socket close error with AD or LDAP type realm in pbs storage configuration

prox_roy

New Member
Jan 14, 2025
We recently started to use Proxmox Backup Server 4.1.0. Our Proxmox cluster is on version 8.4.14 and uses Active Directory via LDAPS as realm.
As soon as we configure PBS storage with an AD service account, we immediately receive the following log message on the backup server (journalctl -f): “socket close error: Connection reset by peer (os error 104)”. If we switch to a local account in PBS, we do not get any errors.
There are no firewall blocks visible.

However, we want to use an AD service account for the storage connection in the PVE cluster.
The backup functionality is working, but after a couple of hours (not directly measurable) the PBS is hanging and no more backups are responsible.

Has anyone had the same experience, or is there a fix/workaround?

Regards, Roy
 
Update:

Our Debian operating system is connected to an Active Directory via pam_sss.
We have now configured a user in PBS by editing the local configuration file: /etc/proxmox-backup/user.cfg
Code:
user: domain\pbs-api@pam
        email pbs-api@email.com

We have therefore set up the AD account as Realm PAM in Proxmox Backup Server.
The result is that this user is used to store the backups in PVE.

Now, the error message no longer occurs.
Code:
socket close error: Connection reset by peer (os error 104)


However, PVE permanently authenticates the AD user via PAM. Every second from every PVE node. The integration of the backup-storage into the PVE cluster is successful, but the log on the PBS server is growing very quickly.

Code:
Dec 12 14:01:18 host-name-pbs proxmox-backup-api[721]: pam_unix(proxmox-backup-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:10.1.2.3  user=domain\pbs-api
Dec 12 14:01:18 host-name-pbs proxmox-backup-api[721]: pam_sss(proxmox-backup-auth:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:10.1.2.3 user=domain\pbs-api
Dec 12 14:01:18 host-name-pbs proxmox-backup-api[721]: pam_unix(proxmox-backup-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:10.1.2.3  user=domain\pbs-api
Dec 12 14:01:18 host-name-pbs proxmox-backup-api[721]: pam_sss(proxmox-backup-auth:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:10.1.2.3 user=domain\pbs-api

We assume that continuous authentication for an AD PAM account is a bug.

Here is our PAM AD integration config for the common-account PAM config: /etc/pam.d/common-account
Code:
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                                               pam_deny.so

account [success=2 default=ignore]                              pam_localuser.so
account [default=bad success=ok user_unknown=ignore]            pam_sss.so

account required                                                pam_succeed_if.so user ingroup [ad_group@domain]
account required                                                pam_permit.so


Has anyone else recognized the same behavior when using AD accounts for the PBS backup storage in the PVE cluster?

Regards, Roy
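
Added example (not part of the original post and not Proxmox code): in the log excerpt above, each login appears as a pam_unix failure followed by a pam_sss success, which is consistent with the PAM auth stack trying local accounts first and then SSSD. This Python sketch pairs those lines so the login rate per PVE node can be read separately from attempts that every module rejected. The sample lines are constructed in the format of the excerpt, and the names `pair`, `SAMPLE` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the excerpt above (not real logs).
FMT = ("Dec 12 14:01:{s} host-name-pbs proxmox-backup-api[721]: "
       "{mod}(proxmox-backup-auth:auth): authentication {res}; "
       "logname= uid=0 euid=0 tty= ruser= rhost=::ffff:{ip} user={user}")

def pair(s, ip, user, sss="success"):
    """One login attempt as logged: pam_unix fails first, then pam_sss decides."""
    return [FMT.format(s=s, mod="pam_unix", res="failure", ip=ip, user=user),
            FMT.format(s=s, mod="pam_sss", res=sss, ip=ip, user=user)]

SAMPLE = (pair(18, "10.1.2.3", r"domain\pbs-api") * 2
          + pair(19, "10.1.2.4", r"domain\pbs-api")
          + pair(20, "10.1.2.9", r"domain\other", sss="failure"))

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ proxmox-backup-api\[\d+\]: "
    r"(?P<mod>pam_\w+)\(proxmox-backup-auth:auth\): "
    r"authentication (?P<res>success|failure);"
    r".*?rhost=(?P<rhost>\S+)\s+user=(?P<user>\S+)")

def summarize(lines):
    pending = Counter()     # pam_unix failures not yet settled by a later module
    logins = Counter()      # accepted logins per (rhost, user)
    failed = Counter()      # attempts rejected by every module
    per_second = Counter()  # accepted logins per (timestamp, rhost)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        key = (m["rhost"], m["user"])
        if m["mod"] == "pam_unix" and m["res"] == "failure":
            pending[key] += 1              # may still be accepted by pam_sss
            continue
        pending[key] = max(0, pending[key] - 1)
        if m["res"] == "success":
            logins[key] += 1               # benign fall-through, not a failure
            per_second[(m["ts"], m["rhost"])] += 1
        else:
            failed[key] += 1               # last module also said no
    for key, n in pending.items():         # pam_unix failures nothing followed up
        failed[key] += n
    return logins, failed, per_second

if __name__ == "__main__":
    logins, failed, per_second = summarize(SAMPLE)
    print("logins:", dict(logins))
    print("rejected:", {k: v for k, v in failed.items() if v})
    print("peak logins/s per node:", max(per_second.values()))
```

To use it on a real system, feed it the journal lines for the `proxmox-backup-api` unit instead of `SAMPLE`.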