From: Joe N. <jo...@jo...> - 2012-03-29 09:21:07
|
> Did you update "sudo" recently? It seems that updating it has broken webmin > before now: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600892 > <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600892> > > Daniel Hi Daniel, Thank you for your reply. Whilst I don't specifically remember seeing it as an upgrade recently, I couldn't say for sure. Is there any way to check this reliably on Debian/Ubuntu? Here's the output from 'dpkg -s sudo' anyway, if that's of any use: Package: sudo Status: install ok installed Priority: optional Section: admin Installed-Size: 628 Maintainer: Ubuntu Core Developers <ubu...@li...> Architecture: amd64 Version: 1.7.2p1-1ubuntu5.3 Replaces: sudo-ldap Depends: libc6 (>= 2.8), libpam0g (>= 0.99.7.1), libpam-modules Conflicts: sudo-ldap Conffiles: /etc/pam.d/sudo 402488da83015090763d681fffae6340 /etc/sudoers.d/README 2ec19eb188781dd8e2ff0ad509399497 As I mentioned before, this a relatively new system build, so it's more or less 'a recent upgrade' of sudo. It's strange how my other servers on the same physical host, same version of webmin, etc. do not have this issue though. Thanks, Joe |
From: Joe N. <jo...@jo...> - 2012-03-29 15:07:45
|
-----Original message----- > What gets logged to /var/log/auth.log when you try to login to Webmin? > There may be some informative messages from sudo .. > > - Jamie Hi Jamie, This is what get logged in /var/log/auth.log: <attempt_1> Mar 29 15:59:59 MailServer1 perl[2772]: pam_unix(webmin:session): session opened for user joe by (uid=0) Mar 29 15:59:59 MailServer1 webmin[2772]: Invalid login as joe from 192.168.1.4 </attempt_1> <attempt_2> Mar 29 16:00:05 MailServer1 perl[2929]: pam_unix(webmin:session): session opened for user joe by (uid=0) Mar 29 16:00:05 MailServer1 webmin[21308]: Security alert: Host 192.168.1.50 blocked after 5 failed logins for user joe </attempt_2> Obviously, sudo is now blocking me for the time being, as I've tried several times to login whilst verifying my username/password is actually correct :-( Can you offer any suggestions why sudo would be declining the login attempt through Webmin? If there's any further info required, please ask. Thanks, Joe |
From: Fajar P. <faj...@ar...> - 2012-03-29 15:59:19
|
On Thu, Mar 29, 2012 at 11:07 PM, Joe Nyland <jo...@jo...> wrote: > <attempt_1> > Mar 29 15:59:59 MailServer1 perl[2772]: pam_unix(webmin:session): session opened for user joe by (uid=0) > Mar 29 15:59:59 MailServer1 webmin[2772]: Invalid login as joe from 192.168.1.4 > </attempt_1> > > <attempt_2> > Mar 29 16:00:05 MailServer1 perl[2929]: pam_unix(webmin:session): session opened for user joe by (uid=0) > Mar 29 16:00:05 MailServer1 webmin[21308]: Security alert: Host 192.168.1.50 blocked after 5 failed logins for user joe > </attempt_2> > > Obviously, sudo is now blocking me for the time being, as I've tried several times to login whilst verifying my username/password is actually correct :-( > > Can you offer any suggestions why sudo would be declining the login attempt through Webmin? If there's any further info required, please ask. Hi Joe, I can only offer workaround: - From ssh, create another user. Put it into "admin" group. Check if that user can become root: sudo -i - Try to login webmin with that user. Since it's admin group, you will be able to get all webmin menu and see what is wrong. HTH -- http://linux3.arinet.org |
From: Jamie C. <jca...@we...> - 2012-03-29 16:08:00
|
On 29/Mar/2012 08:07 Joe Nyland <jo...@jo...> wrote .. > -----Original message----- > > What gets logged to /var/log/auth.log when you try to login to Webmin? > > There may be some informative messages from sudo .. > > > > - Jamie > > Hi Jamie, > > This is what get logged in /var/log/auth.log: > > <attempt_1> > Mar 29 15:59:59 MailServer1 perl[2772]: pam_unix(webmin:session): session opened > for user joe by (uid=0) > Mar 29 15:59:59 MailServer1 webmin[2772]: Invalid login as joe from 192.168.1.4 > </attempt_1> > > <attempt_2> > Mar 29 16:00:05 MailServer1 perl[2929]: pam_unix(webmin:session): session opened > for user joe by (uid=0) > Mar 29 16:00:05 MailServer1 webmin[21308]: Security alert: Host 192.168.1.50 blocked > after 5 failed logins for user joe > </attempt_2> > > Obviously, sudo is now blocking me for the time being, as I've tried several times > to login whilst verifying my username/password is actually correct :-( > > Can you offer any suggestions why sudo would be declining the login attempt through > Webmin? If there's any further info required, please ask. Another thing you could try is SSHing into the system as "joe" and running : sudo -l -S and post what it outputs. That's the command Webmin uses to check if joe has root sudo privileges. - Jamie |
From: Joe N. <jo...@jo...> - 2012-03-29 20:07:43
|
On 29 Mar 2012, at 17:07, "Jamie Cameron" <jca...@we...> wrote: > On 29/Mar/2012 08:07 Joe Nyland <jo...@jo...> wrote .. >> -----Original message----- >>> What gets logged to /var/log/auth.log when you try to login to Webmin? >>> There may be some informative messages from sudo .. >>> >>> - Jamie >> >> Hi Jamie, >> >> This is what get logged in /var/log/auth.log: >> >> <attempt_1> >> Mar 29 15:59:59 MailServer1 perl[2772]: pam_unix(webmin:session): session opened >> for user joe by (uid=0) >> Mar 29 15:59:59 MailServer1 webmin[2772]: Invalid login as joe from 192.168.1.4 >> </attempt_1> >> >> <attempt_2> >> Mar 29 16:00:05 MailServer1 perl[2929]: pam_unix(webmin:session): session opened >> for user joe by (uid=0) >> Mar 29 16:00:05 MailServer1 webmin[21308]: Security alert: Host 192.168.1.50 blocked >> after 5 failed logins for user joe >> </attempt_2> >> >> Obviously, sudo is now blocking me for the time being, as I've tried several times >> to login whilst verifying my username/password is actually correct :-( >> >> Can you offer any suggestions why sudo would be declining the login attempt through >> Webmin? If there's any further info required, please ask. > > Another thing you could try is SSHing into the system as "joe" and running : > > sudo -l -S > > and post what it outputs. That's the command Webmin uses to check if joe has root > sudo privileges. > > - Jamie Here's the output from 'sudo -l -S': joe@MailServer1:~$ sudo -l -S [sudo] password for joe: Matching Defaults entries for joe on this host: env_reset User joe may run the following commands on this host: joe@MailServer1:~$ Does that look right to you? Thank you for your help. Joe |
