ONTAP Discussions
How do you manage user accounts in 7 mode given the following scenarios:
Enable disabled user account:
Controller1> useradmin user list Test3
Name: Test3
Info:
Rid: 111111
Groups: Group1
Full Name:
Allowed Capabilities: login-snmp
Password min/max age in days: 1/4294967295
Status: disabled
Change user password for first login:
When security.passwd.firstlogin.enable is set to on and using the principle of least privilege, how do you change the initial password? Or let me ask, what is required to allow a user to change their password on first login if you are configuring SNMPv3 and only granting login-snmp? Do they need the ability to log in through SSH? If so, what other capabilities are required for the user to change their password? Let's say the user only has login-snmp, login-ssh: how would they change their password? There is no prompt when I log in, and I can log in through SSH with the account with a status of expired. When I have these capabilities and try passwd, the system log states that test needs the cli-passwd capability. If you grant that capability then that account can change any password.
Name: test
Info:
Rid: 11112
Groups: Group1
Full Name:
Allowed Capabilities:
Password min/max age in days: 0/4294967295
Status: expired
Hi,
Since you have not gotten an answer, you may want to ask this question in the NetApp Support Community. The current customers, partners and internal Subject Matter Experts are addressing technical product questions there.
Mike
I'm seeking an answer to this 'problem' also. The closest workarounds I can see are the RSH syntax for passwd or setting the ...passwd.firstlogon.enable off before creating the accounts then turning it back on again.
Try to delete the test1 account and recreate it.
Thanks,
Bhola Gond
The capability cli-passwd only provides the privileges to change the password on the user's own account.
It does not provide the ability to change the password on other users' accounts.
In order to change the password of other users' accounts you need the security context privilege of security-passwd-change-others.
I noted that fact in the man pages, Richard; I felt that as I was logged in as root I wouldn't have a problem.
bondbhola, yes deleting and recreating with ...passwd.firstlogon.enable=off set works fine as expected.