Last Modified: Sep 24, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5
Opened: Sep 02, 2022
Severity: 3-Major
If a configuration sync to a BIG-IP device fails, for example, due to an MCPD validation error, locally-defined users on the receiving BIG-IP device may be lost. This issue applies to locally-defined users (for accessing the management UI or CLI), but does not affect the built-in "admin" or "root" logins. The users will still be present in /config/bigip_user.conf, but will be missing from /etc/passwd and /etc/shadow, which prevents them from logging in to the device. Messages similar to the following may be seen in /var/log/secure when those users attempt to log in to the BIG-IP device:
"User 'exampleuser' (fallback: false) - not authenticated: User not known to the underlying authentication module"
Locally defined users on the receiving BIG-IP device are removed.
- A third (or subsequent) BIG-IP device is added to an existing sync group.
- The config-sync operation fails to load the new configuration, for example, because it is performed in the wrong direction, and the new empty device tries to overwrite and remove configuration from the existing ones, which is blocked by non-shared object references.
Log in as admin or root, and manually reset the passwords on the affected local user accounts. This will repopulate the users into the unix passwd and shadow files.
None
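
A check for the symptom described above, as an added example that is not F5 code: it lists users defined in a bigip_user.conf-style file that have no passwd or shadow entry, and pulls the user names out of the log message quoted above. It assumes users appear as `auth user <name> {` stanzas; the function names and the sample files built by `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 code). Assumption: local users appear in
# bigip_user.conf as top-level "auth user <name> {" stanzas.

# Names declared in a bigip_user.conf-style file (arg 1).
conf_users() {
    awk '$1 == "auth" && $2 == "user" && $NF == "{" { print $3 }' "$1" | sort -u
}

# Users in the config (arg 1) missing from passwd (arg 2) or shadow (arg 3).
missing_users() {
    for u in $(conf_users "$1"); do
        if ! cut -d: -f1 "$2" | grep -Fxq -- "$u" ||
           ! cut -d: -f1 "$3" | grep -Fxq -- "$u"; then
            echo "$u"
        fi
    done
}

# Users named in the "not known to the underlying authentication module"
# failures quoted on this page, read from a secure log (arg 1).
rejected_users() {
    sed -n "s/.*User '\([^']*\)' (fallback: [a-z]*) - not authenticated: User not known to the underlying authentication module.*/\1/p" "$1" | sort -u
}

# Build constructed sample files in a temp dir and run both checks.
demo() {
    d=$(mktemp -d) || return 1
    printf 'auth user admin {\n    description "constructed"\n}\nauth user exampleuser {\n    description "constructed"\n}\n' > "$d/bigip_user.conf"
    printf 'root:x:0:0::/root:/bin/bash\nadmin:x:0:500::/home/admin:/bin/false\n' > "$d/passwd"
    printf 'root:!!:19000::::::\nadmin:!!:19000::::::\n' > "$d/shadow"
    printf '%s\n' "constructed-prefix: User 'exampleuser' (fallback: false) - not authenticated: User not known to the underlying authentication module" > "$d/secure"
    echo "missing: $(missing_users "$d/bigip_user.conf" "$d/passwd" "$d/shadow")"
    echo "rejected: $(rejected_users "$d/secure")"
    rm -rf "$d"
}

# On a device: sh check.sh /config/bigip_user.conf /etc/passwd /etc/shadow
if [ "$#" -eq 3 ]; then missing_users "$@"; elif [ "${1:-}" = "demo" ]; then demo; fi
```

Users reported by `missing_users` are the accounts whose passwords need to be reset as described in the workaround.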