Connection error 401: no such user ('admin@pmg')

ldiedrich

Apr 3, 2020
Hello guys,

After I upgraded my server to version 5.2-1 and changed my certs at /etc/pmg/pmg-api.pem and /etc/pmg/pmg-tls.pem, this error appears every time I try to log in with the admin user.

I searched through the logs and nothing points out what the problem is; the /etc/pmg/user.conf file with the local users seems OK to me. Do you have any idea what it could be?

I don't have an HA cluster, it's just one server. I also tried to regenerate the certs and the same thing happens. Login with the root user works, but when I try to change something it shows a CSRF token error.

Admin: [screenshot]

Root: [screenshots]

root@mercurio:/etc/pmg# pmgversion -v
proxmox-mailgateway: 5.2-1 (API: 5.2-7/9943bd5d, running kernel: 4.15.18-26-pve)
pmg-api: 5.2-7
pmg-gui: 1.0-45
pve-kernel-4.15: 5.4-16
pve-kernel-4.15.18-27-pve: 4.15.18-55
pve-kernel-4.15.18-26-pve: 4.15.18-54
pve-kernel-4.15.18-24-pve: 4.15.18-52
pve-kernel-4.15.18-21-pve: 4.15.18-48
pve-kernel-4.15.18-20-pve: 4.15.18-46
pve-kernel-4.15.18-18-pve: 4.15.18-44
pve-kernel-4.15.18-16-pve: 4.15.18-41
pve-kernel-4.15.18-15-pve: 4.15.18-40
pve-kernel-4.15.18-12-pve: 4.15.18-36
libarchive-perl: 3.2.1-1
libjs-extjs: 6.0.1-2
libjs-framework7: 4.0.5-1
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-54
libpve-http-server-perl: 2.0-14
libxdgmime-perl: 0.01-3
lvm2: 2.02.168-2
pmg-docs: 5.2-3
proxmox-mini-journalreader: 1.0-1
proxmox-spamassassin: 3.4.2-3
proxmox-widget-toolkit: 1.0-28
pve-firmware: 2.0-5
pve-xtermjs: 3.10.1-2
zfsutils-linux: 0.7.13-pve1~bpo1

root@mercurio:/etc/pmg# pmgcm status
NAME(CID)--------------IPADDRESS----ROLE-STATE---------UPTIME---LOAD----MEM---DISK
mercurio(1) 200.134.33.90 master A 8 days 11:29 0.13 39% 69%

Apr 3 11:30:02 mercurio.unila.edu.br pmgdaemon[2799]: successful auth for user 'admin@pmg'
Apr 3 11:30:03 mercurio.unila.edu.br pmgdaemon[2799]: successful auth for user 'admin@pmg'
Apr 3 11:30:03 mercurio.unila.edu.br postfix/smtpd[3215]: Anonymous TLS connection established from ns2.la-linux-1.serverhostname.net[69.12.68.195]: TLSv

Use of uninitialized value $ticket in pattern match (m//) at /usr/share/perl5/PMG/Service/pmgproxy.pm line 193.
 
this seems odd
* could you try to reproduce this with a different browser (without any plugins installed)?
* if this fails - please try to login to the API using curl (see the PVE wiki for an example - https://pve.proxmox.com/wiki/Proxmox_VE_API)
* try restarting pmgdaemon and pmgproxy (need to exit from the debug mode before) and check the journal while they start:
Code:
systemctl restart pmgproxy pmgdaemon
journalctl -r

I hope this helps!
 
Yes, I've tested with Chrome, Edge and Firefox, all without plugins, same thing.

The authentication seems to work, it's something after the auth that is closing the session, see the curl:
[screenshot]

I've also restarted the server, which didn't work either. Here is a list of the packages that were upgraded before this problem started occurring:
Start-Date: 2020-03-19 09:12:07
Commandline: apt upgrade
Install: pve-kernel-4.15.18-26-pve:amd64 (4.15.18-54, automatic)
Upgrade: postgresql-client-9.6:amd64 (9.6.15-0+deb9u1, 9.6.17-0+deb9u1), perl-base:amd64 (5.24.1-3+deb9u5, 5.24.1-3+deb9u6), postfix:amd64 (3.1.12-0+deb9u1, 3.1.14-0+deb9u1), libcups2:amd64 (2.2.1-8+deb9u4, 2.2.1-8+deb9u5), postfix-pcre:amd64 (3.1.12-0+deb9u1, 3.1.14-0+deb9u1), linux-libc-dev:amd64 (4.9.189-3+deb9u2, 4.9.210-1), libcurl3:amd64 (7.52.1-5+deb9u9, 7.52.1-5+deb9u10), postfix-sqlite:amd64 (3.1.12-0+deb9u1, 3.1.14-0+deb9u1), perl-modules-5.24:amd64 (5.24.1-3+deb9u5, 5.24.1-3+deb9u6), sudo:amd64 (1.8.19p1-2.1+deb9u1, 1.8.19p1-2.1+deb9u2), libpq5:amd64 (9.6.15-0+deb9u1, 9.6.17-0+deb9u1), libperl5.24:amd64 (5.24.1-3+deb9u5, 5.24.1-3+deb9u6), postgresql-9.6:amd64 (9.6.15-0+deb9u1, 9.6.17-0+deb9u1), libxml-security-c17v5:amd64 (1.7.3-4+deb9u1, 1.7.3-4+deb9u2), clamav:amd64 (0.101.4+dfsg-0+deb9u1, 0.102.2+dfsg-0~deb9u1), clamav-daemon:amd64 (0.101.4+dfsg-0+deb9u1, 0.102.2+dfsg-0~deb9u1), clamdscan:amd64 (0.101.4+dfsg-0+deb9u1, 0.102.2+dfsg-0~deb9u1), clamav-freshclam:amd64 (0.101.4+dfsg-0+deb9u1, 0.102.2+dfsg-0~deb9u1), libtimedate-perl:amd64 (2.3000-2, 2.3000-2+deb9u1), libidn11:amd64 (1.33-1, 1.33-1+deb9u1), qemu-guest-agent:amd64 (1:2.8+dfsg-6+deb9u8, 1:2.8+dfsg-6+deb9u9), libfreetype6:amd64 (2.6.3-3.2, 2.6.3-3.2+deb9u1), perl:amd64 (5.24.1-3+deb9u5, 5.24.1-3+deb9u6), clamav-base:amd64 (0.101.4+dfsg-0+deb9u1, 0.102.2+dfsg-0~deb9u1), pve-kernel-4.15:amd64 (5.4-12, 5.4-14), libclamav9:amd64 (0.101.4+dfsg-0+deb9u1, 0.102.2+dfsg-0~deb9u1), curl:amd64 (7.52.1-5+deb9u9, 7.52.1-5+deb9u10), libglib2.0-0:amd64 (2.50.3-2+deb9u1, 2.50.3-2+deb9u2), libcurl3-gnutls:amd64 (7.52.1-5+deb9u9, 7.52.1-5+deb9u10), base-files:amd64 (9.9+deb9u11, 9.9+deb9u12)
End-Date: 2020-03-19 09:13:28
root@mercurio:~#

The interesting thing is that there is nothing in the logs.
 
do you have some kind of proxy or firewall between your browser and PMG?
if yes - try to connect directly
 
I don't have one, I connect directly to the server. Maybe one of the package updates overwrote some config file?

This is really odd, because the auth is working but the authorization doesn't. I can log in but can't do anything with the root user, for example. I've created another user and the same thing as with the admin user happens, it doesn't auth. So it's probably something with the @pmg "domain", :eek:

Maybe migrating to PMG 6 fixes this? It could make it worse?

Thanks.
 
In /var/log/pmgproxy.log, after the auth it first returns a 501 error at /access/ticket, which I think is the ticket issue for the user, and 501 is internal server error, then it is followed by 4 401 errors, unauthorized:

root@mercurio:~# tail -f /var/log/pmgproxy/pmgproxy.log
^T10.50.100.169 - - [06/04/2020:10:23:58 -0300] "POST /api2/extjs/access/ticket HTTP/1.1" 200 501
10.50.100.169 - - [06/04/2020:10:23:58 -0300] "GET /api2/extjs/version?_dc=1586179441951 HTTP/1.1" 401 -
10.50.100.169 - - [06/04/2020:10:23:59 -0300] "GET /api2/extjs/nodes/localhost/subscription?_dc=1586179442164 HTTP/1.1" 401 -
10.50.100.169 - - [06/04/2020:10:23:59 -0300] "GET /api2/json/config/cluster/status?list_single_node=1 HTTP/1.1" 401 -
10.50.100.169 - - [06/04/2020:10:23:59 -0300] "POST /api2/json/access/ticket HTTP/1.1" 200 489
10.50.100.169 - - [06/04/2020:10:23:59 -0300] "GET /api2/json/statistics/recent?hours=12&timespan=300 HTTP/1.1" 401 -
10.50.100.169 - - [06/04/2020:10:23:59 -0300] "GET /api2/json/statistics/recentreceivers?hours=12 HTTP/1.1" 401 -
 
10.50.100.169 - - [06/04/2020:10:23:58 -0300] "POST /api2/extjs/access/ticket HTTP/1.1" 200 501
please:
* start watching the journal:
Code:
journalctl -f
* restart pmgproxy and pmgdaemon
Code:
systemctl restart pmgproxy pmgdaemon

* try logging in as 'admin@pmg'
* post what the journal yields here

I just added a user 'testadmin@pmg' on my local install here and login and the interface works - so my guess is something is not quite right with your certificates.
 
OK, the issue has been fixed. Based on the last update, I removed the CSRF certificate (/etc/pmg/pmg-csrf.key) and regenerated it with pmgconfig init. Everything is working fine now.

Thanks,
 
Glad you found the issue!
please mark the thread as 'SOLVED' - this should help other users in similar situations!

Also please consider upgrading to PMG 6.x at some point, since PMG 5.2 will reach EOL in July.

Thanks!
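
The pmgproxy access log excerpt posted earlier in this thread shows the pattern that separates a ticket/CSRF verification problem from a wrong password: the ticket POST is answered, and the requests right after it are rejected. The script below is an added example, not part of any post and not Proxmox code. It reads the two trailing fields as HTTP status and response size (common log format), and the 30-second window, the function names and the last sample line are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Common-log-style line as in the thread: request, then HTTP status, then body size.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%m/%Y:%H:%M:%S %z"

# First five lines: taken from the log excerpt in the thread.
# Last line: constructed (failed login from a documentation address, must not be flagged).
SAMPLE = '''\
10.50.100.169 - - [06/04/2020:10:23:58 -0300] "POST /api2/extjs/access/ticket HTTP/1.1" 200 501
10.50.100.169 - - [06/04/2020:10:23:58 -0300] "GET /api2/extjs/version?_dc=1586179441951 HTTP/1.1" 401 -
10.50.100.169 - - [06/04/2020:10:23:59 -0300] "GET /api2/json/config/cluster/status?list_single_node=1 HTTP/1.1" 401 -
10.50.100.169 - - [06/04/2020:10:23:59 -0300] "POST /api2/json/access/ticket HTTP/1.1" 200 489
10.50.100.169 - - [06/04/2020:10:23:59 -0300] "GET /api2/json/statistics/recent?hours=12&timespan=300 HTTP/1.1" 401 -
192.0.2.10 - - [06/04/2020:10:24:05 -0300] "POST /api2/json/access/ticket HTTP/1.1" 401 -
'''

def parse(line):
    """Split one access-log line into fields; return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def rejected_after_login(lines, window=timedelta(seconds=30)):
    """Return {client_ip: [paths]} for 401s that follow a 200 ticket POST within window."""
    last_ticket, hits = {}, {}
    for rec in filter(None, map(parse, lines)):
        is_ticket = rec["method"] == "POST" and rec["path"].endswith("/access/ticket")
        if is_ticket and rec["status"] == 200:
            last_ticket[rec["ip"]] = rec["ts"]  # server accepted the credentials
        elif rec["status"] == 401 and rec["ip"] in last_ticket:
            if rec["ts"] - last_ticket[rec["ip"]] <= window:
                hits.setdefault(rec["ip"], []).append(rec["path"])
    return hits

if __name__ == "__main__":
    for ip, paths in rejected_after_login(SAMPLE.splitlines()).items():
        print(f"{ip}: ticket issued, then {len(paths)} request(s) rejected with 401")
```

A client that shows up in the result logged in successfully and was then refused, which points at the ticket and CSRF key material under /etc/pmg rather than at the user database.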
 
