This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Christos_B
Participant
‎2020-07-15 10:50 AM

R80.40 unlock database

Jump to solution

hello all

i have a small virtual R80.40 lab and i was trying to understand the Lock/Unlock feature

When i use the command lock database override i am able to transfer the lock from one admin to another admin between 2 ssh sessions.

According to https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Gaia_AdminGuide/Content/Topi... 

same thing should be achieved with unlock database but it is not working for me. instead i see the message

"CLICMD0201 Config-lock is not owned by this clish session" when i run this command from the admin without the Lock. if i run it on the admin with Lock it is executed but still the Lock remains to the this same admin

What am i missing?

Reply
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-07-17 01:37 PM

Jump to solution

Sounds like a bug and it's worth a TAC case.
One other thing I noticed: if you give both users the same UID (e.g. 0), then it "appears" to work correctly.
If they have different UIDs, then the behavior is as you describe.
Meanwhile "lock database override" should work as expected. 
@Tal_Martsiano 

View solution in original post

Reply
6 Replies
PhoneBoy
Admin
Admin
‎2020-07-17 01:37 PM

Jump to solution

Sounds like a bug and it's worth a TAC case.
One other thing I noticed: if you give both users the same UID (e.g. 0), then it "appears" to work correctly.
If they have different UIDs, then the behavior is as you describe.
Meanwhile "lock database override" should work as expected. 
@Tal_Martsiano 

View solution in original post

Reply
Christos_B
Participant
‎2020-07-18 06:44 AM
In response to PhoneBoy

Jump to solution

first of all thank you very much for the help

now since you mentioned the uid i tried to revalidate these findings as first time i did not bother to change anything else than just the creation of a second admin.

so with different uids as i said to me it looks that only the lock database override works.

now i deleted the second admin and recreated it with uid=0 (in the show configuration output is with this line "add user chris uid 0 homedir /home/chris") and it looks to me that none of those two commands work now running from this second admin

fw1> show config-lock
Configuration locked by admin from 192.168.1.120, facility command line, 291 seconds to expiration
fw1> lock database override
fw1> show config-lock
Configuration locked by admin (300 seconds to expiration)
fw1> unlock database
fw1> show config-lock
Configuration locked by admin (300 seconds to expiration)

Reply
PhoneBoy
Admin
Admin
‎2020-07-18 08:30 AM
In response to Christos_B

Jump to solution

Believe it still works, I think it just displays the wrong name in this case.

0 Kudos
Reply
Christos_B
Participant
‎2020-07-19 04:25 AM
In response to PhoneBoy

Jump to solution

yeah you are right. i saw the name and i did not try to make a change on the cli. I see it works or at least as you said it appears to be working when uid = 0

Is this normal practice to make the uid=0 for different admin user? Is it something that we should keep in mind?

 

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2020-07-19 10:33 AM
In response to Christos_B

Jump to solution

It depends.
There are certain functions (particularly in expert mode) that require admin users to be uid 0.
If you're sticking to clish, I don't believe it is strictly required.

0 Kudos
Reply
Christos_B
Participant
‎2020-07-20 06:21 AM
In response to PhoneBoy

Jump to solution

ok thank you very much for all the assistane

i believe the original question has been answered. I guess if you opened TAC case that CP will fix it

regards

Chris

0 Kudos
Reply