[SOLVED] creating cluster for 2 nodes and TFA is enabled so I can't Join 2nd node then disable TFA no GUI access

[Spirog]

I had TFA enabled then wanted to add a cluster to add another node in my primary datacenter, so I started in the GUI added a cluster and then copied JOIN and went to 2nd node to add it and would not allow me because of TFA was enabled... so I went to TFA and disabled it via GUI then logged out and could not log in again via GUI

then went to ssh
nano /etc/pve/user.cfg

user:root@pam:1:0:Prox:1mx:1mx@m.com:Email Notifications:x:

the issue is somehow some of the :::: was somehow removed?
so I commented out that line
# user:root@pam:1:0:Prox:1mx:1mx@m.com:Email Notifications:x:

and added user:root@pam:1:0::::::

saved the file and was able to login to GUI again

2 questions

- 1st question is this a bug the the ::: got removed because TFA was enabled when creating a cluster and tryingto JOIN the 2nd node?

2nd is my question - after I join 2nd node to a cluster and cluster is working only 2 nodes, can I enable TFA for primary server and second server as well?


thank you
Spiro

 

[fiona]

Hi,

I had TFA enabled then wanted to add a cluster to add another node in my primary datacenter, so I started in the GUI added a cluster and then copied JOIN and went to 2nd node to add it and would not allow me because of TFA was enabled...

yes, unfortunately it's not possible yet to join with TFA enabled.

so I went to TFA and disabled it via GUI then logged out and could not log in again via GUI

then went to ssh
nano /etc/pve/user.cfg

user:root@pam:1:0:Prox:1mx:1mx@m.com:Email Notifications:x:

the issue is somehow some of the :::: was somehow removed?
so I commented out that line
# user:root@pam:1:0:Prox:1mx:1mx@m.com:Email Notifications:x:

and added user:root@pam:1:0::::::

saved the file and was able to login to GUI again

2 questions

- 1st question is this a bug the the ::: got removed because TFA was enabled when creating a cluster and tryingto JOIN the 2nd node?

The colons are just separators for user data, here is what the data actually is from the Perl code:

my ($user, $enable, $expire, $firstname, $lastname, $email, $comment, $keys) = @data

So the fact that the final :x: was there, means that TFA was still enabled apparently. Maybe something went wrong when removing it via GUI. What TFA factor did you have configured? Please also share the output of pveversion -v on that node.

2nd is my question - after I join 2nd node to a cluster and cluster is working only 2 nodes, can I enable TFA for primary server and second server as well?

Yes, that should work AFAIK.

thank you
Spiro

 

[Spirog]

So the fact that the final :x: was there, means that TFA was still enabled apparently.

Hello @Fabian_E
Thanks for reply

Ah ok I never thought about removing the [x]

Maybe something went wrong when removing it via GUI.

What I remember: I clicked edit and then unchecked where it says Enabled, click ok and then logged out and tried to log back in again.
I should of just removed it completely.

What TFA factor did you have configured?

totp only.

Please also share the output of pveversion -v on that node

root@proxmox:~# pveversion -v
proxmox-ve: 7.1-1 (running kernel: 5.13.19-6-pve)
pve-manager: 7.1-12 (running version: 7.1-12/b3c09de3)
pve-kernel-helper: 7.1-14
pve-kernel-5.13: 7.1-9
pve-kernel-5.4: 6.4-11
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-5-pve: 5.13.19-13
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.4.157-1-pve: 5.4.157-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
ceph-fuse: 16.2.7
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: 0.8.36+pve1
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.1
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-7
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-5
libpve-guest-common-perl: 4.1-1
libpve-http-server-perl: 4.1-1
libpve-storage-perl: 7.1-1
libqb0: 1.0.5-1
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.11-1
lxcfs: 4.0.11-pve1
novnc-pve: 1.3.0-2
proxmox-backup-client: 2.1.5-1
proxmox-backup-file-restore: 2.1.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-7
pve-cluster: 7.1-3
pve-container: 4.1-4
pve-docs: 7.1-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.3-6
pve-ha-manager: 3.3-3
pve-i18n: 2.6-2
pve-qemu-kvm: 6.1.1-2
pve-xtermjs: 4.16.0-1
qemu-server: 7.1-4
smartmontools: 7.2-pve2
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1
root@proxmox:~#

Yes, that should work AFAIK.