From: Jamie C. <jca...@we...> - 2012-03-29 20:22:37
|
On 29/Mar/2012 13:07 Joe Nyland <jo...@jo...> wrote .. > On 29 Mar 2012, at 17:07, "Jamie Cameron" <jca...@we...> wrote: > > > On 29/Mar/2012 08:07 Joe Nyland <jo...@jo...> wrote .. > >> -----Original message----- > >>> What gets logged to /var/log/auth.log when you try to login to Webmin? > >>> There may be some informative messages from sudo .. > >>> > >>> - Jamie > >> > >> Hi Jamie, > >> > >> This is what get logged in /var/log/auth.log: > >> > >> <attempt_1> > >> Mar 29 15:59:59 MailServer1 perl[2772]: pam_unix(webmin:session): session opened > >> for user joe by (uid=0) > >> Mar 29 15:59:59 MailServer1 webmin[2772]: Invalid login as joe from 192.168.1.4 > >> </attempt_1> > >> > >> <attempt_2> > >> Mar 29 16:00:05 MailServer1 perl[2929]: pam_unix(webmin:session): session opened > >> for user joe by (uid=0) > >> Mar 29 16:00:05 MailServer1 webmin[21308]: Security alert: Host 192.168.1.50 > blocked > >> after 5 failed logins for user joe > >> </attempt_2> > >> > >> Obviously, sudo is now blocking me for the time being, as I've tried several > times > >> to login whilst verifying my username/password is actually correct :-( > >> > >> Can you offer any suggestions why sudo would be declining the login attempt > through > >> Webmin? If there's any further info required, please ask. > > > > Another thing you could try is SSHing into the system as "joe" and running : > > > > sudo -l -S > > > > and post what it outputs. That's the command Webmin uses to check if joe has > root > > sudo privileges. > > > > - Jamie > > Here's the output from 'sudo -l -S': > > joe@MailServer1:~$ sudo -l -S > [sudo] password for joe: > Matching Defaults entries for joe on this host: > env_reset > > User joe may run the following commands on this host: > joe@MailServer1:~$ > > Does that look right to you? > > Thank you for your help. That doesn't look like it includes all the needed permissions. It should be more like : User jcameron may run the following commands on this host: (ALL) ALL (ALL) ALL - Jamie |
From: Joe N. <jo...@jo...> - 2012-03-30 08:34:09
|
-----Original message----- > > > > Here's the output from 'sudo -l -S': > > > > joe@MailServer1:~$ sudo -l -S > > [sudo] password for joe: > > Matching Defaults entries for joe on this host: > > env_reset > > > > User joe may run the following commands on this host: > > joe@MailServer1:~$ > > > > Does that look right to you? > > > > Thank you for your help. > > That doesn't look like it includes all the needed permissions. > > It should be more like : > > User jcameron may run the following commands on this host: > (ALL) ALL > (ALL) ALL > > - Jamie Ok, this is a bit strange; 'sudo -l -S' now gives: joe@MailServer1:~$ sudo -l -S [sudo] password for joe: Matching Defaults entries for joe on this host: env_reset User joe may run the following commands on this host: (ALL) ALL joe@MailServer1:~$ But I still can't login to Webmin. Sudo from an SSH connection still continues to work. Also, I've checked the above command output on my file server which I can login to Webmin fine on, and that gives the same output as above: joe@FileServer1:~$ sudo -l -S Matching Defaults entries for joe on this host: env_reset User joe may run the following commands on this host: (ALL) ALL joe@FileServer1:~$ I'm not sure how to proceed with this. I'm tempted to do a reinstall of Webmin on this server, but I'm not convinced this will help. Thanks, Joe |
From: Jamie C. <jca...@we...> - 2012-03-30 22:46:38
|
On 30/Mar/2012 01:33 Joe Nyland <jo...@jo...> wrote .. > -----Original message----- > > > > > > Here's the output from 'sudo -l -S': > > > > > > joe@MailServer1:~$ sudo -l -S > > > [sudo] password for joe: > > > Matching Defaults entries for joe on this host: > > > env_reset > > > > > > User joe may run the following commands on this host: > > > joe@MailServer1:~$ > > > > > > Does that look right to you? > > > > > > Thank you for your help. > > > > That doesn't look like it includes all the needed permissions. > > > > It should be more like : > > > > User jcameron may run the following commands on this host: > > (ALL) ALL > > (ALL) ALL > > > > - Jamie > > Ok, this is a bit strange; 'sudo -l -S' now gives: > > joe@MailServer1:~$ sudo -l -S > [sudo] password for joe: > Matching Defaults entries for joe on this host: > env_reset > > User joe may run the following commands on this host: > (ALL) ALL > joe@MailServer1:~$ > > But I still can't login to Webmin. > > Sudo from an SSH connection still continues to work. Also, I've checked the above > command output on my file server which I can login to Webmin fine on, and that > gives the same output as above: > > joe@FileServer1:~$ sudo -l -S > Matching Defaults entries for joe on this host: > env_reset > > User joe may run the following commands on this host: > (ALL) ALL > joe@FileServer1:~$ > > I'm not sure how to proceed with this. I'm tempted to do a reinstall of Webmin > on this server, but I'm not convinced this will help. The (ALL) ALL is what Webmin is looking for .. so I would expect the login as a sudo-capable user to work now. What gets logged to the debug file now when you try to login? - Jamie |
From: Joe N. <jo...@jo...> - 2012-03-31 10:35:45
|
