Monday, January 4, 2010

Use NIM to Change Root's Password

Many large AIX environments use IBM’s Network Installation Manager (NIM) to deploy and maintain AIX LPARs. If you ever need to change a "forgotten" root password in AIX and have a NIM environment available, the following procedure will let you reach the LPAR's root filesystem from a network-booted maintenance environment and change the password from there.

This requires an outage, but can be easier than booting off of media. It is also a reminder that anyone who can push a maintenance boot from the NIM server and reach the LPAR's console can do exactly this, so NIM server and console (HMC/SMS) access deserve the same protection as the root password itself. Of course, try this in a test environment first to make sure it works as expected, and I offer no warranties/etc if something goes horribly wrong (please make sure you use >> and not > below).

I’m not going to claim it is elegant or the best way of doing it, but it works. If anyone has a better way, please post it in the comments.

On the NIM server, run the following command:
nim -o maint_boot -a spot=SPOTNAME LPARNAME
On the AIX box that is having the “root password opportunity”, reboot and enter SMS mode. Make sure that the NIM server IP address is set as the boot server and that the LPAR’s own network information (client IP address, gateway and subnet mask) is configured properly.

The LPAR will perform a network boot using the SPOT. You will have to go through prompts to set up the current terminal and preferred language. Following that, there will be an option to either install the BOS or go into a limited maintenance mode. Go into the limited maintenance mode.

You will be booted into a semi-functional AIX environment. Use lspv to see what physical volumes you have available and type the following to import the volume group from the hdisk that had rootvg on it originally (replace # with the disk number lspv shows):
importvg hdisk#
Create a temporary mount point and mount the root filesystem (hd4 is the root logical volume):
mkdir /test
mount /dev/hd4 /test
You do not have access to a good portion of the command line tools (including vi) in this environment. Run the following command to append a new UID 0 account with an empty password field to the passwd file of the mounted root filesystem:
echo tempuser::0:0::/:/usr/bin/ksh >> /test/etc/passwd
MAKE SURE THAT YOU USE TWO “>” SYMBOLS. Otherwise, you will overwrite the entire passwd file. Run the following commands to sync the file system and prepare the LPAR for the reboot:
sync
cd /
umount /test
Reboot the LPAR. When the LPAR comes up, it should boot from the proper hdisk. At this point, you can log in locally (on the console) as the user you created above without a password; because that account has UID 0, “passwd root” will set a new root password without asking for the old one. After verifying that the new password works, remove the entry you made in /etc/passwd and confirm that root is once again the only UID 0 account in the file.
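The append-and-cleanup steps above, as an added shell example that is not part of the original post. It wraps the echo >> line in a function that backs up the file, refuses to run twice, copes with a passwd file whose last record has no trailing newline, and checks that the file grew by exactly one line; a second function removes the entry again, and a third lists every UID 0 account so you can confirm that root is the only one left. The function names, the backup suffix and the use of grep, awk, cp and tail are my assumptions; those tools are not guaranteed to exist in the limited maintenance environment, so the audit at least can be run after the reboot on the normal system.

```shell
#!/bin/sh
# Added example, not from the original post: a safer wrapper around the
# "append a UID 0 user" step and the cleanup that follows it. The passwd
# path and the user name are parameters, so the same functions work against
# /test/etc/passwd in maintenance mode or against a scratch copy for a dry run.
# Assumes grep, awk, cp and tail are available (an assumption; the limited
# maintenance environment may lack them). The entry format is the post's own.

# Count records the way /etc/passwd is read (one record per line, a final
# line without a newline still counts).
passwd_lines() {
    awk 'END { print NR }' "$1"
}

# Append a passwordless UID 0 entry for user $2 to passwd file $1.
# Returns 1 if the file is missing (wrong mount point?), 2 if the user already
# exists, 3 if the file did not grow by exactly one record. Keeps a backup.
add_temp_root_entry() {
    pw="$1"; user="$2"
    [ -f "$pw" ] || return 1
    grep -q "^${user}:" "$pw" && return 2
    before=$(passwd_lines "$pw")
    cp "$pw" "$pw.before-${user}" || return 1
    # If the last record has no trailing newline, a plain append would glue
    # the new record onto it. tail -c 1 prints "" when the last byte is '\n'.
    [ -z "$(tail -c 1 "$pw")" ] || echo >> "$pw"
    # Two '>' symbols: append. A single '>' would truncate the whole file.
    echo "${user}::0:0::/:/usr/bin/ksh" >> "$pw" || return 1
    after=$(passwd_lines "$pw")
    [ "$after" -eq $((before + 1)) ] || return 3
    return 0
}

# Remove the temporary entry once the real root password has been reset.
# Writes through the existing file so its ownership and permissions are kept.
# Fails (and changes nothing) if removing the entry would empty the file.
remove_temp_root_entry() {
    pw="$1"; user="$2"
    grep -v "^${user}:" "$pw" > "$pw.tmp" || { rm -f "$pw.tmp"; return 1; }
    cat "$pw.tmp" > "$pw" && rm -f "$pw.tmp"
}

# List every account with UID 0 in $1, one name per line. After cleanup this
# should print only "root"; anything else is a leftover or a pre-existing
# backdoor worth investigating.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}
```

In maintenance mode, with the root filesystem mounted on /test, source the file and run add_temp_root_entry /test/etc/passwd tempuser; after the reboot and passwd root, run remove_temp_root_entry /etc/passwd tempuser followed by uid0_accounts /etc/passwd and check that only root is printed.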
