Data Domain: DDBoost user shows locked status

           

   Article Number:     520213                                   Article Version: 7     Article Type:    Break Fix 
   

 


Product:

 

Data Domain,Data Domain Boost

 

Issue:

 

 

Issues Seen   

         
  •         The ddboost user has status of "locked" on web GUI System Manager.     
  •      
  •         Backup Applications such as Avamar, Networker and Netbackup will encounter backup failures to DD     
  •      
  •         Backup Application will complain as having no communication with storage server Data Domain     
  •    
   
         
  •         You can see this status in "DD Boost" or "Access -> Local Users" tab on left hand menu     
  •    
   
      User-added image     
      User-added image   
                                                             

 

 

Cause:

 

 

Root Cause   
    The root cause of ddboost user becoming locked is because the Password has expired.   
   
    Reason   

         
  •         Run the command # user password aging show     
  •      
  •         You will most likely see the "Maximum Days Between Change" is set to 90      
  •      
  •         Also on the web GUI, you can see this under "Access -> Local Users (shown in red in picture above)     
  •    
        
      User-added image   
   
         
  •         This is because after DDOS upgrades to 5.6 or above, the Maximum Days Between Change is set to default of 90 days     
  •      
  •         Even if you change password aging to higher than 90 days, on subsequent upgrades (i.e from 6.0 to 6.1), it will be set back to default of 90 days again     
  •    
                                                             

 

 

Change:

 

 

How to Verify   
   
    The only way you can see that password has expired or within 7 days of expiry is to SSH to the DD system using the ddboost user from backup application.   
    As such it is hard to verify that password age is close to being expired or expired.   
   
    Example   
    ssh ddboost@"testdd.emc.com"   
    Data Domain OS   
    You are required to change your password immediately (password aged)   
    Last login: Thu Apr 21 13:41:18 PDT 2016 from testavamar.emc.com on ssh   
    WARNING: Your password has expired.   
    You must change your password now and login again!   
    Changing password for ddboost.   
    (current) UNIX password:   
   
     
                                                           

 

 

Resolution:

 

 

Temporary   
   
    When ddboost user gets locked;   

         
  1.         Login to the Data Domain system as sysadmin user (or any other user with admin roles)      
  2.      
  3.          Enable the ddboost user      
  4.    
   
      # user enable <ddboost-user>   
   
         
  1.          Verify that the ddboost user is now enabled     
  2.    
   
      # user show list   
   
    After you perform above action, you should have access again and no further issues for another 90 days.   
   
   
    Resolution   
   
    1. Set a reminder on your side to change your ddboost password within every 90 days if you wish to keep the 90 day default value.   
    (Remember, the only way you get a warning to change from DD is if you SSH to the system using ddboost user within 7 days of password expiry)   
   
    This may not be very practical so a better solution is to;   
   
    2Modify the max-days-between-change value of 90 to a much higher value on your DD system;   
    # user password aging set ddboost max-days-between-change 99999     
      # user password aging show 
   
   
    The value provided above means that you do not need to change the ddboost password ever (273 years to be exact!).   
    However you can modify to any length of time you prefer.   
   
    Important Note: Please remember to check and set this again after future DDOS upgrades   
   
    Additional Information   
   
    If you still cannot access or backup to DD using ddboost user after the actions above you may have hit a timeout due to multiple attempts by backup application to access the DD and therefor the ddboost account would remain locked for a period of time (dependent on how many failed login attempts).   
   
    Please open an SR with Data Domain Support if you are still having issues after performing the actions outlined in this KB.