Webtop5 in maintenance after reboot (NS7.3) lost admin password

activedirectory
v7
webtop5

(Guus) #1

NethServer Version: 7.3.1611
Module: Webtop5

After updating packages and the domain controller, I had to reboot the system, since the DC restarted with a fault after the update (no bridge).

The result is that WebTop 5 restarted in maintenance mode, and the login of the admin@domain user fails using the password that was reset on installation (a password safe is used for it).

Is there a way to change the password for admin or to overrule the maintenance mode?


(Giacomo Sanchietti) #2

Try to change this record inside the db:
https://github.com/NethServer/nethserver-webtop5/blob/master/root/etc/e-smith/templates/usr/share/webtop/sql/data/init-data-core.sql/20users#L4

Am I right @webtop_team?


(gabriele_bulfon) #3

You should try to enter with the global admin, not the domain one.
Then, look first in the DB Upgrade tool to check there are no sql update errors.
If not, just disable maintenance mode using the top button, and exit.

@giacomo’s trick is the one you need if you can’t enter with admin@domain anymore, receiving a blank page.

Gabriele


(Guus) #4

Hello Giacomo, Gabriele,

I’ve checked inside the db as Giacomo suggested. The file matches 1:1.

Nevertheless I can’t log in, neither with the global admin (which I had also tried but not mentioned) nor with the domain admin. So there is no chance that I can get WebTop out of maintenance mode.

Any further suggestions?

Guus


(gabriele_bulfon) #5

Check /var/log/webtop/webtop.log for any stack trace during admin login.


(Guus) #6

Well, I don’t see any information that helps me.

Hope you find a clue.

The log file from the moment of the login attempts contains the following:

2017-06-27 19:29:11 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error
com.sonicle.security.auth.DirectoryException: Provided password is not valid
    at com.sonicle.webtop.core.app.auth.WebTopDirectory.authenticate(WebTopDirectory.java:139)
    at com.sonicle.webtop.core.shiro.WTRealm.authenticateUser(WTRealm.java:179)
    at com.sonicle.webtop.core.shiro.WTRealm.doGetAuthenticationInfo(WTRealm.java:93)
    at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
    at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
    at org.apache.shiro.web.filter.authc.FormAuthenticationFilter.onAccessDenied(FormAuthenticationFilter.java:154)
    at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
    at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
    at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
    at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
    at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
2017-06-27 19:41:30 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error
com.sonicle.webtop.core.sdk.WTException: Maintenance is active. Only sys-admin can login.
    at com.sonicle.webtop.core.shiro.WTRealm.authenticateUser(WTRealm.java:146)
    at com.sonicle.webtop.core.shiro.WTRealm.doGetAuthenticationInfo(WTRealm.java:93)
    at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
    at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
    at org.apache.shiro.web.filter.authc.FormAuthenticationFilter.onAccessDenied(FormAuthenticationFilter.java:154)
    at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
    at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
    at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
    at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
    at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
2017-06-27 19:42:22 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error
com.sonicle.security.auth.DirectoryException: Provided password is not valid
    at com.sonicle.webtop.core.app.auth.WebTopDirectory.authenticate(WebTopDirectory.java:139)
    at com.sonicle.webtop.core.shiro.WTRealm.authenticateUser(WTRealm.java:179)
    at com.sonicle.webtop.core.shiro.WTRealm.doGetAuthenticationInfo(WTRealm.java:93)
    at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
    at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
    at org.apache.shiro.web.filter.authc.FormAuthenticationFilter.onAccessDenied(FormAuthenticationFilter.java:154)
    at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
    at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
    at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
    at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
    at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)


(Guus) #7

No clues?

Is there a way to overrule the maintenance state through config files?


(gabriele_bulfon) #8

You need to log in as the WebTop admin, that is… just “admin”, no domain, password just admin, or what you see in the "core"."local_vault" table. That is what your stack trace is saying.
Are you sure you’re trying to log in as just admin/admin?
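
Added example, not part of the original posts and not WebTop code: a small Python parser that reduces a webtop.log excerpt like the one in post #6 to one line per failed login, so the exception message under each generic "Authentication error" header is visible without the stack frames. The function names and reason tags are hypothetical, and the sample log is constructed from lines quoted in the thread.

```python
import re
from collections import Counter

# Entry header: "<date> <time> [LEVEL] <logger> - <message>"
HEADER = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                    r"\[(?P<level>[A-Z]+)\] (?P<logger>\S+) - (?P<msg>.*)$")
# Exception line under the header: "<fully.qualified.Class>: <detail>"
EXCEPTION = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)$")
# Stack frame; tolerates the "_ at ..._" italics residue of forum pastes
FRAME = re.compile(r"^[\s_]*at\s+[\w.$<>]+\(.*\)_?\s*$")
# Exception details quoted in the thread, mapped to a short (hypothetical) reason tag
REASONS = {"Maintenance is active": "maintenance-lockout",
           "Provided password is not valid": "bad-password"}

def parse_entries(text):
    """Fold each header, its exception line and its frames into one dict."""
    entries = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            entries.append(dict(head.groupdict(), exception=None, detail=None, frames=0))
        elif entries and FRAME.match(line):
            entries[-1]["frames"] += 1
        elif entries and entries[-1]["exception"] is None:
            exc = EXCEPTION.match(line.strip())
            if exc:
                entries[-1]["exception"], entries[-1]["detail"] = exc.groups()
    return entries

def classify(entry):
    """Name the failure from the exception detail, not the generic header."""
    detail = entry["detail"] or ""
    return next((tag for key, tag in REASONS.items() if key in detail), "other")

def summarize(text):
    """Return (timeline, counts) for entries logged as 'Authentication error'."""
    failures = [e for e in parse_entries(text) if e["msg"] == "Authentication error"]
    timeline = [(e["ts"], classify(e)) for e in failures]
    return timeline, Counter(tag for _, tag in timeline)

# Constructed sample: header and exception lines as quoted in post #6, frames cut short
SAMPLE_LOG = """\
2017-06-27 19:29:11 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error
com.sonicle.security.auth.DirectoryException: Provided password is not valid
_ at com.sonicle.webtop.core.app.auth.WebTopDirectory.authenticate(WebTopDirectory.java:139)_
2017-06-27 19:41:30 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error
com.sonicle.webtop.core.sdk.WTException: Maintenance is active. Only sys-admin can login.
\tat com.sonicle.webtop.core.shiro.WTRealm.authenticateUser(WTRealm.java:146)
2017-06-27 19:42:22 [ERROR] c.sonicle.webtop.core.shiro.WTRealm - Authentication error
com.sonicle.security.auth.DirectoryException: Provided password is not valid
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
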


(Guus) #9

Hello Gabriele,

you describe the first step I’ve taken. After the necessary reboot I discovered that WebTop 5 had entered maintenance mode.

So I tried logging in with

  1. admin/new password created after first installation
  2. admin/admin
  3. admin@domain/admin
  4. admin@domain/created password after installation

Then I changed the password of the NethServer administrator account under the user/group tab and tried to log in with these credentials, both with user admin and with user admin@domain.
No success.

Then I removed WebTop and reinstalled it, with no success either.
So after searching the internet and the community forum did not give me any clue, I opened this thread, which up till now also doesn’t give any solution.

Where do I find this "core"."local_vault" table?

I think it’s in the above-mentioned ./init-data-core.sql/20users file, which states:

INSERT INTO "core"."local_vault" VALUES ('*', 'admin', 'PLAIN', 'admin');

Also there seems to be a typo in the following (locahlost instead of localhost):
INSERT INTO "core"."users_info" VALUES ('*', 'admin', NULL, NULL, 'System', 'Admin', NULL, NULL, 'admin@locahlost', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);

Regards
Guus


(Marc) #10

As Giacomo and Gabriele suggested, you can try to reset the password by editing the webtop5 PostgreSQL database.

You can do it from the command line:

su - postgres
psql webtop5
UPDATE "core"."local_vault" SET password_type='PLAIN', password='admin' WHERE user_id='admin';
\q
exit

After that, try to log in with admin/admin, and if it works, use the WebTop interface to set a new admin password as soon as possible.

Nice, thanks for checking the code. I bet you’ve found a bug.


(Guus) #11

Hello Marc,

thanks for the instruction, this worked like a charm: reset the admin to defaults from the command line and changed the password immediately. Tested it and all turns out well. Removed maintenance mode.

It’s, I guess, my lack of knowledge that I didn’t understand the meaning of the instructions of Giacomo and Gabriele.

Regards,
Guus