failed to parse TFA file

bryanpedini

Hello,

This morning I installed and joined to my existing cluster of 3 nodes with Proxmox VE 7.4-3 a fourth node with the latest Proxmox 8.0-2.
I successfully logged out and back in a couple of times this morning while performing a couple of networking changes to bootstrap the new host ready for production; however, now I'm unable to log in to the web UI on half of the hosts and to change the settings of 2FA in the cluster configuration...
The error message is the following:
Code:
Oct 13 16:18:00 pve01 pvedaemon[3488049]: authentication failure; rhost=::ffff:10.60.0.199 user=root@pam msg=failed to parse TFA file, neither old style nor valid json
The beautiful thing is that that IP 10.60.0.199 is nothing, doesn't mean anything in my PVE network - I mean, it's my gateway jump host but not related to Proxmox.

Thanks in advance.
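
Added example, not part of the original post: a small triage script for the `pvedaemon` line quoted above. It unwraps the IPv4-mapped `rhost` and separates failures where the node could not read its TFA file from other authentication failures. Every sample line except the first is constructed, and treating `rhost` as the client address seen by the daemon is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Line layout taken from the pvedaemon entry quoted in the post above.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<node>\S+)\spvedaemon\[\d+\]:\s"
    r"authentication failure;\srhost=(?P<rhost>\S+)\suser=(?P<user>\S+)\s"
    r"msg=(?P<msg>.*)$"
)

# First line is the one from the post; the others are constructed samples.
SAMPLE = [
    "Oct 13 16:18:00 pve01 pvedaemon[3488049]: authentication failure; rhost=::ffff:10.60.0.199 user=root@pam msg=failed to parse TFA file, neither old style nor valid json",
    "Oct 13 16:19:12 pve01 pvedaemon[3488050]: authentication failure; rhost=::ffff:192.0.2.44 user=root@pam msg=Authentication failure",
    "Oct 13 16:19:30 pve02 pvedaemon[2211]: authentication failure; rhost=2001:db8::7 user=alice@pve msg=failed to parse TFA file, neither old style nor valid json",
    "Oct 13 16:20:01 pve01 pvedaemon[3488049]: <root@pam> successful auth for user 'root@pam'",
]

def normalize_rhost(rhost):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it matches firewall/VPN logs."""
    try:
        ip = ipaddress.ip_address(rhost)
    except ValueError:
        return rhost  # hostname or unexpected token: keep as logged
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)

def classify(msg):
    # A TFA parse error is raised while the node reads its own TFA config,
    # so it points at cluster state, not at the password or token supplied.
    if "failed to parse TFA file" in msg:
        return "tfa-config-unreadable"
    return "credential-or-other"

def triage(lines):
    events = []
    for line in lines:
        m = AUTH_FAIL.match(line.strip())
        if m:  # non-matching lines (e.g. successful auth) are skipped
            events.append({"node": m["node"], "user": m["user"],
                           "rhost": normalize_rhost(m["rhost"]),
                           "kind": classify(m["msg"])})
    return events

def summarize(events):
    """Count failures per (node, kind) to see which nodes reject the TFA file."""
    return Counter((e["node"], e["kind"]) for e in events)

if __name__ == "__main__":
    for key, count in summarize(triage(SAMPLE)).items():
        print(key, count)
```

On a live node the same functions can be fed the output of `journalctl -u pvedaemon` instead of `SAMPLE`.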
 
Another thing on this new host: I'm unable to start VMs - I can migrate there VMs already on, but this is the error I get when starting a new one, both from command line and from the GUI:
Code:
start failed: command '/usr/bin/kvm -id 50202 -name 'dns02.home.bjphoster.cloud,debug-threads=on' -no-shutdown -chardev 'socket,id=qmp,path=/var/run/qemu-server/50202.qmp,server=on,wait=off' -mon 'chardev=qmp,mode=control' -chardev 'socket,id=qmp-event,path=/var/run/qmeventd.sock,reconnect=5' -mon 'chardev=qmp-event,mode=control' -pidfile /var/run/qemu-server/50202.pid -daemonize -smbios 'type=1,uuid=0bf3ace1-6076-45fb-94b9-6fdb5e19c31e' -smp '2,sockets=1,cores=2,maxcpus=2' -nodefaults -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' -vnc 'unix:/var/run/qemu-server/50202.vnc,password=on' -cpu kvm64,enforce,+kvm_pv_eoi,+kvm_pv_unhalt,+lahf_lm,+sep -m 1024 -object 'iothread,id=iothread-virtioscsi0' -device 'pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e' -device 'pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f' -device 'pci-bridge,id=pci.3,chassis_nr=3,bus=pci.0,addr=0x5' -device 'vmgenid,guid=28c4e36e-2b35-430f-bc96-071fcddd24e4' -device 'piix3-usb-uhci,id=uhci,bus=pci.0,addr=0x1.0x2' -device 'usb-tablet,id=tablet,bus=uhci.0,port=1' -device 'VGA,id=vga,bus=pci.0,addr=0x2' -chardev 'socket,path=/var/run/qemu-server/50202.qga,server=on,wait=off,id=qga0' -device 'virtio-serial,id=qga0,bus=pci.0,addr=0x8' -device 'virtserialport,chardev=qga0,name=org.qemu.guest_agent.0' -device 'virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3,free-page-reporting=on' -iscsi 'initiator-name=iqn.1993-08.org.debian:01:72791a83d79' -drive 'if=none,id=drive-ide0,media=cdrom,aio=io_uring' -device 'ide-cd,bus=ide.0,unit=0,drive=drive-ide0,id=ide0,bootindex=100' -device 'virtio-scsi-pci,id=virtioscsi0,bus=pci.3,addr=0x1,iothread=iothread-virtioscsi0' -drive 'file=/var/lib/vz/images/50202/vm-50202-disk-0.qcow2,if=none,id=drive-scsi0,aio=native,format=qcow2,cache=none,detect-zeroes=on' -device 'scsi-hd,bus=virtioscsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0,id=scsi0,bootindex=101' -netdev 
'type=tap,id=net0,ifname=tap50202i0,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown,vhost=on' -device 'virtio-net-pci,mac=00:44:00:1C:C5:6E,netdev=net0,bus=pci.0,addr=0x12,id=net0,rx_queue_size=1024,tx_queue_size=256' -machine 'type=pc+pve0'' failed: got timeout
 
Hello @bryanpedini, I guess I arrived in the same situation as you (adding a new pve-8 node to a pve-7 cluster - of course in an attempt to upgrade the whole cluster in the next steps).

In my attempt to (temporarily) disable TFA for the root account, I found this [answer from a Proxmox Staff Member](https://forum.proxmox.com/threads/remove-tfa-authentication-via-ssh.69241/post-311910).

What worked for me to login again into the web ui:

Code:
# On the new node

pveum user tfa delete root@pam

# Then on one of the old nodes

pveum user tfa delete root@pam

I did it in two steps as my first attempt to execute the command on one of the old nodes resulted in this error message:

Code:
cannot update tfa config, following nodes are not up to date:
  cluster node 'NAME-OF-NEW-NODE' is too old, did not broadcast its version info

I hope this helps, but I am also interested in official advice from a Proxmox Staff Member, especially on whether joining and upgrading a cluster with TFA enabled for the root user is supported.

Regards,
t3k
 
the thing is... dunno why, but now login works just fine, and I did nothing of that, it just started working like after a reboot or two (something I didn't do after joining the node, I guess rebooting the new node updated the configuration or something).

now the issue I need to sort out is why the hell I can't start up vms :confused::rolleyes:
 
