msa2003
Contributor

Adding User (Gaia) via script in a cloning group enabled cluster

Good morning! 

 

I am trying to create a script to automate (Gaia) admin user creation in a cluster with the 'cloning group' feature enabled. This cluster is composed of two gateways (fwext01 and fwext02). We have R81.10, take 66 on them.

When I run the script on fwext01, for example, these are the commands that are executed:

clish -s -f comandos.txt

(The content of 'comandos.txt' file is:)

set cloning-group-management on
add user adm_mickeymouse uid 0 homedir /home/adm_mickeymouse
set user adm_mickeymouse realname "Mickey Mouse"
set user adm_mickeymouse password-hash $6$PSTU$EvYhx6iMbZygtZamlZ8MRH0RfeVFGRMpnyfYyeGuXE5O6qq93VB77v.0kVFOEXeRC39gxZBidj4ccOTrGE48x2
set user adm_mickeymouse force-password-change yes
add rba user adm_mickeymouse roles adminRole
set user adm_mickeymouse shell /bin/bash
save config
set cloning-group-management off

The result of the script execution on fwext01 is totally correct:

add user adm_mickeymouse uid 0 homedir /home/adm_mickeymouse
add rba user adm_mickeymouse roles adminRole
set user adm_mickeymouse gid 0 shell /bin/bash
set user adm_mickeymouse realname "Mickey Mouse"
set user adm_mickeymouse password-hash $6$PSTU$EvYhx6iMbZygtZamlZ8MRH0RfeVFGRMpnyfYyeGuXE5O6qq93VB77v.0kVFOEXeRC39gxZBidj4ccOTrGE48x2

But... When I look at the configuration that was automatically reflected on fwext02 (via cloning group features), I realize that the password is not being replicated at all:

add user adm_mickeymouse uid 0 homedir /home/adm_mickeymouse
add rba user adm_mickeymouse roles adminRole
set user adm_mickeymouse gid 0 shell /bin/bash
set user adm_mickeymouse realname "Mickey Mouse"
set user adm_mickeymouse password-hash *

 

Could anyone please help us with this? 

 

Thanks!

 

0 Kudos
1 Solution

Accepted Solutions
msa2003
Contributor

It was a bug and people from R&D developed a fix. Thanks.


0 Kudos
7 Replies
_Val_
Admin

Could you please elaborate on how you are using cloning to replicate config on the second FW?

0 Kudos
msa2003
Contributor

Hello _Val_

Since I am starting the command execution with 'set cloning-group-management on', it was supposed that all the commands would be automatically replicated to the second FW, correct?

This expected replication is occurring normally for all the commands inside the 'comandos.txt' file. The only exception is the "set user adm_mickeymouse password-hash $6$PSTU$EvYh..." command. I mean, the hash config is not being replicated.

I realized that this is also happening even when I execute these commands (via clish) interactively.

But... When I create this user via Gaia GUI in FW1, the password is automatically and correctly replicated on FW2.

Thanks!

 

0 Kudos
_Val_
Admin

Oh I see. Is it for all users, or for this specific hash only? 

If the latter, I would assume the hash is treated as a variable, since it starts with $. Otherwise, it looks like a bug to me. If it is a global issue, please raise a TAC case for it.

0 Kudos
msa2003
Contributor

This is happening for any user I try to create. And it seems that it is happening for any hash.

I tried to use MD5 ($1$) hash and the behavior was the same.

I also tried to use single and double quotes around the hash (to try to avoid the 'hash being treated as variable'). But the behavior is the same.

I'll contact TAC staff.

Thanks anyway!

0 Kudos
_Val_
Admin

Understood. Please let us know what TAC finds out, when it is resolved. Meanwhile, you can use the same scripts on both members to define users, without the cloning groups feature.

0 Kudos
msa2003
Contributor

Yes, it would be possible to run the scripts separately. But in order to do that I would have to remove "Users and Roles" from the Cloning Group Shared Features list. Otherwise, the system will not allow me to add the user. It warns me with the following message: "CLINFR0699 This command belongs to a cloning group synchronized feature and therefore cannot be executed in normal mode."

Yes, I will let you know what TAC finds out!

 

Thank you very much for your attention and help!

0 Kudos
msa2003
Contributor

It was a bug and people from R&D developed a fix. Thanks.

0 Kudos
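
A check for the symptom discussed in this thread, as an added example that is not part of any post and not Check Point tooling: it compares the 'set user ... password-hash' lines from two members' saved user configuration and reports users whose hash on the peer is '*', different, or missing. It assumes each member's user configuration lines have been saved to a text file; the file names, the user adm_donald and the hash values are constructed.

```shell
#!/bin/bash
# Added example: detect password-hash drift between two cluster members.
# $1 = reference member's user configuration (text file)
# $2 = peer member's user configuration (text file)
# Prints one line per user whose hash did not arrive intact on the peer.
hash_drift() {
    # Tag every line with its origin so awk can tell the two inputs apart,
    # even if one file is empty or both paths are identical.
    { sed 's/^/ref /' "$1"; sed 's/^/peer /' "$2"; } | awk '
        # Tagged form: <origin> set user <name> password-hash <hash>
        $2 == "set" && $3 == "user" && $5 == "password-hash" {
            if ($1 == "ref") { ref[$4] = $6 } else { peer[$4] = $6 }
        }
        END {
            for (u in ref) {
                if (!(u in peer))
                    print u ": no password-hash line on peer"
                else if (peer[u] != ref[u] && peer[u] == "*")
                    print u ": peer hash is * (not replicated)"
                else if (peer[u] != ref[u])
                    print u ": hash differs between members"
            }
        }' | sort
}

# Constructed sample input (not real hashes, adm_donald is hypothetical).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/fwext01.txt" <<'EOF'
add user adm_mickeymouse uid 0 homedir /home/adm_mickeymouse
set user adm_mickeymouse gid 0 shell /bin/bash
set user adm_mickeymouse password-hash $6$CONSTRUCTED$hashA
set user adm_donald password-hash $6$CONSTRUCTED$hashB
EOF
cat > "$tmp/fwext02.txt" <<'EOF'
add user adm_mickeymouse uid 0 homedir /home/adm_mickeymouse
set user adm_mickeymouse gid 0 shell /bin/bash
set user adm_mickeymouse password-hash *
set user adm_donald password-hash $6$CONSTRUCTED$hashB
EOF

hash_drift "$tmp/fwext01.txt" "$tmp/fwext02.txt"
```

A user whose hash is '*' on both members is not reported, since the two sides agree.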
