#Can't unlock diag user


zinc inlet
#

Has anyone ever seen a case where you cannot unlock the diag user account? I followed the procedures in this KB, but after I do the unlock, it still shows the account as being locked. I tried changing the password for the diag account as well, but that didn't help. It won't let me get into systemshell while it's locked. Any ideas on how to fix this?

https://kb.netapp.com/onprem/ontap/os/How_to_unlock_Systemshell_diag_user_account

agile herald
#

Can't say I have.

#

What version of ONTAP?

#

Usually I just do "set d; systemshell -node <node> <command>"

open grotto
#

New installs prevent that. I think new 9.10 and higher. You have to unlock the diag account, or there is a command to run (forgot offhand what it is) which allows that to work.

zinc inlet
#

ONTAP 9.8P15
The systemshell won't work, because even if I'm in diag mode, it won't let me run any systemshell commands because it says the diag user is locked.
I have tried to unlock the diag user (see the KB article in my original post), but even after I run the unlock command, it's still showing as locked.

I'm thinking I'm going to have to open a ticket.

agile herald
#

Yeah.

#

What's the serial #? I can look at ASUPs real fast and see if I see any errors or anything.

#

@zinc inlet

zinc inlet
#

Thanks, Paul. I opened ticket #2009570582, so I'll let everyone know what comes of that in case anyone else ever runs into this in the future.

rocky moss
#

The KB article should get updated if there’s something new to learn from your case 🪄

agile herald
#

Logging in :: Success
security login unlock -username diag :: Pending
security login unlock -username diag :: Success
rows 0 :: Pending
rows 0 :: Success
set diag :: Pending
Question: Warning: These diagnostic command... :: Pending
Question: Warning: These diagnostic command... : y :: Success
set diag :: Success
security login unlock -username diag :: Pending
security login unlock -username diag :: Success
security login password -username diag :: Pending
Question: Enter a new password :: Pending
Question: Enter a new password : (echo off) :: Success
Question: Enter it again :: Pending
Question: Enter it again : (echo off) :: Success
security login password -username diag :: Error: New password must be different from the old password
exit :: Pending
exit :: Success
Logging out :: Success

#

I see where your attempt was done above.

#

The other thought I had was maybe try from the "admin" local account not your activedirectory\username account.

zinc inlet
#

So, the fix for this turned out to be very simple... we just ran the "security login lock -user diag", and then the "security login unlock -user diag" worked. Never occurred to me to even try that.

@rocky moss, is there a way to submit this to be added to the KB? Or, is that something the NetApp case owner should do? I know I'm going to make note of it in my personal notes 🙂

rocky moss
#

The case owner should do that by default.
@agile herald, can you please follow-up to make sure it happens?

agile herald
#

@zinc inlet did you end up using the built-in admin account or your windowsdomain\adminusername account?

zinc inlet
#

I was able to use my Windows domain account. Using the built-in admin didn't make any difference.

agile herald
#

Hmm. That is so odd. I wonder why that worked.

zinc inlet
#

Yeah, I found it very bizarre as well.

burnt umbra
#

4

hazy mirage
open grotto
#

Yeah. Wasn’t sure if that should be shared😀. But there it is

agile herald
#

Meh, I'm not sure either, but I'd say don't do it.

waxen spade