On 30 Mar 2012, at 23:46, Jamie Cameron wrote: > On 30/Mar/2012 01:33 Joe Nyland <jo...@jo...> wrote .. >> -----Original message----- >>>> >>>> Here's the output from 'sudo -l -S': >>>> >>>> joe@MailServer1:~$ sudo -l -S >>>> [sudo] password for joe: >>>> Matching Defaults entries for joe on this host: >>>> env_reset >>>> >>>> User joe may run the following commands on this host: >>>> joe@MailServer1:~$ >>>> >>>> Does that look right to you? >>>> >>>> Thank you for your help. >>> >>> That doesn't look like it includes all the needed permissions. >>> >>> It should be more like : >>> >>> User jcameron may run the following commands on this host: >>> (ALL) ALL >>> (ALL) ALL >>> >>> - Jamie >> >> Ok, this is a bit strange; 'sudo -l -S' now gives: >> >> joe@MailServer1:~$ sudo -l -S >> [sudo] password for joe: >> Matching Defaults entries for joe on this host: >> env_reset >> >> User joe may run the following commands on this host: >> (ALL) ALL >> joe@MailServer1:~$ >> >> But I still can't login to Webmin. >> >> Sudo from an SSH connection still continues to work. Also, I've checked the above >> command output on my file server which I can login to Webmin fine on, and that >> gives the same output as above: >> >> joe@FileServer1:~$ sudo -l -S >> Matching Defaults entries for joe on this host: >> env_reset >> >> User joe may run the following commands on this host: >> (ALL) ALL >> joe@FileServer1:~$ >> >> I'm not sure how to proceed with this. I'm tempted to do a reinstall of Webmin >> on this server, but I'm not convinced this will help. > > The (ALL) ALL is what Webmin is looking for .. so I would expect the login > as a sudo-capable user to work now. > > What gets logged to the debug file now when you try to login? > > - Jamie Here's a login attempt I just made, which has been taken from miniserv.debug: handle_request: passed timeout check handle_request reqline=POST /session_login.cgi HTTP/1.1 handle_request: got headline Host: mailserver1:10000 handle_request: got headline User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 handle_request: got headline Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 handle_request: got headline Accept-Language: en-gb,en;q=0.5 handle_request: got headline Accept-Encoding: gzip, deflate handle_request: got headline Connection: keep-alive handle_request: got headline Referer: https://mailserver1:10000/session_login.cgi handle_request: got headline Cookie: testing=1 handle_request: got headline Content-Type: application/x-www-form-urlencoded handle_request: got headline Content-Length: 29 clen_read=29 clen=29 posted_data=29 handle_request: posted_data=page=%2F&user=joe&pass=**** handle_request: Need authentication validate_user: user=joe pass=**** host=mailserver1 can_user_login: Validate with PAM validate_user: canuser=joe canmode=2 notexist=0 webminuser=root sudo=1 validate_user: unix val=1 check_sudo_permissions: querying cache for joe main: inline readsudo joe check_sudo_permissions: cache said 0 validate_user: sudo failed handle_login: requesting delay vu=joe acptip=192.168.1.205 ok=0 main: inline delay joe 192.168.1.205 0 handle_login: delay=2 blocked=0 handle_request: page=/session_login.cgi simple=/session_login.cgi handle_request: initial full= handle_request: full=/usr/share/webmin/session_login.cgi handle_request: executing CGI REMOTE_USER = BASE_REMOTE_USER = main: Done handle_request loop pid=7801 main: inline EOF For completeness, I checked my sudo privileges again, after the login attempt: joe@MailServer1:~$ sudo -l -S Matching Defaults entries for joe on this host: env_reset User joe may run the following commands on this host: (ALL) ALL However, still: "Login failed. Please try again." I'm happy to perform a reinstall of Webmin, if you think this will resolve anything. However, this would also remove any hope of finding what this issue is, so that it can be worked around in the future, if it crops up again. Thanks, Joe |
From: Jamie C. <jca...@we...> - 2012-03-31 17:37:20
|
On 31/Mar/2012 03:35 Joe Nyland <jo...@jo...> wrote .. > > On 30 Mar 2012, at 23:46, Jamie Cameron wrote: > > > On 30/Mar/2012 01:33 Joe Nyland <jo...@jo...> wrote .. > >> -----Original message----- > >>>> > >>>> Here's the output from 'sudo -l -S': > >>>> > >>>> joe@MailServer1:~$ sudo -l -S > >>>> [sudo] password for joe: > >>>> Matching Defaults entries for joe on this host: > >>>> env_reset > >>>> > >>>> User joe may run the following commands on this host: > >>>> joe@MailServer1:~$ > >>>> > >>>> Does that look right to you? > >>>> > >>>> Thank you for your help. > >>> > >>> That doesn't look like it includes all the needed permissions. > >>> > >>> It should be more like : > >>> > >>> User jcameron may run the following commands on this host: > >>> (ALL) ALL > >>> (ALL) ALL > >>> > >>> - Jamie > >> > >> Ok, this is a bit strange; 'sudo -l -S' now gives: > >> > >> joe@MailServer1:~$ sudo -l -S > >> [sudo] password for joe: > >> Matching Defaults entries for joe on this host: > >> env_reset > >> > >> User joe may run the following commands on this host: > >> (ALL) ALL > >> joe@MailServer1:~$ > >> > >> But I still can't login to Webmin. > >> > >> Sudo from an SSH connection still continues to work. Also, I've checked the > above > >> command output on my file server which I can login to Webmin fine on, and that > >> gives the same output as above: > >> > >> joe@FileServer1:~$ sudo -l -S > >> Matching Defaults entries for joe on this host: > >> env_reset > >> > >> User joe may run the following commands on this host: > >> (ALL) ALL > >> joe@FileServer1:~$ > >> > >> I'm not sure how to proceed with this. I'm tempted to do a reinstall of Webmin > >> on this server, but I'm not convinced this will help. > > > > The (ALL) ALL is what Webmin is looking for .. so I would expect the login > > as a sudo-capable user to work now. > > > > What gets logged to the debug file now when you try to login? > > > > - Jamie > > Here's a login attempt I just made, which has been taken from miniserv.debug: > > handle_request: passed timeout check > handle_request reqline=POST /session_login.cgi HTTP/1.1 > handle_request: got headline Host: mailserver1:10000 > handle_request: got headline User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X > 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 > handle_request: got headline Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > handle_request: got headline Accept-Language: en-gb,en;q=0.5 > handle_request: got headline Accept-Encoding: gzip, deflate > handle_request: got headline Connection: keep-alive > handle_request: got headline Referer: https://mailserver1:10000/session_login.cgi > handle_request: got headline Cookie: testing=1 > handle_request: got headline Content-Type: application/x-www-form-urlencoded > handle_request: got headline Content-Length: 29 > clen_read=29 clen=29 posted_data=29 > handle_request: posted_data=page=%2F&user=joe&pass=**** > handle_request: Need authentication > validate_user: user=joe pass=**** host=mailserver1 > can_user_login: Validate with PAM > validate_user: canuser=joe canmode=2 notexist=0 webminuser=root sudo=1 > validate_user: unix val=1 > check_sudo_permissions: querying cache for joe > main: inline readsudo joe > check_sudo_permissions: cache said 0 > validate_user: