No login in eJabberd, IMAP and SSH

Enrico · October 25, 2018, 8:48am

NethServer Version: 7.5.1804 (final)
Module: Chat (eJabberd)

I can start eJabberd with no problem:

2018-10-25 10:11:47.906 [info] <0.33.0> Application os_mon started on node ejabberd@localhost
2018-10-25 10:11:47.906 [info] <0.65.0>@ejabberd_cluster_mnesia:wait_for_sync:123 Waiting for Mnesia synchronization to complete
2018-10-25 10:11:47.906 [info] <0.65.0>@ejabberd_app:start:59 ejabberd 18.06 is started in the node ejabberd@localhost in 2.99s
2018-10-25 10:11:47.910 [info] <0.33.0> Application ejabberd started on node ejabberd@localhost
2018-10-25 10:11:47.910 [info] <0.349.0>@ejabberd_listener:init_tcp:139 Start accepting TCP connections at 0.0.0.0:5280 for ejabberd_http
2018-10-25 10:11:47.910 [info] <0.348.0>@ejabberd_listener:init_tcp:139 Start accepting TCP connections at 0.0.0.0:5223 for ejabberd_c2s
2018-10-25 10:11:47.910 [info] <0.347.0>@ejabberd_listener:init_tcp:139 Start accepting TCP connections at 0.0.0.0:5222 for ejabberd_c2s

But I can’t access it with no users:

2018-10-25 10:32:59.816 [info] <0.498.0>@ejabberd_c2s:handle_auth_failure:443 (tls|<0.498.0>) Failed c2s PLAIN authentication for enrico@domain.ext from 192.168.1.241: Invalid username or password

I also tried to access the webadmin page (after created the jabberadmins group), but i receive this error:

2018-10-25 10:23:52.288 [warning] <0.481.0>@ejabberd_web_admin:process:233 Access of <<“enrico@domain.ext”>> from <<“my.ip.add.ress”>> failed with error: <<“inexistent-account”>>

It seems that the LDAP bind works, but no users can login in chat server and in the admin webpage.

m.traeumner · October 25, 2018, 10:00am

Perhaps this can help you:

github.com/processone/ejabberd

Ejabberd - getting “Failed c2s PLAIN authentication” error message

opened 03:11PM - 13 Aug 18 UTC

closed 02:56PM - 17 Aug 18 UTC

saranraj07

@zinid > What version of ejabberd are you using? 17.11 > What operating …system (version) are you using? CentOS > How did you install ejabberd (source, package, distribution)? Package (https://www.process-one.net/downloads/ejabberd/17.11/ejabberd-17.11-linux-x86_64-installer.run) > What did not work as expected? Are there error messages in the log? I have installed the Ejabberd version 17.11 in our server. After the intallation, the user is able to connect with the Ejabberd service 1st time successfully. But once the session ended by that user and if the same user tries to connect again then we are getting the below error message. `(websocket Failed c2s PLAIN authentication for 776145@domainname.com: Invalid username or password ` > What was the unexpected behavior? What was the expected result? Getting same issue with the version 18.06 as well. 1st time its opening session with the message. `(websocket| Accepted c2s PLAIN authentication for 776145@domainname.com by anonymous backend (websocket| Opened c2s session for 776145@domainname.com/reg_agent ` Once the user disconnected the session then getting message. `(websocket| Closing c2s session for 776145@domainname.com/reg_agent: Connection failed: connection closed ` Now user trying to rejoin with the same session and getting error. `(websocket Failed c2s PLAIN authentication for 776145@domainname.com: Invalid username or password.`

But don’t change the config file directly, please do it with a custom template.

