ONTAP Discussions

7-Mode User Administration

ASUNDSTROM
13,436 Views

How do you manage user accounts in 7 mode given the following scenarios:

Enable disabled user account:

Controller1> useradmin user list Test3

Name: Test3

Info:

Rid: 111111

Groups: Group1

Full Name:

Allowed Capabilities: login-snmp

Password min/max age in days: 1/4294967295

Status: disabled

Change user password for first login:

When security.passwd.firstlogin.enable is set to on and using the principal of least privilege, how do you change the intial password?  Or let me ask, what is required to allow a user to change their password on first login if you are configuring SNMPv3 and only granting login-snmp?  Do they need the ability to login through SSH, if so what other capabilities are required for the user to change their password.  Let’s say the user only has login-snmp, login-ssh how would they change their password? There is no prompt when I login and I can login through SSH with the account with a status of expired. When I have these capabilities and try passwd , system log states that test needs the cli-passwd capability. If you grant that capability then that account can change any password.

Name: test

Info: Rid: 11112

Groups: Group1

Full Name:

Allowed Capabilities:

Password min/max age in days: 0/4294967295

Status: expired

5 REPLIES 5

crocker
13,333 Views

Hi,

Since you have not gotten an answer, you may want to ask this question in the NetApp Support Community.  The current customers, partners and internal Subject Matter Experts are addressing technical product questions there.

Mike

CHRIS_K_AU
13,333 Views

I'm seeking an answer to this 'problem' also. The closest workarounds I can see are the RSH syntax for passwd or setting the ...passwd.firstlogon.enable off before creating the accounts then turning it back on again.

bondbhola
13,333 Views

Try to delete the test1 account and recrate it.

Thanks,

Bhola Gond

RichardSopp
13,333 Views

The capability cli-passwd only provides the privileges to change the password on the users own account.

It does not provide the ability to change the password on other users accounts.

In order to change the password of other users accounts you need the security context privilege of security-passwd-change-others.

CHRIS_K_AU
13,333 Views

I noted that fact in the man pages Richard, I felt that as I was logged in as root I wouldn't have a problem.

bondbhola, yes deleting and recreating with ...passwd.firstlogon.enable=off set works fine as expected.

Public