sudo failed > handle_login: requesting delay vu=joe acptip=192.168.1.205 ok=0 > main: inline delay joe 192.168.1.205 0 > handle_login: delay=2 blocked=0 > handle_request: page=/session_login.cgi simple=/session_login.cgi > handle_request: initial full= > handle_request: full=/usr/share/webmin/session_login.cgi > handle_request: executing CGI > REMOTE_USER = > BASE_REMOTE_USER = > main: Done handle_request loop pid=7801 > main: inline EOF > > For completeness, I checked my sudo privileges again, after the login attempt: > > joe@MailServer1:~$ sudo -l -S > Matching Defaults entries for joe on this host: > env_reset > > User joe may run the following commands on this host: > (ALL) ALL > > However, still: "Login failed. Please try again." > > I'm happy to perform a reinstall of Webmin, if you think this will resolve anything. > However, this would also remove any hope of finding what this issue is, so that > it can be worked around in the future, if it crops up again. Looks like Webmin was caching the response from sudo in that check .. I can tell from the message "check_sudo_permissions: cache said 0" Try running /etc/webmin/restart , and then immediately after attempting a login and post what gets logged to the debug file. I'm pretty sure a re-install won't help here. - Jamie |
From: Joe N. <jo...@jo...> - 2012-03-31 20:20:27
|
On 31 Mar 2012, at 18:37, Jamie Cameron wrote: > On 31/Mar/2012 03:35 Joe Nyland <jo...@jo...> wrote .. >> >> On 30 Mar 2012, at 23:46, Jamie Cameron wrote: >> >>> On 30/Mar/2012 01:33 Joe Nyland <jo...@jo...> wrote .. >>>> -----Original message----- >>>>>> >>>>>> Here's the output from 'sudo -l -S': >>>>>> >>>>>> joe@MailServer1:~$ sudo -l -S >>>>>> [sudo] password for joe: >>>>>> Matching Defaults entries for joe on this host: >>>>>> env_reset >>>>>> >>>>>> User joe may run the following commands on this host: >>>>>> joe@MailServer1:~$ >>>>>> >>>>>> Does that look right to you? >>>>>> >>>>>> Thank you for your help. >>>>> >>>>> That doesn't look like it includes all the needed permissions. >>>>> >>>>> It should be more like : >>>>> >>>>> User jcameron may run the following commands on this host: >>>>> (ALL) ALL >>>>> (ALL) ALL >>>>> >>>>> - Jamie >>>> >>>> Ok, this is a bit strange; 'sudo -l -S' now gives: >>>> >>>> joe@MailServer1:~$ sudo -l -S >>>> [sudo] password for joe: >>>> Matching Defaults entries for joe on this host: >>>> env_reset >>>> >>>> User joe may run the following commands on this host: >>>> (ALL) ALL >>>> joe@MailServer1:~$ >>>> >>>> But I still can't login to Webmin. >>>> >>>> Sudo from an SSH connection still continues to work. Also, I've checked the >> above >>>> command output on my file server which I can login to Webmin fine on, and that >>>> gives the same output as above: >>>> >>>> joe@FileServer1:~$ sudo -l -S >>>> Matching Defaults entries for joe on this host: >>>> env_reset >>>> >>>> User joe may run the following commands on this host: >>>> (ALL) ALL >>>> joe@FileServer1:~$ >>>> >>>> I'm not sure how to proceed with this. I'm tempted to do a reinstall of Webmin >>>> on this server, but I'm not convinced this will help. >>> >>> The (ALL) ALL is what Webmin is looking for .. so I would expect the login >>> as a sudo-capable user to work now. >>> >>> What gets logged to the debug file now when you try to login? >>> >>> - Jamie >> >> Here's a login attempt I just made, which has been taken from miniserv.debug: >> >> handle_request: passed timeout check >> handle_request reqline=POST /session_login.cgi HTTP/1.1 >> handle_request: got headline Host: mailserver1:10000 >> handle_request: got headline User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X >> 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 >> handle_request: got headline Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 >> handle_request: got headline Accept-Language: en-gb,en;q=0.5 >> handle_request: got headline Accept-Encoding: gzip, deflate >> handle_request: got headline Connection: keep-alive >> handle_request: got headline Referer: https://mailserver1:10000/session_login.cgi >> handle_request: got headline Cookie: testing=1 >> handle_request: got headline Content-Type: application/x-www-form-urlencoded >> handle_request: got headline Content-Length: 29 >> clen_read=29 clen=29 posted_data=29 >> handle_request: posted_data=page=%2F&user=joe&pass=**** >> handle_request: Need authentication >> validate_user: user=joe pass=**** host=mailserver1 >> can_user_login: Validate with PAM >> validate_user: canuser=joe canmode=2 notexist=0 webminuser=root sudo=1 >> validate_user: unix val=1 >> check_sudo_permissions: querying cache for joe >> main: inline readsudo joe >> check_sudo_permissions: cache said 0 >> validate_user: sudo failed >> handle_login: requesting delay vu=joe acptip=192.168.1.205 ok=0 >> main: inline delay joe 192.168.1.205 0 >> handle_login: delay=2 blocked=0 >> handle_request: page=/session_login.cgi simple=/session_login.cgi >> handle_request: initial full= >> handle_request: full=/usr/share/webmin/session_login.cgi >> handle_request: executing CGI >> REMOTE_USER = >> BASE_REMOTE_USER = >> main: Done handle_request loop pid=7801 >> main: inline EOF >> >> For completeness, I checked my sudo privileges again, after the login attempt: >> >> joe@MailServer1:~$ sudo -l -S >> Matching Defaults entries for joe on this host: >> env_reset >> >> User joe may run the following commands on this host: >> (ALL) ALL >> >> However, still: "Login failed. Please try again." >> >> I'm happy to perform a reinstall of Webmin, if you think this will resolve anything. >> However, this would also remove any hope of finding what this issue is, so that >> it can be worked around in the future, if it crops up again. > > Looks like Webmin was caching the response from sudo in that check .. I can tell > from the message "check_sudo_permissions: cache said 0" > > Try running /etc/webmin/restart , and then immediately after attempting a login > and post what gets logged to the debug file. > > I'm pretty sure a re-install won't help here. > > - Jamie Still no luck, I'm afraid: miniserv.pl starting .. Reading crons from /etc/webmin/webmincron/crons adding cron id=133215899832608 module=system-status func=scheduled_collect_system_info adding cron id=133215899832422 module=cron func=cleanup_temp_files Running cron