"Authentication token expired" error when switching to postgres user

Article ID: 435345

Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

When attempting to perform database maintenance or troubleshooting on an Aria Suite Lifecycle (LCM) appliance, administrators must switch to the postgres service account. When executing the command su - postgres, the system throws the following warning:

  • "Your account has expired; please contact your system administrator. su: Authentication token expired (Ignored)."

While the system may still allow access to the postgres prompt (indicated by "Ignored"), this expired token state can interfere with executing background scripts, automated tasks, or direct database commands.

Environment

  • VMware Aria Suite Lifecycle (LCM) 8.x
  • Photon OS
  • vPostgres (PostgreSQL)

Cause

The underlying Photon OS applies a default, global password expiration security policy. In some versions, this policy inadvertently affects local, non-interactive service accounts like postgres.

Because postgres is a backend daemon account—meaning an administrator never interactively logs in as this user to receive a "please change your password" prompt—the password token silently expires in the background once the OS lifecycle timer (typically 90 or 365 days) runs out.

Resolution

There are two ways to resolve this, depending on your organization's internal security and compliance policies.

Option 1: Disable Expiration for the Service Account (Broadcom Recommended)

Because postgres is an internal service account that cannot be used to SSH into the appliance or log into the web UI, the standard vendor resolution is to set the account token to never expire.

Log into the LCM appliance via SSH as root and run the following command:

chage -I -1 -m 0 -M 99999 -E -1 postgres

This permanently resolves the issue for the life of the appliance.

Option 2: Reset the Password Timer (Strict Compliance Environments)

If your organization utilizes automated security auditing tools that flag any account with a non-expiring password, you can manually reset the password to restart the expiration timer.

Log into the LCM appliance via SSH as root and run:

passwd postgres

Enter a new password when prompted.

Note: Choosing this method means you will encounter the "token expired" error again once the local Photon OS password rotation timer runs out, requiring you to repeat this step in the future.
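The Cause and both Resolution options come down to the password-aging fields of the postgres entry in /etc/shadow. The script below is an added example, not part of the original article or any Broadcom tooling: it classifies constructed sample entries using a simplified reading of shadow(5), and the function name, state labels and sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the aging state of one shadow(5) entry.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (dates are days since 1970-01-01). Simplified reading of shadow(5);
# on the appliance the actual decision is made by the login stack.

aging_state() {   # $1 = shadow line, $2 = today in days since the epoch
    today=$2
    IFS=: read -r _n _h lastchg _min max _warn inactive expire _rest <<EOF
$1
EOF
    # Account expiry date (chage -E) is set and has been reached.
    if [ -n "$expire" ] && [ "$expire" -ge 0 ] && [ "$today" -ge "$expire" ]; then
        echo account_expired; return
    fi
    # lastchg 0 means the password must be changed at next login.
    if [ "$lastchg" = 0 ]; then echo change_required; return; fi
    # Empty lastchg or empty/negative max: aging is disabled.
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -lt 0 ]; then
        echo no_aging; return
    fi
    due=$((lastchg + max))
    if [ "$today" -gt "$due" ]; then
        # Past the maximum age; the inactivity window (chage -I) may also be over.
        if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] &&
           [ "$today" -gt $((due + inactive)) ]; then
            echo password_expired_inactive
        else
            echo password_expired
        fi
        return
    fi
    echo "ok days_left=$((due - today))"
}

# Constructed sample entries (not taken from a real appliance):
#   1) 90-day maximum age, password last set 200 days ago
#   2) the same entry after Option 1 (chage -I -1 -m 0 -M 99999 -E -1)
#   3) the same entry after Option 2 (passwd resets lastchg to today)
TODAY=19200
for entry in \
    'postgres:!:19000:0:90:7:::' \
    'postgres:!:19000:0:99999:7:::' \
    'postgres:!:19200:0:90:7:::'
do
    printf '%s -> %s\n' "$entry" "$(aging_state "$entry" "$TODAY")"
done
```

On the appliance, chage -l postgres reports the same fields in readable form, which makes it a quick check before and after applying either option.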