This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SaffaRamma
Participant
‎2022-06-10 08:21 AM
Jump to solution

Creating users via script/using CPDIR on SMB Devices

I know it is possible to execute commands from a management server (SMS) to a centrally managed SMB via CPDIR. For example, the below command works a treat (PS - 10.20.30.40 is not an actual IP I'm using):

$CPDIR/bin/cprid_util -server 10.20.30.40 -verbose rexec -rcmd /bin/clish -c "show configuration"

 

What does seem to be an issue however is the ability to add local administrators this way (I have tried multiple iterations of the below)?

$CPDIR/bin/cprid_util -server 10.20.30.40 -verbose rexec -rcmd /bin/clish -c "add user newadmin type admin password this_is_my_real_password permission RW"
Unexpected error: attempt to index global 'cgilua' (a nil value)

$CPDIR/bin/cprid_util -server 10.20.30.40 -verbose rexec -rcmd /bin/clish -c "add administrator username newadmin password-hash $1$UHVNJb2O$1UXMqCZm9767DZNtoIqYv. permission read-write"
Could not set administrator password-hash: Not valid password hash
Could not set administrator password-hash: Not valid password hash

$CPDIR/bin/cprid_util -server 10.20.30.40 -verbose rexec -rcmd /bin/clish -c "add administrator username newadmin password-hash '$1$UHVNJb2O$1UXMqCZm9767DZNtoIqYv.' permission read-write"
Could not set administrator password-hash: Not valid password hash
Could not set administrator password-hash: Not valid password hash

The above commands within the quotation marks work fine locally on the SMB device, but running the CPRID commands from the SMS fail with the errors in bold above.

0 Kudos
1 Solution

Accepted Solutions
nmelay2
Collaborator
‎2025-09-01 08:17 PM
Jump to solution

Well, it seems like some Lua code in clish is trying to access the USER environment variable while it's not been set by CPRID, hence the nil value error.

You need to set it first:

cprid_util -server <ip> -verbose putenv -attr USER -val admin
cprid_util -server <ip> -verbose rexec -rcmd clish -c 'set administrator username <adminuser> password-hash "<hash>" permission read-write'


The putenv command should remain in effect until the gateway is rebooted.

View solution in original post

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2022-06-10 08:40 AM
Jump to solution

Yes, it should be supported.
That said, the canonical path to clish on SMB appliances is /pfrm2.0/bin/clish
If that still doesn't work, recommend a TAC case.

0 Kudos
SaffaRamma
Participant
‎2022-06-10 08:54 AM
In response to PhoneBoy
Jump to solution

Thanks for the quick response! Tried the change in canonical path ($CPDIR/bin/cprid_util -server 10.20.30.40 -verbose rexec -rcmd /pfrm2.0/bin/clish -c "add user testuser type admin password testuser123password permission R") and still no dice! I'll get a ticket raised with TAC.

0 Kudos
Bärbel
Participant
‎2023-03-08 01:45 PM
In response to SaffaRamma
Jump to solution

Was this solved by TAC? I'm also getting "Unexpected error: attempt to index global 'cgilua' (a nil value)" when trying to do something like this:

 

cprid_util -server 1.2.3.4 -verbose rexec -rcmd clish -c "set administrator session-settings inactivity-timeout 15"
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-03-09 01:01 AM
In response to Bärbel
Jump to solution

Seems that some commands will not work, as found in sk106490: How to remotely reset Admin / Expert password on a Security Gateway:

This procedure is NOT supported for Gaia Embedded appliances. If you attempt to run this command on a Gaia Embedded appliance, you will receive the following error: "Unexpected error: attempt to index global 'cgilua' (a nil value)"

There is also a procedure using different syntax to achieve the same on SMBs:

sk106025 - How to reset the Expert mode password on a Quantum Spark Appliance with Gaia Embedded OS

You could try to use a script on SMB, first lines:

#!/bin/bash -f
source /fwtmp/opt/fw1/tmp/.CPprofile.s

 and call it with the needed parameter values using cprid_util command.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2023-07-17 04:55 AM
In response to G_W_Albrecht
Jump to solution

Nice try. But then you get a lua error. so that doesn't work either.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
nmelay2
Collaborator
‎2025-09-01 08:17 PM
Jump to solution

Well, it seems like some Lua code in clish is trying to access the USER environment variable while it's not been set by CPRID, hence the nil value error.

You need to set it first:

cprid_util -server <ip> -verbose putenv -attr USER -val admin
cprid_util -server <ip> -verbose rexec -rcmd clish -c 'set administrator username <adminuser> password-hash "<hash>" permission read-write'


The putenv command should remain in effect until the gateway is rebooted.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events