id=133215899832422 module=cron func=cleanup_temp_files main: Starting handle_request loop pid=16829 handle_request: from 192.168.1.205 to 192.168.1.8 ipv6=0 handle_request: passed IP checks handle_request: passed timeout check handle_request reqline=POST /session_login.cgi HTTP/1.1 handle_request: got headline Host: mailserver1:10000 handle_request: got headline User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 handle_request: got headline Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 handle_request: got headline Accept-Language: en-gb,en;q=0.5 handle_request: got headline Accept-Encoding: gzip, deflate handle_request: got headline Connection: keep-alive handle_request: got headline Referer: https://mailserver1:10000/ handle_request: got headline Cookie: testing=1 handle_request: got headline Content-Type: application/x-www-form-urlencoded handle_request: got headline Content-Length: 29 clen_read=29 clen=29 posted_data=29 handle_request: posted_data=page=%2F&user=joe&pass=*** handle_request: Need authentication validate_user: user=joe pass=*** host=mailserver1 can_user_login: Validate with PAM validate_user: canuser=joe canmode=2 notexist=0 webminuser=root sudo=1 validate_user: unix val=1 check_sudo_permissions: querying cache for joe main: inline readsudo joe check_sudo_permissions: cache said 2 check_sudo_permissions: ptyfh=IO::Pty=GLOB(0x281df28) check_sudo_permissions: ttyfh=IO::Tty=GLOB(0x3326030) check_sudo_permissions: tty=/dev/pts/1 check_sudo_permissions: about to fork.. check_sudo_permissions: fork=0 pid=16831 check_sudo_permissions: fork=16831 pid=16829 check_sudo_permissions: pid=16831 check_sudo_permissions: about to send pass check_sudo_permissions: sent pass=*** validate_user: sudo failed handle_login: requesting delay vu=joe acptip=192.168.1.205 ok=0 main: inline writesudo joe 0 main: inline delay joe 192.168.1.205 0 handle_login: delay=0 blocked=0 handle_request: page=/session_login.cgi simple=/session_login.cgi handle_request: initial full= handle_request: full=/usr/share/webmin/session_login.cgi handle_request: executing CGI REMOTE_USER = BASE_REMOTE_USER = main: Done handle_request loop pid=16829 Running cron id=133215899832608 module=system-status func=scheduled_collect_system_info main: inline EOF Running cron id=133215899832422 module=cron func=cleanup_temp_files Thank you for you continued support. Joe |
From: Fajar P. <faj...@ar...> - 2012-04-01 01:17:42
|
Hi Joe. Why dont you try my suggestion of creating another admin and login with it? Maybe you accidentally set your account to "no password accepted". Sent from my iPhone On Apr 1, 2012, at 4:20 AM, Joe Nyland <jo...@jo...> wrote: > > On 31 Mar 2012, at 18:37, Jamie Cameron wrote: > >> On 31/Mar/2012 03:35 Joe Nyland <jo...@jo...> wrote .. >>> >>> On 30 Mar 2012, at 23:46, Jamie Cameron wrote: >>> >>>> On 30/Mar/2012 01:33 Joe Nyland <jo...@jo...> wrote .. >>>>> -----Original message----- >>>>>>> >>>>>>> Here's the output from 'sudo -l -S': >>>>>>> >>>>>>> joe@MailServer1:~$ sudo -l -S >>>>>>> [sudo] password for joe: >>>>>>> Matching Defaults entries for joe on this host: >>>>>>> env_reset >>>>>>> >>>>>>> User joe may run the following commands on this host: >>>>>>> joe@MailServer1:~$ >>>>>>> >>>>>>> Does that look right to you? >>>>>>> >>>>>>> Thank you for your help. >>>>>> >>>>>> That doesn't look like it includes all the needed permissions. >>>>>> >>>>>> It should be more like : >>>>>> >>>>>> User jcameron may run the following commands on this host: >>>>>> (ALL) ALL >>>>>> (ALL) ALL >>>>>> >>>>>> - Jamie >>>>> >>>>> Ok, this is a bit strange; 'sudo -l -S' now gives: >>>>> >>>>> joe@MailServer1:~$ sudo -l -S >>>>> [sudo] password for joe: >>>>> Matching Defaults entries for joe on this host: >>>>> env_reset >>>>> >>>>> User joe may run the following commands on this host: >>>>> (ALL) ALL >>>>> joe@MailServer1:~$ >>>>> >>>>> But I still can't login to Webmin. >>>>> >>>>> Sudo from an SSH connection still continues to work. Also, I've checked the >>> above >>>>> command output on my file server which I can login to Webmin fine on, and that >>>>> gives the same output as above: >>>>> >>>>> joe@FileServer1:~$ sudo -l -S >>>>> Matching Defaults entries for joe on this host: >>>>> env_reset >>>>> >>>>> User joe may run the following commands on this host: >>>>> (ALL) ALL >>>>> joe@FileServer1:~$ >>>>> >>>>> I'm not sure how to proceed with this. I'm tempted to do a reinstall of Webmin >>>>> on this server, but I'm not convinced this will help. >>>> >>>> The (ALL) ALL is what Webmin is looking for .. so I would expect the login >>>> as a sudo-capable user to work now. >>>> >>>> What gets logged to the debug file now when you try to login? >>>> >>>> - Jamie >>> >>> Here's a login attempt I just made, which has been taken from miniserv.debug: >>> >>> handle_request: passed timeout check >>> handle_request reqline=POST /session_login.cgi HTTP/1.1 >>> handle_request: got headline Host: mailserver1:10000 >>> handle_request: got headline User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X >>> 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 >>> handle_request: got headline Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 >>> handle_request: got headline Accept-Language: en-gb,en;q=0.5 >>> handle_request: got headline Accept-Encoding: gzip, deflate >>> handle_request: got headline Connection: keep-alive >>> handle_request: got headline Referer: https://mailserver1:10000/session_login.cgi >>> handle_request: got headline Cookie: testing=1 >>> handle_request: got headline Content-Type: application/x-www-form-urlencoded >>> handle_request: got headline Content-Length: 29 >>> clen_read=29 clen=29 posted_data=29 >>> handle_request: posted_data=page=%2F&user=joe&pass=**** >>> handle_request: Need authentication >>> validate_user: user=joe pass=**** host=mailserver1 >>> can_user_login: Validate with PAM >>> validate_user: canuser=joe canmode=2 notexist=0 webminuser=root sudo=1 >>> validate_user: unix val=1 >>> check_sudo_permissions: querying cache for joe >>> main: inline readsudo joe >>> check_sudo_permissions: cache said 0 >>> validate_user: sudo failed >>> handle_login: requesting delay vu=joe acptip=192.168.1.205 ok=0 >>> main: inline delay joe 192.168.1.205 0 >>> handle_login: delay=2 blocked=0 >>> handle_request: page=/session_login.cgi