Maik
Advisor

"cpconfig" => "Administrator" does not show the options to list all admins

Hello guys,

I have the following issue...

When I execute the cpconfig command on a R80.20 log server (dedicated log server with SmartEvent + Correlation Unit blades enabled - if that information is required) I simply do not see any way to list and possibly delete SmartConsole admins. The second option of the cpconfig command, "Administrator" just shows the following text: "Do you want to add an administrator (y/n) [y] ?"

We have a few admins that are configured via a Radius server on the CP mgmt server and linked via the DB install to the log server. However, for testing purposes I needed to create a GUI admin for the log server which is just present there - exactly this one needs to get deleted now as it is not needed anymore. As the cpconfig command does not give me the possibility to change or even view all configured GUI admins, I'm not sure how to proceed further.

The Manage & Settings > Permissions & Administrators > Administrators tab within the SmartConsole of the management server seems to not show admins that were configured via cpconfig from the log server's perspective.

Is there any way to manually delete a GUI user which is just present on the log server or in general?

Thanks and best regards,

Maik

PS: I already tried to resync the management database with the hope that the logging db would get overwritten and therefore removed the "temp admin". Unfortunately this did not work. I'm still able to log in with this temp user.

0 Kudos
14 Replies
Tal_Paz-Fridman
Employee

Hi Maik

Managing administrators using cpconfig was mostly relevant for very old versions. Currently it only stores the first administrator created or older administrators carried from previous upgrades.

 

The current way to manage them today (aside from SmartConsole) is using Management API commands like:

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-administrator~v1.5%20

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-administrator~v1.5%20


 

HTH

Tal

0 Kudos
Maik
Advisor

@Tal_Paz-Fridman thanks for the quick response! Seems like all mgmt api commands related to show/add/delete administrator/s are related to MDM setups.

"This command is available only after logging in to the System Data domain."

show administrators

code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

How can I execute it with a standard SMS/log server without any subdomains?

 

@G_W_Albrecht Also thank you for the reply. The web GUI just lists the standard admin and monitor users - but aren't these also only related to GAiA access and not for the SmartConsole application?

 
0 Kudos
Tal_Paz-Fridman
Employee

The command is available for Security Management Server and Multi-Domain:

[Screenshots: "add administrator - examples.JPG", "add administrator.JPG"]

Using the above example I can run:

mgmt_cli -u <current admin> -p <password> add administrator name "<new admin>" password "<password>" must-change-password false authentication-method "INTERNAL_PASSWORD" permissions-profile "super user" --domain "System Data";

 

Maik
Advisor

--domain "System Data" did the trick, thanks again!

Unfortunately I think that I ran into a bug...

I was able to delete the related user:

 

[Expert@HOSTNAME]# mgmt_cli delete administrator name 'adminTEMP' --domain 'System Data'
Username: [OTHER_ADMIN_USERNAME]
Password:


---------------------------------------------
Time: [10:56:42] 26/6/2019
---------------------------------------------
"Publish operation" succeeded (100%)


Unfortunately I still see the deleted user when I execute the "show administrators" command:

 

[Expert@fHOSTNAME]# mgmt_cli show administrators --domain 'System Data'
Username: [OTHER_ADMIN_USERNAME]
Password:
objects:
[...]
- uid: "eb3f8bce-521a-41f8-a607-e97899eea175"
  name: "adminTEMP"
  type: "administrator"
  domain:
    uid: "a0eebc99-afed-4ef8-bb6d-fedfedfedfed"
    name: "System Data"
    domain-type: "mds"
[...]

Now, when I try to execute the command to delete the user once more I get the following result:

 

[Expert@HOSTNAME]# mgmt_cli delete administrator name 'adminTEMP' --domain 'System Data' --format json
Username: [OTHER_ADMIN_USERNAME]
Password:
{
"code" : "generic_server_error",
"message" : "Management server failed to execute command"
}

Are there any additional steps that need to be done? I can confirm that a login with the "deleted" user is still possible, so we don't have a visual bug.

0 Kudos
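Added example, not part of any post in this thread: a small Python check that treats the "Publish operation succeeded" message as insufficient and instead confirms removal from the `show administrators --format json` output, while recognising the error object shape quoted above. The sample replies are constructed from the fields shown in the thread; the function names and the second admin entry are assumptions.

```python
import json

# Constructed samples, shaped like the `--format json` replies quoted in this thread.
SHOW_AFTER_DELETE = """{
  "objects": [
    {"uid": "00000000-0000-0000-0000-000000000001", "name": "admin",
     "type": "administrator",
     "domain": {"name": "System Data", "domain-type": "mds"}},
    {"uid": "eb3f8bce-521a-41f8-a607-e97899eea175", "name": "adminTEMP",
     "type": "administrator",
     "domain": {"name": "System Data", "domain-type": "mds"}}
  ]
}"""
DELETE_RETRY = ('{"code": "generic_server_error", '
                '"message": "Management server failed to execute command"}')


class ApiError(Exception):
    """The reply was an error object (code/message) rather than a result."""


def parse_reply(text):
    """Decode a JSON reply; raise ApiError for the code/message error shape."""
    reply = json.loads(text)
    if isinstance(reply, dict) and {"code", "message"} <= reply.keys() \
            and "objects" not in reply:
        raise ApiError(f'{reply["code"]}: {reply["message"]}')
    return reply


def admin_names(show_text):
    """Names of all administrator objects in a `show administrators` reply."""
    reply = parse_reply(show_text)
    return {o["name"] for o in reply.get("objects", [])
            if o.get("type") == "administrator"}


def still_present(show_text, removed):
    """Accounts that were supposed to be deleted but are still listed."""
    return sorted(set(removed) & admin_names(show_text))


if __name__ == "__main__":
    leftovers = still_present(SHOW_AFTER_DELETE, ["adminTEMP"])
    print("still listed after delete:", leftovers or "none")
    try:
        parse_reply(DELETE_RETRY)
    except ApiError as err:
        print("delete retry failed:", err)
```

A non-empty result means the account should still be treated as active, which matches the observation above that a login with the "deleted" user still worked.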
Tal_Paz-Fridman
Employee

Hi Maik

Management API is also a Session (you can see in the SmartConsole Session view).

This means you need to run Publish from Management API (or even SmartConsole).

Tal

0 Kudos
Maik
Advisor

Hi Tal,

 

The publish has been done directly after the user was deleted, as mentioned above:

 

[Expert@HOSTNAME]# mgmt_cli delete administrator name 'adminTEMP' --domain 'System Data'
Username: [OTHER_ADMIN_USERNAME]
Password:


---------------------------------------------
Time: [10:56:42] 26/6/2019
---------------------------------------------
"Publish operation" succeeded (100%)

 

Edit: I also tried to resync the management database to the log server - still no luck.

Now the user is shown via "show administrators" but can't be deleted via "delete administrator name xyz".

A login via the SmartConsole with this user is still possible.

 

If someone has the chance to test this behaviour in a lab I'd appreciate it.

0 Kudos
Tal_Paz-Fridman
Employee

Just tried on two of my systems - R80.20 and one in development - and it was successful, including the deletion.

Can you paste the exact command you used to define adminTEMP?

 

Thanks

Tal

0 Kudos
Maik
Advisor

This user has been created with cpconfig and not via the API 😉

Maybe that's the issue? As already mentioned, cpconfig does not list this user nor does it allow me to delete it.

0 Kudos
Tal_Paz-Fridman
Employee

Probably. Try the flow when the administrator is created by Management API.

Tal

Maik
Advisor

I believe that you are correct, however that does not help me as I need to get rid of the user which was created by cpconfig 😄 The database position for GUI admins, regardless from which point they were created, is the same, correct? If not maybe a db edit could do the trick.
0 Kudos
Maik
Advisor

I'll open a TAC case - still thank you very much for pointing me in the right direction 😉

0 Kudos
Wolfgang
Authority

Hello Maik,

Is your logserver a newer one than your SMS? Meaning your LOGserver is running R80.20 and SMS is R77.30 or R80...

If this is your case you have to connect with SmartConsole to your logserver to see the defined administrators.

Wolfgang

Maik
Advisor

Hello Wolfgang,

Thanks for your reply. Both the management server and log server run R80.20 with the latest GA jumbo hotfix (take 47).

0 Kudos
G_W_Albrecht
Legend

In R80.30 - GuiDBedit, Table > Users > users shows all defined local users (cpconfig defined or VPN users) and lets you delete them...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
