Data Domain: DD Boost user shows locked status
Summary: This article describes an issue when a ddboost user shows a locked status on the UI. Leading to backup failure and backup application complaining that there is no communication with storage server Data Domain. ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
How to Verify
The only way to detect that the password has expired or within 7 days of expiry is to SSH to the DD system using the ddboost user from backup application.
As such, it is hard to verify that the password age is close to being expired or expired.
Example
ssh ddboost@"testdd.emc.com" Data Domain OS You are required to change your password immediately (password aged) Last login: Thu Apr 21 13:41:18 PDT 2016 from testavamar.emc.com on ssh WARNING: Your password has expired. You must change your password now and login again! Changing password for ddboost. (current) UNIX password:
Issues Seen
- The ddboost user has a status of "locked" on web UI System Manager.
- Backup Applications such as Avamar, NetWorker, and NetBackup encounter backup failures to DD
- Backup Application complains as having no communication with storage server Data Domain
- You can see this status in the "DD Boost" or "Access -> Local Users" tab on the left menu
Cause
Root Cause
The root cause of ddboost user becoming locked is because the Password has expired.
Reason
- Run the command
# user password aging show
- You will most likely see the "Maximum Days Between Change" is set to 90
- Also on the web UI, you can see this under "Access -> Local Users (shown in red in figure above)
- This is because after DDOS upgrades to 5.6 or above, the Maximum Days Between Change is set to a default of 90 days
- Even if you change the password aging to higher than 90 days, on subsequent upgrades (for example, from 6.0 to 6.1), it is set back to default of 90 days again
Resolution
Temporary
When a ddboost user gets locked:
-
Log in to the Data Domain system as sysadmin user (or any other user with admin roles)
-
Enable the ddboost user
# user enable <ddboost-user>
-
Verify that the ddboost user is now enabled.
# user show list
After you perform above action, you should have access again and no further issues for another 90 days.
Resolution
-
Set a reminder on your side to change your ddboost password within every 90 days if you want to keep the 90-day default value.
(Remember, the only way you get a warning to change from DD is if you SSH to the system using ddboost user within 7 days of password expiry)This may not be practical so a better solution is to;
-
Modify the "max-days-between-change" value of 90 to a higher value on your DD system;
# user password aging set <affected ddboost user name> max-days-between-change 99999 Example # user password aging set ddboost_user_1 max-days-between-change 99999
# user password aging show
The value provided above means that you are not required to change the ddboost password ever (273 years to be exact!).
However you can modify to any length of time you prefer.
Important Note: Remember to check and set this again after future DDOS upgrades.
Additional Information
If you still cannot access or backup to DD using ddboost user after the actions above you may encounter a timeout due to multiple attempts by backup application to access the DD, and therefore the ddboost account would remain locked for some time (dependent on how many failed login attempts). It may be necessary to stop the backup application services that communicate with the DD to ensure that the timeout is not reset continuously.
Engage Dell support and open a ticket with Data Domain Support if you are still having issues after performing the actions outlined in this article.
Additional Information
This content is translated in other languages:
- https://downloads.dell.com/TranslatedPDF/ES_KB520213.pdf
- https://downloads.dell.com/TranslatedPDF/DE_KB520213.pdf
- https://downloads.dell.com/TranslatedPDF/FR_KB520213.pdf
- https://downloads.dell.com/TranslatedPDF/IT_KB520213.pdf
- https://downloads.dell.com/TranslatedPDF/JA_KB520213.pdf
- https://downloads.dell.com/TranslatedPDF/KO_KB520213.pdf
User Hardening Details
| Description | Hardening recommendation |
|---|---|
| Change the default password. | Log in as sysadmin and run # user change password |
| Configure frequent password rotation according to the company's password policy. | Follow the company password policy to set the default password aging policy.# user password aging option set |
| Configure a strong password policy. | Set a user password strength policy:# user password strength setPassword recommendations:
|
| Various password aging requirements | DD recommends the CLI user password aging option. By default the password policy is relaxed to be backward compatible. The customer can use UI or CLIs to modify the password configuration so that it is more restrictive and meets the aging requirements.
|
| Various Passwords strength requirements | DD supports a comprehensive password policy and recommends using CLI or UI to harden the password. Set or modify account password policy characteristics and complexity to whatever is wanted within the application code. See the password policy for more information about requirements.
|
Affected Products
Data DomainProducts
Data Domain, Data Domain BoostArticle Properties
Article Number: 000057030
Article Type: Solution
Last Modified: 25 Feb 2025
Version: 5
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.