simple=/session_login.cgi >>> handle_request: initial full= >>> handle_request: full=/usr/share/webmin/session_login.cgi >>> handle_request: executing CGI >>> REMOTE_USER = >>> BASE_REMOTE_USER = >>> main: Done handle_request loop pid=7801 >>> main: inline EOF >>> >>> For completeness, I checked my sudo privileges again, after the login attempt: >>> >>> joe@MailServer1:~$ sudo -l -S >>> Matching Defaults entries for joe on this host: >>> env_reset >>> >>> User joe may run the following commands on this host: >>> (ALL) ALL >>> >>> However, still: "Login failed. Please try again." >>> >>> I'm happy to perform a reinstall of Webmin, if you think this will resolve anything. >>> However, this would also remove any hope of finding what this issue is, so that >>> it can be worked around in the future, if it crops up again. >> >> Looks like Webmin was caching the response from sudo in that check .. I can tell >> from the message "check_sudo_permissions: cache said 0" >> >> Try running /etc/webmin/restart , and then immediately after attempting a login >> and post what gets logged to the debug file. >> >> I'm pretty sure a re-install won't help here. >> >> - Jamie > > Still no luck, I'm afraid: > > miniserv.pl starting .. > Reading crons from /etc/webmin/webmincron/crons > adding cron id=133215899832608 module=system-status func=scheduled_collect_system_info > adding cron id=133215899832422 module=cron func=cleanup_temp_files > Running cron id=133215899832422 module=cron func=cleanup_temp_files > main: Starting handle_request loop pid=16829 > handle_request: from 192.168.1.205 to 192.168.1.8 ipv6=0 > handle_request: passed IP checks > handle_request: passed timeout check > handle_request reqline=POST /session_login.cgi HTTP/1.1 > handle_request: got headline Host: mailserver1:10000 > handle_request: got headline User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 > handle_request: got headline Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > handle_request: got headline Accept-Language: en-gb,en;q=0.5 > handle_request: got headline Accept-Encoding: gzip, deflate > handle_request: got headline Connection: keep-alive > handle_request: got headline Referer: https://mailserver1:10000/ > handle_request: got headline Cookie: testing=1 > handle_request: got headline Content-Type: application/x-www-form-urlencoded > handle_request: got headline Content-Length: 29 > clen_read=29 clen=29 posted_data=29 > handle_request: posted_data=page=%2F&user=joe&pass=*** > handle_request: Need authentication > validate_user: user=joe pass=*** host=mailserver1 > can_user_login: Validate with PAM > validate_user: canuser=joe canmode=2 notexist=0 webminuser=root sudo=1 > validate_user: unix val=1 > check_sudo_permissions: querying cache for joe > main: inline readsudo joe > check_sudo_permissions: cache said 2 > check_sudo_permissions: ptyfh=IO::Pty=GLOB(0x281df28) > check_sudo_permissions: ttyfh=IO::Tty=GLOB(0x3326030) > check_sudo_permissions: tty=/dev/pts/1 > check_sudo_permissions: about to fork.. > check_sudo_permissions: fork=0 pid=16831 > check_sudo_permissions: fork=16831 pid=16829 > check_sudo_permissions: pid=16831 > check_sudo_permissions: about to send pass > check_sudo_permissions: sent pass=*** > validate_user: sudo failed > handle_login: requesting delay vu=joe acptip=192.168.1.205 ok=0 > main: inline writesudo joe 0 > main: inline delay joe 192.168.1.205 0 > handle_login: delay=0 blocked=0 > handle_request: page=/session_login.cgi simple=/session_login.cgi > handle_request: initial full= > handle_request: full=/usr/share/webmin/session_login.cgi > handle_request: executing CGI > REMOTE_USER = > BASE_REMOTE_USER = > main: Done handle_request loop pid=16829 > Running cron id=133215899832608 module=system-status func=scheduled_collect_system_info > main: inline EOF > Running cron id=133215899832422 module=cron func=cleanup_temp_files > > Thank you for you continued support. > > Joe > > > ------------------------------------------------------------------------------ > This SF email is sponsosred by: > Try Windows Azure free for 90 days Click Here > http://p.sf.net/sfu/sfd2d-msazure > - > Forwarded by the Webmin mailing list at web...@li... > To remove yourself from this list, go to > http://lists.sourceforge.net/lists/listinfo/webadmin-list |
From: Joe N. <jo...@jo...> - 2012-04-02 06:04:52
|
On 1 Apr 2012, at 01:19, Fajar Priyanto wrote: > On Apr 1, 2012, at 4:20 AM, Joe Nyland <jo...@jo...> wrote: >> >> On 31 Mar 2012, at 18:37, Jamie Cameron wrote: >> >>> On 31/Mar/2012 03:35 Joe Nyland <jo...@jo...> wrote .. >>>> >>>> On 30 Mar 2012, at 23:46, Jamie Cameron wrote: >>>> >>>>> On 30/Mar/2012 01:33 Joe Nyland <jo...@jo...> wrote .. >>>>>> -----Original message----- >>>>>>>> >>>>>>>> Here's the output from 'sudo -l -S': >>>>>>>> >>>>>>>> joe@MailServer1:~$ sudo -l -S >>>>>>>> [sudo] password for joe: >>>>>>>> Matching Defaults entries for joe on this host: >>>>>>>> env_reset >>>>>>>> >>>>>>>> User joe may run the following commands on this host: >>>>>>>> joe@MailServer1:~$ >>>>>>>> >>>>>>>> Does that look right to you? >>>>>>>> >>>>>>>> Thank you for your help. >>>>>>> >>>>>>> That doesn't look like it includes all the needed permissions. >>>>>>> >>>>>>> It should be more like : >>>>>>> >>>>>>> User jcameron may run the following commands on this host: >>>>>>> (ALL) ALL >>>>>>> (ALL) ALL >>>>>>> >>>>>>> - Jamie >>>>>> >>>>>> Ok, this is a bit strange; 'sudo -l -S' now gives: >>>>>> >>>>>> joe@MailServer1:~$ sudo -l -S >>>>>> [sudo] password for joe: >>>>>> Matching Defaults entries for joe on this host: >>>>>> env_reset >>>>>> >>>>>> User joe may run the following commands on this host: >>>>>> (ALL) ALL >>>>>> joe@MailServer1:~$ >>>>>> >>>>>> But I still can't login to Webmin. >>>>>> >>>>>> Sudo from an SSH connection still continues to work. Also, I've checked the >>>> above >>>>>> command output on my file server which I can login to Webmin fine on, and that >>>>>> gives the same output as above: >>>>>> >>>>>> joe@FileServer1:~$ sudo -l -S >>>>>> Matching Defaults entries for joe on this host: >>>>>> env_reset >>>>>> >>>>>> User joe may run the following commands on this host: >>>>>> (ALL) ALL >>>>>> joe@FileServer1:~$ >>>>>> >>>>>> I'm not sure how to proceed with this. I'm tempted to do a reinstall of Webmin >>>>>> on this server, but I'm not