Hot!FG50B - lost super_admin access profile?

Author
rodeca
New Member
  • Total Posts : 18
  • Scores: 0
  • Reward points: 0
  • Joined: 2007/06/28 07:28:59
  • Location: Spain
  • Status: offline
2008/09/20 04:25:34 (permalink)
0

FG50B - lost super_admin access profile?

Current OS: MR6-sp1

- I cannot assign " super_admin" profile (nor GUI, nor CLI)
- It doesn' t show at GUI / system / admin / profiles
- If I try to create a profile named " super_admin" , I get a " duplicated name..." error

Presently, it is not a problem (I have an Admin account); but may be tomorrow I' ll have to do some management requiring " super_admin" account...

Any hint?
RØ

BACKGROUND:

May be it is related to a serious problem with an MR4 fw (a year ago):
---------------
Initializing firewall...
System is started.
Failed to save PRNG state.
failed to change to (/data/./config/)
...
Error generating self-signed certificate
unknown operation mode(0)

The system is going down NOW !!
---------------
over and over again

Following KB and Forums advices, I did
- an HQIP (everything correct)
- a Format + Get-from-tftp (again MR4)
- an Admin password reset (I couldn' t log in)

#1
abelio
Expert Member
  • Total Posts : 3674
  • Scores: 57
  • Reward points: 0
  • Joined: 2005/03/31 13:28:59
  • Location: Buenos Aires, Argentina
  • Status: offline
RE: FG50B - lost super_admin access profile? 2008/09/20 09:53:28 (permalink)
0
hi,
in order to understand your problem, could you post the output of cli command

" show full-configuration system admin" please?

regards
--
Abel
#2
rodeca
New Member
  • Total Posts : 18
  • Scores: 0
  • Reward points: 0
  • Joined: 2007/06/28 07:28:59
  • Location: Spain
  • Status: offline
RE: FG50B - lost super_admin access profile? 2008/09/21 04:57:23 (permalink)
0
My problem:
I thought there would be a " super_admin" access profile. But I cannot assign it to any account.

My " full config etc. etc.:

FGT50B $ show full-configuration system admin
config system admin
edit " admin"
set remote-auth disable
set peer-auth disable
set trusthost1 0.0.0.0 0.0.0.0
set trusthost2 0.0.0.0 0.0.0.0
set trusthost3 0.0.0.0 0.0.0.0
set accprofile " prof_admin"
set comments ' '
set vdom " root"
unset ssh-public-key1
unset ssh-public-key2
unset ssh-public-key3
set schedule ' '
config dashboard
edit " licinfo"
set column 1
set status open
next
edit " jsconsole"
set column 1
set status close
next
edit " sysres"
set column 1
set show-fds-chart enable
set show-fortianalyzer-chart enable
set status open
next
edit " sysop"
set column 1
set status open
next
edit " sysinfo"
set column 2
set status open
next
edit " alert"
set column 2
set show-conserve-mode enable
set show-firmware-change enable
set show-system-restart enable
set status close
next
edit " statistics"
set column 2
set status open
next
set column 1
set show-fds-chart enable
set show-fortianalyzer-chart enable
set status open
next
edit " sysop"
set column 1
set status open
next
edit " sysinfo"
set column 2
set status open
next
edit " alert"
set column 2
set show-conserve-mode enable
set show-firmware-change enable
set show-system-restart enable
set status close
next
edit " statistics"
set column 2
set status open
next
end
set password ENC AK13DEr+pGzT+ etc..
next
end
FGT50B $


Thank you
RØ
#3
abelio
Expert Member
  • Total Posts : 3674
  • Scores: 57
  • Reward points: 0
  • Joined: 2005/03/31 13:28:59
  • Location: Buenos Aires, Argentina
  • Status: offline
RE: FG50B - lost super_admin access profile? 2008/09/21 06:09:33 (permalink)
0
Ok, it' s clear now:
you only have an admin account with ' prof_admin' and no one with ' super_admin' profile.
Agree with you: you could need that profile for certain tasks.

Well, I don' t know other non-disruptive procedures that this one, mainly used for recover admin passwd;
maybe others in the forum could point another path.

use this thread as reference: http://support.fortinet.com/forum/tm.asp?m=41433
after logged as maintainer user you could type:


config system admin
edit " admin"
set accprofile " super_admin"
next
end



hope it helps,
< Message edited by abelio -- 9/21/2008 6:10:20 AM >

regards
--
Abel
#4
rodeca
New Member
  • Total Posts : 18
  • Scores: 0
  • Reward points: 0
  • Joined: 2007/06/28 07:28:59
  • Location: Spain
  • Status: offline
RE: FG50B - lost super_admin access profile? 2008/09/21 07:03:53 (permalink)
0
Thank you for your quick reply. As I' m now leaving the town (no, no problem with the sheriff), it' ll take some days before I try and I can say how it resulted.

See you
RØ
#5
romanr
Platinum Member
  • Total Posts : 923
  • Scores: 34
  • Reward points: 0
  • Joined: 2004/06/08 08:29:56
  • Location: Vienna/Austria
  • Status: offline
RE: FG50B - lost super_admin access profile? 2008/09/26 07:03:40 (permalink)
0
You will only need the super_admin profile/account if you use virtual domains!! If you don' t have virtual domains, then there is no difference and you don' t need to bother actually!

I also sometimes lost the ' super_admin' profile, because i did backup and recover with only ' prof_admin' profiles! This is how it gets lost ;)!

cheers.roman
#6
rodeca
New Member
  • Total Posts : 18
  • Scores: 0
  • Reward points: 0
  • Joined: 2007/06/28 07:28:59
  • Location: Spain
  • Status: offline
RE: FG50B - lost super_admin access profile? 2008/10/01 09:28:41 (permalink)
0
It' s me again, back home.

Abel,
applied procedure and now I have a " super_admin" .

Roman,
I lost that profile after a reset-to-factory + restore-backup
Restored backup included only a ' config system admin' + ' edit " 1" ' . So may be I deleted the original " admin" account and created another one with that same name .

Anyway, everything is OK now.

Thank you all
RØ
#7
bouchlk
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/09/07 06:44:58
  • Status: offline
Re: RE: FG50B - lost super_admin access profile? 2020/09/07 07:02:18 (permalink)
0
Hey there,
 
Hope you are all doing well,
 
I have the same problem and I tried to recover the super admin account using CLI and maintainer account, but I got below error:
 
# edit "admin"
'maintainer' account can only edit existing admins.
node_check_object fail! for name admin
 
value parse error before 'admin'
Command fail. Return code -37
 
Is there any way to know the super admin account as I can't see them with my profil admin
#8
Jump to:
© 2020 APG vNext Commercial Version 5.5