User password cannot be changed successfully

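A user on the device has a problem where a password change does not take effect and the old password no longer works either. Deleting the user and adding it again reports success, but login with the newly set password still fails.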

~ ~ # ipmcset -d adduser -v Administrator
Input your password:
Password:
Confirm password:
Add user successfully.

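Changing the password again from the command line reports success, but login still fails. I have confirmed that the new password does not duplicate any historical password.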

~ ~ # ipmcset -d password -v Administrator
You need to log in again after modifying your attributes.
 Input your password:
Password:
Confirm password:
Set user password successfully.
~ ~ #

Errors in the account log

2026-04-22 18:38:04.483401 account DEBUG: account_linux.lua(258): file key root duplicated!
2026-04-22 18:38:04.484259 account DEBUG: account_linux.lua(446): add root to user group root: linux user exist
2026-04-22 18:38:04.485176 account DEBUG: account_linux.lua(258): file key sshd duplicated!
2026-04-22 18:38:04.486018 account DEBUG: account_linux.lua(446): add sshd to user group sshd: linux user exist
2026-04-22 18:38:04.486923 account DEBUG: account_linux.lua(258): file key apache duplicated!
2026-04-22 18:38:04.487531 account DEBUG: account_linux.lua(446): add apache to user group apache: linux user exist
2026-04-22 18:38:04.488755 account DEBUG: account_linux.lua(446): add apache to user group apps: linux user exist
2026-04-22 18:38:04.490032 account DEBUG: account_linux.lua(258): file key snmpd_user duplicated!
2026-04-22 18:38:04.491532 account DEBUG: account_linux.lua(446): add snmpd_user to user group snmpd_user: linux user exist
2026-04-22 18:38:04.492197 account DEBUG: account_linux.lua(446): add snmpd_user to user group apps: linux user exist
2026-04-22 18:38:04.493647 account DEBUG: account_linux.lua(258): file key ipmi_user duplicated!
2026-04-22 18:38:04.495188 account DEBUG: account_linux.lua(446): add ipmi_user to user group ipmi_user: linux user exist
2026-04-22 18:38:04.496589 account DEBUG: account_linux.lua(446): add ipmi_user to user group apps: linux user exist
2026-04-22 18:38:04.498210 account DEBUG: account_linux.lua(258): file key kvm_user duplicated!
2026-04-22 18:38:04.498558 account DEBUG: account_linux.lua(446): add kvm_user to user group kvm_user: linux user exist
2026-04-22 18:38:04.500132 account DEBUG: account_linux.lua(446): add kvm_user to user group apps: linux user exist
2026-04-22 18:38:04.501088 account DEBUG: account_linux.lua(446): add kvm_user to user group operator: linux user exist
2026-04-22 18:38:04.501410 account DEBUG: account_linux.lua(446): add kvm_user to user group user: linux user exist
2026-04-22 18:38:04.501984 account DEBUG: account_linux.lua(446): add kvm_user to user group no_access: linux user exist
2026-04-22 18:38:04.502829 account DEBUG: account_linux.lua(258): file key discovery_user duplicated!
2026-04-22 18:38:04.503425 account DEBUG: account_linux.lua(446): add discovery_user to user group discovery_user: linux user exist
2026-04-22 18:38:04.503733 account DEBUG: account_linux.lua(446): add discovery_user to user group apps: linux user exist
2026-04-22 18:38:04.504293 account DEBUG: account_linux.lua(258): file key comm_user duplicated!
2026-04-22 18:38:04.504895 account DEBUG: account_linux.lua(446): add comm_user to user group comm_user: linux user exist
2026-04-22 18:38:04.505489 account DEBUG: account_linux.lua(446): add comm_user to user group apps: linux user exist
2026-04-22 18:38:04.506065 account DEBUG: account_linux.lua(258): file key redfish_user duplicated!
2026-04-22 18:38:04.506385 account DEBUG: account_linux.lua(446): add redfish_user to user group redfish_user: linux user exist
2026-04-22 18:38:04.507078 account DEBUG: account_linux.lua(446): add redfish_user to user group apps: linux user exist
2026-04-22 18:38:04.507979 account DEBUG: account_linux.lua(446): add redfish_user to user group operator: linux user exist
2026-04-22 18:38:04.508746 account DEBUG: account_linux.lua(446): add redfish_user to user group user: linux user exist
2026-04-22 18:38:04.509444 account DEBUG: account_linux.lua(446): add redfish_user to user group no_access: linux user exist
2026-04-22 18:38:04.510029 account DEBUG: account_linux.lua(258): file key secbox duplicated!
2026-04-22 18:38:04.510771 account DEBUG: account_linux.lua(446): add secbox to user group secbox: linux user exist
2026-04-22 18:38:04.511107 account DEBUG: account_linux.lua(446): add secbox to user group apps: linux user exist
2026-04-22 18:38:04.513032 account DEBUG: account_linux.lua(487): remove Administrator from user group no_access
2026-04-22 18:38:04.514885 account DEBUG: account_linux.lua(262): file key data Administrator is no change!
2026-04-22 18:38:04.532750 account DEBUG: account_linux.lua(487): remove test1 from user group user
2026-04-22 18:38:04.534112 account DEBUG: account_linux.lua(262): file key data test1 is no change!
2026-04-22 18:38:04.535169 account DEBUG: account_linux.lua(262): file key data test1 is no change!
2026-04-22 18:38:04.551177 account DEBUG: account_linux.lua(487): remove <root> from user group admin
2026-04-22 18:38:04.553585 account DEBUG: account_linux.lua(262): file key data <root> is no change!
2026-04-22 18:38:04.554122 account DEBUG: account_linux.lua(262): file key data <root> is no change!
2026-04-22 18:38:11.446842 account INFO: persist_client_lib.lua(173): persist saving, op: update, table: t_manager_account, primary_key: [["Id",2]], data_size: 606
2026-04-22 18:38:11.451720 account ERROR: hook.lua(79): database process commit list failed: ./opt/bmc/libmc/lualib/mc/context.lua:203: ./opt/bmc/libmc/lualib/mc/signal.lua:310: ./opt/bmc/libmc/lualib/mc/orm/object.lua:370: construct object failed: key conflict, HistoryPassword
2026-04-22 18:38:11.455842 account INFO: persist_client_lib.lua(173): persist saving, op: update, table: t_history_password, primary_key: [["AccountId",2],["SequenceNumber",3]], data_size: 103
2026-04-22 18:38:11.460996 account ERROR: hook.lua(79): database process commit list failed: ./opt/bmc/libmc/lualib/mc/context.lua:203: ./opt/bmc/libmc/lualib/mc/signal.lua:310: ./opt/bmc/libmc/lualib/mc/orm/object.lua:370: construct object failed: key conflict, HistoryPassword
2026-04-22 18:38:11.489946 account INFO: persist_client_lib.lua(173): persist saving, op: update, table: t_history_password, primary_key: [["AccountId",2],["SequenceNumber",2]], data_size: 103
2026-04-22 18:38:11.536454 account INFO: persist_client_lib.lua(173): persist saving, op: update, table: t_snmp_user_info, primary_key: [["AccountId",2]], data_size: 150
2026-04-22 18:38:11.598040 account INFO: persist_client_lib.lua(173): persist saving, op: insert, table: t_history_password, primary_key: [["AccountId",2],["SequenceNumber",1]], data_size: 495
2026-04-22 18:38:11.604265 account INFO: persist_client_lib.lua(173): persist saving, op: update, table: t_snmp_user_info, primary_key: [["AccountId",2]], data_size: 359
2026-04-22 18:38:11.614598 account DEBUG: account_linux.lua(487): remove Administrator from user group no_access
2026-04-22 18:38:11.615064 account DEBUG: account_linux.lua(262): file key data Administrator is no change!
2026-04-22 18:38:11.636103 account INFO: persist_client_lib.lua(173): persist saving, op: update, table: t_snmp_user_info, primary_key: [["AccountId",2]], data_size: 146
2026-04-22 18:38:11.639798 account INFO: persist_client_lib.lua(173): persist saving, op: update, table: t_account_backup, primary_key: [["Id",2]], data_size: 176
2026-04-22 18:38:11.646106 account INFO: persist_client_lib.lua(173): persist saving, op: update, table: t_manager_account, primary_key: [["Id",2]], data_size: 105
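
The commit failures in the account log above can be picked out mechanically. The following Python script is an added example, not part of the original post or of openUBMC: it pairs each `key conflict` error with the last `persist saving` line logged before it, using five lines copied from the log above as sample input. Pairing by log order is an assumption made for triage; the log does not state which write caused the conflict.

```python
import json
import re
from datetime import datetime

# Line layout as seen in the account log quoted in this thread.
LINE = re.compile(r"^(\S+ \S+) account (\w+): (.*)$")
PERSIST = re.compile(r"persist saving, op: (\w+), table: (\w+), primary_key: (.*), data_size: \d+")
CONFLICT = re.compile(r"commit list failed: .*key conflict, (\w+)")

# Five lines copied from the log above.
SAMPLE = """\
2026-04-22 18:38:11.446842 account INFO: persist_client_lib.lua(173): persist saving, op: update, table: t_manager_account, primary_key: [["Id",2]], data_size: 606
2026-04-22 18:38:11.451720 account ERROR: hook.lua(79): database process commit list failed: ./opt/bmc/libmc/lualib/mc/context.lua:203: ./opt/bmc/libmc/lualib/mc/signal.lua:310: ./opt/bmc/libmc/lualib/mc/orm/object.lua:370: construct object failed: key conflict, HistoryPassword
2026-04-22 18:38:11.455842 account INFO: persist_client_lib.lua(173): persist saving, op: update, table: t_history_password, primary_key: [["AccountId",2],["SequenceNumber",3]], data_size: 103
2026-04-22 18:38:11.460996 account ERROR: hook.lua(79): database process commit list failed: ./opt/bmc/libmc/lualib/mc/context.lua:203: ./opt/bmc/libmc/lualib/mc/signal.lua:310: ./opt/bmc/libmc/lualib/mc/orm/object.lua:370: construct object failed: key conflict, HistoryPassword
2026-04-22 18:38:11.598040 account INFO: persist_client_lib.lua(173): persist saving, op: insert, table: t_history_password, primary_key: [["AccountId",2],["SequenceNumber",1]], data_size: 495
"""

def parse(text):
    """Yield (timestamp, level, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3)

def commit_failures(text):
    """Return one record per failed commit, with the last persist write logged before it.

    Pairing by log order is a triage heuristic (assumption); the log does not
    state which write triggered the conflict.
    """
    failures, last_write = [], None
    for ts, level, msg in parse(text):
        p = PERSIST.search(msg)
        if p:
            # primary_key is logged as JSON pairs, e.g. [["AccountId",2],["SequenceNumber",3]]
            last_write = {"op": p.group(1), "table": p.group(2),
                          "key": dict(json.loads(p.group(3)))}
            continue
        c = CONFLICT.search(msg)
        if level == "ERROR" and c:
            failures.append({"time": ts, "object": c.group(1), "previous_write": last_write})
    return failures

if __name__ == "__main__":
    for f in commit_failures(SAMPLE):
        print(f["time"].time(), "commit failed:", f["object"], "after", f["previous_write"])
```

Any record returned here means a CLI "successfully" message was followed by a failed database commit, so the account state should be checked before the new password is relied on.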

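Answer generated by AI, for reference only:

Summary

The essence of the current problem is a database write conflict caused by inconsistent user history-password data, so the password change reports success but does not actually take effect.

:red_circle: Root cause: the t_history_password table has a primary key conflict, so HistoryPassword records cannot be committed, causing the password-change transaction to fail.

:white_check_mark: Recommended resolution path

  1. First, use IPMI commands to adjust the first-login policy and bypass the forced password change;
  2. After logging in, clear the history password records or rebuild the user;
  3. After an upgrade, be sure to verify the integrity of the Account Storage migration.

If the problem persists, capture the complete framework.log and account.log and submit them to the community forum (e.g. discuss.openubmc.cn) for further diagnosis.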


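Analysis and solutions for the user password change failure

Problem description

When the user tries to change the password of the Administrator account, the system reports “Set user password successfully”, but actual login (SSH or Web) still fails. Deleting and recreating the account does not solve the problem either. The related operations and error logs show a database write conflict and abnormal history password records.


Core error log analysis

The following key error can be found in the log of the account component: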

2026-04-22 18:38:11.451720 account ERROR: hook.lua(79): database process commit list failed: 
./opt/bmc/libmc/lualib/mc/context.lua:203: 
./opt/bmc/libmc/lualib/mc/signal.lua:310: 
./opt/bmc/libmc/lualib/mc/orm/object.lua:370: construct object failed: key conflict, HistoryPassword

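This error indicates:

  • The database write failed because the HistoryPassword table has a primary key conflict.
  • When the system tried to save the new password as a history password record, the write failed because the primary key formed by AccountId and SequenceNumber already existed.
  • Although the password change operation returned “success”, the history password record could not be persisted, so the whole transaction was ultimately not fully committed.

In addition, the log shows that several Linux system users (such as sshd, apache, snmpd_user) already exist in the system, and warnings appear when they are added again: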

file key root duplicated!
add sshd to user group sshd: linux user exist

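This indicates that the account synchronization mechanism may have a problem, but it does not yet affect the core authentication flow.


Root cause

Combining the knowledge base information with the log analysis, the root causes of the problem are as follows:

1. The history password table (t_history_password) data is inconsistent or corrupted

  • The HistoryPassword table contains duplicate or invalid primary key records (AccountId=2 corresponds to Administrator).
  • Each time the password is changed, the system must store the old password in the history records and generate a new sequence number for the new password. If sequence number management is abnormal (e.g. rollback, duplicate numbering), a primary key conflict results.
  • The log shows repeated update (op: update) and insert (op: insert) operations on the same SequenceNumber, indicating a confused data state.

2. User Data Inconsistency

  • According to the knowledge graph information, the Administrator User account was previously reported to have “incomplete or corrupted data”.
  • The password change operation depends on complete user metadata (such as UserProperties, UserPassword, History Password Check configuration); once these attributes are inconsistent, authentication fails or the change does not take effect.

3. Account storage migration problem caused by the V2 to V3 upgrade

  • Account Storage changed during the V2 to V3 upgrade, which may have caused the Administrator user's credentials not to be migrated correctly.
  • In a similar case (Document Chunk “4”), SSH login failed after the upgrade, and the root cause was that a change in the user data area caused the password to be lost.

Solutions

:white_check_mark: Option 1: Clean up and rebuild the history password records (recommended)

Steps:

  1. Enter the out-of-band management channel (IPMI or serial port)

    • Use ipmitool or another in-band tool to connect to the device, and make sure you have permission to perform low-level operations.
  2. Check the current user status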

    ipmitool user list 1
    

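    Confirm that Administrator (ID=2) exists and its status is normal.

  3. Clear the corrupted history password records

    • If the database is accessible (such as SQLite or persistent storage), manually clear all records for AccountId=2 in /data/persist/t_history_password.
    • Or call an internal API to force a reset of the history password sequence:
      # Assumes a debug command is supported (depends on the specific system)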
      debug_cli --module account --action reset_history_password --userid 2
      
  4. Set the password again

    ipmitool user set password 2
    

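    Enter the new password twice and make sure it is set successfully.


:white_check_mark: Option 2: Reset the user policy through in-band IPMI commands (for the case of being stuck at first login)

According to a successful case in the knowledge base (Topic ID 3565), the user login policy can be modified with raw IPMI commands to bypass the forced password change logic:

Steps:

  1. Set an escape user (Escape Account)

    ipmitool raw 0x30 0x93 0xdb 0x07 0x00 0x77 0x05 0x00 0x00 0x01 <user ID>
    
  2. Change the first-login policy to “prompt to change” instead of “force change”

    ipmitool raw 0x30 0x93 0xdb 0x07 0x00 0x77 0x02 <user ID> 0x00 0x01 0x00
    

    This allows the user to log in first and then change the password in a secure environment.

  3. After logging in, change the password with the passwd command

    passwd Administrator
    

    Enter the old password → new password → confirm password.


:white_check_mark: Option 3: Rebuild the account and verify storage integrity

Steps:

  1. Delete the original Administrator account (if it is not the only administrator)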

    ipmcset -d deluser -v Administrator
    
  2. Create a new administrator account

    ipmcset -d adduser -v admin_new
    ipmitool user set password <new_id>
    ipmitool channel setaccess 1 <new_id> ipmi=on link=on privilege=4
    
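  3. Test whether login works

    • If the new account can log in via SSH/Web successfully, this proves the original account data is corrupted.
  4. Rename the new account to Administrator (if supported)

    • Or promote it to primary administrator and retire the old account.

Preventive measures and recommendations

Measure | Description
Back up the account database regularly | Back up the /data/persist/t_manager_account and t_history_password tables to prevent data loss during an upgrade or reset.
Avoid frequent password-change testing | High-frequency changes easily disorder the history password sequence; disabling the history password check during testing is recommended.
Use the Get Local User Password Complexity Check Enable method to monitor the policy | Query whether the password complexity setting affects the success rate of changes.
Check the Account component service status | Use mdbctl/busctl to confirm that the bmc.kepler.account service is running normally, to prevent write failures caused by a service fault.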


Can restoring factory settings fix it?