Login failed. Please try again

AngryAdm

Member
Sep 5, 2020
5 of 6 nodes down for maint.

Can't login to web interface on the 6th with the correct password.
Can SSH to the 6th with the correct password.

Why?
If quorum is the culprit.... WHY?
 
> 5 of 6 nodes down for maint.

As few as possible nodes should be brought down for maintenance at the same time, to ensure the remaining system stays quorate.

> If quorum is the culprit....

Yes.
Because without quorum the login data on the shared pmxcfs /etc/pve cannot be trusted as being still valid (e.g., a user could have been disabled or stripped of their privileges, but the non-quorate node would still have it as enabled and with privileges which could do some bad stuff or see info they shouldn't see anymore).

You should still be able to login with SSH.

edit: for clarity, lock-out immediately happens with TFA enabled, as there a write operation for the challenge is required; otherwise it will happen if the node is not quorate for (max) 24h + 5 minutes, as we rotate the main authkey every 24h, so if that cannot happen on that node or cannot get synced from another node (due to not being quorate) the old key will lose validity.
 