Bug ID 1145749: Locally defined BIG-IP users can be lost during a failed config-sync

Last Modified: Jul 11, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4

Opened: Sep 02, 2022

Severity: 3-Major

Symptoms

If a configuration sync to a BIG-IP devices fails, for example, due to an MCPD validation error, locally-defined users on the receiving BIG-IP device may be lost. This issue applies to locally-defined users (for accessing the management UI or CLI), but does not affect the built-in "admin" or "root" logins. The users will still be present in /config/bigip_user.conf, but will be missing from /etc/passwd and /etc/shadow, which prevents them from being able to log in to the device. Messages similar to the following may be seen in /var/log/secure when those users attempt to log in to the BIG-IP device. "User 'exampleuser' (fallback: false) - not authenticated: User not known to the underlying authentication module"

Impact

Locally defined users on the receiving BIG-IP device are removed.

Conditions

- A third (or subsequent) BIG-IP device is added to an existing sync group. - The config-sync operation fails to load the new configuration, for example, because it is performed in the wrong direction, and the new empty device tries to overwrite and remove configuration from the existing ones, which is blocked by non-shared object references.

Workaround

Log in as admin or root, and manually reset the passwords on the affected local user accounts. This will repopulate the users into the unix passwd and shadow files.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips