NSX-T Manager/Edge node user password is incorrectly reported to have expired



Article ID: 316668


Products

VMware NSX

Issue/Introduction

Symptoms:

  • The admin, root and/or audit account password on an NSX Manager or Edge node has been set to never expire with the following NSX CLI command:
#clear user <user> password-expiration 
  • Log alerts are triggered indicating the password has expired for these accounts.
Reviewing nsx-event.log shows alerts such as the following (note that the account the event reports on is the one in event_sources.user_name):
<179>1 2019-10-10T00:00:01.758Z edge1 NSX 10171 - [nsx@6876 comp="nsx-edge" subcomp="passwd_monitor" username="root" level="ERROR" eventId="vmwNSXPlatformPasswordExpiryStatus"] {"event_state": -114, "event_src_comp_id": "b406b7a7-d359-4c92-abbc-bf991f327e07", "event_sources": {"user_name": "root", "user_id": "0"}}
<179>1 2019-10-10T00:00:02.020Z edge1 NSX 10171 - [nsx@6876 comp="nsx-edge" subcomp="passwd_monitor" username="root" level="ERROR" eventId="vmwNSXPlatformPasswordExpiryStatus"] {"event_state": -2, "event_src_comp_id": "b406b7a7-d359-4c92-abbc-bf991f327e07", "event_sources": {"user_name": "admin", "user_id": "10000"}}
  • Aria Operations for Networks raises alarms indicating NSX user passwords have expired

Environment

VMware NSX-T Data Center 2.x
VMware NSX-T Data Center

Cause

The code logic that generates these alerts incorrectly flags accounts whose password policy is set to never expire as expired.
To validate a user's password expiration setting, run:
#get user <user> password-expiration
For more detail, call the following API; password_change_frequency is the expiry period in days (0 means never expires) and last_password_change is the number of days since the password was last changed:
GET /api/v1/node/users
...
        {
            "username": "root",
            "status": "ACTIVE",
            "password_change_frequency": 0, -->> 0 here indicates the password is set to never expire
            "userid": 0,
            "last_password_change": 97,
            "full_name": "root"
        },
        {
            "username": "admin",
            "status": "ACTIVE",
            "password_change_frequency": 0, -->> 0 here indicates the password is set to never expire
            "userid": 10000,
            "last_password_change": 97,
            "full_name": ""
        },
        {
            "username": "audit",
            "status": "PASSWORD_EXPIRED", -->> here we can see the password for audit has expired
            "password_change_frequency": 90,
            "userid": 10002,
            "last_password_change": 97,
            "full_name": ""
        }
...

To list the alarms currently raised, use the following API:
GET /api/v1/hpm/alarms
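The triage a practitioner actually wants here is to join the passwd_monitor events in nsx-event.log against GET /api/v1/node/users and separate the false positives this article describes (password_change_frequency 0, status ACTIVE) from genuinely expired passwords such as the audit account above. The following is an added example written for this page, not VMware code or an NSX-supplied tool. It assumes the API response wraps the user objects in a "results" list, that last_password_change is days since the last change, and it embeds constructed sample data: the API fragment shown above, the two log lines quoted above, plus a third log line invented here for the audit account (its event_state value is copied from the admin line and carries no meaning in this example).

```python
"""Triage vmwNSXPlatformPasswordExpiryStatus events against GET /api/v1/node/users."""
import json
import re

# Constructed sample: the GET /api/v1/node/users fragment from the KB, wrapped in
# a "results" list (assumed response shape). password_change_frequency is the
# expiry period in days (0 = never expires); last_password_change is days since
# the password was last changed (assumption based on the NSX API field names).
SAMPLE_NODE_USERS = {
    "results": [
        {"username": "root", "status": "ACTIVE", "password_change_frequency": 0,
         "userid": 0, "last_password_change": 97, "full_name": "root"},
        {"username": "admin", "status": "ACTIVE", "password_change_frequency": 0,
         "userid": 10000, "last_password_change": 97, "full_name": ""},
        {"username": "audit", "status": "PASSWORD_EXPIRED", "password_change_frequency": 90,
         "userid": 10002, "last_password_change": 97, "full_name": ""},
    ]
}

# Constructed sample of nsx-event.log: the two lines quoted in the KB, plus a
# third line made up here for the audit account, whose password really has expired.
SAMPLE_EVENT_LOG = """\
<179>1 2019-10-10T00:00:01.758Z edge1 NSX 10171 - [nsx@6876 comp="nsx-edge" subcomp="passwd_monitor" username="root" level="ERROR" eventId="vmwNSXPlatformPasswordExpiryStatus"] {"event_state": -114, "event_src_comp_id": "b406b7a7-d359-4c92-abbc-bf991f327e07", "event_sources": {"user_name": "root", "user_id": "0"}}
<179>1 2019-10-10T00:00:02.020Z edge1 NSX 10171 - [nsx@6876 comp="nsx-edge" subcomp="passwd_monitor" username="root" level="ERROR" eventId="vmwNSXPlatformPasswordExpiryStatus"] {"event_state": -2, "event_src_comp_id": "b406b7a7-d359-4c92-abbc-bf991f327e07", "event_sources": {"user_name": "admin", "user_id": "10000"}}
<179>1 2019-10-10T00:00:02.300Z edge1 NSX 10171 - [nsx@6876 comp="nsx-edge" subcomp="passwd_monitor" username="root" level="ERROR" eventId="vmwNSXPlatformPasswordExpiryStatus"] {"event_state": -2, "event_src_comp_id": "b406b7a7-d359-4c92-abbc-bf991f327e07", "event_sources": {"user_name": "audit", "user_id": "10002"}}
"""

# Structured-data element "[nsx@6876 key="value" ...]" followed by the JSON payload.
SD_RE = re.compile(r'\[nsx@6876 (?P<sd>[^\]]*)\]\s*(?P<payload>\{.*\})\s*$')
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Return (sd_params, payload) for one nsx-event.log line, or None if it does not match."""
    m = SD_RE.search(line)
    if not m:
        return None
    params = dict(PARAM_RE.findall(m.group("sd")))
    return params, json.loads(m.group("payload"))


def classify_user(user):
    """Apply the expiry policy the way the API fields describe it."""
    freq = user["password_change_frequency"]
    if freq == 0:
        return "never_expires"
    if user["last_password_change"] >= freq:
        return "expired"
    return "ok"


def triage_expiry_events(log_text, node_users):
    """Map each account named in an ERROR expiry event to a verdict.

    false_positive: account is set to never expire (the bug this KB describes)
    genuine:        the API also reports PASSWORD_EXPIRED
    investigate:    the event and the API disagree for an expiring account
    unknown_user:   the event names an account the API does not list
    """
    users = {u["username"]: u for u in node_users["results"]}
    verdicts = {}
    for line in log_text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        params, payload = parsed
        if params.get("eventId") != "vmwNSXPlatformPasswordExpiryStatus" or params.get("level") != "ERROR":
            continue
        # Key on event_sources.user_name: in the KB's second line it is "admin"
        # while the structured-data username attribute is still "root".
        name = payload["event_sources"]["user_name"]
        user = users.get(name)
        if user is None:
            verdicts[name] = "unknown_user"
        elif classify_user(user) == "never_expires":
            verdicts[name] = "false_positive"
        elif user["status"] == "PASSWORD_EXPIRED":
            verdicts[name] = "genuine"
        else:
            verdicts[name] = "investigate"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage_expiry_events(SAMPLE_EVENT_LOG, SAMPLE_NODE_USERS).items():
        print(f"{name:8s} {verdict}")
```

In a live environment, replace SAMPLE_NODE_USERS with the parsed body of GET /api/v1/node/users and SAMPLE_EVENT_LOG with the contents of nsx-event.log from the affected node; any "investigate" verdict means the event and the API disagree for an account that is not set to never expire, which this article does not explain and should be looked at separately.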

Resolution

This issue is resolved in NSX-T Data Center 2.5.0.
Note that although no new alerts are raised after the upgrade, alerts triggered before the upgrade to NSX-T Data Center 2.5.0 will persist.

NSX-T Data Center 2.5.1 automatically removes legacy alerts as part of the upgrade process.

Workaround:
If an upgrade is not possible, please contact Broadcom Support by opening a Support Request; a workaround can be applied to clear the alerts.