Posted on 05-03-2016 11:16 AM
Preface: this is currently affecting a test JSS environment and is not in production.
Our test JSS environment has LDAP integration configured, and the service account that is in use had its password recently reset by another party. As of the password reset, I am no longer able to log into the test JSS using any domain accounts. To make matters worse, I do not have the passwords to the two local JSS accounts. What I do have access to is the host machine where this JSS resides. This is hosted on a virtualized Windows Server 2012 R2 server. Pretty bad stuff, huh? Plot twist: I also do not have the password for the SQL database. I was able to find this JAMF article here but again, those default credentials did not work. Any ideas, thoughts or prayers?
Posted on 05-03-2016 11:22 AM
Alternatively, since I do have access to the VM where this JSS resides, would it be possible to reset the SQL database account password? If so, what effects would that entail?
Posted on 05-03-2016 12:32 PM
I'm guessing the password on the LDAP account can't be set back to what it was previously? (probably a long shot).
It's possible to reset the MySQL root password if you have admin access to the server (guide here) and potentially reset the JSS password (although I haven't tried that part before).
If it's a development server, I'd probably take a copy of the production database and restore that in its place (if you want to keep the test JSS the same as the production service).
Posted on 05-03-2016 12:36 PM
@davidacland Yeah, no dice on resetting the LDAP password. It actually did affect our production JSS but the password to the one local JSS account was known. I logged on then updated the LDAP account password to the current one.
I have a snapshot of the test JSS but it was taken after this mess was already in place. If I screw anything up, I can roll back to this afternoon. I am hesitant to restore a copy of our production database in our test given that it's a very stripped down version of what we have deployed out in the wild. I'll try and reset the SQL root password with the guide you provided. Thanks!
05-03-2016 01:57 PM - edited 01-27-2022 01:43 PM
Thanks for the input, @davidacland! I was able to get this working using the following.
use mysql;
update user set password = password('your_password_here') where user='root';
select user_id,username from users where ldap_server_id='-1';
update users set password='$password', salt='$salt' where user_id='X';
select account_status from users where user_id = 'X';
15. Close the MySQL 5.6 Command Line Client.
16. Log onto your JSS with the user ID obtained from the above section and enter "changeme" as the password.
17. Change the temporary password immediately by going to System Settings>JSS User Accounts & Groups.
18. Update your LDAP account password by going to System Settings>LDAP Servers
Posted on 12-08-2016 07:16 AM
I need to do this too because I mistyped the admin password during setup and now can't get in. However, I'm confused about where the password and salt came from. It looks like the password is SHA512 according to the documentation. And it looks like it's stored in base64?
# decode the salt from base64
$ salt=`echo -n "NmUeqSwHagk=" | base64 -D`
# password + salt hashed with sha512 and then put into base 64
$ echo -n "changeme${salt}" | openssl dgst -sha512 | base64
KHN0ZGluKT0gMTg1YzcwNWMyZTM4NzgzY2ViMmEzYTQxMjhjOTNjYjM0YWE5OWE3YWI4OTI2ZDJmNWIyN2IxN2IyMzI3ZjQ5ZGI5NGJmMmJlMDIxNTc1OTNlYzQ2NDNlZjliMDQzYjJmMjE5ZDRlODIxZTllZjk3MWRhMTM4OWUzZjQ1YWRiNDMK
# salt + password
$ echo -n "${salt}changeme" | openssl dgst -sha512 | base64
KHN0ZGluKT0gMmQ3NmE1YWFhOWExM2FmODk0NjNiZGM4ZDJmMjdiNjRlMTc1YWI5MWY0MGU3YTE2ZmRlNmNjNGNmMGQyMWIzOTQwZjA0YzhlMjVkMDNiZjY1OGQ2ZGI0M2Y4YjhlZTUyNjMyMjFjMmU1YmJjZDkwNmUzNmYzZTlkYWI3OGMzYjkK
Am I missing something? If this is using AES-256 or something, I don't want to change the password to the wrong thing and have it not work.
Posted on 03-07-2019 04:19 AM
Hi Guys!
First of all thanks @sepiemoini for the solution.
Just my 2 cents from my experience.
The hashed key 'k0q5CnA9xV7aJZvH4G5RO5SYSWgOkXug362mjSgjikFqBRa0d2g8pP6zKI971RQVFzDQcKXzMyniB9C0LsMwHg=='
for the 'changeme' password didn't work for me.
Instead the user broke and I got error 400 on this user, no matter what password I tried to log in with (right/wrong) on the web admin console.
Instead I made a new working hash key: '$s0$e0801$g35KnToEUFe0+BSL1ziK2g==$7U0HHYJ8WyDadoyzxomO9CFTJCO8JAFbRgduVP5qzSw='
So you'll need to change the key inside @sepiemoini's command.
It will look like this:
select user_id,username from users where ldap_server_id='-1';
update users set password='$s0$e0801$g35KnToEUFe0+BSL1ziK2g==$7U0HHYJ8WyDadoyzxomO9CFTJCO8JAFbRgduVP5qzSw=', salt='NmUeqSwHagk=' where user_id='X';
select account_status from users where user_id = 'X';
And then proceed to log in as the user with the 'changeme' password.
Hope it helps some people who struggled with it ;)
All The Best
Meir
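An added example, not part of any post in this thread and not Jamf code: a Python parser for the two `password` formats quoted above, which reads the cost parameters out of the `$s0$` string and can check a candidate password against such a value before it is written to the `users` table. It assumes the `$s0$` value follows the `$s0$params$salt$key` scrypt layout of the lambdaworks SCryptUtil library and that the 88-character value is a base64 digest of SHA-512 size; the function names are hypothetical.

```python
import base64
import hashlib
import hmac

def parse_stored_password(value, salt_column=None):
    """Classify a users.password value and return its decoded fields."""
    if value.startswith("$s0$"):
        # Assumed layout (lambdaworks SCryptUtil): $s0$<params>$<salt>$<key>
        _, _, params, salt_b64, key_b64 = value.split("$")
        packed = int(params, 16)  # log2(N) << 16 | r << 8 | p
        return {
            "scheme": "scrypt",
            "n": 1 << (packed >> 16),
            "r": (packed >> 8) & 0xFF,
            "p": packed & 0xFF,
            "salt": base64.b64decode(salt_b64, validate=True),
            "key": base64.b64decode(key_b64, validate=True),
        }
    digest = base64.b64decode(value, validate=True)
    if len(digest) != 64:  # 64 bytes is the SHA-512 output size
        raise ValueError("unrecognised password format")
    salt = base64.b64decode(salt_column, validate=True) if salt_column else b""
    return {"scheme": "sha512-sized", "salt": salt, "key": digest}

def make_scrypt(password, salt, log2_n=14, r=8, p=1):
    """Build a $s0$ string; salt is raw bytes, e.g. os.urandom(16)."""
    key = hashlib.scrypt(password.encode(), salt=salt, n=1 << log2_n, r=r, p=p,
                         maxmem=64 * 1024 * 1024, dklen=32)
    params = format(log2_n << 16 | r << 8 | p, "x")
    return "$s0$%s$%s$%s" % (params, base64.b64encode(salt).decode(),
                             base64.b64encode(key).decode())

def verify_scrypt(stored, candidate):
    """Constant-time check of a candidate password against a $s0$ string."""
    f = parse_stored_password(stored)
    if f["scheme"] != "scrypt":
        raise ValueError("not a $s0$ scrypt value")
    derived = hashlib.scrypt(candidate.encode(), salt=f["salt"], n=f["n"], r=f["r"],
                             p=f["p"], maxmem=64 * 1024 * 1024, dklen=len(f["key"]))
    return hmac.compare_digest(derived, f["key"])

if __name__ == "__main__":
    # The $s0$ value quoted in the post above
    posted = "$s0$e0801$g35KnToEUFe0+BSL1ziK2g==$7U0HHYJ8WyDadoyzxomO9CFTJCO8JAFbRgduVP5qzSw="
    fields = parse_stored_password(posted)
    print(fields["scheme"], fields["n"], fields["r"], fields["p"], len(fields["salt"]))
```

Whether a given Jamf version accepts a value produced by `make_scrypt` is not confirmed by this thread, so try it on a test instance first.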
Posted on 07-05-2019 11:17 AM
Hi @m3ir
I have a similar issue with my local Jamf Pro account and, similar to you, I'm getting the error message 400 after @sepiemoini's solution.
Could you be so kind and help me with how I should make a new working hash key?
Is it possible to create a new user?
Posted on 07-07-2019 02:27 AM
Hi @mms.sdg
Yes, it's possible, but why do you want to create a new user instead of changing the non-working password?
It will be much easier for you to change the password with the key I provided '$s0$e0801$g35KnToEUFe0+BSL1ziK2g==$7U0HHYJ8WyDadoyzxomO9CFTJCO8JAFbRgduVP5qzSw='
and then log in with the password 'changeme'.
All The Best
Meir
Posted on 07-07-2019 03:15 AM
Hi @m3ir, thank you kindly for your response.
On Monday I will be able to test with your key in my environment. I would like to ask for advice if resetting the password with another key does not help, it may be possible to create a new account.
I tried to reset the password using a different key, and on one Jamf instance it worked. Unfortunately, on the one I need to log in to (because LDAP was disconnected without consultation), resetting the password to "changeme" using this command does not work:
update users set password = '$s0$e0801$mPlSjumOBihHn38qxif7QA==$ouoe0H+Trqyk9/nYYRVzMxkVEm8ulAZK8EM5W1RRwiE=' where user_id=36;
On the test instance I tried to create a new user, but for some reason I cannot log in to it. As I can see in the console, the user is created, but I am not able to log in.
Maybe you'll notice where the error lies. I will be really grateful for your help because I am unfortunately in a difficult situation and I have to deal with it. I will be grateful for any suggestions.
INSERT INTO users (user_id,username,password,salt,ldap_server_id,access_level_type,privilege_level_type) VALUES ("50","JAMF","GYwK8M1EWw3owwdyQ0yyqaXNy84/wsnhyBoB1PRM6wwH/ub9vIBDsZU2LxyT87YstUhrXMZABygZl//cQImUIg==","KK6dVa0m530=","0","1","1");
Pass for this user should be: tBNgAawPKBCwn7v5
Regards,
Martin
Posted on 07-08-2019 02:16 AM
Your key works like a charm thank you. You rock :)
I had to change account_status to 1 and it's working well. Thanks.
Posted on 02-01-2022 06:32 AM
Hi, what command did you set to set the account_status to 1? Thanks.
Posted on 07-09-2019 05:12 AM
@mms.sdg yw ;)
Glad it Helped you :)
Regards,
Posted on 07-10-2019 02:21 AM
The command to create a new local administrator. Maybe it will come in handy for someone:
insert into users (user_id,username,password,algorithm_type,salt,ldap_server_id,access_level_type,privilege_level_type) values ('50','JAMF','$s0$e0801$g35KnToEUFe0+BSL1ziK2g==$7U0HHYJ8WyDadoyzxomO9CFTJCO8JAFbRgduVP5qzSw=','1','NmUeqSwHagk=','0','1','1');
Posted on 09-18-2019 10:46 AM
Hi @m3ir
Your new hash key worked great for me!
I have one question for you - when you say you "made a new working hash key", how exactly did you do that? What commands did you use?
Thanks!
Rob
Posted on 09-24-2019 05:11 AM
Hi @rprante, glad you find it useful ;)
Basically I made a new key on another working Jamf environment, where I created a new user with a password I chose.
Later on I got the new hash key through a MySQL DB query.
Regards,
Meir