Yes it is working now.
I removed the setup and started fresh.
now I did everything with command line from wiki
https://pve.proxmox.com/wiki/Nested_Virtualization

This works. But I did not try with gui again because it said in wiki

• create vm or ct inside the guest pve (nodes of CLUSTERNAME)
  • if you did't enable hardware-assisted nested virtualization, you have to turn off KVM hardware virtualization (see VM options)
  • install only CLI based, small ct or vm for those guest (do not try anything with a GUI, don't even think of running Windows...)

now is working

Thank you for reply I really appreciate you and every member of Team Proxmox.
I am waiting for a little more money because I have 2 cpu in this server and I need a little more to get lic.



Kind Regards,
Spiro

 

[fiona]

Hello @fabian
Thanks for reply

Please note that that's not me

Ah ok I never thought about removing the [x]


What I remember: I clicked edit and then unchecked where it says Enabled, click ok and then logged out and tried to log back in again.
I should of just removed it completely.



View attachment 35830

This is a bug, thanks for reporting! I was able to reproduce the issue. I guess the 'x' should be removed by us if all second factors are disabled.

totp only.

root@proxmox:~# pveversion -v
proxmox-ve: 7.1-1 (running kernel: 5.13.19-6-pve)
pve-manager: 7.1-12 (running version: 7.1-12/b3c09de3)
pve-kernel-helper: 7.1-14
pve-kernel-5.13: 7.1-9
pve-kernel-5.4: 6.4-11
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-5-pve: 5.13.19-13
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.4.157-1-pve: 5.4.157-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
ceph-fuse: 16.2.7
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: 0.8.36+pve1
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.1
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-7
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-5
libpve-guest-common-perl: 4.1-1
libpve-http-server-perl: 4.1-1
libpve-storage-perl: 7.1-1
libqb0: 1.0.5-1
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.11-1
lxcfs: 4.0.11-pve1
novnc-pve: 1.3.0-2
proxmox-backup-client: 2.1.5-1
proxmox-backup-file-restore: 2.1.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-7
pve-cluster: 7.1-3
pve-container: 4.1-4
pve-docs: 7.1-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.3-6
pve-ha-manager: 3.3-3
pve-i18n: 2.6-2
pve-qemu-kvm: 6.1.1-2
pve-xtermjs: 4.16.0-1
qemu-server: 7.1-4
smartmontools: 7.2-pve2
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1
root@proxmox:~#

Yes it is working now.
I removed the setup and started fresh.
now I did everything with command line from wiki
https://pve.proxmox.com/wiki/Nested_Virtualization

This works. But I did not try with gui again because it said in wiki

• create vm or ct inside the guest pve (nodes of CLUSTERNAME)
  • if you did't enable hardware-assisted nested virtualization, you have to turn off KVM hardware virtualization (see VM options)
  • install only CLI based, small ct or vm for those guest (do not try anything with a GUI, don't even think of running Windows...)

now is working

Thank you for reply I really appreciate you and every member of Team Proxmox.
I am waiting for a little more money because I have 2 cpu in this server and I need a little more to get lic.



Kind Regards,
Spiro

 

[Spirog]

Please note that that's not me


This is a bug, thanks for reporting! I was able to reproduce the issue. I guess the 'x' should be removed by us if all second factors are disabled.

Please note that that's not me

Ahhh
the _ underscore E
I guess that means Fabian _ Excellence


Thank you for answering that for me, I was going crazy trying to figure if it was just my install or a Bug.

Just to keep on the same subject I thought I would open a new Bug Post here , after testing on a few new installs.

not sure if you want to merge them or keep that for other users to see.

Thanks again sorry for creating a new post

Kind Regards,
Spiro

This is a bug, thanks for reporting! I was able to reproduce the issue. I guess the 'x' should be removed by us if all second factors are disabled.

Yes and added as well. it does nothing not add or remove the X


Bug Reported here https://bugzilla.proxmox.com/show_bug.cgi?id=3989
Patch Reported Here https://lists.proxmox.com/pipermail/pve-devel/2022-April/052561.html