[SOLVED] creating cluster for 2 nodes and TFA is enabled so I can't Join 2nd node then disable TFA no GUI access

Spirog

I had TFA enabled then wanted to add a cluster to add another node in my primary datacenter, so I started in the GUI added a cluster and then copied JOIN and went to 2nd node to add it and would not allow me because of TFA was enabled... so I went to TFA and disabled it via GUI then logged out and could not log in again via GUI

then went to ssh
nano /etc/pve/user.cfg

user:root@pam:1:0:Prox:1mx:1mx@m.com:Email Notifications:x:

the issue is somehow some of the :::: was somehow removed?
so I commented out that line
# user:root@pam:1:0:Prox:1mx:1mx@m.com:Email Notifications:x:

and added user:root@pam:1:0::::::

saved the file and was able to login to GUI again

2 questions

- 1st question is this a bug that the ::: got removed because TFA was enabled when creating a cluster and trying to JOIN the 2nd node?

2nd is my question - after I join 2nd node to a cluster and cluster is working only 2 nodes, can I enable TFA for primary server and second server as well?


thank you
Spiro
 
Hi,
I had TFA enabled then wanted to add a cluster to add another node in my primary datacenter, so I started in the GUI added a cluster and then copied JOIN and went to 2nd node to add it and would not allow me because of TFA was enabled...
yes, unfortunately it's not possible yet to join with TFA enabled.

so I went to TFA and disabled it via GUI then logged out and could not log in again via GUI

then went to ssh
nano /etc/pve/user.cfg

user:root@pam:1:0:Prox:1mx:1mx@m.com:Email Notifications:x:

the issue is somehow some of the :::: was somehow removed?
so I commented out that line
# user:root@pam:1:0:Prox:1mx:1mx@m.com:Email Notifications:x:

and added user:root@pam:1:0::::::

saved the file and was able to login to GUI again

2 questions

- 1st question is this a bug that the ::: got removed because TFA was enabled when creating a cluster and trying to JOIN the 2nd node?

The colons are just separators for user data, here is what the data actually is from the Perl code:
Code:
my ($user, $enable, $expire, $firstname, $lastname, $email, $comment, $keys) = @data;
So the fact that the final :x: was there, means that TFA was still enabled apparently. Maybe something went wrong when removing it via GUI. What TFA factor did you have configured? Please also share the output of pveversion -v on that node.

2nd is my question - after I join 2nd node to a cluster and cluster is working only 2 nodes, can I enable TFA for primary server and second server as well?
Yes, that should work AFAIK.

thank you
Spiro
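
Added example (not part of the original posts and not Proxmox code): a small parser that maps each colon-separated value of a `user:` line in `/etc/pve/user.cfg` to the field names from the Perl line quoted above, so it is clear which position holds `keys`. The sample lines, the `admin@pve` user and the function names are constructed for illustration; trailing empty fields are treated as unset.

```python
# Field order after the leading "user" record type, as quoted in the reply above.
FIELDS = ("user", "enable", "expire", "firstname", "lastname",
          "email", "comment", "keys")

# Constructed sample: the two root@pam lines come from the thread,
# the admin@pve and group lines are made up for this example.
SAMPLE = """\
# user:root@pam:1:0:Prox:1mx:1mx@m.com:Email Notifications:x:
user:root@pam:1:0::::::
user:admin@pve:1:0:Prox:1mx:1mx@m.com:Email Notifications:x:
group:admins:admin@pve::
"""


def parse_user_line(line):
    """Return a field dict for a 'user:' line, or None for anything else."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None                      # blank or commented-out line
    rec_type, *data = line.split(":")
    if rec_type != "user":
        return None                      # any non-user record is skipped
    while data and data[-1] == "":
        data.pop()                       # trailing empty fields carry no value
    if len(data) > len(FIELDS):
        raise ValueError(f"too many fields: {line!r}")
    data += [""] * (len(FIELDS) - len(data))
    return dict(zip(FIELDS, data))


def users_with_keys(text):
    """Return {userid: keys} for every active user line in the text."""
    result = {}
    for line in text.splitlines():
        rec = parse_user_line(line)
        if rec is not None:
            result[rec["user"]] = rec["keys"]
    return result


if __name__ == "__main__":
    for userid, keys in users_with_keys(SAMPLE).items():
        state = f"keys={keys!r} (second factor still flagged)" if keys else "keys empty"
        print(f"{userid}: {state}")
```
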
 
So the fact that the final :x: was there, means that TFA was still enabled apparently.
Hello @Fabian_E
Thanks for reply

Ah ok I never thought about removing the [x]
Maybe something went wrong when removing it via GUI.

What I remember: I clicked edit and then unchecked where it says Enabled, click ok and then logged out and tried to log back in again.
I should have just removed it completely.



Screenshot 2022-04-08 022348.jpg

What TFA factor did you have configured?
totp only.


Please also share the output of pveversion -v on that node

Code:
root@proxmox:~# pveversion -v
proxmox-ve: 7.1-1 (running kernel: 5.13.19-6-pve)
pve-manager: 7.1-12 (running version: 7.1-12/b3c09de3)
pve-kernel-helper: 7.1-14
pve-kernel-5.13: 7.1-9
pve-kernel-5.4: 6.4-11
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-5-pve: 5.13.19-13
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.4.157-1-pve: 5.4.157-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
ceph-fuse: 16.2.7
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: 0.8.36+pve1
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.1
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-7
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-5
libpve-guest-common-perl: 4.1-1
libpve-http-server-perl: 4.1-1
libpve-storage-perl: 7.1-1
libqb0: 1.0.5-1
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.11-1
lxcfs: 4.0.11-pve1
novnc-pve: 1.3.0-2
proxmox-backup-client: 2.1.5-1
proxmox-backup-file-restore: 2.1.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-7
pve-cluster: 7.1-3
pve-container: 4.1-4
pve-docs: 7.1-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.3-6
pve-ha-manager: 3.3-3
pve-i18n: 2.6-2
pve-qemu-kvm: 6.1.1-2
pve-xtermjs: 4.16.0-1
qemu-server: 7.1-4
smartmontools: 7.2-pve2
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1
root@proxmox:~#

Yes, that should work AFAIK.
Yes it is working now.
I removed the setup and started fresh.
now I did everything with command line from wiki
https://pve.proxmox.com/wiki/Nested_Virtualization

This works. But I did not try with gui again because it said in wiki
  • create vm or ct inside the guest pve (nodes of CLUSTERNAME)
    • if you didn't enable hardware-assisted nested virtualization, you have to turn off KVM hardware virtualization (see VM options)
    • install only CLI based, small ct or vm for those guest (do not try anything with a GUI, don't even think of running Windows...)
now is working :)

Thank you for reply I really appreciate you and every member of Team Proxmox.
I am waiting for a little more money because I have 2 cpu in this server and I need a little more to get lic. :)



Kind Regards,
Spiro
 
Hello @fabian
Thanks for reply
Please note that that's not me ;)

Ah ok I never thought about removing the [x]


What I remember: I clicked edit and then unchecked where it says Enabled, click ok and then logged out and tried to log back in again.
I should have just removed it completely.



View attachment 35830
This is a bug, thanks for reporting! I was able to reproduce the issue. I guess the 'x' should be removed by us if all second factors are disabled.

Please note that that's not me ;)
Ahhh
the _ underscore E
I guess that means Fabian _ Excellence ;)


Thank you for answering that for me, I was going crazy trying to figure if it was just my install or a Bug.

Just to keep on the same subject I thought I would open a new Bug Post here , after testing on a few new installs.

not sure if you want to merge them or keep that for other users to see.

Thanks again sorry for creating a new post :)

Kind Regards,
Spiro
This is a bug, thanks for reporting! I was able to reproduce the issue. I guess the 'x' should be removed by us if all second factors are disabled.
Yes and added as well. it does nothing not add or remove the X


Bug Reported here https://bugzilla.proxmox.com/show_bug.cgi?id=3989
Patch Reported Here https://lists.proxmox.com/pipermail/pve-devel/2022-April/052561.html
 