Cannot enable IPMI access for user without changing password #394

Open
srikarpyda opened this issue Jan 2, 2025 · 2 comments
srikarpyda commented Jan 2, 2025

Hello,
I am working with a ThinkSystem SR655 V3.

BMC Version: 4.20
UEFI Version: 5.20

I have updated the BMC password for the root user from its factory default (and password expiration is turned off).

I am able to manually enable IPMI for the root user through the BMC Web UI without having to change the password.

However, when I try to update the root user's account type to allow for IPMI access through redfish, I receive the following error. Can you help me resolve this? Given that I have already changed the default password, I do not want to further change the BMC password.


curl -k -u root:'CUSTOM_PASSWORD' -X PATCH -H "Content-Type: application/json" -d '{"AccountTypes": ["WebUI", "Redfish", "ManagerConsole", "IPMI"]}' https://10.217.157.82/redfish/v1/AccountService/Accounts/1
{"error":{"@Message.ExtendedInfo":[{"Message":"The password provided for this account must be changed before access is granted.  PATCH the Password property for this account located at the target URI '/redfish/v1/AccountService/Accounts/1' to complete this process.","MessageSeverity":"Critical","MessageId":"Base.1.14.PasswordChangeRequired","MessageArgs":["/redfish/v1/AccountService/Accounts/1"],"Resolution":"Change the password for this account using a PATCH to the Password property at the URI provided.","@odata.type":"#Message.v1_1_2.Message"}],"message":"A general error has occurred. See ExtendedInfo for more information.","code":"Base.1.14.GeneralError"}}

Thank you so much for the assistance.

Author

srikarpyda commented Jan 2, 2025

More context:


curl -k -D - --user root:'PASSWORD' -H 'Content-Type: application/json' -X GET https://10.217.157.82/redfish/v1/AccountService/Accounts/1


HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 22:42:59 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Link: </redfish/v1/schemas/ManagerAccount.v1_9_0.json>; rel="describedby"
Link: <http://redfish.dmtf.org/schemas/v1/redfish-payload-annotations.v1_2_0.json>
ETag: "87bc5c7a998525b434e"
Allow: GET
Allow: HEAD
Allow: PATCH
Allow: DELETE
OData-Version: 4.0
Content-Language: en
Cache-Control: no-store
Server: XCC Web Server
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; connect-src *; script-src 'self'; img-src 'self' data:; style-src 'self'; font-src 'self'; child-src 'self'; object-src 'none'; frame-ancestors 'none' 
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, must-revalidate, private
X-Frame-Options: DENY
Referrer-Policy: same-origin
X-Permitted-Cross-Domain-Policies: value
X-Download-Options: value

{"Password":null,"AccountTypes":["WebUI","Redfish","ManagerConsole"],"Enabled":true,"PasswordExpiration":null,"Locked":false,"HostBootstrapAccount":false,"Description":"This resource is used to represent an account for the manager for a Redfish implementation.","Oem":{"Lenovo":{"@odata.type":"#LenovoManagerAccount.v1_0_0.LenovoManagerAccount","SSHPublicKey":[null,null,null,null],"NoPasswordChangeInterval":false}},"PasswordChangeRequired":false,"@odata.etag":"\"87bc5c7a998525b434e\"","@odata.context":"/redfish/v1/$metadata#ManagerAccount.ManagerAccount","UserName":"root","Id":"1","Name":"User1","@odata.type":"#ManagerAccount.v1_9_0.ManagerAccount","@odata.id":"/redfish/v1/AccountService/Accounts/1","Keys":{"@odata.id":"/redfish/v1/AccountService/Accounts/1/Keys"},"Links":{"Role":{"@odata.id":"/redfish/v1/AccountService/Roles/Administrator"}},"AccountTypes@Redfish.AllowableValues":["WebUI","Redfish","ManagerConsole","IPMI","SNMP"],"SNMP":{"AuthenticationProtocol":"HMAC_SHA96","EncryptionKey":null,"EncryptionKeySet":false,"EncryptionProtocol":"CFB128_AES128"},"RoleId":"Administrator"}

Contributor

tanmin1 commented Jan 3, 2025

Hi srikarpyda,

I've tried with the command as below, which was set successfully as required, and it showed the right value on WebUI. The parameter '--newpassword' is a must, but you don't need to change it. Please have a try.

python3 update_bmc_user_account_type.py -i 10.245.39.83 -u USERID -p PASSW0RD=1 --username USERID --accounttype {WebUI,Redfish,ManagerConsole,IPMI,SNMP} --newpassword PASSW0RD=1
"Succeeded to update account type of BMC user USERID. url is /redfish/v1/AccountService/Accounts/1."

$ python3 update_bmc_user_account_type.py -h
usage: update_bmc_user_account_type.py [-h] [-c CONFIG] [-i IP] [-u USER] [-p PASSWD] [-s SYSID] [-a {session,basic}]
                                       [-f CAFILE] [-t TIMEOUT] [--username USERNAME] --accounttype
                                       {WebUI,Redfish,ManagerConsole,IPMI,SNMP}
                                       [{WebUI,Redfish,ManagerConsole,IPMI,SNMP} ...] [--newpassword NEWPASSWORD]
                                       [--url URL]

This tool can be used to perform system management via Redfish. BMC connect information (ip/username/password) is needed.
Set them by command line -i,-u,-p or using configuration file (default config.ini).

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Configuration file(may be overrided by parameters from command line)
  -i IP, --ip IP        BMC IP address
  -u USER, --user USER  BMC user name
  -p PASSWD, --passwd PASSWD
                        BMC user password
  -s SYSID, --sysid SYSID
                        ComputerSystem instance id(None: first instance, All: all instances)
  -a {session,basic}, --auth {session,basic}
                        Authentication mode(session or basic), the default is session
  -f CAFILE, --cafile CAFILE
                        Specify the security certificate file for SSL connections
  -t TIMEOUT, --timeout TIMEOUT
                        Specify timeout seconds value for BMC redfish accessing. If not set, default value is 30 seconds
  --username USERNAME   Input the name of BMC user to be updated.
  --accounttype {WebUI,Redfish,ManagerConsole,IPMI,SNMP} [{WebUI,Redfish,ManagerConsole,IPMI,SNMP} ...]
                        Input account type of BMC user
  --newpassword NEWPASSWORD
                        Input the password for the user specified, only needed when you specified "IPMI" or "SNMP" in
                        accounttype.
  --url URL             Input account url of BMC user to update the account type.(e.g.,
                        /redfish/v1/AccountService/Accounts/2)

Example: Change the account type for the default BMC account: "python update_bmc_user_account_type.py -i 10.10.10.10 -u
USERID -p PASSW0RD --accounttype WebUI Redfish" Change the account type for the specified user: "python
update_bmc_user_account_type.py -i 10.10.10.10 -u USERID -p PASSW0RD --username USERNAME --accounttype WebUI Redfish"
"python update_bmc_user_account_type.py -i 10.10.10.10 -u USERID -p PASSW0RD --accounttype WebUI Redfish --url
/redfish/v1/AccountService/Accounts/2" "python update_bmc_user_account_type.py -i 10.10.10.10 -u USERID -p PASSW0RD
--accounttype WebUI Redfish IPMI --newpassword NEWPASSWORD --url /redfish/v1/AccountService/Accounts/2"
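
Added example (not part of the issue thread and not Lenovo's script): a sketch of the request body the exchange above points to, assuming that `--newpassword` results in the account's `Password` property being sent in the same PATCH as `AccountTypes`, and that the unchanged current password is accepted there. The function names and the `PLACEHOLDER` password are hypothetical; the sample account and error are constructed by trimming the responses quoted in the thread.

```python
import json

ALLOWABLE_KEY = "AccountTypes@Redfish.AllowableValues"
# Per the script's --newpassword help text, these types need the password resupplied.
PASSWORD_BOUND_TYPES = {"IPMI", "SNMP"}


def build_account_types_patch(account, wanted, password=None):
    """Build the PATCH body for a ManagerAccount resource, or raise ValueError."""
    allowed = account.get(ALLOWABLE_KEY, [])
    rejected = [t for t in wanted if t not in allowed]
    if rejected:
        raise ValueError(f"not allowed by {ALLOWABLE_KEY}: {rejected}")
    body = {"AccountTypes": list(wanted)}
    bound = sorted(set(wanted) & PASSWORD_BOUND_TYPES)
    if bound:
        if not password:
            raise ValueError(f"Password must accompany account types {bound}")
        # Assumption: the unchanged current password is accepted here.
        body["Password"] = password
    return body


def message_ids(error_body):
    """Return the MessageId of every entry in a Redfish error's ExtendedInfo."""
    info = json.loads(error_body).get("error", {}).get("@Message.ExtendedInfo", [])
    return [m.get("MessageId", "") for m in info]


def password_required(error_body):
    """True when the BMC rejected the request with PasswordChangeRequired."""
    return any(i.endswith(".PasswordChangeRequired") for i in message_ids(error_body))


# Constructed samples, trimmed from the GET response and the error quoted in the thread.
SAMPLE_ACCOUNT = {
    "UserName": "root",
    "AccountTypes": ["WebUI", "Redfish", "ManagerConsole"],
    ALLOWABLE_KEY: ["WebUI", "Redfish", "ManagerConsole", "IPMI", "SNMP"],
}
SAMPLE_ERROR = json.dumps({"error": {
    "code": "Base.1.14.GeneralError",
    "@Message.ExtendedInfo": [{"MessageId": "Base.1.14.PasswordChangeRequired"}],
}})

if __name__ == "__main__":
    wanted = ["WebUI", "Redfish", "ManagerConsole", "IPMI"]
    print(password_required(SAMPLE_ERROR))
    print(json.dumps(build_account_types_patch(SAMPLE_ACCOUNT, wanted, "PLACEHOLDER")))
```

The resulting body is sent with PATCH to the account's `@odata.id` (`/redfish/v1/AccountService/Accounts/1` in the thread); the script's `-f`/`--cafile` option verifies the BMC certificate where the curl calls use `-k`.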