Enrico · October 25, 2018, 11:26am

Ok, I’ve added “auth_use_cache: false” via custom template, now if I try to login via admin webpage the error is changed

2018-10-25 13:21:10.467 [warning] <0.544.0>@ejabberd_web_admin:process:233 Access of <<“enrico@domain.ext”>> from <<“my.ip.add.ress”>> failed with error: <<“bad-password”>>

And if I try to login with a jabber client (Pidgin) I receive the same error

2018-10-25 13:25:47.453 [info] <0.548.0>@ejabberd_c2s:handle_auth_failure:443 (tls|<0.548.0>) Failed c2s PLAIN authentication for enrico@domain.ext from 192.168.1.241: Invalid username or password

davidep · October 25, 2018, 7:00pm

Maybe the /var/log/secure log file can give a clue…

Enrico · October 25, 2018, 8:54pm

In both cases (login via webpage and pidgin client) I receive this error:

Oct 25 22:46:32 server perl: pam_unix(system-auth:auth): authentication failure; logname= uid=994 euid=994 tty= ruser= rhost= user=enrico@domain.ext

davidep · October 26, 2018, 6:48am

Is it an ejabberd problem only? Can you authenticate with other services? Which one?

Can you see the users list under the Users and groups page?

I assume you have a local accounts provider. Is it running?

 systemctl status nsdc slapd

Enrico · October 26, 2018, 7:05am

Yes, it’s an ejabberd problem only.
The network client join domain without any problem and shared folders works with correct permission!
I can see and manage users and group in NethServer webpage

root@server ~]# systemctl status nsdc slapd -l
nsdc.service - NethServer Domain Controller container
Loaded: loaded (/usr/lib/systemd/system/nsdc.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2018-10-23 23:21:29 CEST; 2 days ago
Docs: man:systemd-nspawn(1)
Main PID: 1666 (systemd-nspawn)
Status: “Container running.”
CGroup: /machine.slice/nsdc.service
├─1666 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --network-bridge=br0 --machine=nsdc --capability=CAP_SYS_TIME
├─1685 /usr/lib/systemd/systemd
└─system.slice
├─samba.service
│ ├─ 2168 /usr/sbin/samba -i --debug-stderr
│ ├─ 2582 /usr/sbin/samba -i --debug-stderr
│ ├─ 2583 /usr/sbin/samba -i --debug-stderr
│ ├─ 2584 /usr/sbin/samba -i --debug-stderr
│ ├─ 2585 /usr/sbin/samba -i --debug-stderr
│ ├─ 2586 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 2587 /usr/sbin/samba -i --debug-stderr
│ ├─ 2588 /usr/sbin/samba -i --debug-stderr
│ ├─ 2589 /usr/sbin/samba -i --debug-stderr
│ ├─ 2590 /usr/sbin/samba -i --debug-stderr
│ ├─ 2591 /usr/sbin/samba -i --debug-stderr
│ ├─ 2592 /usr/sbin/samba -i --debug-stderr
│ ├─ 2593 /usr/sbin/samba -i --debug-stderr
│ ├─ 2594 /usr/sbin/samba -i --debug-stderr
│ ├─ 2595 /usr/sbin/samba -i --debug-stderr
│ ├─ 2596 /usr/sbin/samba -i --debug-stderr
│ ├─ 2597 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 2598 /usr/sbin/samba -i --debug-stderr
│ ├─ 2698 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 2699 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 2709 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─ 2714 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─14100 /usr/sbin/samba -i --debug-stderr
│ ├─14559 /usr/sbin/samba -i --debug-stderr
│ ├─14633 /usr/sbin/samba -i --debug-stderr
│ ├─15072 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ └─21421 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─console-getty.service
│ └─2093 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
├─systemd-logind.service
│ └─2091 /usr/lib/systemd/systemd-logind
├─dbus.service
│ └─2041 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
├─ntpd.service
│ └─2073 /usr/sbin/ntpd -u ntp:ntp -g
└─systemd-journald.service
└─1889 /usr/lib/systemd/systemd-journald

Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Started Network Service.
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Reached target Network.
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Started Samba domain controller daemon.
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: Starting Samba domain controller daemon…
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Reached target Multi-User System.
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Reached target Graphical Interface.
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: Starting Update UTMP about System Runlevel Changes…
Oct 23 23:21:29 server.domain.ext systemd-nspawn[1666]: [ OK ] Started Update UTMP about System Runlevel Changes.
Oct 23 23:21:30 server.domain.ext systemd-nspawn[1666]: CentOS Linux 7 (Core)
Oct 23 23:21:30 server.domain.ext systemd-nspawn[1666]: Kernel 3.10.0-862.14.4.el7.x86_64 on an x86_64
Unit slapd.service could not be found.

