Netscaler MAS and ADC root password reset

Netscaler MAS root password reset

Follow the steps below when running NMAS on Hyper-V:

  1. Access NetScaler MAS through the Hyper-V Manager console.
  2. Restart NetScaler MAS.
  3. Interrupt the boot sequence when the bootloader prompts you to press Ctrl-C (shortly after the message “Loading /boot/defaults/loader.conf”).
  4. To start the VM kernel in single user mode, run the following command at the OK prompt: boot -s
  5. After the appliance boots in single user mode, it displays the following message: Enter full path of shell or RETURN for /bin/sh: Press the ENTER key to get to the shell prompt.
  6. Mount the flash partition using the following command: mount /dev/ad0s1a /flash
  7. Delete the file /flash/mpsconfig/master.passwd: rm /flash/mpsconfig/master.passwd
  8. Delete /etc/passwd: rm -rf /etc/passwd
  9. Create a new file using the following command: touch /flash/mpsconfig/.recover
  10. Run the following command: reboot
  11. Log on with nsrecover/nsroot

Follow a similar approach when running Netscaler MAS on other Hypervisors, as per Citrix support article: https://support.citrix.com/article/CTX232550

Netscaler ADC root password reset

The nsroot account provides complete access to all features of the appliance. Therefore, to preserve security, the nsroot account should be used only when necessary, and only individuals whose duties require full access should know the password for the nsroot account. Frequently changing the nsroot password is advisable. If you lose the password, you can reset it to the default and then change it.

Important! To avoid an unwanted HA failover caused by the reboot, it is recommended to set STAY PRIMARY on the primary node and STAY SECONDARY on the secondary node.

To reset the nsroot password, you must boot the appliance into single user mode, mount the file systems in read/write mode, and remove the set system user nsroot entry from the ns.conf file. You can then reboot, log on with the default password, and choose a new password.

Note: Refer to the transcript in the Additional Resources section for the complete list of various commands run on the appliance and their respective output.

To recover the password from a NetScaler appliance, complete the following procedure:

  1. Attach a console cable to the Serial Console (9600 baud, 8 bits, 1 stop bit, No parity) of the NetScaler appliance.
    If you are using NetScaler VPX, access the appliance console through XenCenter or vSphere.
  2. Restart the NetScaler appliance.
  3. Press Ctrl + C keys simultaneously when the following message is displayed:
    Press [Ctrl-C] for command prompt, or any other key to boot immediately.
    Booting [kernel] in # seconds.
  4. To start the appliance kernel in single user mode, run the following command:
    boot -s
    Note: If boot -s does not work, try reboot -- -s and the appliance reboots in single user mode.

    After the appliance boots, it displays the following message:
    Enter full path name of shell or RETURN for /bin/sh:

  5. Press ENTER key to display the # prompt, and run the following command to verify the /flash drive consistency:
    /sbin/fsck /dev/ad0s1a

    Notes:

    • Refer to CTX122687 – How to Mount the Flash Drive by Using an Appropriate Device Name on a NetScaler Appliance to verify the device name assigned to the flash drive of the appliance model and replace ad0s1a in the preceding command with the appropriate device name. For NetScaler VPX on VMware, the disk uses SCSI emulation. Therefore, the device name of the flash drive is da0s1a.
    • If the above command does not work (displays “Could not determine filesystem type”) use /sbin/fsck_ufs instead of /sbin/fsck.
  6. Run the following command to display the mounted partitions:
    df
  7. Run the following command to mount the flash drive (again, substituting the proper device name, as determined above, for ad0s1a):
    /sbin/mount /dev/ad0s1a /flash

    If the preceding command fails to mount the flash drive, then run the following command to create the flash directory and then run the preceding command again to mount the drive:
    mkdir /flash
    Note: For NetScaler VPX on VMware, the disk uses SCSI emulation. Therefore, the device name of the flash drive is da0s1a.

  8. Run the following command to change to the nsconfig directory:
    cd /flash/nsconfig
  9. Run the following set of commands to rewrite the “ns.conf” file and remove the set system user commands for the nsroot user:
    1. Run the following command to create a new configuration file that does not have the set system user commands for the nsroot user:
      grep -v "set system user nsroot" ns.conf > new.conf
    2. Run a command similar to the following command to make a backup of the existing configuration file:
      mv ns.conf old.ns.conf
    3. Run the following command to rename the “new.conf” file to “ns.conf”:
      mv new.conf ns.conf
  10. Run the following command to restart the appliance:
    reboot
  11. Log on to the appliance using the default nsroot user credentials.
  12. Run the following command to set the nsroot user password to one of your choice:
    set system user nsroot <New_Password>

If the above steps do not work when remounting the /flash and /var drives, follow the steps below to run a file system check and mount /flash and /var respectively.

The commands below were successful on an MPX 5650.

  1. Check /flash and mount it if it is not listed when running df -h.
    To check /flash, use the following command:
    fsck_ufs -y /dev/ad4s1a
    To mount /flash, use the following command:
    mount /dev/ad4s1a /flash
  2. Check /var and mount it if it is not listed when running df -h.
    To check /var, use the following command:
    fsck_ufs -y /dev/ad4s1e
    To mount /var, use the following command:
    mount /dev/ad4s1e /var
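
Step 9 of the ADC procedure (filter ns.conf, back it up, swap in the new file) as one checked function; this is an added example, not code from Citrix or from this page's author. It goes slightly beyond the page's grep by requiring a space or end of line after nsroot, so entries for other user names that merely start with nsroot are kept; that stricter pattern, the function names and the sample configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Citrix code. On the appliance DIR is /flash/nsconfig.

# Remove only the nsroot password entry from DIR/ns.conf, keeping a backup.
# Returns 0 on success, 1 if no entry was found, 2 on any inconsistency.
strip_nsroot_entry() {
    dir=$1
    conf="$dir/ns.conf"
    # Assumption: the entry is "set system user nsroot" followed by a space
    # or end of line, so a user such as "nsrootbackup" is not matched.
    pat='set system user nsroot( |$)'
    [ -f "$conf" ] || { echo "no ns.conf in $dir" >&2; return 2; }

    # grep exits 1 when nothing matches; that is a valid answer here.
    hits=$(grep -c -E "$pat" "$conf" || true)
    [ "$hits" -gt 0 ] || { echo "no nsroot entry; nothing changed" >&2; return 1; }

    grep -v -E "$pat" "$conf" > "$dir/new.conf" || [ $? -eq 1 ] ||
        { rm -f "$dir/new.conf"; return 2; }

    # Every line other than the matched ones must survive the rewrite.
    before=$(grep -c '' "$conf" || true)
    after=$(grep -c '' "$dir/new.conf" || true)
    if [ $((before - hits)) -ne "$after" ]; then
        echo "line count mismatch; ns.conf left untouched" >&2
        rm -f "$dir/new.conf"
        return 2
    fi

    # Same renames as the manual steps: keep the original as old.ns.conf.
    mv "$conf" "$dir/old.ns.conf" && mv "$dir/new.conf" "$conf"
}

# Constructed sample configuration for trying the function off the appliance.
make_sample_conf() {
    cat > "$1/ns.conf" <<'EOF'
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set system user nsroot CONSTRUCTED_HASH -encrypted
set system user nsrootbackup CONSTRUCTED_HASH -encrypted
add lb vserver vs_demo HTTP 192.0.2.20 80
EOF
}
```

After a successful run the appliance accepts the default nsroot password until step 12 is completed, so a return value of 0 is also the point from which the password change is outstanding.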

More details on the step-by-step process can be found at https://support.citrix.com/article/CTX109006
