Locked out after changing admin user to machine account

While trying to set up Checkmk with Grafana, I mistakenly (and somewhat stupidly) changed my sole Checkmk admin user from a “normal user login with password” to “Automation secret for machine accounts”. I am now unable to reach Checkmk as admin. I updated my Checkmk admin password via htpasswd, but this didn’t work. Is there some way I can return the admin user to a normal user with a password login?

(I’m running Checkmk Raw via a Docker container.)

Hi @dubdub and welcome to the forum.

It can happen and normally the htpasswd method helps but in your case we have to modify some Checkmk configuration to get your login back.

It took me a while to figure this one out but it works. :slight_smile:

Please follow the instructions very closely and make a backup of your Checkmk site before you edit things!

  1. Log in as the site user (sudo su - sitename)
  2. Edit the following file with an editor of your choice. Remember to install it with apt inside the container. Do apt update first; after that you can do apt install nano inside the container.
    You need to edit etc/check_mk/multisite.d/wato/users.mk with
    (nano etc/check_mk/multisite.d/wato/users.mk)
  3. In this file you see all the Checkmk users and their settings. Here is an example from a freshly created site:
multisite_users.update({'cmkadmin': {'roles': ['admin'], 'locked': False, 'connector': 'htpasswd', 'alias': 'cmkadmin'}, 'automation': {'alias': 'Check_MK Automation - used for calling web services', 'automation_secret': '2c0a01af-1337-43bc-9c96-50782b71446a', 'roles': ['admin'], 'locked': False, 'language': 'en', 'connector': 'htpasswd'}})

And this is the same file after I made the cmkadmin user an automation user:

multisite_users.update({'cmkadmin': {'alias': 'cmkadmin', 'roles': ['admin'], 'locked': False, 'connector': 'htpasswd', 'automation_secret': 'CNI@CLYOMAWSHLKVLPFM', 'force_authuser': False, 'nav_hide_icons_title': None, 'icons_per_item': None, 'show_mode': None}, 'automation': {'alias': 'Check_MK Automation - used for calling web services', 'automation_secret': '2c0a01af-1337-43bc-9c96-50782b71446a', 'roles': ['admin'], 'locked': False, 'language': 'en', 'connector': 'htpasswd'}})

As you can see some things changed. Please replace your cmkadmin config with the following:

{'cmkadmin': {'roles': ['admin'], 'locked': False, 'connector': 'htpasswd', 'alias': 'cmkadmin'},

At the end of the line you can still have your automation user config. The alternative would be to remove the automation_secret part from the cmkadmin config.

'automation_secret': 'CNI@CLYOMAWSHLKVLPFM',

So far so good, but that’s not everything. :sweat_smile: If you try to log in now you will still get an error message like “Automation user rejected”.

  4. Now we have to delete the automation.secret file to be able to log back in. Please delete: rm /opt/omd/sites/cmk/var/check_mk/web/cmkadmin/automation.secret
    Make sure it’s the right user! In this case we are working with the cmkadmin.

  5. After that you need to change your password and then should be able to log back in with your cmkadmin. You can reset it using the site user context and cmk-passwd cmkadmin or htpasswd -B -C 12 etc/htpasswd cmkadmin if you are using a patch release before 2.1.0p16.

I know it was a very advanced procedure that may break things if not done correctly! Please always make a backup before working on configuration files.

I hope it helped you and if you have more questions feel free to ask. :v:

Regards
Norm

All shown secrets are from a test installation and are not used in any production environment.
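
The users.mk edit from step 3, sketched as an added example (not part of the original post and not Checkmk's own code): it parses the file without executing it, reports which admin users can still log in with a password, and builds the corrected entry. It assumes, as the two listings above show, that the presence of the automation_secret key is what marks a user as a machine account; the sample content and its secrets are constructed placeholders.

```python
import ast

# Constructed sample in the users.mk layout shown above; secrets are placeholders.
SAMPLE_USERS_MK = (
    "multisite_users.update({'cmkadmin': {'alias': 'cmkadmin', 'roles': ['admin'], "
    "'locked': False, 'connector': 'htpasswd', 'automation_secret': 'PLACEHOLDER-1'}, "
    "'automation': {'alias': 'automation', 'automation_secret': 'PLACEHOLDER-2', "
    "'roles': ['admin'], 'locked': False, 'connector': 'htpasswd'}})\n"
)


def load_users(text):
    """Collect the dict literals passed to multisite_users.update() without running the file."""
    users = {}
    for node in ast.walk(ast.parse(text)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "update"
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "multisite_users"
                and node.args):
            users.update(ast.literal_eval(node.args[0]))
    return users


def interactive_admins(users):
    """Admins with a password login: admin role, not locked, no automation_secret (assumption)."""
    return sorted(
        name for name, cfg in users.items()
        if "admin" in cfg.get("roles", [])
        and not cfg.get("locked", False)
        and "automation_secret" not in cfg
    )


def strip_automation(users, name):
    """Return a copy in which `name` has no automation_secret; other users are untouched."""
    fixed = {user: dict(cfg) for user, cfg in users.items()}
    fixed[name].pop("automation_secret", None)
    return fixed


if __name__ == "__main__":
    users = load_users(SAMPLE_USERS_MK)
    print("password-login admins before:", interactive_admins(users))
    fixed = strip_automation(users, "cmkadmin")
    print("password-login admins after: ", interactive_admins(fixed))
    print("multisite_users.update(%r)" % fixed)
```

An empty "before" list is the locked-out state described in this thread. The script only covers the users.mk edit; removing automation.secret and resetting the password are still needed afterwards.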


Many thanks Norm. This worked perfectly. I might be the only one stupid enough to do this, but can I suggest implementing a lock that prevents conversion of an admin user (or at least the sole admin user) to a machine account?

Thanks again. Having tidied that up, I now have an error in the Grafana plugin (“Could not read API response, make sure the URL you provided is correct.”), but if I can’t figure it out I’ll start another post.

Hi @dubdub
good to hear that this helped you.
You can mark the response as a solution to help others in the future.

I don’t think we need a locking mechanism there. Just create another admin user to work on your Checkmk. I normally suggest to my customers to leave the cmkadmin untouched in case of an emergency and work with personalised users.

For the Grafana problem you can follow the official documentation: Integrating Checkmk in Grafana

If that is not helping you, you can create another forum thread with more detailed information.

Regards
Norm
