No Login with ActiveDirectory Realm

Draces

Jan 13, 2026
Hello,

We are currently evaluating the usage of PDM in our environment.
Most of the configurations worked like a charm.
I am currently hitting a roadblock as I am trying to enable AD auth.

I configured as follows:
Realm: MyDomain.de
Server: MyDomain.de
Fallbackserver: FSMO.MyDomain.de
Mode: LDAPS
Port: 636
Verify Certificate: disabled
Bind Domain Name: "DN of read enabled user"
Bind Password: That user's password

Attributes and filters work.
The users are correctly imported and the attributes are set correctly.

For testing, I gave Admin access on "/" and enabled propagate.
When I try to log in, I enter my AD user, my password and set the realm to MyDomain.de and get the message "Login failed. Please try again (api error (status = 401: Unauthorized))".
The Auth.log file sends the Message: 2026-01-13T09:19:17+01:00: authentication failure; rhost=[::ffff:<<IP>>]:62917 user=adUser@myDomain.de msg=user account disabled or expired.

My user is neither disabled nor expired, as I am currently logged on to my machine with this user.

Oh, and when I try to disable/enable any user, PDM throws an error that an integer was expected.

I hope somebody can point me in the right direction.
 
> My user is neither disabled nor expired, as I am currently logged on to my machine with this user.
This refers to the user's state within PDM and not within your AD realm. Does the user appear as enabled when you look at the overview of users in the access control panel?


> Oh, and when I try to disable/enable any user, PDM throws an error that an integer was expected.
I'll try to reproduce this one, sounds like a wiring issue. Sorry for the inconvenience.
 
Could be that you are running into a previously patched issue [1], but no version has been released that includes it yet [2]. So for now, you can either manually edit the file /etc/proxmox-datacenter-manager/access/user.cfg directly and add the line enable true to any account you want to enable:

Code:
user: example@adRealm
    enable true

You can also set “Enable new users” to “Yes” when triggering a sync (note: this will only apply to newly synced users).

[1]: https://git.proxmox.com/?p=ui/proxm...it;h=808a5c0c6a8a4c7ec5a285c9d585425e98d84f6b
[2]: https://git.proxmox.com/?p=proxmox-...it;h=20093a55e49b7e6d66a1e59a41e5052baedafbb0
 
Hi,
Thank you for your information.
I tried with enabled yes and enabled no.
This error kept persisting and I wasn't able to toggle any users from the AD realm.
I will read your links and check my system again tomorrow. Thank you very much.
 
> I tried with enabled yes and enabled no.
Yes, enabling users by default only works when syncing and only for users that get added by that sync operation. So existing users will stay disabled and the bug in the UI is entirely separate from that (unfortunately). So the only workaround for existing users is to edit the user.cfg file directly.

In theory, you could also remove all users again and then do a new sync. However, that is probably more effort than editing the user.cfg file yourself.
 
Hi all,

We are having the same issue. Running PDM 1.0.3.
We tried both enabled at sync and also manually editing the config file, but we are also getting this error: Login failed. Please try again (api error (status = 401: Unauthorized))

In the journalctl we also have the same error: msg=user account disabled or expired.

Any ideas?
Thanks!
 
When you look at the user management panel, is the user that you are trying to log in enabled there? If you changed the setting for “Enable new users” after the user was originally created, it won't be enabled by the sync. Also make sure that the user's “Expire” property is not set or in the future.
 
Yes, I tried both!

When I sync with enable new users == off then the user is disabled as expected. When I enabled it via the GUI it shows enabled in the GUI but doesn't get enabled in the config file. I manually edited the config file which didn't solve the issue.

Then I deleted all users again, and synced again with new users == on. Users are enabled in the web ui and also in the config file. Login still fails with the same error.
 
Can you maybe post a (redacted) version of your user configuration (/etc/proxmox-datacenter-manager/access/user.cfg)? This seems to work fine for me, though I noticed some unrelated oddities about our UI in this area.
 
I found a solution for my problem in the meantime.
PDM cannot validate an LDAP/AD user when used in conjunction with access on "/" (as in everything).
I had to grant rights on every path to the first level, e.g. "/system".
Afterwards all logins worked for us.

Would be nice if we could define roles and add the rights to these.
 
> PDM cannot validate an LDAP/AD user when used in conjunction with access on "/" (as in everything).
Did you enable “Propagate” when setting this up? That should grant the user access to all paths below.

Logging in should work regardless of the ACLs set up for that user (though they won't be able to do anything meaningful ofc).
 
Propagate was enabled. A Login was not possible.
Propagate is currently enabled on all subpaths in permissions. That works like a charm.
I am happy with the current workaround, groups would be nice though.
 
Groups are on our list of improvements to make [1]. It would be nice though if you could send a version of your configuration files that didn't work. If possible I would like to know what exactly went wrong there. Because logging in that scenario should work.

[1]: https://bugzilla.proxmox.com/show_bug.cgi?id=5867
 
I did try that workaround, but that's not working for me either.

Here is our config:

root@PDM:/etc/proxmox-datacenter-manager/access# tail -n3 user.cfg
user: username@AD-DOMAIN
enable true
expire 0
root@PDM:/etc/proxmox-datacenter-manager/access# cat acl.cfg
acl:1:/system:username@AD-DOMAIN:Administrator
 
Sorry I still can't reproduce this. In the logs, with these settings, you still get “account disabled or expired”? This seems pretty strange to me, the only explanation I have is that caching for some reason isn't working as intended. In that case the "modify" time of the file would be interesting (stat /etc/proxmox-datacenter-manager/access/user.cfg), as well as the timestamp of the last realm sync job.

Also, which file system are you using and did you use our default installer to set it up?
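
Added example, not part of the thread and not PDM code: a read-only triage helper that takes every user rejected in the auth log with "user account disabled or expired" and reports what the user.cfg text says about that account. The sample accounts and log lines are constructed. It assumes that `expire 0` means "never expires" and counts only a literal `enable true` as enabled, as in the workaround posted above.

```python
import re
import time
# Constructed sample data modelled on the snippets in the thread (not real accounts).
SAMPLE_USER_CFG = """\
user: alice@AD-DOMAIN
    enable true
    expire 0
user: bob@AD-DOMAIN
    enable false
user: carol@AD-DOMAIN
    enable true
    expire 1700000000
"""
LOG_LINE = "2026-01-13T09:19:17+01:00: authentication failure; rhost=[::ffff:192.0.2.10]:62917 user={} msg=user account disabled or expired."
SAMPLE_AUTH_LOG = "\n".join(LOG_LINE.format(u) for u in (
    "alice@AD-DOMAIN", "bob@AD-DOMAIN", "carol@AD-DOMAIN", "dave@ad-domain"))
FAILURE = re.compile(r"user=(\S+) msg=user account disabled or expired")

def parse_user_cfg(text):
    """Return {userid: {property: value}} for every 'user: <id>' section."""
    users, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if line[0] not in " \t":          # unindented line: section header
            kind, _, ident = line.partition(":")
            current = users.setdefault(ident.strip(), {}) if kind == "user" else None
        elif current is not None:         # indented line: property of the open user section
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
    return users

def explain(userid, users, now):
    props = users.get(userid)
    if props is None:
        return "no entry in user.cfg (check spelling and case)"
    reasons = []
    # The thread's workaround is an explicit 'enable true'; anything else is reported.
    if props.get("enable") != "true":
        reasons.append("enable is " + props.get("enable", "not set"))
    # Assumption: 'expire 0' (or no expire line) means the account never expires.
    expire = props.get("expire", "0")
    if expire.isdigit() and 0 < int(expire) <= now:
        reasons.append(f"expire {expire} is in the past")
    return "; ".join(reasons) or "enabled and not expired in user.cfg"

def triage(auth_log, user_cfg, now=None):
    # Map each rejected user name to the state found in user.cfg (exact string match).
    now = time.time() if now is None else now
    users = parse_user_cfg(user_cfg)
    return {m.group(1): explain(m.group(1), users, now) for m in FAILURE.finditer(auth_log)}
```

A result of "enabled and not expired in user.cfg" for a user who is still rejected matches the situation in the last posts, where the file on disk and the running service disagree.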