
Summary



When attempting to gather information on a SnapVault job, the bexcollect process may encounter a problem accessing your Filer.

Symptoms



If this occurs an error message similar to the following may appear:

Could not log into filer:



Resolution



In order to access information on a Filer, the 'bexcollect' process reads the enterprise configuration for the Filer's name and root access password. This host and password are used with FTP to log into the Filer and pull various OnTap log files from the /etc/log directory.

The bexcollect process may fail because OnTap treats FTP authentication differently from root access authentication. The Filer's root administration authentication corresponds to access control for telnet to the Filer, NDMP backup/restore/device control, and OnTap FilerView web access, whereas FTP authentication is controlled through a commonly altered and separately maintained /etc/passwd facility.

NOTE: The above paragraph references an /etc/passwd facility. However, if your OnTap system is configured for shadow passwords, your enterprise likely uses an /etc/shadow file instead. Generally, if passwords are empty in the /etc/passwd facility and a shadow file exists, then shadow file security is enabled. In addition to this article, NetApp's documentation makes reference to the /etc/passwd and /etc/shadow files. From the Filer's perspective these files are usually located relative to the /vol/vol0 volume.

As per NetApp's documentation of ftpd, the ftpd service will not accept any login accounts that have empty passwords. Before proceeding, check whether your Backup Express enterprise has been configured with an empty password field or whether the corresponding account in /etc/passwd has been configured with an empty password field.

NOTE: the OnTap 'passwd' command changes the Filer's administrative password, but does not update the /etc/passwd facility.

Engineers may initialize a NetApp Filer with one common password when the Filer is first installed. At some point after the initial installation, local administrators may change the root password of the Filer under the assumption that this change is globally applied. The password change only affects the core OnTap services mentioned above (telnet, NDMP, FilerView) and does not affect the /etc/passwd facility. When this occurs, people often forget the original password, rendering any FTP access to the Filer impossible until the FTP account's /etc/passwd entry is corrected.

For consistency with bexcollect and ease of administration, we suggest making the root FTP account password be the same as the Filer's primary root password.

For more information about creating a password for your FTP, see the NetApp knowledge base article now.netapp.com/Knowledgebase/solutionarea.asp?id=kb738 .

To update the /etc/passwd entry, follow the procedure below:

  1. Determine what sort of passwords your system uses.
  2. Generate an appropriate password string.
  3. Enter this string into the /etc/passwd or /etc/shadow facility.

You may be able to discern what kinds of passwords are enabled by viewing the current /etc/passwd. If your environment's passwords are long such as,

_J9..xAWiHaHC4fFgNX,

then your system likely recognizes CIFS passwords. However, if your password fields are shorter such as,

00j7XwttgAt6o

then your system likely is configured to recognize UNIX crypt() passwords. With the directions below it doesn't hurt to try either type, but if you cannot determine what specific kinds of passwords your /etc/passwd facility will accept, please call NetApp Ontap support to help you determine which is currently active.

Generating a new CIFS password string can be done at the OnTap command line prompt by running the following command:

cifs passwd <MYPASSWORD>

The <MYPASSWORD> variable represents the plaintext string you want to use as the password. This command will produce output similar to the following:

password is _J9..xAWiHaHC4fFgNX.

The CIFS password is NetApp's suggested style. If you need to generate a UNIX style crypt() string, you can enter the command shown below on any UNIX machine with a perl installation. You can also use this command in the 'Backup Express Command Shell' for Windows clients.

perl -e "print crypt('sysadmin','00');"

In the crypt command above you can substitute any password followed by any 2-character key. However, for simplicity's sake, use the string generated above which corresponds to the "sysadmin" password. Running the above command will produce output similar to the following:

00j7XwttgAt6o

Use this generated string to update the /etc/passwd facility.

In most cases, the OnTap /etc/passwd file will accept either CIFS or crypt style passwords. The NetApp article mentioned above specifically outlines how to generate a CIFS password to use in your /etc/passwd file and should be the preferred method of resolving this issue. Other OnTap manuals document the use of UNIX crypt. For consistency, we advise that the same style of password be preserved throughout.

NOTE: Various CIFS operations on your filer may require a CIFS license. If you cannot generate a password as above, then you will need to contact NetApp Technical Support and either request that they generate a password for you, or issue you a temporary/evaluation CIFS license.

After you have the password string, you will need to update the /etc/passwd file. Please note that this file is in UNIX format, containing different end of line termination than Windows which must be preserved. The safest way to change this file is to NFS mount the root volume (typically /vol/vol0) onto a UNIX machine, get the Filer's /etc/passwd file, and edit it using VI. An alternate method is to mount the same volume via CIFS (usually via the ETC$ share) to access the passwd file.

NOTE: The procedure described below is for modifying the /etc/passwd file. If your Filer was configured with extra security and uses the /etc/shadow facility, you will need to edit /etc/shadow instead. If the shadow file does not exist, then your passwords are configured in the passwd file. If you do not know which file to edit, open and review the /etc/shadow file. If /etc/shadow is empty, you should edit the /etc/passwd file. If it contains one line per user account, then /etc/shadow is being used and this file should be edited. The /etc/shadow file is similar to the description below in which the second colon-separated field is the password field. For further information and assistance with /etc/passwd and /etc/shadow, contact your NetApp Technical Support representative.

Caution: Before editing the /etc/passwd or /etc/shadow file, make a backup copy. If you damage either file, serious side effects may impede various Filer operations.

For either file, find the line starting with "root".

The /etc/passwd file contains one line per user account, in which colons separate each field, in the format shown below.

user:password:user-id:group-id:full-name:home-directory:shell

Replace the "password" field with the password string you had previously generated.

Caution: The /etc/passwd and /etc/shadow files are in UNIX file format. UNIX text files differ in their end of line termination from Windows hosts. Microsoft does not supply an easy-to-use UNIX editor with Windows to format text files. If you must edit these files on a Windows machine, use Notepad to open them. Since Notepad doesn't recognize the end of line character, the file will open up on one long line. Edit the password field for root and save. Notepad will force you to save the file with a .txt extension. After saving the file, simply rename it to remove the .txt extension and transfer it to your Filer as indicated. Do not use Wordpad to edit this file. Wordpad will properly display UNIX files on the screen, but will not allow you to save the file in UNIX format.
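
The edit described above can also be scripted on the UNIX host where the root volume is NFS-mounted. The following Python helper is an added example, not part of the original article or of any Backup Express or NetApp tooling: it picks /etc/shadow or /etc/passwd as the NOTE above describes, lists accounts with empty password fields, makes a backup copy, and replaces root's password field while keeping UNIX line endings. The function names and the sample file contents are assumptions constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

def active_password_file(etc_dir):
    """Pick shadow when it holds account lines, otherwise passwd."""
    shadow = Path(etc_dir) / "shadow"
    if shadow.exists() and shadow.read_bytes().strip():
        return shadow
    return Path(etc_dir) / "passwd"

def empty_password_accounts(path):
    """Accounts whose second field is empty; ftpd rejects these logins."""
    rows = [l.split(b":") for l in Path(path).read_bytes().split(b"\n") if l]
    return [r[0].decode() for r in rows if len(r) >= 2 and r[1] == b""]

def set_password_field(path, user, pw_string):
    """Replace the user's second colon-separated field, keeping LF endings."""
    if not pw_string or any(c in pw_string for c in ":\r\n"):
        raise ValueError("password string must be non-empty, without ':' or line breaks")
    path = Path(path)
    data = path.read_bytes()
    if b"\r" in data:
        raise ValueError("file has CR characters; restore UNIX line endings first")
    lines = data.split(b"\n")
    hits = [i for i, l in enumerate(lines)
            if b":" in l and l.split(b":")[0] == user.encode()]
    if len(hits) != 1:
        raise ValueError(f"expected one {user!r} entry, found {len(hits)}")
    fields = lines[hits[0]].split(b":")
    fields[1] = pw_string.encode()
    lines[hits[0]] = b":".join(fields)
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)            # backup copy before the file is changed
    path.write_bytes(b"\n".join(lines))   # bytes in, bytes out: no CRLF translation
    return backup

if __name__ == "__main__":
    # Constructed sample standing in for the etc directory of the mounted root volume.
    etc = Path(tempfile.mkdtemp())
    (etc / "passwd").write_bytes(b"root::0:1::/:\nnobody::65535:65535::/:\n")
    target = active_password_file(etc)
    print("editing", target.name, "- empty before:", empty_password_accounts(target))
    set_password_field(target, "root", "00j7XwttgAt6o")  # crypt() string from the article
    print(target.read_text(), end="")
```

The helper refuses a file that already contains carriage returns, which is the damage a Windows editor would introduce, and it leaves a .bak copy beside the edited file.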

After editing and saving the file, try to initiate an FTP to your filer using the root and new password you created.

Please call your NetApp support representative if you have any difficulty updating the FTP password of your Filer. For 'bexcollect' to properly operate, the FTP password in /etc/passwd (or /etc/shadow) must be the same as the Filer's administrative password, as defined in the Backup Express enterprise configuration.