Saturday, April 13, 2013

Correction to the Cisco UC rooting process

I got a lot of feedback regarding the problem after rooting Cisco UC products (CUCM/UCCX, etc.).  The symptom was that every service is in [STARTING] state and you get 'Database Communication Error' while trying to log into the GUI (as the 'A Cisco DB' service was not able to start).

It's strange as I never ran into any problem.  I reviewed the process today and ran some tests.  I think I found the problem.  There's an unnecessary section in the instructions:

For version 8.6 or later, Cisco uses SELinux for additional security.  You need the following:

vi /etc/pam.d/su, comment the following:
    #auth   sufficient      /lib/security/$ISA/pam_rootok.so debug
    #auth   required        /lib/security/$ISA/pam_wheel.so group=priviledged_grp


This section was added to the blog based on a reader's feedback.  I didn't verify it myself and thought it wouldn't do any harm even if it's unnecessary.

Evidently, this unnecessary step broke the system.  If you already performed this, you may undo it by removing the # signs. So the two lines should read like this:

    auth    sufficient      /lib/security/$ISA/pam_rootok.so debug
    auth    required        /lib/security/$ISA/pam_wheel.so group=priviledged_grp

Reboot the system after making the changes.  View the service status with the command 'utils service list page'.  You should see that the 'A Cisco DB' service is [STARTED].  After a while, the other services should also be in the [STARTED] state.
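The undo step above can also be done with a small script. This is an added example, not part of the original post: the function and variable names are hypothetical, and it only touches the two auth lines quoted above, leaving any other commented lines in the file as they are.

```shell
#!/bin/sh
# Added example (hypothetical names): detect and undo the commented-out
# pam_rootok / pam_wheel lines in /etc/pam.d/su described in the post.

# Basic-regex patterns for the two lines quoted in the post.
ROOTOK='auth[[:space:]][[:space:]]*sufficient[[:space:]].*/pam_rootok\.so'
WHEEL='auth[[:space:]][[:space:]]*required[[:space:]].*/pam_wheel\.so[[:space:]][[:space:]]*group='

# Print "active", "commented" or "missing" for one pattern in a file.
pam_line_state() {
    file=$1
    pat=$2
    if grep -q "^[[:space:]]*$pat" "$file"; then
        echo active
    elif grep -q "^[[:space:]]*#[#[:space:]]*$pat" "$file"; then
        echo commented
    else
        echo missing
    fi
}

# Remove the leading '#' from the two lines only; keep a backup as FILE.bak.
# Writing through 'cat' keeps the original file's owner, mode and SELinux label.
restore_pam_su() {
    file=${1:-/etc/pam.d/su}
    cp -p "$file" "$file.bak" || return 1
    for pat in "$ROOTOK" "$WHEEL"; do
        if [ "$(pam_line_state "$file" "$pat")" = commented ]; then
            sed "\\|^[[:space:]]*#[#[:space:]]*$pat| s|^[[:space:]]*#[#[:space:]]*||" \
                "$file" > "$file.new" && cat "$file.new" > "$file"
            rm -f "$file.new"
        fi
    done
}
```

Source the script as root and run `restore_pam_su /etc/pam.d/su`, then reboot and check the services as described above.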

I've removed the section from the original post.  Sorry for the inconvenience caused.