No login in eJabberd, IMAP and SSH

NethServer Version: 7.5.1804 (final)
Module: Chat (eJabberd)

I can start eJabberd with no problem:

2018-10-25 10:11:47.906 [info] <0.33.0> Application os_mon started on node ejabberd@localhost
2018-10-25 10:11:47.906 [info] <0.65.0>@ejabberd_cluster_mnesia:wait_for_sync:123 Waiting for Mnesia synchronization to complete
2018-10-25 10:11:47.906 [info] <0.65.0>@ejabberd_app:start:59 ejabberd 18.06 is started in the node ejabberd@localhost in 2.99s
2018-10-25 10:11:47.910 [info] <0.33.0> Application ejabberd started on node ejabberd@localhost
2018-10-25 10:11:47.910 [info] <0.349.0>@ejabberd_listener:init_tcp:139 Start accepting TCP connections at 0.0.0.0:5280 for ejabberd_http
2018-10-25 10:11:47.910 [info] <0.348.0>@ejabberd_listener:init_tcp:139 Start accepting TCP connections at 0.0.0.0:5223 for ejabberd_c2s
2018-10-25 10:11:47.910 [info] <0.347.0>@ejabberd_listener:init_tcp:139 Start accepting TCP connections at 0.0.0.0:5222 for ejabberd_c2s

But I can’t access it with any user:

2018-10-25 10:32:59.816 [info] <0.498.0>@ejabberd_c2s:handle_auth_failure:443 (tls|<0.498.0>) Failed c2s PLAIN authentication for enrico@domain.ext from 192.168.1.241: Invalid username or password

I also tried to access the webadmin page (after creating the jabberadmins group), but I receive this error:

2018-10-25 10:23:52.288 [warning] <0.481.0>@ejabberd_web_admin:process:233 Access of <<"enrico@domain.ext">> from <<"my.ip.add.ress">> failed with error: <<"inexistent-account">>

It seems that the LDAP bind works, but no users can log in to the chat server or the admin webpage.

Perhaps this can help you:

But don’t change the config file directly, please do it with a custom template.

Ok, I’ve added “auth_use_cache: false” via custom template; now if I try to log in via the admin webpage the error has changed:

2018-10-25 13:21:10.467 [warning] <0.544.0>@ejabberd_web_admin:process:233 Access of <<"enrico@domain.ext">> from <<"my.ip.add.ress">> failed with error: <<"bad-password">>

And if I try to log in with a Jabber client (Pidgin) I receive the same error:

2018-10-25 13:25:47.453 [info] <0.548.0>@ejabberd_c2s:handle_auth_failure:443 (tls|<0.548.0>) Failed c2s PLAIN authentication for enrico@domain.ext from 192.168.1.241: Invalid username or password

Maybe the /var/log/secure log file can give a clue…

In both cases (login via webpage and pidgin client) I receive this error:

Oct 25 22:46:32 server perl: pam_unix(system-auth:auth): authentication failure; logname= uid=994 euid=994 tty= ruser= rhost= user=enrico@domain.ext

Is it an ejabberd problem only? Can you authenticate with other services? Which one?

Can you see the users list under the Users and groups page?

I assume you have a local accounts provider. Is it running?

 systemctl status nsdc slapd

Yes, it’s an ejabberd problem only.
The network clients join the domain without any problem and shared folders work with correct permissions!
I can see and manage users and groups in the NethServer webpage.

[root@server ~]# systemctl status nsdc slapd -l
nsdc.service - NethServer Domain Controller container
Loaded: loaded (/usr/lib/systemd/system/nsdc.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2018-10-23 23:21:29 CEST; 2 days ago
Docs: man:systemd-nspawn(1)
Main PID: 1666 (systemd-nspawn)
Status: "Container running."
CGroup: /machine.slice/nsdc.service
├─1666 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --network-bridge=br0 --machine=nsdc --capability=CAP_SYS_TIME
├─1685 /usr/lib/systemd/systemd
└─system.slice
├─samba.service
│ ├─ 2168 /usr/sbin/samba -i --debug-stderr
│ ├─ 2582 /usr/sbin/samba -i --debug-stderr
│ ├─ 2583 /usr/sbin/samba -i --debug-stderr
│ ├─ 2584 /usr/sbin/samba -i --debug-stderr
│ ├─ 2585 /usr/sbin/samba -i --debug-stderr
│ ├─ 2586 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 2587 /usr/sbin/samba -i --debug-stderr
│ ├─ 2588 /usr/sbin/samba -i --debug-stderr
│ ├─ 2589 /usr/sbin/samba -i --debug-stderr
│ ├─ 2590 /usr/sbin/samba -i --debug-stderr
│ ├─ 2591 /usr/sbin/samba -i --debug-stderr
│ ├─ 2592 /usr/sbin/samba -i --debug-stderr
│ ├─ 2593 /usr/sbin/samba -i --debug-stderr
│ ├─ 2594 /usr/sbin/samba -i --debug-stderr
│ ├─ 2595 /usr/sbin/samba -i --debug-stderr
│ ├─ 2596 /usr/sbin/samba -i --debug-stderr
│ ├─ 2597 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 2598 /usr/sbin/samba -i --debug-stderr
│ ├─ 2698 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 2699 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 2709 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 2714 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─14100 /usr/sbin/samba -i --debug-stderr
│ ├─14559 /usr/sbin/samba -i --debug-stderr
│ ├─14633 /usr/sbin/samba -i --debug-stderr
│ ├─15072 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ └─21421 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─console-getty.service
│ └─2093 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
├─systemd-logind.service
│ └─2091 /usr/lib/systemd/systemd-logind
├─dbus.service
│ └─2041 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
├─ntpd.service
│ └─2073 /usr/sbin/ntpd -u ntp:ntp -g
└─systemd-journald.service
└─1889 /usr/lib/systemd/systemd-journald

Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Started Network Service.
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Reached target Network.
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Started Samba domain controller daemon.
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: Starting Samba domain controller daemon…
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Reached target Multi-User System.
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Reached target Graphical Interface.
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: Starting Update UTMP about System Runlevel Changes…
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Started Update UTMP about System Runlevel Changes.
Oct 23 23:21:30 server.domain.ext systemd-nspawn[1666]: CentOS Linux 7 (Core)
Oct 23 23:21:30 server.domain.ext systemd-nspawn[1666]: Kernel 3.10.0-862.14.4.el7.x86_64 on an x86_64
Unit slapd.service could not be found.

I checked all the ejabberd config files, comparing them with a similar server, and it seems there is no configuration problem.

Did you double check the client setup? In the end from what we saw so far the server says authentication error…

I think there are other problems on this server.
If I try to log in to WebTop I can log in, but I receive an error about authentication:

What can I try now?

A blind shot: is the server fully upgraded? What is the version of nethserver-dc? Is the Samba container upgraded too?

The server is updated: NethServer release 7.5.1804 (final)
The Samba DC is at version 4.7.10 and nethserver-dc is 1.5.7-1.ns7

If I change the password, WebTop accepts the new one, but shows me the same error.

I’m so confused.

Maybe the error is referring to the embedded xmpp client? It can be still related to ejabberd. /cc @webtop_team

Can you try another IMAP client? For instance Roundcube mail: we’re sure it does not depend on ejabberd!

Roundcube Webmail doesn’t accept my password (I’ve double checked it)

[28-Oct-2018 12:34:34 +0000]: <kspfl7h0> IMAP Error: Login failed for enrico@domain.ext from my.ip.addr.ess. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)

Please paste the output of

 getent passwd enrico
 systemctl status sssd
 config show sssd

Enable shell access for Enrico’s account, then try to access via SSH

 ssh enrico@localhost

Did you install additional RPMs manually or uninstall any module in the past?

Thanks a lot Davide.
Here are the outputs:

[root@server ~]# getent passwd enrico
enrico@domain.ext:*:1153001144:1153000513:enrico:/var/lib/nethserver/home/enrico:/usr/libexec/openssh/sftp-server

[root@server ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-10-24 11:58:39 CEST; 4 days ago
Main PID: 3352 (sssd)
CGroup: /system.slice/sssd.service
├─3352 /usr/sbin/sssd -i --logger=files
├─3353 /usr/libexec/sssd/sssd_be --domain somet.net --uid 0 --gid 0 --logger=files
├─3354 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─3355 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Oct 28 14:30:01 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:30:01 server.domain.ext sssd_be[3353]: GSSAPI client step 2
Oct 28 14:43:49 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:43:49 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:43:49 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:43:49 server.domain.ext sssd_be[3353]: GSSAPI client step 2
Oct 28 14:45:01 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:45:01 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:45:01 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:45:01 server.domain.ext sssd_be[3353]: GSSAPI client step 2

[root@server ~]# config show sssd
sssd=service
AdDns=192.168.1.253
BindDN=ldapservice@AD.DOMAIN.EXT
BindPassword=wC4f9orI1TAUlCUO
DiscoverDcType=ldapuri
LdapURI=ldaps://nsdc-server.ad.domain.ext
Provider=ad
Realm=AD.DOMAIN.EXT
Workgroup=DOMAIN
status=

How can I enable shell access for my user? With “AllowUsers Enrico” in /etc/ssh/sshd_config?
I’ve uninstalled the eJabberd module a few times because it didn’t work, nothing else.

You are Enrico! Did you create an enrico user during the server installation?

 grep enrico /etc/passwd

Can you reproduce the same problem with another user?

The output is empty!
I created “enrico” after the ejabberd problems just for tests, but all the users are afflicted by this problem.

To enable SSH access, go to the users and groups page and edit Enrico’s account. IIRC the checkbox is under advanced settings or similar.

Both nsdc and sssd seem to be running well… Really puzzling issue.