[SOLVED] PVE syncs active directory groups and the users in it, but the users cannot login

jmattfeld

New Member
Mar 4, 2025
Hi,
I am syncing my active directory and am able to sync the users in a group. The settings are these:
User filter: memberOf=CN=VCAdmins,OU=Legacy,OU=Groups,OU=Administrative,OU=Resources,DC=mydomain,DC=com

and
Group filter: sAMAccountName=vcad*

After the sync I see the users from the group were added to the User page under permissions and the group is listed under the groups section.

I then add a group permission for that group and try to log in with one of the users in that group. But I get "Login failed".

In the logs I see this:
pvedaemon[1835696]: authentication failure; rhost=::ffff:10.145.155.25 user=user@mydomain.com msg=no such user ('user@mydomain.com')

Any ideas what I did wrong?

Thanks
Jens
 
are you using the correct username and realm?
 
for syncing? The group and the users are being synced and I see them in the user list. If I add one of the users manually it works. Just if I add the group under permissions the users in that group cannot login.
I get the no such user message
 
when logging in.. maybe it would help if you could post the relevant part of user.cfg and the exact data (skip the password ;)) you enter/select in the login window.. feel free to censor things, but if you do, do so consistently!
 
you are entering it in lowercase, but the config contains it in uppercase..

you can use [code] tags here in the forum to avoid the smiley (and other ;)) problems
 
yes, I tried uppercase too
Same problem, but a different message in the logs: authentication failure; rhost=::ffff:10.145.155.25 user=M43700.VA@domain.com msg=80090308: LdapErr: DSID-0C090511, comment: AcceptSecurityContext error, data 52e, v4f7c
 
well, that is an error on the LDAP/AD side that you need to debug there.. do you see anything in the logs on the other end when you try a login like that? quick internet search would indicate that one means wrong password ;)
 
great! That's it. Is there a way to get that to be case insensitive or lowercase on the Proxmox side?
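The two log messages in this thread fail at different layers: "no such user" is the Proxmox side not finding the userid as typed, while the LdapErr line is Active Directory rejecting the bind. The following triage script is an added example, not part of the original posts or of Proxmox itself; the sample user.cfg line, the usernames and the assumed `user:<userid>:...` field layout are constructed for illustration.

```python
import re

# AD sub-codes that follow "data" in an 80090308 bind error.
# 52e is the one seen in this thread; the others are common neighbours.
AD_BIND_CODES = {
    "525": "user not found in AD",
    "52e": "invalid credentials (wrong password or bind name)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "775": "account locked out",
}
FAIL_RE = re.compile(r"authentication failure; rhost=(\S+) user=(\S+) msg=(.*)")

# Constructed sample data (not from the thread): one synced user, two failures.
SAMPLE_CFG = "user:J1234.AB@example.com:1:0::::::\ngroup:vcadmins:J1234.AB@example.com::\n"
SAMPLE_LOG = [
    "pvedaemon[1001]: authentication failure; rhost=::ffff:192.0.2.10 "
    "user=j1234.ab@example.com msg=no such user ('j1234.ab@example.com')",
    "pvedaemon[1001]: authentication failure; rhost=::ffff:192.0.2.10 "
    "user=J1234.AB@example.com msg=80090308: LdapErr: DSID-0C090511, "
    "comment: AcceptSecurityContext error, data 52e, v4f7c",
]

def load_userids(user_cfg_text):
    """Return userids (name@realm) from 'user:' lines; layout is an assumption."""
    return [line.split(":")[1] for line in user_cfg_text.splitlines()
            if line.startswith("user:")]

def triage(log_line, userids):
    """Classify one pvedaemon authentication failure line, or None if no match."""
    m = FAIL_RE.search(log_line)
    if not m:
        return None
    _rhost, user, msg = m.groups()
    if msg.startswith("no such user"):
        # Userid as typed is not in the PVE user list: look for a case-only mismatch.
        near = [u for u in userids if u.lower() == user.lower() and u != user]
        if near:
            return f"PVE side: '{user}' differs only in case from synced '{near[0]}'"
        return f"PVE side: '{user}' is not in user.cfg (check sync filter and realm)"
    ad = re.search(r"AcceptSecurityContext error, data ([0-9a-f]+)", msg)
    if ad:
        reason = AD_BIND_CODES.get(ad.group(1), "unknown sub-code")
        return f"AD side: bind rejected, data {ad.group(1)} = {reason}"
    return f"unclassified: {msg}"

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(triage(line, load_userids(SAMPLE_CFG)))
```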