PVE 7.1 Cant login for web gui

ricardowec

New Member
Dec 16, 2020
9
0
1
71
Hello
This is a four node cluster (all paid licenses) pve,pve1,pve2,pve3

I migrated all nodes from 7.0.11 to 7.1.1

After a couple of days of running fine, suddenly I needed to login from pve and found i was rejected with "Login Failed, please try again", then I tried from the other nodes with same results. SSH connection worked fine in all nodes.

So after doing whatever has been written in the forums from past builds I decided to do a fresh install in pve1 and pve2 and the problem was solved in these nodes, but pve and pve3 kept rejecting.

so.. my cluster is a mess, 7.1 killed whatever I had on them,,,

Regards
 
Aug 19, 2019
52
7
13
Confirmed, one day after the update 7.0 >> 7.1 all web logins with @pam users fail. No matter if they use U2F or not.
The shell login (ssh) is still working though. /var/log/pveproxy/access.log has no useful info for debugging.

Any ideas how to debug this?
 
Aug 19, 2019
52
7
13
I just looked at the web UI of our system again. I still cant login into the Web UI after the upgrade from 7.0 to 7.1. Only the ssh logins are still operational.

The logs show nothing (/var/log/pveproxy/access.log). I have no idea how to fix this and all web UI users are affected. I tested with enabled firewall (which is the default in the production system,) and also with disabled firewall, there is no change at all. Feels like a major bug in 7.1!
 

dcsapak

Proxmox Staff Member
Staff member
Feb 1, 2016
6,975
820
163
33
Vienna
can you post your journal/syslog during a failed login? as well as your /etc/pve/domains.cfg ?
Feels like a major bug in 7.1!
not a general one since for most users it seems to work...
 

jsterr

Active Member
Jul 24, 2020
170
30
28
30
I had a similiar problem with a 2 node cluster I wanted to create. After creating the cluster and waiting for a while, login via gui was not possible on the second node while I was still able to connect via SSH. I unfortunately dont have any logs anymore, I reinstalled and will create the cluster on customer-site with access to the external quorum device.

Oh I see in my case it seems Im facing this because of: https://bugzilla.proxmox.com/show_bug.cgi?id=3739
So if all nodes are up, why cant we login to the nodes? or am I missing something?
 
Last edited:
Aug 19, 2019
52
7
13
The PVE at https://tokoeka.netzwissen.de is a single node, so, I have no /etc/pve/domains.cfg
journalctl -fu pveproxy.service shows nothing interesting, but

root@tokoeka /etc/pve # journalctl -fu pvedaemon.service

-- Journal begins at Sat 2021-06-12 04:23:15 CEST. -- Nov 25 23:36:07 tokoeka pvedaemon[678304]: authentication failure; rhost=::ffff:87.154.165.78 user=root2@pam@pam msg=no such user ('root2@pam@pam') Nov 25 23:37:36 tokoeka pvedaemon[678306]: authentication failure; rhost=::ffff:87.154.165.78 user=root2@pam@pam msg=no such user ('root2@pam@pam') Nov 25 23:37:58 tokoeka pvedaemon[678305]: authentication failure; rhost=::ffff:87.154.165.78 user=root@pam@pam msg=no such user ('root@pam@pam')

Hm, very strange, why "[username]@pam@pam" with two times @pam@pam ? The "pveum user list" shows them instead as

Code:
root2@pam
root@pam
thommie@pam

??
 

dcsapak

Proxmox Staff Member
Staff member
Feb 1, 2016
6,975
820
163
33
Vienna
did you enter 'root@pam' in the username field? if yes, that is not correct, only root and select the correct realm..

if not, how exactly is your login configured (u2f/webauth/.. ?)
 
Aug 19, 2019
52
7
13
ok, that was the problem obviously.

The login data (username and PW) for the web access come from a connected keepass database. There we had [username@pam] for all logins. This worked without problems up to PVE 7.0. Looks like the behaviour of PVE 7.1 is different at this point. You need to enter the plain username without @pam, then the the login works as before.

Thommie
 
Last edited:

dcsapak

Proxmox Staff Member
Staff member
Feb 1, 2016
6,975
820
163
33
Vienna
hi,

a colleague and I tested various versions (6.4, 7.0, 7.1, etc.) and it behaved always like this
maybe you are confusing it with pmg? because in pmg, there is no realm selector...
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!