
Unable to login to Sophos UTM Virtual Machine after issues with AD - Password reset from CLI not working

I do have CLI access. So I found guides from here: https://community.sophos.com/kb/en-us/115346

And I followed the sections entitled: "WebAdmin password reset procedure" and "Local network is missing in the allowed networks of the WebAdmin"

I get the password change GUI prompt, and set the admin password. However, when I try to log in with the admin account and the new password, I get "Invalid username or password".

 

So I thought I had likely removed admin from the superusers group, so I found this: https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/73721/using-cli-to-add-allowed-users and followed the steps to add admin back to the superusers group in CLI.

 

I then used the "WebAdmin password reset procedure" again and tried to log in. No dice. I then tried from a different machine, figuring I had locked out the IP. No dice.

 

I know these methods have worked for others, and the password resets are obviously partly working, but I still cannot gain access. Any ideas? Could the admin account be disabled or locked?

As a last resort I tried resetting all passwords from the above guide, and then lost CLI access. I have restored from backup and regained CLI, but still cannot log in even after retrying all the above. This is the most frustrating thing I have ever had to deal with using Sophos UTMs, and it's not the first time I've seen this failure to reset happen.

 

My only other idea is: Is there a way to add a new user from CLI and then make them the new superadmin?

 

I GREATLY appreciate help regaining access!



  • Hi Travis,

     

    Have a look at this Forum post for commands to add SuperAdmin role via CLI: https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/73721/using-cli-to-add-allowed-users

    Hope that helps.

    Thanks,
    Karlos

    Karlos
    Community Support Engineer | Sophos Technical Support

  • Karlos,

     

    That is the link I posted in my original troubleshooting :-( Did you not review what I said I already did? Additionally, it does not answer my question, nor does it address my problem. Here's a restatement of my questions, hopefully clearer, with one added:

     

    1) I asked how to add a NEW GUI user from CLI.

    2) Why is the password reset failing to work when I reset the admin password, and add ANY network to the allowed login, and add Admin user to the Superuser role? Why would it continue to fail?

    3) From CLI, how do I disable the account lockout threshold so I can try more password attempts without being locked out?

    4) Do you realize it's possible to delete the admin user? I just tested and it is on the latest UTM version. So obviously the UTM needs a better method for the GUI user password reset than is provided! Please forward to development so they can work to ensure this ridiculousness and poor design gets resolved in the future! See more at these two links:

    Here: https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/73721/using-cli-to-add-allowed-users/351894#351894 

    And here: https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/96903/cli-commands-to-change-the-loginuser-and-root-account-do-not-work 

     

    Thank you,

    Travis Grenell

    Certified Sophos UTM Architect

  • Hi, Travis, and welcome to the UTM Community!

    Do you see your network in the response to the following?

    cc get webadmin allowed_networks

    I would expect that to include 'REF_DefaultInternalNetwork'.  You can then confirm that that object contains the correct address and netmask with:

    cc get_object 'REF_DefaultInternalNetwork'

    You can then check whether the admin user is active by confirming that the 'status' is 1 with:

    cc get_user_by_name admin

    That will also show you the REF_ for admin which is probably 'REF_DefaultSuperAdmin'.  If the admin user is not enabled, you can do that with:

    cc change_object 'REF_DefaultSuperAdmin' 'status' 1

    If that returns the REF_, the command was successful.  If 0, something was incorrect in your command.

    My impression was that you misread the section on resetting a password.  Change the password for admin to AbCd1#2#3#4 with:

    cc passwd AbCd1#2#3#4

    Any better luck now?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    Thanks for the help. Here are the results of each command:

    cc get webadmin allowed_networks
    [
    'REF_NetworkAny'
    ]

     

    cc get_object 'REF_DefaultInternalNetwork'
    {
    'autoname' => 0,
    'class' => 'network',
    'data' => {
    'address' => '192.168.1.0',
    'address6' => '::',
    'comment' => 'Internal Network',
    'name' => 'Internal (Network)',
    'netmask' => 24,
    'netmask6' => 64,
    'resolved' => 1,
    'resolved6' => 0
    },
    'hidden' => 0,
    'lock' => 'user',
    'nodel' => '',
    'ref' => 'REF_DefaultInternalNetwork',
    'type' => 'interface_network'
    }

     

    cc get_user_by_name admin
    0

     

    cc change_object 'REF_DefaultSuperAdmin' 'status' 1
    0

     

    No, I didn't misread the password reset section. And I'm logging in from the Internal Network. I am pretty sure the problem is that I deleted the "admin" user. What now?

    I have another local user which I verified with the "cc get_user_by_name myadmin". Can I reset the password for myadmin?

     cc get_user_by_name myuser
    {
    'autoname' => 0,
    'class' => 'aaa',
    'data' => {
    'acc_managed' => 0,
    'allowed_networks' => [
    'REF_NetworkAny'
    ],
    'authentication' => 'local',
    'backend_update' => 0,
    'clearpass' => '',
    'comment' => '',
    'email_primary' => '',
    'email_secondary' => [],
    'enabled' => 1,
    'lastauth_backend' => '',
    'lastauth_facility' => '',
    'lastauth_time' => 0,
    'loc' => 'english',
    'md4hash' => 'fa5870ca4b4b37asdf03fdb',
    'name' => 'myuser',
    'network' => 'REF_NetAaaMyuseUserNetwo',
    'pop3_accounts' => [],
    'ras_ip' => '0.0.0.0',
    'ras_online' => 0,
    'realname' => '',
    'sender_blacklist' => [],
    'sender_whitelist' => [],
    'status' => 1,
    'use_ras_ip' => 0,
    'user_preferences' => '',
    'x509_cert' => 'REF_IpsX5033',
    'x509_cert_gost' => ''
    },
    'hidden' => 0,
    'lock' => '',
    'nodel' => '',
    'ref' => 'REF_AaaUsemyuser',
    'type' => 'user'

    Thanks!

    Thank you,
    Travis Grenell
    Certified Sophos UTM Architect
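
An added example, not part of any post in this thread and not Sophos code: a small offline checker for saved `cc` output like the dumps above, which reports a missing user (the `0` result), a `status` other than 1, and an allowed-networks list still containing `REF_NetworkAny` after recovery. The sample dumps are constructed from the ones posted here, and the function names are hypothetical.

```python
import ast
import re

# Constructed samples, modelled on the cc output posted in this thread.
WEBADMIN_NETWORKS = "[\n'REF_NetworkAny'\n]"
USER_DUMP = """{
'class' => 'aaa',
'data' => {
'allowed_networks' => [
'REF_NetworkAny'
],
'authentication' => 'local',
'comment' => '',
'name' => 'myuser',
'status' => 1
},
'ref' => 'REF_AaaUsemyuser',
'type' => 'user'
}"""


def parse_cc(text):
    """Turn the Perl-style dump that cc prints into Python data."""
    # Only the hash arrow differs from Python literal syntax: 'key' => v
    return ast.literal_eval(re.sub(r"'\s*=>", "':", text.strip()))


def review_user(dump):
    """Return findings for one saved `cc get_user_by_name <name>` result."""
    obj = parse_cc(dump)
    if not isinstance(obj, dict):
        # The thread shows a bare 0 when the lookup returns no object.
        return ["no user object returned (cc printed %r)" % (obj,)]
    data, findings = obj.get("data", {}), []
    if data.get("status") != 1:
        findings.append("status is %r, expected 1" % (data.get("status"),))
    if "REF_NetworkAny" in data.get("allowed_networks", []):
        findings.append("allowed_networks contains REF_NetworkAny")
    return findings


def review_webadmin(dump):
    """Flag a WebAdmin allowed_networks list left open during recovery."""
    nets = parse_cc(dump)
    if isinstance(nets, list) and "REF_NetworkAny" in nets:
        return ["webadmin allowed_networks contains REF_NetworkAny"]
    return []


if __name__ == "__main__":
    for line in review_webadmin(WEBADMIN_NETWORKS) + review_user(USER_DUMP):
        print("FINDING:", line)
```
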

  • Yeah, it looks like that's the problem, Travis.  Oops!

    Try the two following commands to see if there's any user allowed WebAdmin access:

    cc get_object REF_DefaultSuperAdminGroup
    cc get_object REF_SuperadminRole

    If there's no one allowed access and you have a user 'travis' where you know the password, get the REF_ for that user:

    cc get_user_by_name travis

    Say you find it's REF_AaaUseTravis.  Add this REF_ to REF_DefaultSuperAdminGroup and add REF_DefaultSuperAdminGroup to the Role object:

    cc change_object REF_DefaultSuperAdminGroup members REF_AaaUseTravis
    cc change_object REF_SuperAdminRole members REF_DefaultSuperAdminGroup

    Any better luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That wasn't an Oops, it was on purpose for security to prevent internal user password guessing. There was another admin user, it just wasn't documented. That was the real oops.

    Yes, that was able to get me logged in, I was able to guess the password, thanks!

     

    But for other reference, is there any way to change a local user's password? Exploring CLI a bit and it seems you can modify the objects; it's just not always easy to figure out the syntax. I assume if I had the Password Hash for a known password I could put that into another user's object? Thoughts?

     

    Now that I'm back in the device I have learned what screwed me: The License! It's gone! So AD integration self-disabled. That's garbage! BOO Sophos!

    Thank you,
    Travis Grenell
    Certified Sophos UTM Architect