Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 4 subscribers
  • Views 12650 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to login to Sophos UTM Virtual Machine after issues with AD - Password reset from CLI not working

Travis Grenell

I do have CLI access. So I found guides from here: https://community.sophos.com/kb/en-us/115346

And I followed the sections entitled: "WebAdmin password reset procedure" and "Local network is missing in the allowed networks of the WebAdmin"

I get the password change GUI prompt, and set the admin password. However when I try to login with the admin account and the new password, I get "Invalid username or password".

 

So I though I likely had removed admin from the superusers group, so found this: https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/73721/using-cli-to-add-allowed-users and followed the steps to add admin back to the superusers group in CLI.

 

I then used the "WebAdmin password reset procedure" again and tried to login. No dice. I then tried from a different machine, figuring I had locked out the IP. No Dice.

 

I know others have these methods work, and the password resets are obviously partly working but I still cannot gain access. Any ideas? Could the admin account be disabled or locked?

As a last resort I tried resetting all passwords from the above guide, and then lost CLI access. I have restored from backup and regained CLI, but still cannot login even retrying all the above. This is the most frustrating thing I have ever had to deal with using Sophos UTMs, and it's not the first time I've seen this failure to reset happen.

 

My only other idea is : Is there is a way to add a new user from CLI and then make them the new superadmin? 

 

I GREATLY appreciate help regaining access!



This thread was automatically locked due to age.
Parents
  • 0

    Hi, Travis, and welcome to the UTM Community!

    Do you see your network in the response to the following?

    cc get webadmin allowed_networks

    I would expect that to include 'REF_DefaultInternalNetwork'.  You can then confirm that that object contains the correct address and netmask with:

    cc get_object 'REF_DefaultInternalNetwork'

    You can then check whether the admin user is active by confirming that the 'status' is 1 with:

    cc get_user_by_name admin

    That will also show you the REF_ for admin which is probably 'REF_DefaultSuperAdmin'.  If the admin user is not enabled, you can do that with:

    cc change_object 'REF_DefaultSuperAdmin' 'status' 1

    If that returns the REF_, the command was successful.  If 0, something was incorrect in your command.

    My impression was that you misread the section on resetting a password.  Change the password for admin to AbCd1#2#3#4 with:

    cc passwd AbCd1#2#3#4

    Any better luck now?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Bob,

    Thanks for the help. Here's the results of each command:

    cc get webadmin allowed_networks
    [
    'REF_NetworkAny'
    ]

     

    cc get_object 'REF_DefaultInternalNetwork'
    {
    'autoname' => 0,
    'class' => 'network',
    'data' => {
    'address' => '192.168.1.0',
    'address6' => '::',
    'comment' => 'Internal Network',
    'name' => 'Internal (Network)',
    'netmask' => 24,
    'netmask6' => 64,
    'resolved' => 1,
    'resolved6' => 0
    },
    'hidden' => 0,
    'lock' => 'user',
    'nodel' => '',
    'ref' => 'REF_DefaultInternalNetwork',
    'type' => 'interface_network'
    }

     

    cc get_user_by_name admin
    0

     

    cc change_object 'REF_DefaultSuperAdmin' 'status' 1
    0

     

    No, I didn't misread the password reset section. And I'm logging in from the Internal Network. I am pretty sure the problem is that I deleted the "admin" user. What now?

    I have another local user which I verified with the "cc get_user_by_name myadmin". Can I reset the password for myadmin?

     cc get_user_by_name myuser
    {
    'autoname' => 0,
    'class' => 'aaa',
    'data' => {
    'acc_managed' => 0,
    'allowed_networks' => [
    'REF_NetworkAny'
    ],
    'authentication' => 'local',
    'backend_update' => 0,
    'clearpass' => '',
    'comment' => '',
    'email_primary' => '',
    'email_secondary' => [],
    'enabled' => 1,
    'lastauth_backend' => '',
    'lastauth_facility' => '',
    'lastauth_time' => 0,
    'loc' => 'english',
    'md4hash' => 'fa5870ca4b4b37asdf03fdb',
    'name' => 'myuser',
    'network' => 'REF_NetAaaMyuseUserNetwo',
    'pop3_accounts' => [],
    'ras_ip' => '0.0.0.0',
    'ras_online' => 0,
    'realname' => '',
    'sender_blacklist' => [],
    'sender_whitelist' => [],
    'status' => 1,
    'use_ras_ip' => 0,
    'user_preferences' => '',
    'x509_cert' => 'REF_IpsX5033',
    'x509_cert_gost' => ''
    },
    'hidden' => 0,
    'lock' => '',
    'nodel' => '',
    'ref' => 'REF_AaaUsemyuser',
    'type' => 'user'

    Thanks!

