Invalid credentials when logging in to admin webinterface

I don’t get these warnings in sssd status.

Did you try systemctl restart sssd nsdc or a reboot?

Tried both but both had the same result: invalid credentials…
It seems just to be the httpd-admin because I can log in with SSH with both root and a Samba4 user

Couldn’t reproduce it, tried with vpn too. Even if I stop sssd and nsdc I can login with root. I only got “invalid credentials” for samba users.

What kind of device do you use? Maybe Android?
I’m asking because I’ve a similar issue with the Proxmox console. When I use Gboard or a swipe software keyboard it doesn’t work; when I use the hardware keyboard on this device it works. :roll_eyes:
Who knows why…

Thnx for the suggestion @flatspin, but no. I try to log in from my laptop. Did try different browsers also: FF and chromium. All give the same result.

Some blind shots:

# get more info
id srvmgr
sudo -l -U srvmgr|grep pam-authenticate-pw

[root@ns7 ~]# id srvmgr
uid=996(srvmgr) gid=993(srvmgr) groups=993(srvmgr),4(adm)
[root@ns7 ~]# sudo -l -U srvmgr|grep pam-authenticate-pw
[root@ns7 ~]#

The first does give a response. The 2nd command returns empty
What response should it give?

We might have a winner. The script should be in the list of sudo permissions for srvmgr user.

You can get the full list without grepping it:

sudo -l -U srvmgr

EDIT: can you share the outcome of:

getent group adm
rpm -q nethserver-base
cat /etc/sudoers.d/20_nethserver_base

After checking that, try to run:

signal-event nethserver-base-update

[root@ns7 ~]# sudo -l -U srvmgr
User srvmgr is not allowed to run sudo on ns7.

Is there a syntax typo in this command or something really wrong?

[root@ns7 ~]# getent group adm
adm:x:4:srvmgr
[root@ns7 ~]# rpm -q nethserver-base
nethserver-base-3.4.2-1.ns7.noarch

[root@ns7 ~]# cat /etc/sudoers.d/20_nethserver_base
#
# 20_nethserver_base
#
%adm ALL=NOPASSWD: /sbin/e-smith/db, \
    /sbin/e-smith/signal-event, \
    /sbin/e-smith/validate, \
    /sbin/e-smith/pam-authenticate-pw, \
    /sbin/e-smith/logviewer, \
    /usr/libexec/nethserver/pkgaction, \
    /usr/libexec/nethserver/pkginfo, \
    /usr/libexec/nethserver/read-service-status, \
    /usr/libexec/nethserver/pki-info, \
    /usr/libexec/nethserver/sigev-batch, \
    /usr/libexec/nethserver/admin-todos, \
    /usr/libexec/nethserver/nic-info, \
    /usr/libexec/nethserver/control-service, \
    /usr/libexec/nethserver/cert-list, \
    /usr/libexec/nethserver/letsencrypt-certs, \
    /usr/bin/yum clean all, \
    /sbin/service [a-zA-Z0-9_-]* status, \
    /etc/e-smith/events/actions/nethserver-generate-certificate, \
    /usr/libexec/nethserver/yum-packages-to-remove

No typo, more of the latter, but let's hope it is not too bad.

I get this (may change depending on the installed modules)
# sudo -l -U srvmgr
Matching Defaults entries for srvmgr on server:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty, env_keep+=PTRACK_SOCKETPATH

User srvmgr may run the following commands on server:
    (root) NOPASSWD: /usr/libexec/nethserver/backup-data-search,
        /usr/libexec/nethserver/pki-vpn-gencert, /usr/libexec/nethserver/pki-vpn-revoke,
        /usr/bin/traceroute, /usr/sbin/arp-scan, /usr/bin/speedtest-cli,
        /usr/libexec/nethserver/fail2ban-listban, /usr/libexec/nethserver/fail2ban-listip,
        /usr/libexec/nethserver/shorewall-check, /usr/libexec/nethserver/providers-status,
        /usr/sbin/dmidecode
    (root) NOPASSWD: /sbin/e-smith/backup-config, /sbin/e-smith/restore-config,
        /usr/libexec/nethserver/backup-config-history
    (root) NOPASSWD: /sbin/e-smith/db, /sbin/e-smith/signal-event, /sbin/e-smith/validate,
        /sbin/e-smith/pam-authenticate-pw, /sbin/e-smith/logviewer, /usr/libexec/nethserver/pkgaction,
        /usr/libexec/nethserver/pkginfo, /usr/libexec/nethserver/read-service-status,
        /usr/libexec/nethserver/pki-info, /usr/libexec/nethserver/sigev-batch,
        /usr/libexec/nethserver/admin-todos, /usr/libexec/nethserver/nic-info,
        /usr/libexec/nethserver/control-service, /usr/libexec/nethserver/cert-list,
        /usr/libexec/nethserver/letsencrypt-certs, /usr/bin/yum clean all, /sbin/service [a-zA-Z0-9_-]*
        status, /etc/e-smith/events/actions/nethserver-generate-certificate,
        /usr/libexec/nethserver/yum-packages-to-remove
    (root) NOPASSWD: /usr/libexec/nethserver/read-nssamba-version
    (root) NOPASSWD: /usr/sbin/postqueue, /usr/sbin/postsuper
    (root) NOPASSWD: /usr/libexec/nethserver/mail-quota, /usr/bin/doveadm mailbox list -u vmail *,
        /usr/bin/doveadm -f tab acl get -u vmail *
    (root) NOPASSWD: /usr/libexec/nethserver/openvpn-tunnels, /usr/libexec/nethserver/openvpn-tunnel-pem
    (root) NOPASSWD: /usr/sbin/realm join *, /usr/libexec/nethserver/net-ads-info,
        /usr/libexec/nethserver/list-users, /usr/libexec/nethserver/list-groups,
        /usr/libexec/nethserver/list-user-membership, /usr/libexec/nethserver/list-group-members,
        /usr/libexec/nethserver/count-accounts
    (root) NOPASSWD: /sbin/e-smith/restore-file, /usr/libexec/nethserver/nethserver-restore-data-helper

20_nethserver_base is OK

What does this say:

egrep "root|wheel" /etc/sudoers
egrep -i "srvmgr|adm" /etc/sudoers.d/{10_nethserver,20_nethserver_httpd_admin}

[root@ns7 ~]# egrep "root|wheel" /etc/sudoers
.## the root user, without needing the root password.
.## Allow root to run any commands anywhere
root ALL=(ALL) ALL
.## Allows people in group wheel to run all commands
.%wheel ALL=(ALL) ALL
.# %wheel ALL=(ALL) NOPASSWD: ALL
.## cdrom as root

[root@ns7 ~]# egrep -i "srvmgr|adm" /etc/sudoers.d/{10_nethserver,20_nethserver_httpd_admin}
/etc/sudoers.d/10_nethserver:# 30nethserver_adm
/etc/sudoers.d/10_nethserver:Cmnd_Alias NETHSERVER_ADM = /usr/libexec/nethserver/backup-data-search, /usr/libexec/nethserver/pki-vpn-gencert, /usr/libexec/nethserver/pki-vpn-revoke, /usr/bin/traceroute, /usr/sbin/arp-scan, /usr/bin/speedtest-cli, /usr/libexec/nethserver/fail2ban-listban, /usr/libexec/nethserver/fail2ban-listip, /usr/libexec/nethserver/shorewall-check, /usr/libexec/nethserver/providers-status, /usr/sbin/dmidecode
/etc/sudoers.d/10_nethserver:%adm ALL=NOPASSWD: NETHSERVER_ADM
/etc/sudoers.d/10_nethserver:Defaults:srvmgr !requiretty
/etc/sudoers.d/20_nethserver_httpd_admin:# 20_nethserver_httpd_admin
/etc/sudoers.d/20_nethserver_httpd_admin:Defaults:%adm env_keep += "PTRACK_SOCKETPATH"

You may check sudoers files with

visudo -c

If the points at the beginning of lines are yours (not from files), then config looks good.
Markus's advice for verification is a better idea.

Looks like srvmgr (within adm group) fails to get sudo permissions from sudoers.

Yeah, I added those points. The double hashtags messed up formatting

Seems ok:

[root@ns7 ~]# visudo -c
/etc/sudoers: parsed OK

Checked what groups srvmgr is member of:

[root@ns7 ~]# groups srvmgr
srvmgr : srvmgr adm

That seems to be ok. Got the same on another server.

Any action taken before having this issue? (updates, installs, password expiration…)
Does your AD have a group with the same name (adm)?
Can you list the files in sudoers.d ? (to identify involved modules)

Is this the whole result?

I get this:
/etc/sudoers: parsed OK
/etc/sudoers.d/10_nethserver: parsed OK
/etc/sudoers.d/20_nethserver_backup_config: parsed OK
/etc/sudoers.d/20_nethserver_base: parsed OK
/etc/sudoers.d/20_nethserver_dc: parsed OK
/etc/sudoers.d/20_nethserver_httpd_admin: parsed OK
/etc/sudoers.d/20_nethserver_mail_common: parsed OK
/etc/sudoers.d/20_nethserver_mail_server: parsed OK
/etc/sudoers.d/20_nethserver_sssd: parsed OK
/etc/sudoers.d/40_nethserver_restore_data: parsed OK
/etc/sudoers.d/90_nethserver_nextcloud: parsed OK

If yes check the last line of /etc/sudoers, it should be #includedir /etc/sudoers.d.

Yes that was the whole result…

That line was missing from /etc/sudoers :face_with_raised_eyebrow:
Do I need to restart some service to make it active or is the /etc/sudoers file checked every time an action needs sudo rights?

/edit: @mrmarkuz: you nailed it. That line was missing. Question is HOW could it be deleted?
btw… the line is including the #. I can log in again into the admin webinterface. Thnx a LOT.

That’s a good question but I am just happy it works again!
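
The check that resolved this thread, as an added example (not code from the thread or from NethServer): it reports when the main sudoers file has no `#includedir` line for the drop-in directory, the condition under which `visudo -c` listed only `/etc/sudoers` and `sudo -l -U srvmgr` showed no rules. The function names and the temporary demo files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find sudoers drop-ins that are silently unused because the
# main file lacks an includedir line. Function names are illustrative.

# Print each directory named by an includedir directive in sudoers file $1.
# "#includedir" is a directive despite the leading "#"; newer sudo releases
# also accept "@includedir".
sudoers_includedirs() {
    sed -n 's/^[[:space:]]*[#@]includedir[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1"
}

# Return 0 if $1 includes directory $2, 1 if drop-ins exist but are not
# included, 2 if the directory is not included and holds no usable files.
check_sudoers_dropins() {
    main=${1:-/etc/sudoers}
    dir=${2:-/etc/sudoers.d}
    dir=${dir%/}
    if sudoers_includedirs "$main" | sed 's:/*$::' | grep -qxF "$dir"; then
        echo "OK: $main includes $dir"
        return 0
    fi
    unused=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # sudo skips drop-in names that contain "." or end in "~"
        case ${f##*/} in *.*|*~) continue ;; esac
        echo "UNUSED: $f"
        unused=$((unused + 1))
    done
    echo "WARN: $main has no includedir for $dir ($unused rule file(s) unused)"
    [ "$unused" -gt 0 ] && return 1
    return 2
}

# Constructed demo on temporary copies, not the real system files.
demo=$(mktemp -d)
mkdir "$demo/sudoers.d"
echo '%adm ALL=NOPASSWD: /sbin/e-smith/pam-authenticate-pw' > "$demo/sudoers.d/20_nethserver_base"
echo 'root ALL=(ALL) ALL' > "$demo/sudoers"
check_sudoers_dropins "$demo/sudoers" "$demo/sudoers.d" || true
rm -rf "$demo"
```

On a live system, run `check_sudoers_dropins` as root with no arguments. sudo re-reads its sudoers files on every invocation, so restoring the line takes effect without restarting a service.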