New AD realm not working - "blank username"

uptonguy75

Nov 15, 2024
Proxmox v8.2.10

I tried setting up AD integration per this article: https://forum.proxmox.com/threads/h...cluster-to-an-active-directory-domain.100395/

But when I try to log into Proxmox with an AD user, it returns "Login failed." When I check syslog, I see these errors:

Code:
Use of uninitialized value $username in concatenation (.) or string at /usr/share/perl5/PVE/API2/AccessControl.pm line 303.
authentication failure; rhost=::ffff:10.130.41.116 user= msg=user name '' is too short

It seems like the username is not being appropriately passed to the AccessControl script. Has anyone seen this before?

Thank you!
 
Hi,

What's the exact username (possibly pseudonymized as needed)?
Would it also be possible to share the appropriate section from /etc/pve/domains.cfg and /etc/pve/user.cfg, i.e. the realm config and the user entry for which the error occurs, respectively?
 
Hi Christoph,

I'm trying to log in with the following details:
  • User name: upton.guy.da
  • Realm: My Active Directory
This user exists within AD. My understanding is that once credentials are validated in AD, Proxmox will create an entry in the user.cfg file.

Code:
/etc/pve/domains.cfg:

ad: corp.mydomain.com
        comment My Active Directory
        domain corp.mydomain.com
        server1 10.30.20.11
        base_dn DC=corp,DC=mydomain,DC=com
        bind_dn CN=Proxmox Service,OU=Service Accounts,OU=MyDomain,DC=corp,DC=mydomain,DC=com
        case-sensitive 0
        default 1
        filter (&(objectclass=user)(samaccountname=*)(MemberOf=CN=Proxmox Admins,OU=Service Accounts,OU=MyDomain,DC=corp,DC=mydomain,DC=com))
        mode ldaps
        server2 10.70.20.10
        sync-defaults-options remove-vanished=entry,scope=users

pam: pam
        comment Linux PAM standard authentication

pve: pve
        comment Proxmox VE authentication server

Code:
/etc/pve/user.cfg

user:upton.guy@pam:1:0:Upton:Guy:upton.guy@mydomain.com::x:
user:root@pam:1:0:::admins@mydomain.com:::
 
I was able to solve this by changing the realm name to something different from the AD domain name. In this case I used “MYDOMAIN” for the realm and “corp.mydomain.com” for the domain.
 
Hi,

Thank you for investigating! Also, good to hear you could solve it in the end.

But it is indeed strange that dots in the name cause such an obscure failure - I'll try to reproduce it and send a fix!
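
Added example (not part of the thread and not Proxmox code): a small checker that parses text in the /etc/pve/domains.cfg layout posted above and flags AD realms whose realm name equals the AD domain or contains a dot, the setup reported as failing in this thread. The function names and the sample data are constructed for illustration.

```python
import re

# Constructed sample in the domains.cfg layout shown in the thread.
SAMPLE = """\
ad: corp.mydomain.com
        domain corp.mydomain.com
        mode ldaps

ad: MYDOMAIN
        domain corp.mydomain.com
        mode ldaps

pam: pam
        comment Linux PAM standard authentication
"""

# Section header: "<type>: <realm id>" starting in column 0.
HEADER = re.compile(r"^(?P<type>[A-Za-z0-9_-]+):\s*(?P<id>\S+)\s*$")

def parse_realms(text):
    """Parse 'type: id' headers followed by indented 'key value' lines."""
    realms, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # indented option line of the current realm
            if current is not None:
                key, _, value = line.strip().partition(" ")
                current["options"][key] = value.strip()
            continue
        m = HEADER.match(line)
        current = {"type": m["type"], "id": m["id"], "options": {}} if m else None
        if current:
            realms.append(current)
    return realms

def risky_realms(text):
    """Return (realm id, reason) for AD realms matching the thread's failing setup."""
    findings = []
    for realm in parse_realms(text):
        if realm["type"] != "ad":
            continue
        if realm["id"].lower() == realm["options"].get("domain", "").lower():
            findings.append((realm["id"], "realm name equals AD domain"))
        elif "." in realm["id"]:
            findings.append((realm["id"], "realm name contains a dot"))
    return findings

if __name__ == "__main__":
    for realm_id, reason in risky_realms(SAMPLE):
        print(f"{realm_id}: {reason}")
```

On the sample, only the realm named corp.mydomain.com is reported; the renamed MYDOMAIN realm with the same domain passes.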