convinced this will help. >>>>> >>>>> The (ALL) ALL is what Webmin is looking for .. so I would expect the login >>>>> as a sudo-capable user to work now. >>>>> >>>>> What gets logged to the debug file now when you try to login? >>>>> >>>>> - Jamie >>>> >>>> Here's a login attempt I just made, which has been taken from miniserv.debug: >>>> >>>> handle_request: passed timeout check >>>> handle_request reqline=POST /session_login.cgi HTTP/1.1 >>>> handle_request: got headline Host: mailserver1:10000 >>>> handle_request: got headline User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X >>>> 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 >>>> handle_request: got headline Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 >>>> handle_request: got headline Accept-Language: en-gb,en;q=0.5 >>>> handle_request: got headline Accept-Encoding: gzip, deflate >>>> handle_request: got headline Connection: keep-alive >>>> handle_request: got headline Referer: https://mailserver1:10000/session_login.cgi >>>> handle_request: got headline Cookie: testing=1 >>>> handle_request: got headline Content-Type: application/x-www-form-urlencoded >>>> handle_request: got headline Content-Length: 29 >>>> clen_read=29 clen=29 posted_data=29 >>>> handle_request: posted_data=page=%2F&user=joe&pass=**** >>>> handle_request: Need authentication >>>> validate_user: user=joe pass=**** host=mailserver1 >>>> can_user_login: Validate with PAM >>>> validate_user: canuser=joe canmode=2 notexist=0 webminuser=root sudo=1 >>>> validate_user: unix val=1 >>>> check_sudo_permissions: querying cache for joe >>>> main: inline readsudo joe >>>> check_sudo_permissions: cache said 0 >>>> validate_user: sudo failed >>>> handle_login: requesting delay vu=joe acptip=192.168.1.205 ok=0 >>>> main: inline delay joe 192.168.1.205 0 >>>> handle_login: delay=2 blocked=0 >>>> handle_request: page=/session_login.cgi simple=/session_login.cgi >>>> handle_request: initial full= >>>> handle_request: full=/usr/share/webmin/session_login.cgi >>>> handle_request: executing CGI >>>> REMOTE_USER = >>>> BASE_REMOTE_USER = >>>> main: Done handle_request loop pid=7801 >>>> main: inline EOF >>>> >>>> For completeness, I checked my sudo privileges again, after the login attempt: >>>> >>>> joe@MailServer1:~$ sudo -l -S >>>> Matching Defaults entries for joe on this host: >>>> env_reset >>>> >>>> User joe may run the following commands on this host: >>>> (ALL) ALL >>>> >>>> However, still: "Login failed. Please try again." >>>> >>>> I'm happy to perform a reinstall of Webmin, if you think this will resolve anything. >>>> However, this would also remove any hope of finding what this issue is, so that >>>> it can be worked around in the future, if it crops up again. >>> >>> Looks like Webmin was caching the response from sudo in that check .. I can tell >>> from the message "check_sudo_permissions: cache said 0" >>> >>> Try running /etc/webmin/restart , and then immediately after attempting a login >>> and post what gets logged to the debug file. >>> >>> I'm pretty sure a re-install won't help here. >>> >>> - Jamie >> >> Still no luck, I'm afraid: >> >> miniserv.pl starting .. >> Reading crons from /etc/webmin/webmincron/crons >> adding cron id=133215899832608 module=system-status func=scheduled_collect_system_info >> adding cron id=133215899832422 module=cron func=cleanup_temp_files >> Running cron id=133215899832422 module=cron func=cleanup_temp_files >> main: Starting handle_request loop pid=16829 >> handle_request: from 192.168.1.205 to 192.168.1.8 ipv6=0 >> handle_request: passed IP checks >> handle_request: passed timeout check >> handle_request reqline=POST /session_login.cgi HTTP/1.1 >> handle_request: got headline Host: mailserver1:10000 >> handle_request: got headline User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 >> handle_request: got headline Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 >> handle_request: got headline Accept-Language: en-gb,en;q=0.5 >> handle_request: got headline Accept-Encoding: gzip, deflate >> handle_request: got headline Connection: keep-alive >> handle_request: got headline Referer: https://mailserver1:10000/ >> handle_request: got headline Cookie: testing=1 >> handle_request: got headline Content-Type: application/x-www-form-urlencoded >> handle_request: got headline Content-Length: 29 >> clen_read=29 clen=29 posted_data=29 >> handle_request: posted_data=page=%2F&user=joe&pass=*** >> handle_request: Need authentication >> validate_user: user=joe pass=*** host=mailserver1 >> can_user_login: Validate with PAM >> validate_user: canuser=joe canmode=2 notexist=0 webminuser=root sudo=1 >> validate_user: unix val=1 >> check_sudo_permissions: querying cache for joe >> main: inline readsudo joe >> check_sudo_permissions: cache said 2 >> check_sudo_permissions: ptyfh=IO::Pty=GLOB(0x281df28) >> check_sudo_permissions: ttyfh=IO::Tty=GLOB(0x3326030) >> check_sudo_permissions: tty=/dev/pts/1 >> check_sudo_permissions: about to fork.. >> check_sudo_permissions: fork=0 pid=16831 >> check_sudo_permissions: fork=16831 pid=16829 >> check_sudo_permissions: pid=16831 >> check_sudo_permissions: about to send pass >> check_sudo_permissions: sent pass=*** >> validate_user: sudo failed >> handle_login: requesting delay vu=joe acptip=192.168.1.205 ok=0 >> main: inline writesudo joe 0 >> main: inline delay joe 192.168.1.205 0 >> handle_login: delay=0 blocked=0 >> handle_request: page=/session_login.cgi simple=/session_login.cgi >> handle_request: initial full= >> handle_request: full=/usr/share/webmin/session_login.cgi >> handle_request: executing CGI >> REMOTE_USER = >> BASE_REMOTE_USER = >> main: Done handle_request loop pid=16829 >> Running cron id=133215899832608 module=system-status func=scheduled_collect_system_info >> main: inline EOF >> Running cron id=133215899832422 module=cron func=cleanup_temp_files >> >> Thank you for you continued support. >> >> Joe > Hi Joe. Why dont you try my suggestion of creating another admin and login with it? Maybe you accidentally set your account to "no password accepted". > > Sent from my iPhone Hi Fajar, Thanks for your suggestion. I've just tried it now; I created a new user with the same group membership as my main admin user, like so: $: sudo useradd -m -U -G adm,dialout,cdrom,plugdev,lpadmin,sambashare,admin joe_admin_test I