Enrico · October 27, 2018, 1:45pm

I checked all the ejabberd config files comparing them with a similar server and it seems there are no configuration problem

davidep · October 27, 2018, 3:30pm

Did you double check the client setup? In the end from what we saw so far the server says authentication error…

Enrico · October 27, 2018, 5:22pm

I think there are other problem on this server.
If I try to login webtop I can login, but I receive error about authentication:

What can I try now?

stephdl · October 27, 2018, 8:03pm

a blind shot, does the server is fully upgraded, what are the version of nethserver-dc, does the samba container is upgraded too

Enrico · October 28, 2018, 11:14am

The server is updated: NethServer release 7.5.1804 (final)
The Samba DC is at version 4.7.10 and nethserver-dc is 1.5.7-1.ns7

Enrico · October 28, 2018, 11:41am

If I change password, webtop accept the new one, but shows me the same error

I’m so confused.

davidep · October 28, 2018, 11:45am

Maybe the error is referring to the embedded xmpp client? It can be still related to ejabberd. /cc @webtop_team

Can you try another IMAP client? For instance Roundcube mail: we’re sure it does not depend on ejabberd!

Enrico · October 28, 2018, 12:39pm

Roundcube Webmail doesn’t accept my password (I’ve double checked it)

[28-Oct-2018 12:34:34 +0000]: <kspfl7h0> IMAP Error: Login failed for enrico@domain.ext from my.ip.addr.ess. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)

davidep · October 28, 2018, 1:46pm

Please paste the output of

 getent passwd enrico
 systemctl status sssd
 config show sssd

Enable shell access for Enrico’s account, then try to access via SSH

 ssh enrico@localhost

Did you install additional RPMS manually or uninstalled any module in the past?

Enrico · October 28, 2018, 2:25pm

Thanks a lot Davide.
Here the outputs:

[root@server ~]# getent passwd enrico
enrico@domain.ext:*:1153001144:1153000513:enrico:/var/lib/nethserver/home/enrico:/usr/libexec/openssh/sftp-server

[root@server ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-10-24 11:58:39 CEST; 4 days ago
Main PID: 3352 (sssd)
CGroup: /system.slice/sssd.service
├─3352 /usr/sbin/sssd -i --logger=files
├─3353 /usr/libexec/sssd/sssd_be --domain somet.net --uid 0 --gid 0 --logger=files
├─3354 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─3355 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Oct 28 14:30:01 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:30:01 server.domain.ext sssd_be[3353]: GSSAPI client step 2
Oct 28 14:43:49 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:43:49 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:43:49 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:43:49 server.domain.ext sssd_be[3353]: GSSAPI client step 2
Oct 28 14:45:01 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:45:01 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:45:01 server.domain.ext sssd_be[3353]: GSSAPI client step 1
Oct 28 14:45:01 server.domain.ext sssd_be[3353]: GSSAPI client step 2

[root@server ~]# config show sssd
sssd=service
AdDns=192.168.1.253
BindDN=ldapservice@AD.DOMAIN.EXT
BindPassword=wC4f9orI1TAUlCUO
DiscoverDcType=ldapuri
LdapURI=ldaps://nsdc-server.ad.domain.ext
Provider=ad
Realm=AD.DOMAIN.EXT
Workgroup=DOMAIN
status=

How can I enable shell for my user? With “AllowUsers Enrico” in /etc/ssh/sshd_config?
I’ve unistalled sometimes the eJabberd module because it didn’t works, nothing else.

davidep · October 28, 2018, 2:28pm

You are Enrico! Did you create an enrico user during the server installation?

grep enrico /etc/passwd

Can you reproduce the same problem with another user?

Enrico · October 28, 2018, 2:43pm

The output is empty!
I create “enrico” after the ejabber problems just for tests, but al the users are afflicted by this problem.

davidep · October 28, 2018, 2:47pm

To enable ssh access, go to the users and group page and edit the Enrico’s account. IIRCthe checkbox is under advanced settings or similar

Both nsdc and sssd seem running well… Really puzzling issue