NSX-T Passwords Expired for default accounts

A colleague of my, had some troubles making an API call to the NSX-T Managers in a particular site.
Looking closer into vRA we saw the following message:

Afbeelding met tekst Automatisch gegenereerde beschrijving

So we decided to log into one of the NSX-T managers, and we directly saw the following:

Afbeelding met tekst Automatisch gegenereerde beschrijving

Since the password was expired, we were asked to change it during login. However, the NSX-T managers are part of a vCF cluster. So the best way to change this is through the SDDC-Manager, if that’s what we wanted. There was no reason for us to change the password, besides the fact that it had expired. But for our environment we wanted to everything to stay the same. So in this case we changed the password back to the original password with the paswd command, and wanted to remove the password expiration timer.

Now the best way to do this is by using the official VMware documentation, instead of doing it on the Linux way. For this we used the following documentation.
For vRA and other services being able to keep running, we removed the password expiration for the following accounts:

Root, admin & audit.

To remove this, first SSH to the NSX-T Manager and login with root.

Then change the login to the user admin. Make sure you’re using the shell as admin, since root will not be able to use the upcoming commands. You can change the user with:

su admin

Then check the password expiration policy with the command:

get user admin password-expiration

Most likely this is set to 90 days, which is the default policy after deploying NSX-T.
Now to remove the password expiration policy, use the command:

clear user admin password-expiration

Do this for all 3 standard users (root, admin, audit).
Check if the password expiration policy has been removed by repeating the command:

get user admin password-expiration

If everything is alright you should see the following.

Afbeelding met tekst Automatisch gegenereerde beschrijving

I hope this was helpful.
If by any chance you want to change the password policy expiration-time to a different aging policy, you can do that for example with the command:

set user admin password-expiration 120

Which of course can be dan per user.
With the set command you can also change the user password:

set user admin

Alright, let me know if this was of any value for you.

↑↑ Follow me on my Socialz ↑↑ - Or - ↓↓ Care & Share ↓↓

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.