VMware Cloud Community
premio739
Contributor

VCSA User account has expired

Hello everyone,

I have an issue: my root account has expired. I tried to change the password but it had no effect. I can log in via SSH and console, but I cannot patch or upgrade my VCSA. Are there any suggestions?

I've tried:

- pam_tally2 -r -u root

- passwd root

- I've set the password to "never expire" in /etc/shadow

But none of this had any effect.

VCSA version: vCenter Server 6.5 0a Express Patch 1 | 2017-02-02 | 4944578

12 Replies

Alex_Romeo
Leadership

Hi,

perform the procedures described in these links:

VMware Knowledge Base

https://www.kieri.com/how-to-fix-or-change-vcenter-root-password-expired-6-5-and-6-7/

ARomeo

Blog: https://www.aleadmin.it/

premio739
Contributor

I've done this, and afterwards I still have the same issue.

chage -l root

Your account has expired; please contact your system administrator

chage: PAM: User account has expired

It seems that there is some kind of cache where it is stored. I have no ideas.

diegodco31
Leadership

You could check this article:

VMware Knowledge Base

Diego Oliveira
LinkedIn: http://www.linkedin.com/in/dcodiego

premio739
Contributor

As I said, I've already checked and followed the VMware Knowledge Base article step by step, and nothing has changed. It seems something is wrong with PAM.

Alex_Romeo
Leadership

Hi,

look at the solution proposed in this article, it seems interesting:

vcenter appliance root login denied

ARomeo

Blog: https://www.aleadmin.it/

berndweyand
Expert

I wonder that you can log in via SSH and console if the account is expired.

Can you log in to the VAMI?

How do you want to patch? VAMI or CLI?

What errors do you get when trying to patch?

techuser579
Contributor

Having the same issue. Did you find a resolution?

dgerol3
Contributor

Having the same issue - VCSA 7.0u1d

Authenticated to ssh using administrator@vsphere.local following https://kb.vmware.com/s/article/75174

chage -l root
Your account has expired; please contact your system administrator
chage: PAM: User account has expired

chage -I -1 -m 0 -M 99999 -E -1 root
Your account has expired; please contact your system administrator
chage: PAM: User account has expired

pam_tally2 --user=root
Login Failures Latest failure From
root 0

passwd -S root
root P 05/04/2021 999 999 7 -1

Changed the password in SSH - issue remains.

Broke into GRUB using https://kb.vmware.com/s/article/2147144 and changed the password - issue remains.

Trying to log into VAMI gives the error "Could not fetch the user details."

This is not an issue with the root password or changing the root password etc. - please do not suggest ways in which the password or expiry date can be changed. This has all been done multiple times.

It looks to be an issue with PAM whereby even after successfully changing the root password, the root account is still listed as expired.

flopezconde5
Contributor

Did anyone find a solution?

I'm experiencing the same issue.

I can't upgrade VCSA 6.5 to 6.7 because of this issue.

comahony
VMware Employee

Try the following:

These are the nine fields in the /etc/shadow file.

Username: User login name; it must be a valid account name, which exists on the system.
Encrypted Password: Encrypted Password hash, which contains three parts like hash_algorithm, hash_salt, and hash_data.
Date of last password change: The date of the last password change, expressed as the number of days since Jan 1, 1970.
Minimum password age: The minimum password age is the number of days the user will have to wait before she will be allowed to change her password again.
Maximum password age: The maximum password age is the number of days after which the user will have to change her password.
Password warning period: The number of days before a password is going to expire (see the maximum password age above) during which the user should be warned.
Password inactivity period: The number of days after a password has expired during which the password should still be accepted. After the expiration of the password and this expiration period is elapsed, no login is possible using the current user’s password.
Account expiration date: The date of expiration of the account, expressed as the number of days since Jan 1, 1970.
Reserved field: Not used or reserved for future use.

The last 7 fields can be changed using the "chage" command (https://linux.die.net/man/1/chage).

Something like:
root@photon [ ~ ]# cat /etc/shadow | head -1
root:$6$S5wlfuIprQNjvWLt$Uu3yjxYgKhsVhAfKQKYK.WcAEkOKm1SwOahP.Lktr7GFN.fAqkDjSQeQNLnyoQPoZQjtrG8KrMIo.JT5OjuS3.:18722:0::7::0:

Last "0" indicates "Account expiration date" is set to 0

Solution:
Modify /etc/shadow to make it "-1" by leaving the 8th field empty.

Like:
root@photon [ ~ ]# cat /etc/shadow | head -1
root:$6$S5wlfuIprQNjvWLt$Uu3yjxYgKhsVhAfKQKYK.WcAEkOKm1SwOahP.Lktr7GFN.fAqkDjSQeQNLnyoQPoZQjtrG8KrMIo.JT5OjuS3.:18722:0::7:::

This sets the account expiration to never.
root@photon [ ~ ]# chage -l root
Last password change : Apr 05, 2021
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : -1
Number of days of warning before password expires : 7
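
A read-only check for the condition described in the post above, added here as an example and not part of the original post or of VMware's tooling: it reads shadow-format lines and reports what the 8th field (account expiration) means for each account. The function names and the sample lines are constructed; any numeric value at or before today, including 0, is reported as expired, which matches the PAM error shown in this thread.

```shell
#!/bin/sh
# Report the account-expiration field (8th field) of shadow-format lines.
# Usage: audit_shadow_expiry [today_as_days_since_1970] < shadow-file
# Output: one "user<TAB>status" line per account. Nothing is modified.
audit_shadow_expiry() {
    # Default "today" to the current day count since Jan 1, 1970.
    today="${1:-$(( $(date +%s) / 86400 ))}"
    awk -F: -v today="$today" '
        # A valid shadow entry has exactly nine colon-separated fields.
        NF != 9          { printf "%s\tmalformed (%d fields, expected 9)\n", $1, NF; next }
        # Empty 8th field: chage shows "Account expires : never".
        $8 == ""         { printf "%s\tnever\n", $1; next }
        $8 !~ /^[0-9]+$/ { printf "%s\tinvalid value \"%s\"\n", $1, $8; next }
        # 0 lands here too: day 0 is Jan 1, 1970, so the account is expired.
        $8 + 0 <= today  { printf "%s\texpired (day %d)\n", $1, $8; next }
                         { printf "%s\texpires in %d days\n", $1, $8 - today }
    '
}

# Constructed sample entries (placeholder hashes, not real credentials):
# "root" has the 0 described in the post, "fixed" has the emptied field,
# "svc" has a future expiration day.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTED$placeholder:18722:0::7::0:
fixed:$6$CONSTRUCTED$placeholder:18722:0::7:::
svc:!:18722:0:90:7::30000:
EOF
}

# Demo run with a fixed day count so the output is reproducible.
sample_shadow | audit_shadow_expiry 18800
```

On an appliance the same function can be fed the real file as root: `audit_shadow_expiry < /etc/shadow`.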

flopezconde5
Contributor

Thank you so much, the issue was resolved.

vCenter has been upgraded successfully.

Thank you again

BeckyDu007
Contributor

Hi @comahony, any chance you can create a public KB for this issue please?

Seems like it occurs often enough on the Photon OS's.

Thanks, Mich.