    Thank you,
    Travis Grenell
    Certified Sophos UTM Architect

Reply
  • 0 in reply to BAlfson

    Bob,

    Thanks for the help. Here's the results of each command:

    cc get webadmin allowed_networks
    [
    'REF_NetworkAny'
    ]

     

    cc get_object 'REF_DefaultInternalNetwork'
    {
    'autoname' => 0,
    'class' => 'network',
    'data' => {
    'address' => '192.168.1.0',
    'address6' => '::',
    'comment' => 'Internal Network',
    'name' => 'Internal (Network)',
    'netmask' => 24,
    'netmask6' => 64,
    'resolved' => 1,
    'resolved6' => 0
    },
    'hidden' => 0,
    'lock' => 'user',
    'nodel' => '',
    'ref' => 'REF_DefaultInternalNetwork',
    'type' => 'interface_network'
    }

     

    cc get_user_by_name admin
    0

     

    cc change_object 'REF_DefaultSuperAdmin' 'status' 1
    0

     

    No, I didn't misread the password reset section. And I'm logging in from the Internal Network. I am pretty sure the problem is that I deleted the "admin" user. What now?

    I have another local user which I verified with the "cc get_user_by_name myadmin". Can I reset the password for myadmin?

     cc get_user_by_name myuser
    {
    'autoname' => 0,
    'class' => 'aaa',
    'data' => {
    'acc_managed' => 0,
    'allowed_networks' => [
    'REF_NetworkAny'
    ],
    'authentication' => 'local',
    'backend_update' => 0,
    'clearpass' => '',
    'comment' => '',
    'email_primary' => '',
    'email_secondary' => [],
    'enabled' => 1,
    'lastauth_backend' => '',
    'lastauth_facility' => '',
    'lastauth_time' => 0,
    'loc' => 'english',
    'md4hash' => 'fa5870ca4b4b37asdf03fdb',
    'name' => 'myuser',
    'network' => 'REF_NetAaaMyuseUserNetwo',
    'pop3_accounts' => [],
    'ras_ip' => '0.0.0.0',
    'ras_online' => 0,
    'realname' => '',
    'sender_blacklist' => [],
    'sender_whitelist' => [],
    'status' => 1,
    'use_ras_ip' => 0,
    'user_preferences' => '',
    'x509_cert' => 'REF_IpsX5033',
    'x509_cert_gost' => ''
    },
    'hidden' => 0,
    'lock' => '',
    'nodel' => '',
    'ref' => 'REF_AaaUsemyuser',
    'type' => 'user'

    Thanks!

    Thank you,
    Travis Grenell
    Certified Sophos UTM Architect

Children
  • +1 in reply to Travis Grenell

    Yeah, it looks like that's the problem, Travis.  Oops!

    Try the two following commands to see if there's any user allowed WebAdmin access:

    cc get_object REF_DefaultSuperAdminGroup
    cc get_object REF_SuperadminRole

    If there's no one allowed access and you have a user 'travis' where you know the password, get the REF_ for that user:

    cc get_user_by_name travis

    Say you find it's REF_AaaUseTravis.  Add this REF_ to REF_DefaultSuperAdminGroup and add REF_DefaultSuperAdminGroup to the Role object:

    cc change_object REF_DefaultSuperAdminGroup members REF_AaaUseTravis
    cc change_object REF_SuperAdminRole members REF_DefaultSuperAdminGroup

    Any better luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    That wasn't an Oops, it was on purpose for security to prevent internal user password guessing. There was another admin user it just wasn't documented. That was the real oops.

    Yes, that was able to get me logged in, I was able to guess the password, thanks!

     

    But for other reference, is there any way to change a local user's password? Exploring CLI a bit and it seems you can modify the objects; it's just not always easy to figure out the syntax. I assume if I had the Password Hash for a known password I could put that into another user's object? Thoughts?

     

    Now that I'm back in the device I have learned what screwed me: The License! It's gone! So AD integration self-disabled. That's garbage! BOO Sophos!

    Thank you,
    Travis Grenell
    Certified Sophos UTM Architect

Unfiltered HTML