Admin/root password problem (after upgrade to 6.8?)

The morning after upgrading to 6.8 I received the following mail message from my Nethserver installation alerting me about a backup-error:

===== Report for data backup =====

Backup started at 2016-07-03 03:00:02
Pre backup scripts status: SUCCESS
Backup script status: ERROR

Extract from log file /var/log/backup-data.log:

2016-07-03 03:00:02 - START - Backup data started
2016-07-03 03:00:42 - STEP - pre-backup-done done
2016-07-03 03:00:43 - ERROR - Backup failed, see /var/log/last-backup.log for details - 5888
2016-07-03 03:00:43 - ERROR - Action backup-data-duplicity failed - 1

Extract from log file /var/log/last-backup.log:

Duplicity 0.6 series is being deprecated:
See duplicity: Encrypted bandwidth-efficient backup

Reading globbing filelist /tmp/wYCdgtJQN2
Another instance is already running with this archive directory
If you are sure that this is the only instance running you may delete
the following lockfile and run the command again :
/var/lib/nethserver/backup/duplicity/0df53d96254028b034db11901017dbca/lockfile.lock

Strange, but apparently a lock-file issue so it should not really be a problem.

Strange enough I am able to login to console and webui as admin, but I am unable to use sudo or to su root.

sudo command results in the following:

[admin@fqdn ~]$ sudo command
[sudo] password for admin:
Sorry, user admin is not allowed to execute ‘/bin/command’ as root on fqdn.

admin no longer appears to be in the sudoers file. I can’t check because I need root access to do so . . . .

su root results in the following:

[admin@fqdn ~]$ su root
Password:
su: incorrect password

The admin and root passwords seem not to be synced/the same anymore.

Any ideas how to proceed now?

Looks like two kinds of issues, backup and admin.
Any idea @support_team @quality_team ?

@jaapvdv have you logged in as root?

… I don’t mean log in as admin and try to su, I mean log in as root.

Yes, I did:

Permission denied, please try again.

Should I try to change the password for admin (from WebUI) and see what happens in the logs?

Admin should not be in sudoers file itself. It is a member of adm group which is granted privileged execution of a restricted set of commands (NETHSERVER_ADM).

admin/root passwords are no longer synchronized since 6.6 release!

You could change the passwords from the UserProfile page, or from the command line, with passwd command.

Thanks, I’ll have a go at it! Will be reporting back.


Admin should not be in sudoers file itself. It is a member of adm group which is granted privileged execution of a restricted set of commands (NETHSERVER_ADM).

OK, so why do I get the error:

Sorry, user admin is not allowed to execute ‘/bin/command’ as root on fqdn.

when admin is a member of the domadmins group?

I have another user which is also a member of domadmins, when issuing a sudo command as that user in console I get:

userxyz is not in the sudoers file. This incident will be reported.

?


Members of domadmins group receive the Samba SeMachineAccountPrivilege privilege, that allows adding a machine to the NT Domain.

https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html

AFAIK this is the only privilege granted to members of domadmins group!

This is the expected behavior from my point of view because sudo is not configured for command line execution. On NethServer side sudo is configured to delegate administration commands to the UI, nothing more.

Is this different from what a vanilla CentOS does?


Well, it seems we are talking about two different groups . . . . correct?

I have a domadmins group on my server but no adm group (anymore?).

I have been able to use sudo on the commandline using the admin account, but now I can’t, admin is currently only member of the group domadmins.


I just checked the howto I wrote on installing NethServer on an ESXi host, the chapter on installing OpenVM Tools contains the following text:

First open a console or ssh session and login using your admin credentials. Enter the following commands (when asked for a password, use your admin password again):

su root
yum -y install http://packages.vmware.com/tools/esx/5.1/repos/vmware-tools-repo-RHEL6-9.0.0-2.x86_64.rpm
yum -y install vmware-tools-esx-nox
exit
That is it, Open VM Tools installed!

It appears I somehow have been able to use my admin password when switching to user root . . . (the first NethServer release I used is 6.7 . . .)

Could you paste the output of?

id admin

Mine is

uid=500(admin) gid=500(admin) groups=500(admin),4(adm),502(locals),504(domadmins)

Below, looks the same:

[user@nethserver ~]$ id admin
uid=500(admin) gid=500(admin) groups=500(admin),4(adm),502(locals),503(domadmins)

So, only domadmins is visible in WebUI!

Yes, the UI shows only groups from LDAP

As always asking a question and using other people as a sounding board helps solve problems.

This case is no different!

Using this instruction: Reset forgotten root password in rhel centos and fedora/ I have been able to reset my root password and delete the offending lockfile (initial question).


So thank you, the problem appears to be solved, I’ll know for sure tomorrow morning when my backup is successful!
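
The lockfile clean-up that the duplicity message and the post above refer to, as an added example that is not part of the original thread or of NethServer's own tooling: it deletes lockfile.lock only after checking that no duplicity process is running. The function names, the pgrep pattern and the `--clear` switch are assumptions; the archive path is the one shown in the log.

```shell
#!/bin/bash
# Added example (not NethServer code): clear a duplicity lockfile only
# when no duplicity process is running. Function names, the pgrep pattern
# and the --clear switch are assumptions made for this example.

# Parent of the hash-named archive directory shown in the log above.
ARCHIVE_ROOT="${ARCHIVE_ROOT:-/var/lib/nethserver/backup/duplicity}"

# Returns 0 if a duplicity process is running. Matches the full command
# line because duplicity is started through the Python interpreter.
duplicity_running() {
    pgrep -f '(^|/)duplicity( |$)' >/dev/null 2>&1
}

# Usage: clear_stale_locks DIR
# Prints "removed PATH" for every lockfile deleted. Returns 1 without
# touching anything while a backup is still in progress.
clear_stale_locks() {
    local root="$1" lock removed=0
    if duplicity_running; then
        echo "duplicity is still running; lockfiles left in place" >&2
        return 1
    fi
    for lock in "$root"/*/lockfile.lock; do
        [ -f "$lock" ] || continue      # glob matched nothing
        if rm -f -- "$lock"; then
            echo "removed $lock"
            removed=$((removed + 1))
        fi
    done
    [ "$removed" -gt 0 ] || echo "no lockfile under $root" >&2
    return 0
}

# Run as root: ./clear-duplicity-lock.sh --clear
if [ "${1:-}" = "--clear" ]; then
    clear_stale_locks "$ARCHIVE_ROOT"
fi
```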


You can just change the time of your backup to 2 minutes from now…

Backup was successful, so I am properly up and running again!
