This issue has happened to me quite a few times now. I’ve had multiple VCD environments where the root account magically closed up and/or the account simply expired. This resulted in a boatload of issues that were not easy to understand at first, until I had a look at the root account password expiration, or noticed that I was simply not able to log in to the VCD Cells anymore. For this issue I wanted to create a really quick blogpost that captures the essentials and explains, in just a couple of steps, what you need to do to unlock the VCD cell root account and make sure it doesn’t happen again anytime soon.

Usually the root account needs to have its password changed each year. You can check this in your own environment by running the chage -l root command. Under normal circumstances this will display the following:

root@vcd-cell02 [ ~ ]# chage -l root
Last password change                                    : Feb 26, 2021
Password expires                                        : Feb 26, 2022
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 365
Number of days of warning before password expires       : 7

Now you can see that the root user needs to have its password changed each year. Personally I agree with this since it makes the environment more secure. However, changing the root password also means you have to update the appliance certificate private key, which is a hassle. If you don’t want to do this each year, you can simply disable the root account password expiration by entering the following command:

chage -I -1 -m 0 -M 99999 -E -1 root

This will make sure you only need to change the password every 99999 days (273 years). This will be sufficient. Once you have done this, run chage -l root again and check the results:

root@vcd-cell02 [ ~ ]# chage -l root
Last password change                                    : Feb 26, 2021
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
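
If you keep the yearly expiry instead of disabling it, a scheduled check can warn before root gets locked out. The script below is an added example, not part of the original post; it works on an /etc/shadow-format line (the data chage -l reads), and its function names, the sample lines and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example: days until a password expires, from an /etc/shadow-format line.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire (dates = days since 1970-01-01)

# days_left SHADOW_LINE TODAY_DAYS
# Prints "never", "change-required", or a day count (negative = already expired).
days_left() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    maxdays=$(printf '%s\n' "$1" | cut -d: -f5)
    case "$lastchg" in
        '') echo never; return 0 ;;            # aging disabled for this account
        0)  echo change-required; return 0 ;;  # must change at next login
    esac
    case "$maxdays" in
        ''|-*) echo never; return 0 ;;         # no maximum age set
    esac
    # This script's convention: 99999 (the value set with chage -M) means "never".
    if [ "$maxdays" -ge 99999 ]; then echo never; return 0; fi
    echo $(( $lastchg + $maxdays - $2 ))
}

# expiry_status SHADOW_LINE TODAY_DAYS WARN_DAYS  ->  OK | WARNING | EXPIRED
expiry_status() {
    left=$(days_left "$1" "$2")
    case "$left" in
        never)              echo OK ;;
        change-required|-*) echo EXPIRED ;;
        *) if [ "$left" -le "$3" ]; then echo WARNING; else echo OK; fi ;;
    esac
}

# Constructed sample lines matching the two chage -l outputs in this post
# (18684 = Feb 26, 2021 in days since 1970-01-01; the hash is a placeholder).
BEFORE='root:$6$PLACEHOLDER:18684:0:365:7:::'
AFTER='root:$6$PLACEHOLDER:18684:0:99999:7:::'
TODAY=$(( $(date +%s) / 86400 ))

echo "max 365:   $(days_left "$BEFORE" "$TODAY") days, $(expiry_status "$BEFORE" "$TODAY" 30)"
echo "max 99999: $(days_left "$AFTER" "$TODAY"), $(expiry_status "$AFTER" "$TODAY" 30)"

# On a live cell, as root, feed in the real entry instead of the samples:
#   expiry_status "$(getent shadow root)" "$TODAY" 30
```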

Another pro tip: if you find yourself in the situation that you cannot log in to the VCD Cells anymore and you wish to change this, execute the following steps:

  • Reboot the VCD Appliance(s).
  • Press e during boot to enter the GRUB Loader.
  • At the end of the line that starts with linux /$photon, add rw init=/bin/bash. Press F10 to start the environment.
  • Once this is booted, you can use the pam_tally2 command set to unlock the user and reset it.
  • Enter pam_tally2 --reset --user root
  • Once this is done, you can check if the account is still locked with pam_tally2 --user root:
root@vcd-cell02 [ ~ ]# pam_tally2 --user root
Login           Failures Latest failure     From
root                0

Now reboot the appliance with reboot -f. Once the VCD Cell comes back up, you have successfully unlocked your VCD Cell root account.

I hope this quick blogpost helps everybody when they have issues with their VCD Cells.


Bryan van Eeden

Bryan is an ambitious and seasoned IT professional with almost a decade of experience in designing, building and operating complex (virtual) IT environments. In his current role he tackles customers, complex issues and design questions on a daily basis. Bryan holds several certifications such as VCIX-DCV, VCAP-DCA, VCAP-DCD, V(T)SP and vSAN and vCloud Specialist badges.

1 Comment

PJL · August 9, 2023 at 12:41 pm

Many thanks for this very helpful article.
