VMware vCenter Server Appliance 5.5 root password lockout issue

 Symptoms

  • Unable to log in to the root account for the VMware vCenter Server Appliance (vCSA).

  • The root account for the vCSA is locked.

Purpose

This article provides information on preventing the forced lockout of the root account and on unlocking a locked root account.    

Cause

The vCSA 5.5 release enforces local account password expiration after 90 days by default. This policy locks out the root account when the password expiration date is reached.    

Resolution

This behavior affects vCenter Server Appliance 5.5.    
   
    Note: As of vCenter Server appliance 5.5 Update 1, the password will expire after 90 days. After that time, the user will be able to log in through the console to change the password for the expired user.    
   
   

Prevent forced lockout when the root account is still active

If the root account is still accessible through the vCSA console or via the secure shell (SSH), you can prevent this issue from occurring by modifying the /etc/cron.daily/pass-expiration script.
   
To prevent the forced lockout when the root account is still active:    
   
   

  1. Log in to the vCSA as the root user.

  2. Open the /etc/cron.daily/pass-expiration script in a text editor.

  3. Delete these commands:

    # disable the password if it's time and not already done.
    # don't rely on the pam account facility. prepend an x in the shadow file.
    if [ $TODAY -ge $DEADLINE ] && ! grep -q 'root:x' $SHADOW; then
    sed -e 's/^root:\(.*\)/root:x\1/' $SHADOW -i
    fi

  4. Enter these commands to replace the forced lockout with a forced password change:

    # force a password change for root if we've reached the password expiration date.
    # pam.unix2 doesn't do this the way we would like, so we do this instead.
    if [ $TODAY -ge $DEADLINE ]; then
        chage -d 0 root
    fi


  5. Save and close the file.
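To confirm which behaviour an appliance will show, the following added example (not part of the original article or of VMware's script) classifies a root entry from /etc/shadow and checks whether the cron script still contains the lockout `sed`. The function names `root_state` and `script_forces_lockout` are hypothetical, the sample entries are constructed, and the deadline is assumed to be the last-change day plus the maximum age from the shadow fields, since the script's own `$DEADLINE` computation is not shown here.

```shell
#!/bin/sh
# Added example: classify root's shadow entry as described in this article.
# Assumption: deadline = last-change day (field 3) + max age (field 5).

# root_state <shadow_line> <today_in_days_since_epoch>
root_state() {
    line=$1
    today=$2
    pwfield=$(printf '%s\n' "$line" | cut -d: -f2)
    lastchg=$(printf '%s\n' "$line" | cut -d: -f3)
    maxage=$(printf '%s\n' "$line" | cut -d: -f5)

    case $pwfield in
        x*) echo locked; return ;;      # lockout: 'x' prepended to the hash
    esac
    if [ "$lastchg" = 0 ]; then         # state left by 'chage -d 0 root'
        echo must-change; return
    fi
    # Empty fields or a very large max age mean aging is not enforced.
    if [ -z "$lastchg" ] || [ -z "$maxage" ] || [ "$maxage" -ge 99999 ]; then
        echo no-expiry; return
    fi
    left=$(( lastchg + maxage - today ))
    if [ "$left" -le 0 ]; then echo expired; else echo "ok:$left"; fi
}

# script_forces_lockout <path>
# Succeeds if an uncommented sed line still rewrites root's shadow entry.
script_forces_lockout() {
    grep -Eq '^[[:space:]]*sed .*root:x' "$1"
}

# Constructed sample entries (not real hashes); day 16100 is an arbitrary "today".
for s in 'root:x$6$demo:16000:0:90:7:::' \
         'root:$6$demo:0:0:90:7:::' \
         'root:$6$demo:16050:0:90:7:::'; do
    printf '%s -> %s\n' "$s" "$(root_state "$s" 16100)"
done

# On an appliance (as root):
#   root_state "$(grep '^root:' /etc/shadow)" "$(( $(date +%s) / 86400 ))"
#   script_forces_lockout /etc/cron.daily/pass-expiration && echo "lockout still enabled"
```
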


   

Unlocking a locked out root account

If the root account is not accessible via the console, the secure shell, and the Virtual Appliance Management Interface (VAMI), the root account has been inactivated due to password expiration. To reactivate the root account, the vCSA must be rebooted and the kernel option modified in the GRUB bootloader to obtain a root shell.    
   
To reactivate the root account:    
   
   

  1. Reboot the vCSA using the vSphere Client.

  2. When the GRUB bootloader appears, press the spacebar to disable autoboot.

    Note: If the time between when you power on the virtual machine and when it exits the BIOS or EFI and launches the guest operating system is too short, you can adjust the delay. For more information, see Delay the Boot Sequence in the VMware vSphere 5.5 Documentation guide.



  3. Type p to access the appliance boot options.

  4. Enter the GRUB password.

    Note:

      • If the vCSA was deployed without editing the root password in the Virtual Appliance Management Interface (VAMI), the default GRUB password is vmware.

      • If the vCSA root password was reset using the VAMI, then the GRUB password is the password last set in the VAMI for the root account.

  5. Use the arrow keys to highlight VMware vCenter Server Appliance and type e to edit the boot commands.

  6. Scroll to the second line displaying the kernel boot parameters.

  7. Type e to edit the boot command.

  8. Append init=/bin/bash to the kernel boot options.

  9. Press Enter. The GRUB menu reappears.

  10. Type b to start the boot process. The system boots to a shell.

  11. Reset the root password by running the passwd root command.

  12. Restart the appliance by running the reboot command.

Important: Follow the instructions in the Prevent forced lockout when the root account is still active section of this article to prevent future root account lock out and retain password expiration functionality.

Additional Information

The vCSA allows you to establish your own password expiration and warning email policies by using the Admin tab of the Virtual Appliance Management Interface (VAMI).
   
   
By default, the password expiration on the local root account in the vCSA is set to 90 days after the password has been changed. This typically occurs at first boot. If the password is not changed on installation, there is a 90-day period before expiration.    
   
Email addresses configured in the Admin tab in the VAMI (https://IP_address:5480 or https://VAMI_host_name:5480) receive email notifications each day for seven days prior to password expiration. The email settings, such as relay SMTP server, are configured through the vSphere Client in the vCenter Server mail settings.


Reposted from: https://my.oschina.net/u/437851/blog/347346
