https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159747#M28050 <P>Oh I see. Is it for all users, or for this specific hash only?&nbsp;<BR /><BR />If the latter, I would assume the hash is treated as a variable, since it starts with $. Otherwise, looks like a but to me. If it is a global issue, please raise a TAC case for it.</P> Mon, 17 Oct 2022 15:39:55 GMT _Val_ 2022-10-17T15:39:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159639#M27998 <P>Good morning!&nbsp;</P><P>&nbsp;</P><P>I am trying to create a script to automate (Gaia) admin users creation in a cluster with 'cloning group feature enabled'. This cluster is composed of two gateways (fwext01 and fwext02). We have R81.10, take 66 on them.</P><P>When I run the script on fwext01, for example, these are the commands that are executed:</P><P><STRONG><EM>clish -s -f comandos.txt</EM></STRONG></P><P>(The content of 'comandos.txt' file is:)</P><P><EM>set cloning-group-management on</EM><BR /><EM>add user adm_mickeymouse uid 0 homedir /home/adm_mickeymouse</EM><BR /><EM>set user adm_mickeymouse realname "Mickey Mouse"</EM><BR /><EM>set user adm_mickeymouse password-hash $6$PSTU$EvYhx6iMbZygtZamlZ8MRH0RfeVFGRMpn</EM><EM>yfYyeGuXE5O6qq93VB77v.0kVFOEXeRC39gxZBidj4ccOTrGE48x2</EM><BR /><EM>set user adm_mickeymouse force-password-change yes</EM><BR /><EM>add rba user adm_mickeymouse roles adminRole</EM><BR /><EM>set user adm_mickeymouse shell /bin/bash</EM><BR /><EM>save config</EM><BR /><EM>set cloning-group-management off</EM></P><P>The results of script execution on fwext01 is totally correct:</P><P><EM>add user adm_mickeymouse uid 0 homedir /home/adm_mickeymouse</EM><BR /><EM>add rba user adm_mickeymouse roles adminRole</EM><BR /><EM>set user adm_mickeymouse gid 0 shell /bin/bash</EM><BR /><EM>set user adm_mickeymouse realname "Mickey Mouse"</EM><BR /><EM>set user adm_mickeymouse password-hash $6$PSTU$EvYhx6iMbZygtZamlZ8MRH0RfeVFGRMpnyfYyeGuXE5O6qq93VB77v.0kVFOEXeRC39gxZBidj4ccOTrGE48x2</EM></P><P>But... When I look the configuration that was automatically reflected on fwext02 (via cloning group features), I realize that the password is not being replicated at all:</P><P><EM>add user adm_mickeymouse uid 0 homedir /home/adm_mickeymouse</EM><BR /><EM>add rba user adm_mickeymouse roles adminRole</EM><BR /><EM>set user adm_mickeymouse gid 0 shell /bin/bash</EM><BR /><EM>set user adm_mickeymouse realname "Mickey Mouse"</EM><BR /><EM>s<STRONG>et user adm_mickeymouse password-hash *</STRONG></EM></P><P>&nbsp;</P><P>Could anyone please help us with this?&nbsp;</P><P>&nbsp;</P><P><EM><STRONG>Thanks!</STRONG></EM></P><P>&nbsp;</P> Sun, 16 Oct 2022 04:07:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159639#M27998 msa2003 2022-10-16T04:07:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159706#M28025 <P>Could you please elaborate on how you ae using cloning to replicate config on the second FW?</P> Mon, 17 Oct 2022 10:10:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159706#M28025 _Val_ 2022-10-17T10:10:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159723#M28040 <P>Hello _Val_</P><P>Since I am startig the comands execution with '<EM>set cloning-group-management on</EM>', it was supposed that all the comands would be automatically replicated to the second FW, correct?</P><P>This expected replication is ocurring normally for all the commands inside 'comandos.txt' file. The only exception refers to the <EM>"set user adm_mickeymouse password-hash $6$PSTU$EvYh..."</EM> command. I mean, the hash config is not being replicated.</P><P>I realized that this is also happening even when I execute these commands (via clish) interactively.</P><P>But... When I create this user via Gaia GUI in FW1, the password is automatically and correctly replicated on FW2.</P><P>Thanks!</P><P>&nbsp;</P> Mon, 17 Oct 2022 13:24:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159723#M28040 msa2003 2022-10-17T13:24:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159747#M28050 <P>Oh I see. Is it for all users, or for this specific hash only?&nbsp;<BR /><BR />If the latter, I would assume the hash is treated as a variable, since it starts with $. Otherwise, looks like a but to me. If it is a global issue, please raise a TAC case for it.</P> Mon, 17 Oct 2022 15:39:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159747#M28050 _Val_ 2022-10-17T15:39:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159750#M28052 <P>This is happening for any user I try to create. And it seems that is happening for any hash.</P><P>I tried to use MD5 ($1$) hash and the behavior was the same.</P><P>I also tried to use single and double quotes around the hash (to try to avoid the 'hash being treated as variable'). But the behavior is the same.</P><P>I´ll contact TAC staff.</P><P>Thanks anyway!</P> Mon, 17 Oct 2022 17:30:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159750#M28052 msa2003 2022-10-17T17:30:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159779#M28067 <P>Understood. Please let us know what TAC finds out, when it is resolved. Meanwhile, you can use the same scripts on both members to define users, without cloning groups feature</P> Tue, 18 Oct 2022 07:47:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159779#M28067 _Val_ 2022-10-18T07:47:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159836#M28108 <P>Yes, it would be possible to run the scripts separately. But in order to do that I would have to remove "Users and Roles" from the Cloning Group Shared Features list.&nbsp;Otherwise, the system will not allow me to add the user. It warns me with the following message: "<EM>CLINFR0699 This command belongs to a cloning group synchronized feature and therefore cannot be executed in normal mode</EM>."</P><P>Yes, I will let you know what TAC finds out!</P><P>&nbsp;</P><P>Thank you very much for your attention and help!</P> Tue, 18 Oct 2022 12:45:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/159836#M28108 msa2003 2022-10-18T12:45:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/166477#M29960 <P>It was a bug and people from R&amp;D developed a fix. Thanks.</P> Mon, 02 Jan 2023 13:48:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-User-Gaia-via-script-in-a-cloning-group-enabled-cluster/m-p/166477#M29960 msa2003 2023-01-02T13:48:10Z