Symptoms:

You will see that the admin password has expired on the following components:

- NSX-T Manager (Web UI + SSH)
- NSX-T Edge Node VMs
- NSX Intelligence Node

You can run the following command on NSX Manager to see the days to password expiration:

    nsx-manager> get user admin password-expiration
    Password expires 90 days after last change

Below are the NSX Manager logs, showing when passwords will expire:

Auth.log

    <87>1 2019-06-11T05:47:33.495576+00:00 nsxmgrT-A2 sshd 7437 - - pam_unix(sshd:account): password for user admin will expire in 1 days
    <87>1 2019-06-11T05:48:01.614870+00:00 nsxmgrT-A2 CRON 7771 - - pam_unix(cron:account): password for user root will expire in 1 days

You will see the following messages when you SSH into the Intelligence VM:

    You are required to change your password immediately (password aged)
    Changing password for root.
    (current) UNIX password:
    New password:
    Retype new password:

If you are running Enterprise PKS with NSX-T, you will see that new PKS clusters cannot be created, and messages similar to the following appear in the Bosh logs for a failed PKS cluster creation task:

    Task 724 | 10:05:52 | Preparing deployment: Preparing deployment (00:00:36)
    Task 724 | 10:06:08 | Preparing package compilation: Finding packages to compile (00:00:00)
    Task 724 | 10:06:08 | Compiling packages: nsx-cni/26cdfdb5b844958f7247dc981925693c965353e6
    Task 724 | 10:06:08 | Compiling packages: openvswitch/a88c3d7c14994a1aec0ce49e4eccb92b1b7e08ee
    Task 724 | 10:06:08 | Compiling packages: ncp_rootfs/da9eb7910f5777dc862841985ced01e18201e9b4
    Task 724 | 10:09:16 | Compiling packages: nsx-cni/26cdfdb5b844958f7247dc981925693c965353e6 (00:03:08)
                        L Error: Unknown CPI error 'Unknown' with message 'The credentials were incorrect or the account specified has been locked.' in 'set_vm_metadata' CPI method (CPI request ID: 'cpi-873816')
    Task 724 | 10:09:20 | Compiling packages: ncp_rootfs/da9eb7910f5777dc862841985ced01e18201e9b4 (00:03:12)
                        L Error: Unknown CPI error 'Unknown' with message 'The credentials were incorrect or the account specified has been locked.' in 'set_vm_metadata' CPI method (CPI request ID: 'cpi-718377')
    Task 724 | 10:09:21 | Compiling packages: openvswitch/a88c3d7c14994a1aec0ce49e4eccb92b1b7e08ee (00:03:13)
                        L Error: Unknown CPI error 'Unknown' with message 'The credentials were incorrect or the account specified has been locked.' in 'set_vm_metadata' CPI method (CPI request ID: 'cpi-459103')
    Task 724 | 10:09:21 | Error: Unknown CPI error 'Unknown' with message 'The credentials were incorrect or the account specified has been locked.' in 'set_vm_metadata' CPI method (CPI request ID: 'cpi-873816')

Environment
- VMware NSX-T Data Center
- VMware NSX-T Data Center 2.x
- VMware PKS 1.x
Cause
Password expiration (90 days by default) was introduced in NSX-T 2.4.0 because of security requirements.

Since 2.4.0 Password Policy Enhancements:

- Enforces minimum password length of 12 characters for default passwords.
- Introduces ability to set password expiration times and generates alarms when password is about to expire.

For more details, please refer to the VMware NSX-T Data Center 2.4 Release Notes.
Resolution
If the password of the NSX Manager is already expired, you can reclaim the password by running the following command from nsxcli:

    set user <username> [password <password> [old-password <old-password>]]

From nsxcli you can run the command below to set the password to expire after a maximum of 9999 days. Example:

    nsxtmgr> set user admin password-expiration
      <password-expiration>    Number of days password valid after change (1 - 9999)
    nsxtmgr> set user admin password-expiration 9999

You can also disable password expiry via the CLI, as in the example below:

    nsxtmgr> clear user audit password-expiration

Please refer to the NSX-T 2.4 CLI Reference Guide for more details.

Alternatively, using the API, you can configure the expiration time or disable it under NodeUserProperties ("set to 0 to set no password change"). Please refer to the NSX-T 2.4 API Guide for more details.
Additional Information
Impact/Risks:
Once the password expires, you will be unable to log in and manage NSX-T components.
Additionally, any task or API call that requires the NSX-T Admin password to be executed will fail.
You might not see any warning in the UI that your password is going to expire or has already expired.
You might be unable to create new clusters in Enterprise PKS.
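
Because the UI may give no warning, the pam_unix messages shown under Symptoms can be monitored from forwarded auth.log data instead. The following is an added example, not part of the original article or of any VMware tooling: it parses those log lines and reports, per host and account, how close the password is to expiry. The 14-day threshold, the host name nsx-intel-01 and the first and last sample lines are constructed; the "expired password for user ... (password aged)" wording is the message pam_unix logs once a password has aged out.

```python
import re
from datetime import datetime

# RFC 5424-style header used by the auth.log lines shown on this page.
HEADER = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ \S+ (?P<msg>.*)$")
# pam_unix account-phase messages: advance warning, and already-aged password.
WARN = re.compile(r"pam_unix\(\S+:account\): password for user (?P<user>\S+) "
                  r"will expire in (?P<days>\d+) days?")
EXPIRED = re.compile(r"pam_unix\(\S+:account\): expired password for user "
                     r"(?P<user>\S+) \(password aged\)")

# First and last lines are constructed; the middle two are the page's own samples.
SAMPLE = """\
<87>1 2019-06-05T05:47:33.000000+00:00 nsxmgrT-A2 sshd 7001 - - pam_unix(sshd:account): password for user admin will expire in 7 days
<87>1 2019-06-11T05:47:33.495576+00:00 nsxmgrT-A2 sshd 7437 - - pam_unix(sshd:account): password for user admin will expire in 1 days
<87>1 2019-06-11T05:48:01.614870+00:00 nsxmgrT-A2 CRON 7771 - - pam_unix(cron:account): password for user root will expire in 1 days
<87>1 2019-06-12T06:00:00.000000+00:00 nsx-intel-01 sshd 812 - - pam_unix(sshd:account): expired password for user root (password aged)
""".splitlines()

def expiry_status(lines, warn_days=14):
    """Map (host, user) -> (days_left, severity) using the newest event per account.
    days_left is None once pam_unix reports the password as already aged out."""
    latest = {}
    for line in lines:
        head = HEADER.match(line.strip())
        if not head:
            continue  # not a syslog line in the expected format
        warn = WARN.search(head["msg"])
        aged = EXPIRED.search(head["msg"])
        if not (warn or aged):
            continue  # unrelated auth event
        user = (warn or aged)["user"]
        days = int(warn["days"]) if warn else None
        seen = datetime.fromisoformat(head["ts"])
        key = (head["host"], user)
        if key not in latest or seen >= latest[key][0]:
            latest[key] = (seen, days)
    report = {}
    for key, (_, days) in latest.items():
        if days is None:
            severity = "expired"
        else:
            severity = "critical" if days <= warn_days else "ok"
        report[key] = (days, severity)
    return report

if __name__ == "__main__":
    for (host, user), (days, severity) in sorted(expiry_status(SAMPLE).items()):
        print(f"{host} {user}: {severity} (days left: {days})")
```

Feeding this the auth.log stream from every Manager, Edge and Intelligence node surfaces accounts that are about to lock out automation such as the PKS/Bosh tasks above, which allows the password to be rotated on schedule.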