Invalid credentials when logging in to admin webinterface

v7
server-manager

(Rob Bosch) #1

NethServer Version: 75
Module: web-admin
I am facing a really strange situation.
My admin web interface is only accessible from the green interface. I use VPN to get to the green side of the server.
When I try to log in to admin web interface I get “invalid credentials”
The credentials I enter are 100% correct (I can log in with the same account over SSH)

I also tried with a Samba user and also there I get “invalid credentials”

Any idea how to troubleshoot?


(Marc) #2

You might have tried already, but just in case, make sure the login box contains what you typed (use the eye icon to unmask the password, and verify it).


(Enrique D) #3

Can you use another browser?

This is from another scenario that I face but in a Synology device.

Before, using Windows/Kubuntu, I could access it using windows.Firefox and Linux.Waterfox.

Then I migrated my PC to Manjaro. I can still use Waterfox and log in, but FF gives an error like “encryption key is invalid…blah” and the login is denied-stuck. (Nothing works: clearing cache-cookies, writing/copying the password.)

I barely remember that we had problems logging in to this forum some months ago, and needed to tweak something in FF.

The browser industry is giving us a lot of problems lately. :thinking:

–Edit: But of course, the browser industry depends on a lot of tools, some of those are broken to harden security issues. :upside_down_face:


(Rob Bosch) #4

Just checked with chromium and there I also get invalid credentials.

@dnutan: I did double-check the password by making the entry visible: 100% sure the password is ok.


(Marc) #5

Which account provider is in use?
Is sssd service running?


(Rob Bosch) #6

Samba4 account provider.
But I can’t log in with local root, nor with a samba4 account.
However, I can log in with root using SSH. I can also use applications like mail with samba4 users (I get my mails delivered in Thunderbird and can log into the SOGo web interface).

systemctl status sssd.service gives that service is loaded and running.


(Marc) #7

Can you check:

systemctl -l status sssd nsdc

(Rob Bosch) #8

[root@ns7 ~]# systemctl -l status sssd nsdc
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2018-08-26 15:13:08 CEST; 4 days ago
Main PID: 1229 (sssd)
CGroup: /system.slice/sssd.service
├─1229 /usr/sbin/sssd -i --logger=files
├─1555 /usr/libexec/sssd/sssd_be --domain dom.tld --uid 0 --gid 0 --logger=files
├─2684 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─2685 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
Aug 30 19:30:01 server.dom.tld sssd_be[1555]: GSSAPI client step 1
Aug 30 19:30:01 server.dom.tld_be[1555]: GSSAPI client step 2
Aug 30 19:40:00 server.dom.tld[be[dom.tld]][1555]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Aug 30 19:40:01 server.dom.tld[be[dom.tld]][1555]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Aug 30 19:40:03 server.dom.tld sssd[be[dom.tld]][1555]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Aug 30 19:40:07 server.dom.tld sssd[be[dom.tld]][1555]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Aug 30 19:44:26 server.dom.tld sssd_be[1555]: GSSAPI client step 1
Aug 30 19:44:26 server.dom.tld sssd_be[1555]: GSSAPI client step 1
Aug 30 19:44:26 server.dom.tld sssd_be[1555]: GSSAPI client step 1
Aug 30 19:44:26 server.dom.tld sssd_be[1555]: GSSAPI client step 2
● nsdc.service - NethServer Domain Controller container
Loaded: loaded (/usr/lib/systemd/system/nsdc.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2018-08-26 15:13:01 CEST; 4 days ago
Docs: man:systemd-nspawn(1)
Main PID: 1050 (systemd-nspawn)
Status: “Container running.”
CGroup: /machine.slice/nsdc.service
├─1050 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --network-bridge=br0 --machine=nsdc --capability=CAP_SYS_TIME
├─1068 /usr/lib/systemd/systemd
└─system.slice
├─samba.service
│ ├─ 3029 /usr/sbin/samba -i --debug-stderr
│ ├─ 3556 /usr/sbin/samba -i --debug-stderr
│ ├─ 3557 /usr/sbin/samba -i --debug-stderr
│ ├─ 3558 /usr/sbin/samba -i --debug-stderr
│ ├─ 3566 /usr/sbin/samba -i --debug-stderr
│ ├─ 3570 /usr/sbin/samba -i --debug-stderr
│ ├─ 3571 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3577 /usr/sbin/samba -i --debug-stderr
│ ├─ 3578 /usr/sbin/samba -i --debug-stderr
│ ├─ 3581 /usr/sbin/samba -i --debug-stderr
│ ├─ 3583 /usr/sbin/samba -i --debug-stderr
│ ├─ 3585 /usr/sbin/samba -i --debug-stderr
│ ├─ 3590 /usr/sbin/samba -i --debug-stderr
│ ├─ 3591 /usr/sbin/samba -i --debug-stderr
│ ├─ 3592 /usr/sbin/samba -i --debug-stderr
│ ├─ 3593 /usr/sbin/samba -i --debug-stderr
│ ├─ 3596 /usr/sbin/samba -i --debug-stderr
│ ├─ 3597 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3762 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3774 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3784 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3789 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3790 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 3791 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─15430 /usr/sbin/samba -i --debug-stderr
│ └─16559 /usr/sbin/samba -i --debug-stderr
├─console-getty.service
│ └─2954 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
├─dbus.service
│ └─2925 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
├─systemd-logind.service
│ └─2918 /usr/lib/systemd/systemd-logind
├─ntpd.service
│ └─2952 /usr/sbin/ntpd -u ntp:ntp -g
└─systemd-journald.service
└─2650 /usr/lib/systemd/systemd-journald
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Started Network Service.
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Reached target Network.
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Started Samba domain controller daemon.
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: Starting Samba domain controller daemon…
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Reached target Multi-User System.
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Reached target Graphical Interface.
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: Starting Update UTMP about System Runlevel Changes…
Aug 26 15:13:14 server.dom.tld systemd-nspawn[1050]: [ OK ] Started Update UTMP about System Runlevel Changes.
Aug 26 15:13:16 server.dom.tld systemd-nspawn[1050]: CentOS Linux 7 (Core)
Aug 26 15:13:16 server.dom.tld systemd-nspawn[1050]: Kernel 3.10.0-862.9.1.el7.x86_64 on an x86_64


(Markus Neuberger) #9

Are there errors in /var/log/secure?


(Rob Bosch) #10

What I can find that looks a bit fishy:

Aug 30 17:13:29 ns7 sudo: srvmgr : user NOT in sudoers ; TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/sbin/e-smith/pam-authenticate-pw
Aug 30 17:25:56 ns7 sshd[4331]: pam_unix(sshd:session): session closed for user root


(Markus Neuberger) #11

I have similar entries except for the user NOT in sudoers.

Aug 30 21:12:44 vps sudo: srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/sbin/e-smith/pam-authenticate-pw

Blind shot: Is your /etc/sudoers ok? You may repair it with expand-template /etc/sudoers
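
The comparison made by eye in posts #10 and #11, as an added example that is not part of the thread: it counts sudo denials in secure-log lines per account and command, so a refused `pam-authenticate-pw` call by `srvmgr` stands out. The function names are hypothetical, and the sample reuses the lines quoted above plus one constructed repeat of the denial.

```shell
#!/bin/sh
# Added example, not NethServer code. Sample input: lines 1-3 are quoted in
# posts #10 and #11; line 4 is constructed to show counting.
sample_secure_log() {
    cat <<'EOF'
Aug 30 17:13:29 ns7 sudo: srvmgr : user NOT in sudoers ; TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/sbin/e-smith/pam-authenticate-pw
Aug 30 17:25:56 ns7 sshd[4331]: pam_unix(sshd:session): session closed for user root
Aug 30 21:12:44 vps sudo: srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/sbin/e-smith/pam-authenticate-pw
Aug 30 17:14:02 ns7 sudo: srvmgr : user NOT in sudoers ; TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/sbin/e-smith/pam-authenticate-pw
EOF
}

# Print "<count> <account> <command>" for every sudo denial.
# Reads the files given as arguments (e.g. /var/log/secure) or stdin.
sudo_denials() {
    awk '
    / sudo: / && /user NOT in sudoers/ {
        user = $0
        sub(/^.* sudo:[ \t]*/, "", user)   # drop timestamp, host and tag
        sub(/[ \t]*:.*$/, "", user)        # keep only the invoking account
        cmd = "(unknown)"
        if (match($0, /COMMAND=.*/))
            cmd = substr($0, RSTART + 8, RLENGTH - 8)
        count[user " " cmd]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort
}

# Exit 0 if ACCOUNT was refused COMMAND at least once.
# Usage: denied_for ACCOUNT COMMAND [logfile...]
denied_for() {
    user=$1 cmd=$2
    shift 2
    sudo_denials "$@" | awk -v u="$user" -v c="$cmd" '
        { line = $0; sub(/^[0-9]+ /, "", line); if (line == u " " c) hit = 1 }
        END { exit !hit }'
}

sample_secure_log | sudo_denials
```

On the server itself the same functions can be pointed at the real log, for example `sudo_denials /var/log/secure`.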


(Rob Bosch) #12

Nope… same result after expand-template /etc/sudoers. I still get: invalid credentials


(Markus Neuberger) #13

Did you try to restart httpd-admin service?


(Rob Bosch) #14

Yes… no difference…


(Markus Neuberger) #15

I don’t get these warnings in sssd status.

Did you try systemctl restart sssd nsdc or a reboot?


(Rob Bosch) #16

Tried both but both had the same result: invalid credentials…
It seems just to be the httpd-admin because I can log in with SSH with both root and a Samba4 user


(Markus Neuberger) #17

Couldn’t reproduce it, tried with vpn too. Even if I stop sssd and nsdc I can login with root. I only got “invalid credentials” for samba users.


(Ralf Jeckel) #18

What kind of device do you use? Maybe Android?
I’m asking because I have a similar issue with the Proxmox console. When I use Gboard or a swipe software keyboard it doesn’t work; when I use the hardware keyboard on this device it works. :roll_eyes:
Who knows why…


(Rob Bosch) #19

Thnx for the suggestion @flatspin, but no. I try to log in from my laptop. Did try different browsers also: FF and chromium. All give the same result.


(Marc) #20

Some blind shots:

# get more info
id srvmgr
sudo -l -U srvmgr|grep pam-authenticate-pw