “Do you wish to proceed with your changes of the selected node?” where we answer “y” and the Avamar will make the changes permanent.
--------------------------------------------------------
Do you wish to proceed with your changes on the selected node?
Answering y(es) will proceed to make changes.
Answering n(o) or q(uit) will not proceed.
y(es), n(o), q(uit/exit): y
Changing Avamar Server passwords...
Suspending maintenance cron jobs
Checking Administrator Server status...
Stopping Administrator Server...
Starting process of updating Administrator and Enterprise Manager configurations...
Running script to update Administrator and Enterprise Manager configurations on node 0.s...
[Logging to /usr/local/avamar/var/change-passwords.log...]
Done with updating Administrator configuration on node 0.s...
Starting process of updating mccli configuration files...
Running script to update mccli configuration files on node set "0.0"...
[Logging to /usr/local/avamar/var/change-passwords.log...]
Done with updating mccli configuration files on node 0.0...
Checking Administrator Server status...
Starting Administrator Server...
[sudo] password for admin:
WC^H^HResuming maintenance cron jobs
--------------------------------------------------------
Done.
NOTES:
- If mccli (the Administrator command line interface)
is used from any remote user accounts, then please update
the password in each remote account's copy of the mccli
preferences/configuration file, typically
~USER/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml.
- Please be sure to resume schedules via the
Administrator GUI or via 'dpnctl start sched'.
root@avamar:/home/admin/#:If we repeat the command given by support we see that the command now succeeds.
admin@avamar:~/>: mccli group show
0,23000,CLI command completed successfully.
Group Domain Type Auto Proxy Mapping Rule Rule Enabled
----------------------------- ------ ----------- ------------------ ---------- ------------
Non-DB / Normal true Empty Rule false
DB-OS / Normal true Empty Rule false
Default Group / Normal false Empty Rule false
Default Proxy Group / Normal false Empty Rule false
Default Virtual Machine Group / Normal false Empty Rule false
DB-Drive_Monthly / Normal true Empty Rule false
Report-Server / Normal true Empty Rule false
Rep-Server1 / Replication false Empty Rule false
Rep-Server2 / Replication false Empty Rule false
admin@avamar:~/>: As always let me know what you think by dropping a comment below.
