Password reset failing

SpiceDenver · June 19, 2020, 7:34pm

NethServer Version: 7.8.2003
Module: base

Users get the page for /user-settings/ and enter their credentials, but the page result says:

The same password works for other resources, and they’re [users] putting in their AD creds. The /var/log/http/ssl_access_log returns a 401 on them.

I’m at a loss on things to check. I’ve verified that their source network is part of trusted networks, and even tried changing the SSH access to add “Normal users” to ssh/sftp access. The same user-settings page works fine on AD creds for me and the other domain admin.

michelandre · June 19, 2020, 8:41pm

Hi Grey,

Did you import the users after installation of AD ?
AD created domain admin in its installation, so that is why yours work.

Michel-André

Andy_Wismer · June 19, 2020, 8:46pm

@SpiceDenver

Hi Grey

Test if elevating a user to Domain Admin (temporarily) allows them to change their password.
This could be a permissions issue…

My 2 cents
Andy

SpiceDenver · June 19, 2020, 9:02pm

Did this and no success.

SpiceDenver · June 19, 2020, 9:04pm

No, the AD was already stood up when Neth was installed. We just want Neth to be able to reset users’ passwords via the new feature.

Andy_Wismer · June 19, 2020, 9:04pm

@SpiceDenver

As Andre asked: did you import the users, or were they created on NrthServer?
You were faster…

What happens if you create a new user (for testing)? Can that user change their password?

Andy

SpiceDenver · June 19, 2020, 9:10pm

No? You have to import them? Did I miss an important section in the documentation?

Andy_Wismer · June 19, 2020, 9:14pm

@SpiceDenver

Well, what you mentionned above implies that the AD was there before NethServer, so it can’t be part of the NethServer installation…

Something BIG is missing here… ( scratch, scratch… )

Maybe a word of explanation HOW that AD got together with NethServer, which makes it’s AD during install (post install with Account Provider, actually) would help us ignorants understand your situation a bit better.
And with understanding - help isn’t too far away!

Andy

SpiceDenver · June 19, 2020, 9:31pm

My AD Enterprise had a couple DCs on Server 2016. These were up and running as healthy AD servers before installing Neth, which is joined to the domain through the Users & Groups as a remote AD. It was very straightforward. Users and groups — NethServer 7 Final

Andy_Wismer · June 19, 2020, 9:41pm

Now, the main (primary) AD is NethServer or still the Windows 2016?

Andy_Wismer · June 19, 2020, 9:46pm

@SpiceDenver

Understanding is dawning…

With AD users as you have from MS, they are missing AFAIK a few fields in LDAP/AD that MS doesn’t use normally, like the shell field (bash, csh, etc). NethServer uses these, and also set’s stuff…

That’s one of your “Gotchas”, there are more…

MS created users also tend to have a dot in the username ( firstname.lastname ), wheras in NethServer a dot in the username is - AFAIK - not legit.

My 2 cents
Andy

mrmarkuz · June 19, 2020, 10:05pm

Do the usernames of the users not working contain special characters?

ertank · June 20, 2020, 3:41am

I have no problem using my user. It only contains special characters in name. Not in username as it is set as ertan

I am not sure if that was what you wanted to know though.

mrmarkuz · June 20, 2020, 9:30am

I just mentioned your thread as an example.

SpiceDenver · June 22, 2020, 1:23pm

They do contain a dot in the username. We use a full name with a dot.
Would the older password reset tool work to get around that?

mrmarkuz · June 22, 2020, 6:38pm

It was just an idea. Could it be because of some char in the passwords?

To use the old server manager for changing password:

https://NETH_IP:980/en-US/UserProfile

Alternative:

https://wiki.nethserver.org/doku.php?id=userguide:self-service-password

I tried it now and dots in usernames are no issue with remote AD to Nethserver. I am going to test with Win Server 2016…

EDIT:

I can confirm the issue.
It seems not possible to login to cockpit/user-settings with remote AD users from Windows Server 2016. It shows “Wrong user name or password”.
It’s the same in old server manager. It shows “Invalid credentials”.
As regards apps, Nextcloud is working, Roundcube is not.

AFAIK self service password works with Windows Server 2016 DC.

SpiceDenver · June 23, 2020, 3:08pm

mrmarkuz · June 23, 2020, 3:34pm

Sorry I edited my post. The part after EDIT is important.
Here is the explanation of using old server manager for password change.
It was not possible for users to login to neither old or new server manager in my tests with Win Server 2016.

Are the apps logins (roundcube, nextcloud) working in your environment?

You may use SSP as a workaround until we fix this issue.

stephdl · July 9, 2020, 5:53am

cc @davidep @giacomo @edoardo_spadoni

a weird issue with remote AD and dot inside full name

SpiceDenver · July 9, 2020, 2:18pm

Dot in username.