Invalid credentials when logging in to admin webinterface

NethServer Version: 75
Module: web-admin
I am facing a realy strange situation.
My admin web interface is only accessable from the green interface. I use VPN to get to the green side of the server.
When I try to log in to admin web interface I get “invalid credentials”
The credentials I enter are 100% correct (I can log in with the same account over SSH)

I also tried with a Samba user and also there I get “invalid credentials”

Any idea how to troubleshoot?

You might have tried already, but just in case, make sure the login box contains what you typed (use the eye icon to unmask the password, and verify it).

Can you use another browser?

This is from another scenario that I face but in a Synology device.

Before, using Windows/Kubuntu, I can access it using windows.Firefox and Linux.Weaterfox.

Then I migrate my PC to Manjaro. I can still use WeaterFox and login, but FF give a error like “encryption key is invalid…blah” and the login is denied-stuck. (nothing works, clear cache-cookies, writing/copying the password)

I barely remember that we have problems login in this forum some months ago. And need to tweak something in FF.

The browser industry is giving us a lot of problems lately. :thinking:

–Edit: But of course, the browser industry depends of a lot of tools some of those are broken to harden security issues. :upside_down_face:

1 Like

Just checked with chromium and there I also get invalid credentials.

@dnutan: I did doublechcek the password by making the entry visible: 100% sure the password is ok.

Which account provider is in use?
Is sssd service running?

Samba4 account provider.
But I can’t log in woth local root, nor with a samba4 account.
Hwoever, I can log in with root using SSH. I also can use applications like mail with samba4 users (I get my mails delivered in thunderbird and can log into SOGo webinterface)

systemctl status sssd.service gives that service is loaded and running.

Can you check:

systemctl -l status sssd nsdc

[root@ns7 ~]# systemctl -l status sssd nsdc
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2018-08-26 15:13:08 CEST; 4 days ago
Main PID: 1229 (sssd)
CGroup: /system.slice/sssd.service
├─1229 /usr/sbin/sssd -i --logger=files
├─1555 /usr/libexec/sssd/sssd_be --domain dom.tld --uid 0 --gid 0 --logger=files
├─2684 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─2685 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
Aug 30 19:30:01 server.dom.tld sssd_be[1555]: GSSAPI client step 1
Aug 30 19:30:01 server.dom.tld_be[1555]: GSSAPI client step 2
Aug 30 19:40:00 server.dom.tld[be[dom.tld]][1555]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Aug 30 19:40:01 server.dom.tld[be[dom.tld]][1555]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Aug 30 19:40:03 server.dom.tld sssd[be[dom.tld]][1555]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Aug 30 19:40:07 server.dom.tld sssd[be[dom.tld]][1555]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Aug 30 19:44:26 server.dom.tld sssd_be[1555]: GSSAPI client step 1
Aug 30 19:44:26 server.dom.tld sssd_be[1555]: GSSAPI client step 1
Aug 30 19:44:26 server.dom.tld sssd_be[1555]: GSSAPI client step 1
Aug 30 19:44:26 server.dom.tld sssd_be[1555]: GSSAPI client step 2
● nsdc.service - NethServer Domain Controller container
Loaded: loaded (/usr/lib/systemd/system/nsdc.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2018-08-26 15:13:01 CEST; 4 days ago
Docs: man:systemd-nspawn(1)
Main PID: 1050 (systemd-nspawn)
Status: “Container running.”
CGroup: /machine.slice/nsdc.service
├─1050 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --network-bridge=br0 --machine=nsdc --capability=CAP_SYS_TIME
├─1068 /usr/lib/systemd/systemd
└─system.slice
├─samba.service
│ ├─ 3029 /usr/sbin/samba -i --debug-stderr
│ ├─ 3556 /usr/sbin/samba -i --debug-stderr
│ ├─ 3557 /usr/sbin/samba -i --debug-stderr
│ ├─ 3558 /usr/sbin/samba -i --debug-stderr
│ ├─ 3566 /usr/sbin/samba -i --debug-stderr
│ ├─ 3570 /usr/sbin/samba -i --debug-stderr
│ ├─ 3571 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3577 /usr/sbin/samba -i --debug-stderr
│ ├─ 3578 /usr/sbin/samba -i --debug-stderr
│ ├─ 3581 /usr/sbin/samba -i --debug-stderr
│ ├─ 3583 /usr/sbin/samba -i --debug-stderr
│ ├─ 3585 /usr/sbin/samba -i --debug-stderr
│ ├─ 3590 /usr/sbin/samba -i --debug-stderr
│ ├─ 3591 /usr/sbin/samba -i --debug-stderr
│ ├─ 3592 /usr/sbin/samba -i --debug-stderr
│ ├─ 3593 /usr/sbin/samba -i --debug-stderr
│ ├─ 3596 /usr/sbin/samba -i --debug-stderr
│ ├─ 3597 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3762 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3774 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3784 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3789 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3790 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3791 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─15430 /usr/sbin/samba -i --debug-stderr
│ └─16559 /usr/sbin/samba -i --debug-stderr
├─console-getty.service
│ └─2954 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
├─dbus.service
│ └─2925 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
├─systemd-logind.service
│ └─2918 /usr/lib/systemd/systemd-logind
├─ntpd.service
│ └─2952 /usr/sbin/ntpd -u ntp:ntp -g
└─systemd-journald.service
└─2650 /usr/lib/systemd/systemd-journald
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Started Network Service.
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Reached target Network.
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Started Samba domain controller daemon.
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: Starting Samba domain controller daemon…
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Reached target Multi-User System.
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Reached target Graphical Interface.
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: Starting Update UTMP about System Runlevel Changes…
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Started Update UTMP about System Runlevel Changes.
Aug 26 15:13:16 server.dom.tld systemd-nspawn[1050]: CentOS Linux 7 (Core)
Aug 26 15:13:16 server.dom.tld systemd-nspawn[1050]: Kernel 3.10.0-862.9.1.el7.x86_64 on an x86_64

Are there errors in /var/log/secure?

What I can find that looks a bit fishy:

Aug 30 17:13:29 ns7 sudo: srvmgr : user NOT in sudoers ; TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/sbin/e-smith/pam-authenticate-pw
Aug 30 17:25:56 ns7 sshd[4331]: pam_unix(sshd:session): session closed for user root

I have similar entries except of the user NOT in sudoers.

Aug 30 21:12:44 vps sudo: srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/sbin/e-smith/pam-authenticate-pw

Blind shot: Is your /etc/sudoers ok? You may repair it with expand-template /etc/sudoers

Nope… same result after expand-template /etc/sudoers is still get: invalid credentials

Did you try to restart httpd-admin service?

Yes… no difference…

I don’t get these warnings in sssd status.

Did you try systemctl restart sssd nsdc or a reboot ?

Tried both but both had the same result: invalid credentials…
It seems just to be the httpd-admin because I can log in with SSH with both root and a Samba4 user

Couldn’t reproduce it, tried with vpn too. Even if I stop sssd and nsdc I can login with root. I only got “invalid credentials” for samba users.

What kind of device do you use? Maybe Android?
I’m asking, because I’ve a similar issue with proxmox console. When I use gboard or swipe sofwarekeyboard it doesn’t work, when I use the hardware keyboard to this device it works. :roll_eyes:
Who knows why…

Thnx for the suggestion @flatspin, but no. I try to log in from my laptop. Did try different browsers also: FF and chromium. All give the same result.

Some blind shots:

# get more info
id srvmgr
sudo -l -U srvmgr|grep pam-authenticate-pw