Unable to authenticate after changing group membership

ttblum
Posts: 91
Joined: 23 Jun 2017, 14:18
Location: Cleveland, Ohio USA

Unable to authenticate after changing group membership

Post by ttblum » 05 Oct 2017, 22:13

Hello,

I was trying to configure a wsusoffline setup, so I added the 'wsusoffline' opsiadmin user to the wsusoffline group.

After that I got a 'BackendPermissionDeniedError' every time I tried to log in to the GUI configd:

Code:

from /var/log/opsi/opsiconfigd/
[5] [Oct 05 18:52:36] Application 'opsi config editor 4.0.7.5.22' on client '10.0.1.124' did not send cookie (workers.py|183)
[5] [Oct 05 18:52:36] New session created (session.py|77)
[5] [Oct 05 18:52:36] Authorization request from adminuser@10.0.1.124 (application: opsi config editor 4.0.7.5.22) (workers.py|213)
[5] [Oct 05 18:52:36] Modules file signature verified (customer: opsivm basic license) (MySQL.py|523)
[5] [Oct 05 18:52:36] -----> Executing: authenticated() (JsonRpc.py|134)
[5] [Oct 05 18:52:36] -----> Executing: getRawData(u'select  *  from SOFTWARE_CONFIG LIMIT 1 ') (JsonRpc.py|134)
[3] [Oct 05 18:52:36] Execution error: Backend configuration error: You have tried to execute a method, that will not work with filebackend. (JsonRpc.py|146)
[4] [Oct 05 18:52:36] Failed RPC on u'getRawData' with params [u'select  *  from SOFTWARE_CONFIG LIMIT 1 ']: <BackendConfigurationError(u'You have tried to execute a method, that will not work with filebackend.
')> (statistics.py|419)
[5] [Oct 05 18:52:36] Application 'opsi config editor 4.0.7.5.22' on client '10.0.1.124' did not send cookie (workers.py|183)
[5] [Oct 05 18:52:36] New session created (session.py|77)
[5] [Oct 05 18:52:36] Authorization request from adminuser@10.0.1.124 (application: opsi config editor 4.0.7.5.22) (workers.py|213)
[5] [Oct 05 18:52:36] Modules file signature verified (customer: opsivm basic license) (MySQL.py|523)
[5] [Oct 05 18:52:37] -----> Executing: getPossibleMethods_listOfHashes() (JsonRpc.py|134)
[5] [Oct 05 18:52:37] -----> Executing: getOpsiInformation_hash() (JsonRpc.py|134)
[5] [Oct 05 18:52:37] -----> Executing: host_getObjects([]) (JsonRpc.py|134)
[4] [Oct 05 18:52:37] 14 objects removed by acl, 0 objects left (BackendManager.py|1042)
[5] [Oct 05 18:52:37] -----> Executing: authenticated() (JsonRpc.py|134)
[5] [Oct 05 18:52:37] -----> Executing: config_getObjects([]) (JsonRpc.py|134)
[3] [Oct 05 18:52:37] Execution error: Backend permission denied error: Access to method 'config_getObjects' denied for user 'adminuser' (JsonRpc.py|146)
[5] [Oct 05 18:52:37] -----> Executing: accessControl_userIsReadOnlyUser() (JsonRpc.py|134)
[4] [Oct 05 18:52:37] 1 objects removed by acl, 0 objects left (BackendManager.py|1042)
[3] [Oct 05 18:52:37] Execution error: Backend permission denied error: Access to method 'config_updateObjects' denied for user 'adminuser': Backend permission denied error: Access denied (JsonRpc.py|146)
[5] [Oct 05 18:52:37] -----> Executing: config_updateObjects([<UnicodeConfig(id=u'product_sort_algorithm', description=u'', possibleValues=[u'algorithm1', u'algorithm2'], defaultValues=[], editable=False, multiValue=False)>, <UnicodeConfig(id=u'configed.license...) (JsonRpc.py|134)
[4] [Oct 05 18:52:37] 24 objects removed by acl, 0 objects left (BackendManager.py|1042)
[3] [Oct 05 18:52:37] Execution error: Backend permission denied error: Access to method 'config_updateObjects' denied for user 'adminuser': Backend permission denied error: Access denied (JsonRpc.py|146)
[5] [Oct 05 18:52:37] -----> Executing: config_updateObjects(<UnicodeConfig(id=u'configed.productonclient_displayfields_localboot', description=u'', possibleValues=[u'actionRequest', u'installationInfo', u'installationStatus', u'position', u'priority', u'produc...) (JsonRpc.py|134)
[4] [Oct 05 18:52:37] 1 objects removed by acl, 0 objects left (BackendManager.py|1042)
[3] [Oct 05 18:52:37] Execution error: Backend permission denied error: Access to method 'config_updateObjects' denied for user 'adminuser': Backend permission denied error: Access denied (JsonRpc.py|146)
[5] [Oct 05 18:52:37] -----> Executing: config_updateObjects(<UnicodeConfig(id=u'configed.productonclient_displayfields_netboot', description=u'', possibleValues=[u'actionRequest', u'installationInfo', u'installationStatus', u'position', u'priority', u'productI...) (JsonRpc.py|134)
[4] [Oct 05 18:52:37] 1 objects removed by acl, 0 objects left (BackendManager.py|1042)
[3] [Oct 05 18:52:37] Execution error: Backend permission denied error: Access to method 'config_updateObjects' denied for user 'adminuser': Backend permission denied error: Access denied (JsonRpc.py|146)
[3] [Oct 05 18:52:37] Execution error: Backend permission denied error: Access to method 'group_getObjects' denied for user 'adminuser' (JsonRpc.py|146)
[5] [Oct 05 18:52:38] -----> Executing: group_createHostGroup(u'clientdirectory', u'root of directory', u'', None) (JsonRpc.py|134)
[5] [Oct 05 18:52:38] -----> Executing: objectToGroup_getObjects() (JsonRpc.py|134)
[3] [Oct 05 18:52:38] Execution error: Backend permission denied error: Access to method 'objectToGroup_getObjects' denied for user 'adminuser' (JsonRpc.py|146)
[4] [Oct 05 18:52:38] Failed RPC on u'objectToGroup_getObjects' with params []: <BackendPermissionDeniedError(u"Access to method 'objectToGroup_getObjects' denied for user 'adminuser'")> (statistics.py|419)
[5] [Oct 05 18:52:38] -----> Executing: config_updateObjects(<UnicodeConfig(id=u'configed.host_displayfields', description=u'', possibleValues=[u'UEFIboot', u'WANmode', u'clientConnected', u'clientCreated', u'clientDescription', u'clientHardwareAddress', u'clie...) (JsonRpc.py|134)
[4] [Oct 05 18:52:38] 1 objects removed by acl, 0 objects left (BackendManager.py|1042)
[3] [Oct 05 18:52:38] Execution error: Backend permission denied error: Access to method 'config_updateObjects' denied for user 'adminuser': Backend permission denied error: Access denied (JsonRpc.py|146)
[5] [Oct 05 18:52:55] -----> Executing: configState_getObjects([]) (JsonRpc.py|134)
[3] [Oct 05 18:52:55] Execution error: Backend permission denied error: Access to method 'configState_getObjects' denied for user 'adminuser' (JsonRpc.py|146)
[5] [Oct 05 18:52:55] -----> Executing: SSHCommand_getObjects() (JsonRpc.py|134)
[5] [Oct 05 18:52:55]  Exception with file /var/lib/opsi/server_commands_custom.conf (30_sshcommands.conf|54)
[2] [Oct 05 18:52:55] Traceback: (Logger.py|757)
[2] [Oct 05 18:52:55]   File "/etc/opsi/backendManager/extend.d/30_sshcommands.conf", line 31, in readFilecontent
    if os.path.getsize(filename) <= 0:
 (Logger.py|757)
 [2] [Oct 05 18:52:55]      ==>>> [Errno 2] No such file or directory: '/var/lib/opsi/server_commands_custom.conf' (30_sshcommands.conf|55)
[5] [Oct 05 18:52:55] -----> Executing: accessControl_userIsReadOnlyUser() (JsonRpc.py|134)
[4] [Oct 05 18:52:55] 1 objects removed by acl, 0 objects left (BackendManager.py|1042)
[3] [Oct 05 18:52:55] Execution error: Backend permission denied error: Access to method 'config_updateObjects' denied for user 'adminuser': Backend permission denied error: Access denied (JsonRpc.py|146)
[5] [Oct 05 18:52:55] -----> Executing: config_updateObjects([<UnicodeConfig(id=u'product_sort_algorithm', description=u'', possibleValues=[u'algorithm1', u'algorithm2'], defaultValues=[], editable=False, multiValue=False)>, <UnicodeConfig(id=u'configed.license...) (JsonRpc.py|134)
[4] [Oct 05 18:52:55] 23 objects removed by acl, 0 objects left (BackendManager.py|1042)
[3] [Oct 05 18:52:55] Execution error: Backend permission denied error: Access to method 'config_updateObjects' denied for user 'adminuser': Backend permission denied error: Access denied (JsonRpc.py|146)
[5] [Oct 05 18:52:55] -----> Executing: product_getObjects([u'id', u'productVersion', u'packageVersion', u'setupScript', u'updateScript', u'uninstallScript', u'alwaysScript', u'onceScript', u'customScript', u'userLoginScript', u'priority', u'advice', u'name',...) (JsonRpc.py|134)
[3] [Oct 05 18:52:55] Execution error: Backend permission denied error: Access to method 'product_getObjects' denied for user 'adminuser' (JsonRpc.py|146)
[5] [Oct 05 18:52:55] -----> Executing: productOnDepot_getObjects([]) (JsonRpc.py|134)
[3] [Oct 05 18:52:55] Execution error: Backend permission denied error: Access to method 'productOnDepot_getObjects' denied for user 'adminuser' (JsonRpc.py|146)
[5] [Oct 05 18:52:55] -----> Executing: getProductOrdering(u'') (JsonRpc.py|134)
[3] [Oct 05 18:52:55] Execution error: Backend permission denied error: Access to method 'config_getObjects' denied for user 'adminuser' (JsonRpc.py|146)
[4] [Oct 05 18:52:55] Failed RPC on u'getProductOrdering' with params [u'']: <BackendPermissionDeniedError(u"Access to method 'config_getObjects' denied for user 'adminuser'")> (statistics.py|419)
[5] [Oct 05 18:52:55] -----> Executing: productProperty_getObjects([]) (JsonRpc.py|134)
[3] [Oct 05 18:52:55] Execution error: Backend permission denied error: Access to method 'productProperty_getObjects' denied for user 'adminuser' (JsonRpc.py|146)
[5] [Oct 05 18:52:56] -----> Executing: getProductOrdering(None) (JsonRpc.py|134)
[3] [Oct 05 18:52:56] Execution error: Backend permission denied error: Access to method 'config_getObjects' denied for user 'adminuser' (JsonRpc.py|146)
[4] [Oct 05 18:52:56] Failed RPC on u'getProductOrdering' with params [None]: <BackendPermissionDeniedError(u"Access to method 'config_getObjects' denied for user 'adminuser'")> (statistics.py|419)


Then, I tried to put the adminuser back to the way it was, like so:

Code:

$ id adminuser
uid=1001(adminuser) gid=992(pcpatch) groups=992(pcpatch)


And I also typed:

Code:

opsi-set-rights
opsi-setup --init-current-config


Now I am getting 'No Connection Unauthorized', even though I am putting in the right password:

Code:

[5] [Oct 05 21:00:30] Application 'opsi config editor 4.0.7.5.22' on client '10.0.1.124' did not send cookie (workers.py|183)
[5] [Oct 05 21:00:30] New session created (session.py|77)
[5] [Oct 05 21:00:30] Authorization request from adminuser@10.0.1.124 (application: opsi config editor 4.0.7.5.22) (workers.py|213)
[5] [Oct 05 21:00:32] Session 'zuGnQFiZCoOOUePWqJIzBTbtT1tPOYuz' from ip '10.0.1.124', application 'opsi config editor 4.0.7.5.22' deleted (Session.py|225)
[2] [Oct 05 21:00:32] Traceback: (Logger.py|757)
[2] [Oct 05 21:00:32]   File "/usr/lib/python2.7/dist-packages/OPSI/Service/Worker.py", line 292, in _errback
    failure.raiseException()
 (Logger.py|757)
[2] [Oct 05 21:00:32]   File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 588, in _runCallbacks
    current.result = callback(current.result, *args, **kw)
 (Logger.py|757)
[2] [Oct 05 21:00:32]   File "/usr/lib/python2.7/dist-packages/opsiconfd/workers.py", line 278, in _authenticate
    raise OpsiAuthenticationError(u"Forbidden: %s" % error)
 (Logger.py|757)
[2] [Oct 05 21:00:32]      ==>>> Opsi authentication error: Forbidden: Backend authentication error: Backend authentication error: PAM authentication failed for user 'adminuser': ('Authentication failure', 7) (Worker.py|294)
[3] [Oct 05 21:00:32] 6 authentication failures from '10.0.1.124' in a row, waiting 60 seconds to prevent flooding (workers.py|93)


Does anyone know how I can configure this so I can log in again?

n.wenselowski
uib-Team
Posts: 3120
Joined: 04 Apr 2013, 12:15

Re: Unable to authenticate after changing group membership

Post by n.wenselowski » 06 Oct 2017, 09:09

Hi,

the first error looks to be from ACL, whereas the second one is related to PAM.
Easy things first: did you restart opsiconfd? Did you restart the machine?


Kind regards

Niko
opsi development - uib gmbh
For productive opsi installations we recommend support contracts.

ttblum
Posts: 91
Joined: 23 Jun 2017, 14:18
Location: Cleveland, Ohio USA

Re: Unable to authenticate after changing group membership

Post by ttblum » 23 Oct 2017, 22:23

Yes, that was very strange, I'm not sure how things got so bad so fast.

I ended up downloading a new demo VM and starting from scratch.

ueluekmen
uib-Team
Posts: 1889
Joined: 28 May 2008, 10:53

Re: Unable to authenticate after changing group membership

Post by ueluekmen » 30 Nov 2017, 16:48

Perhaps a little bit late but:

ttblum wrote: Then, I tried to put the adminuser back to the way it was, like so:

$ id adminuser
uid=1001(adminuser) gid=992(pcpatch) groups=992(pcpatch)


That will not work, because your adminuser is not a member of 'opsiadmin' group.
opsi support - uib gmbh
For productive opsi installations we recommend support contracts.
http://www.uib.de
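
Added example (not written by any poster in this thread and not opsi project code): a small Python triage script that separates the two failure classes discussed above, ACL authorization denials versus PAM authentication failures, and checks `id` output for the 'opsiadmin' group. The sample log lines and the gid 993 used in the test are constructed; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the opsiconfd log format shown in the thread.
SAMPLE_LOG = """\
[5] [Oct 05 18:52:37] -----> Executing: host_getObjects([]) (JsonRpc.py|134)
[4] [Oct 05 18:52:37] 14 objects removed by acl, 0 objects left (BackendManager.py|1042)
[3] [Oct 05 18:52:37] Execution error: Backend permission denied error: Access to method 'config_getObjects' denied for user 'adminuser' (JsonRpc.py|146)
[3] [Oct 05 18:52:38] Execution error: Backend permission denied error: Access to method 'group_getObjects' denied for user 'adminuser' (JsonRpc.py|146)
[2] [Oct 05 21:00:32]      ==>>> Opsi authentication error: Forbidden: Backend authentication error: PAM authentication failed for user 'adminuser': ('Authentication failure', 7) (Worker.py|294)
[3] [Oct 05 21:00:32] 6 authentication failures from '10.0.1.124' in a row, waiting 60 seconds to prevent flooding (workers.py|93)
"""

ACL_DENY = re.compile(r"Access to method '(\w+)' denied for user '([^']+)'")
ACL_FILTER = re.compile(r"(\d+) objects removed by acl, (\d+) objects left")
PAM_FAIL = re.compile(r"PAM authentication failed for user '([^']+)'")
THROTTLE = re.compile(r"(\d+) authentication failures from '([^']+)' in a row")

def classify(log_text):
    """Split events into authorization (ACL) and authentication (PAM) problems."""
    report = {"acl_denied": Counter(), "acl_emptied": 0, "pam_failed": Counter(), "throttled": {}}
    for line in log_text.splitlines():
        if m := ACL_DENY.search(line):
            report["acl_denied"][(m.group(2), m.group(1))] += 1  # (user, method)
        elif m := ACL_FILTER.search(line):
            if int(m.group(1)) > 0 and int(m.group(2)) == 0:
                report["acl_emptied"] += 1  # ACL filtered out every returned object
        elif m := PAM_FAIL.search(line):
            report["pam_failed"][m.group(1)] += 1
        elif m := THROTTLE.search(line):
            report["throttled"][m.group(2)] = int(m.group(1))  # client IP -> failure count
    return report

def groups_from_id(id_output):
    """Parse the groups=... field of `id` output into a set of group names."""
    m = re.search(r"groups=(.*)", id_output)
    return set(re.findall(r"\(([^)]+)\)", m.group(1))) if m else set()

def missing_admin_group(id_output, required="opsiadmin"):
    """True when the user is not in the group the last reply says is needed."""
    return required not in groups_from_id(id_output)

if __name__ == "__main__":
    r = classify(SAMPLE_LOG)
    print("ACL denials:", dict(r["acl_denied"]), "| emptied results:", r["acl_emptied"])
    print("PAM failures:", dict(r["pam_failed"]), "| throttled clients:", r["throttled"])
    print("opsiadmin missing:", missing_admin_group("uid=1001(adminuser) gid=992(pcpatch) groups=992(pcpatch)"))
```
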