[SOLVED] Lost GUI access (single node)

highchloride

Mar 30, 2025
Hi folks,

I've joined the ranks of users who suddenly lost GUI access. The last thing I was doing was working with API tokens, then I was signed out and cannot log back in. Unlike many of the other threads I've seen around this topic, I don't have a quorum to lose or control as I'm in a single-node configuration. I've been able to log in over SSH and PCT my containers, but I'd like to regain access to the GUI if possible. I've rebooted, reset services, added rules to IPTables, changed my passwd, tried another account, no joy. Which log would record the access attempt? I wasn't able to find it. Thanks.
 
So the GUI is accessible but it says authentication failed? Or is it not loading at all? Is the realm on the login screen correct (pam vs PVE)?
 
The GUI is accessible, yes. When I attempt to log in to PAM standard authentication as root, I receive "Login failed. Please try again." This also happens when I try an alternate username.
 
I just set up glances on the server and it's reporting critical CPU_IOWAIT alerts repeatedly. I understand this could be because I'm out of RAM and it's swapping, but glances reports only 3 GB of the 16 GB on the server are being utilized. Possibly relevant? It looks like the "ZMC" program is the one waiting.
 
FIXED. Turns out I inadvertently deactivated the root user. This was discovered with

sudo systemctl status pvedaemon.service

which showed the root user deactivation notice. To resolve,

nano /etc/pve/user.cfg

and find the entry for root. Mine looked like this:

user:root@pam:0:0::::::

Change the first zero to a one, and I'm able to get back in.
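
The check described in the post above, as an added example that is not part of the original thread: a small shell audit that lists accounts whose user.cfg entry blocks login. The function names, the expire field's meaning and the sample file are assumptions or constructed here; the post only confirms the first flag after the userid.

```shell
#!/bin/sh
# Added example (not from the thread): list Proxmox VE accounts that are
# blocked from logging in by their user.cfg entry.
# Assumed layout; the thread only confirms the first flag after the userid:
#   user:<userid>:<enable>:<expire>:<first>:<last>:<email>:<comment>:<keys>:
# enable is 0/1, expire is a Unix timestamp (0 = never expires).

# audit_pve_users FILE [NOW] -> "<userid> disabled" / "<userid> expired" lines
audit_pve_users() {
    cfg=$1
    now=${2:-$(date +%s)}
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    awk -F: -v now="$now" '
        $1 == "user" {                      # skip token:, group:, acl: lines
            if ($3 != "1")
                print $2, "disabled"
            else if ($4 + 0 > 0 && $4 + 0 <= now + 0)
                print $2, "expired"
        }' "$cfg"
}

# root_can_login FILE [NOW] -> 1 if root@pam is listed as blocked,
# 2 if the file cannot be read, 0 otherwise
root_can_login() {
    blocked=$(audit_pve_users "$1" "${2:-}") || return 2
    if printf '%s\n' "$blocked" | grep -q '^root@pam '; then
        return 1
    fi
    return 0
}

# Constructed sample file for trying the functions away from a real node.
write_sample_cfg() {
    cat > "$1" <<'EOF'
user:root@pam:0:0::::::
user:alice@pve:1:0:Alice:Example:alice@example.com:::
user:backup@pve:1:1700000000::::::
token:root@pam!monitoring:0:1::
EOF
}

# On a node: sh this_script.sh /etc/pve/user.cfg
if [ -n "${1:-}" ]; then
    audit_pve_users "$1"
fi
```

Running it before and after editing user.cfg shows whether the change actually re-enabled the account, without needing a GUI login attempt.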
 
For my fix (after updates and the kernel) I lost GUI access. I flushed the IP tables with
iptables -F # Clear IPv4 rules
ip6tables -F # Clear IPv6 rules
nft flush ruleset # If using nftables

Then made persistent:
apt update && apt install iptables-persistent
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

iptables -A INPUT -p tcp --dport 8006 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 8006 -j ACCEPT

Then save again:
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Reboot and check:
iptables -L -n | grep 8006 # Should show ACCEPT rule
ss -tulnp | grep 8006 # Should show pveproxy listening

and Kazamm, back to business after working on this all day yesterday. Hope this helps somebody.