How to Reset a Local JSS Account Password

sepiemoini
Contributor III

Preface: this is currently affecting a test JSS environment and is not in production.

Our test JSS environment has LDAP integration configured and the service account that is in use had its password recently reset by another party. As of the password reset, I am no longer able to log into the test JSS using any domain accounts. To make matters worse, I do not have the passwords to the two local JSS accounts. What I do have access to is the host machine where this JSS resides. This is hosted on a virtualized Windows Server 2012 R2 server. Pretty bad stuff, huh? Plot twist: I also do not have the password for the SQL database. I was able to find this JAMF article here but again, those default credentials did not work. Any ideas, thoughts or prayers?

1 ACCEPTED SOLUTION

sepiemoini
Contributor III

Thanks for the input, @davidacland! I was able to get this working using the following.

  1. Log onto the affected JSS.
  2. Locate the my.ini file in Explorer. This should be located in C:\ProgramData\MySQL\MySQL Server 5.6 by default.
  3. Open the my.ini file.
  4. Find "[mysqld]" in the Server Section and type "skip-grant-tables".
  5. Save and close the my.ini file.
  6. Open MySQL 5.6 Command Line Client. You should not have to enter the root account password.
  7. Type in the following:

use mysql
update user set password = password('your_password_here') where user='root';

  8. Close the MySQL 5.6 Command Line Client.
  9. Re-open the my.ini file and comment out the "skip-grant-tables" string by placing a "# " in front of the string.
  10. Save and close the my.ini file.
  11. Go to Services.msc and restart the MySQL56 service.
  12. Open MySQL 5.6 Command Line Client.
  13. Type in the password you specified in Step 7 -- your_password_here -- and hit Enter.
  14. The below command will return the user ID for each local JSS user account created. Take note of the one you would like to reset to "changeme". Type in the following:

select user_id,username from users where ldap_server_id='-1';
update users set password='k0q5CnA9xV7aJZvH4G5RO5SYSWgOkXug362mjSgjikFqBRa0d2g8pP6zKI971RQVFzDQcKXzMyniB9C0LsMwHg==', salt='NmUeqSwHagk=' where user_id='X';
select account_status from users where user_id = 'X';

  15. Close the MySQL 5.6 Command Line Client.
  16. Log onto your JSS with the user ID obtained from the above section and enter "changeme" as the password.
  17. Change the temporary password immediately by going to System Settings>JSS User Accounts & Groups.
  18. Update your LDAP account password by going to System Settings>LDAP Servers.

14 REPLIES

sepiemoini
Contributor III

Alternatively, since I do have access to the VM where this JSS resides, would it be possible to reset the SQL database account password? If so, what effects would that entail?

davidacland
Honored Contributor II

I'm guessing the password on the LDAP account can't be set back to what it was previously? (probably a long shot).

It's possible to reset the MySQL root password if you have admin access to the server (guide here) and potentially reset the JSS password (although I haven't tried that part before).

If it's a development server, I'd probably take a copy of the production database and restore that in its place (if you want to keep the test JSS the same as the production service).

sepiemoini
Contributor III

@davidacland Yeah, no dice on resetting the LDAP password. It actually did affect our production JSS but the password to the one local JSS account was known. I logged on then updated the LDAP account password to the current one.

I have a snapshot of the test JSS but it was taken after this mess was already in place. If I screw anything up, I can roll back to this afternoon. I am hesitant to restore a copy of our production database in our test given that it's a very stripped down version of what we have deployed out in the wild. I'll try and reset the SQL root password with the guide you provided. Thanks!

jlerickson
New Contributor

I need to do this too because I mistyped the admin password during setup and now can't get in. However, I'm confused about where the password and salt came from. It looks like the password is SHA512 according to the documentation. And it looks like it's stored in base64?

# decode the salt from base64
$ salt=`echo -n "NmUeqSwHagk=" | base64 -D`

# password + salt hashed with sha512 and then put into base 64
$ echo -n "changeme${salt}" | openssl dgst -sha512 | base64
KHN0ZGluKT0gMTg1YzcwNWMyZTM4NzgzY2ViMmEzYTQxMjhjOTNjYjM0YWE5OWE3YWI4OTI2ZDJmNWIyN2IxN2IyMzI3ZjQ5ZGI5NGJmMmJlMDIxNTc1OTNlYzQ2NDNlZjliMDQzYjJmMjE5ZDRlODIxZTllZjk3MWRhMTM4OWUzZjQ1YWRiNDMK

# salt + password
$ echo -n "${salt}changeme" | openssl dgst -sha512 | base64
KHN0ZGluKT0gMmQ3NmE1YWFhOWExM2FmODk0NjNiZGM4ZDJmMjdiNjRlMTc1YWI5MWY0MGU3YTE2ZmRlNmNjNGNmMGQyMWIzOTQwZjA0YzhlMjVkMDNiZjY1OGQ2ZGI0M2Y4YjhlZTUyNjMyMjFjMmU1YmJjZDkwNmUzNmYzZTlkYWI3OGMzYjkK

Am I missing something? If this is using AES-256 or something, I don't want to change the password to the wrong thing and have it not work.

m3ir
New Contributor III

Hi Guys!

First of all, thanks @sepiemoini for the solution.
Just my 2 cents from my experience.
The hashed key 'k0q5CnA9xV7aJZvH4G5RO5SYSWgOkXug362mjSgjikFqBRa0d2g8pP6zKI971RQVFzDQcKXzMyniB9C0LsMwHg=='
for the 'changeme' password didn't work for me. Instead the user broke and I got error 400 on this user, no matter what password I tried to log in with (right/wrong) on the web admin console.
Instead I made a new working hash key: '$s0$e0801$g35KnToEUFe0+BSL1ziK2g==$7U0HHYJ8WyDadoyzxomO9CFTJCO8JAFbRgduVP5qzSw='
so you'll need to change the key inside @sepiemoini's command.
It will look like this:

select user_id,username from users where ldap_server_id='-1';
update users set password='$s0$e0801$g35KnToEUFe0+BSL1ziK2g==$7U0HHYJ8WyDadoyzxomO9CFTJCO8JAFbRgduVP5qzSw=', salt='NmUeqSwHagk=' where user_id='X';
select account_status from users where user_id = 'X';

and then proceed to log in as the user with the 'changeme' password.

Hope it helps some people who struggled with it 😉

All The Best
Meir
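
An added example (not from any poster in this thread, and not Jamf code) that inspects only the layout of the password strings quoted above; it does not test any password. It assumes the `$s0$` value follows the `$s0$params$salt$key` string layout used by the lambdaworks scrypt library for Java; the thread does not say which algorithm Jamf Pro uses. `describe` is a hypothetical helper name.

```python
import base64

# Values copied from the posts above.
LEGACY = ("k0q5CnA9xV7aJZvH4G5RO5SYSWgOkXug362mjSgjikFqBRa0d2g8pP6z"
          "KI971RQVFzDQcKXzMyniB9C0LsMwHg==")
LEGACY_SALT = "NmUeqSwHagk="
NEWER = "$s0$e0801$g35KnToEUFe0+BSL1ziK2g==$7U0HHYJ8WyDadoyzxomO9CFTJCO8JAFbRgduVP5qzSw="
# First 12 characters shared by both openssl|base64 outputs posted earlier.
OPENSSL_PREFIX = "KHN0ZGluKT0g"


def describe(stored: str) -> dict:
    """Classify a stored string by its layout (hypothetical helper)."""
    if stored.startswith("$s0$"):
        # Assumed layout: $s0$<hex params>$<base64 salt>$<base64 key>,
        # where params = log2(N) << 16 | r << 8 | p.
        _, _, params_hex, salt_b64, key_b64 = stored.split("$")
        params = int(params_hex, 16)
        return {
            "layout": "scrypt-style",
            "N": 2 ** (params >> 16),
            "r": (params >> 8) & 0xFF,
            "p": params & 0xFF,
            "salt_bytes": len(base64.b64decode(salt_b64, validate=True)),
            "key_bytes": len(base64.b64decode(key_b64, validate=True)),
        }
    raw = base64.b64decode(stored, validate=True)
    if all(32 <= b < 127 or b == 10 for b in raw):
        # Printable ASCII: a tool's text output was encoded, not raw bytes.
        return {"layout": "text", "text": raw.decode("ascii").strip()}
    return {"layout": "raw-bytes", "length": len(raw)}


if __name__ == "__main__":
    for name, value in [("legacy password", LEGACY), ("legacy salt", LEGACY_SALT),
                        ("newer password", NEWER), ("openssl output", OPENSSL_PREFIX)]:
        print(f"{name:16} {describe(value)}")
```

The legacy value decodes to 64 raw bytes (the size of a SHA-512 digest) with a separate 8-byte salt, while the `$s0$` value carries its own parameters and salt inline. The openssl outputs decode to the tool's `(stdin)= <hex>` text line, so they are a base64 encoding of text rather than of a raw digest.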

mms_sdg
New Contributor

Hi @m3ir

I have a similar issue with my local Jamf Pro account and, similar to you, I am getting the error message 400 after @sepiemoini's solution.

Could you be so kind and help me with how I should make a new working hash key?

Is it possible to create a new user?

m3ir
New Contributor III

Hi @mms.sdg

Yes, it's possible, but why do you want to create a new user instead of changing the nonworking password?
It will be much easier for you to change the password with the key I provided, '$s0$e0801$g35KnToEUFe0+BSL1ziK2g==$7U0HHYJ8WyDadoyzxomO9CFTJCO8JAFbRgduVP5qzSw=',
and then log in with the password 'changeme'.

All The Best
Meir

mms_sdg
New Contributor

Hi @m3ir, thank you kindly for your response.

On Monday I will be able to test with your key in my environment. I would like to ask for advice: if resetting the password with another key does not help, might it be possible to create a new account?

I tried to reset the password using a different key, and on one Jamf instance it worked. Unfortunately, on the one I need to log in to (because LDAP was disconnected without consultation), resetting the password to "changeme" using this command does not work:

update users set password = '$s0$e0801$mPlSjumOBihHn38qxif7QA==$ouoe0H+Trqyk9/nYYRVzMxkVEm8ulAZK8EM5W1RRwiE=' where user_id=36;

On the test instance I tried to create a new user, but for some reason I do not know, I cannot log in to it. When I check in the console, the user is created, but I am not able to log in.

Maybe you'll notice where the error lies. I will be really grateful for your help because I am unfortunately in a difficult situation and I have to deal with it. I will be grateful for any suggestions.

INSERT INTO users (user_id,username,password,salt,ldap_server_id,access_level_type,privilege_level_type) VALUES ("50","JAMF","GYwK8M1EWw3owwdyQ0yyqaXNy84/wsnhyBoB1PRM6wwH/ub9vIBDsZU2LxyT87YstUhrXMZABygZl//cQImUIg==","KK6dVa0m530=","0","1","1");

Pass for this user should be: tBNgAawPKBCwn7v5

Regards,
Martin

mms_sdg
New Contributor

@m3ir

Your key works like a charm thank you. You rock 🙂

I had to change account_status to 1 and it's working well. Thanks.

m3ir
New Contributor III

@mms.sdg yw 😉
Glad it Helped you 🙂

Regards,

mms_sdg
New Contributor

The command to create a new local administrator. Maybe it will come in handy for someone:

insert into users (user_id,username,password,algorithm_type,salt,ldap_server_id,access_level_type,privilege_level_type) values ('50','JAMF','$s0$e0801$g35KnToEUFe0+BSL1ziK2g==$7U0HHYJ8WyDadoyzxomO9CFTJCO8JAFbRgduVP5qzSw=','1','NmUeqSwHagk=','0','1','1');

rprante
New Contributor

Hi @m3ir

Your new hash key worked great for me!

I have one question for you - when you say you "made a new working hash key", how exactly did you do that? What commands did you use?

Thanks!
Rob

m3ir
New Contributor III

Hi @rprante, glad you find it useful 😉

Basically I made a new key on another working Jamf environment: I created a new user with a password I chose.
Later on I got the new hash key through a MySQL DB query.

Regards,
Meir