then gave the user a different password (more complex) than my own on this system: $: sudo passwd joe_admin_test But still no luck, I'm afraid: main: Starting handle_request loop pid=17006 handle_request: from 192.168.1.205 to 192.168.1.8 ipv6=0 handle_request: passed IP checks handle_request: passed timeout check handle_request reqline=POST /session_login.cgi HTTP/1.1 handle_request: got headline Host: mailserver1:10000 handle_request: got headline User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 handle_request: got headline Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 handle_request: got headline Accept-Language: en-gb,en;q=0.5 handle_request: got headline Accept-Encoding: gzip, deflate handle_request: got headline Connection: keep-alive handle_request: got headline Referer: https://mailserver1:10000/ handle_request: got headline Cookie: testing=1 handle_request: got headline Content-Type: application/x-www-form-urlencoded handle_request: got headline Content-Length: 43 clen_read=43 clen=43 posted_data=43 handle_request: posted_data=page=%2F&user=joe_admin_test&pass=*** handle_request: Need authentication validate_user: user=joe_admin_test pass=*** host=mailserver1 can_user_login: Validate with PAM validate_user: canuser=joe_admin_test canmode=2 notexist=0 webminuser=root sudo=1 validate_user: unix val=1 check_sudo_permissions: querying cache for joe_admin_test main: inline readsudo joe_admin_test check_sudo_permissions: cache said 2 check_sudo_permissions: ptyfh=IO::Pty=GLOB(0x281de50) check_sudo_permissions: ttyfh=IO::Tty=GLOB(0x3326108) check_sudo_permissions: tty=/dev/pts/1 check_sudo_permissions: about to fork.. check_sudo_permissions: fork=17007 pid=17006 check_sudo_permissions: pid=17007 check_sudo_permissions: fork=0 pid=17007 check_sudo_permissions: about to send pass check_sudo_permissions: sent pass=*** check_sudo_permissions: got [sudo] password for joe_admin_test: validate_user: sudo failed main: inline writesudo joe_admin_test 0 handle_login: requesting delay vu=joe_admin_test acptip=192.168.1.205 ok=0 main: inline delay joe_admin_test 192.168.1.205 0 handle_login: delay=0 blocked=0 handle_request: page=/session_login.cgi simple=/session_login.cgi handle_request: initial full= handle_request: full=/usr/share/webmin/session_login.cgi handle_request: executing CGI REMOTE_USER = BASE_REMOTE_USER = main: Done handle_request loop pid=17006 main: inline EOF Thank you for your help. Joe |
From: Fajar P. <faj...@ar...> - 2012-04-02 06:16:48
|
On Mon, Apr 2, 2012 at 2:04 PM, Joe Nyland <jo...@jo...> wrote: >> Hi Joe. Why dont you try my suggestion of creating another admin and login with it? Maybe you accidentally set your account to "no password accepted". > Hi Fajar, > > Thanks for your suggestion. > I've just tried it now; I created a new user with the same group membership as my main admin user, like so: > $: sudo useradd -m -U -G adm,dialout,cdrom,plugdev,lpadmin,sambashare,admin joe_admin_test > I then gave the user a different password (more complex) than my own on this system: > $: sudo passwd joe_admin_test > > But still no luck, I'm afraid: > > main: Starting handle_request loop pid=17006 > handle_request: from 192.168.1.205 to 192.168.1.8 ipv6=0 > handle_request: passed IP checks > handle_request: passed timeout check > handle_request reqline=POST /session_login.cgi HTTP/1.1 > handle_request: got headline Host: mailserver1:10000 > handle_request: got headline User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 > handle_request: got headline Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > handle_request: got headline Accept-Language: en-gb,en;q=0.5 > handle_request: got headline Accept-Encoding: gzip, deflate > handle_request: got headline Connection: keep-alive > handle_request: got headline Referer: https://mailserver1:10000/ > handle_request: got headline Cookie: testing=1 > handle_request: got headline Content-Type: application/x-www-form-urlencoded > handle_request: got headline Content-Length: 43 > clen_read=43 clen=43 posted_data=43 > handle_request: posted_data=page=%2F&user=joe_admin_test&pass=*** > handle_request: Need authentication > validate_user: user=joe_admin_test pass=*** host=mailserver1 > can_user_login: Validate with PAM > validate_user: canuser=joe_admin_test canmode=2 notexist=0 webminuser=root sudo=1 > validate_user: unix val=1 > check_sudo_permissions: querying cache for joe_admin_test > main: inline readsudo joe_admin_test > check_sudo_permissions: cache said 2 > check_sudo_permissions: ptyfh=IO::Pty=GLOB(0x281de50) > check_sudo_permissions: ttyfh=IO::Tty=GLOB(0x3326108) > check_sudo_permissions: tty=/dev/pts/1 > check_sudo_permissions: about to fork.. > check_sudo_permissions: fork=17007 pid=17006 > check_sudo_permissions: pid=17007 > check_sudo_permissions: fork=0 pid=17007 > check_sudo_permissions: about to send pass > check_sudo_permissions: sent pass=*** > check_sudo_permissions: got [sudo] password for joe_admin_test: validate_user: sudo failed > main: inline writesudo joe_admin_test 0 > handle_login: requesting delay vu=joe_admin_test acptip=192.168.1.205 ok=0 > main: inline delay joe_admin_test 192.168.1.205 0 > handle_login: delay=0 blocked=0 > handle_request: page=/session_login.cgi simple=/session_login.cgi > handle_request: initial full= > handle_request: full=/usr/share/webmin/session_login.cgi > handle_request: executing CGI > REMOTE_USER = > BASE_REMOTE_USER = > main: Done handle_request loop pid=17006 > main: inline EOF Hi Joe, Sorry to hear that. Any particular changes you remember that could cause this? OS update? System crashes? One last suggestion: How about try accessing Webmin from different computer, different Browser? -- http://linux3.arinet.org |
From: Andrey R. <anr...@fr...> - 2012-04-02 06:49:58
|
Greetings, Webmin users list! > Any particular changes you remember that could cause this? For me, I've installed new version (1.570, I recall), when things went south. > OS update? System crashes? > One last suggestion: > How about try accessing Webmin from different computer, different Browser? I did that, nothing changes. Mac, Win, Linux. Opera, Safari, IE. In any appropriate combination. No difference. auth: sudo: failed attempt -- WBR, Andrey Repin (anr...@fr...) 02.04.2012, <10:41> Sorry for my terrible english... |
From: Joe N. <jo...@jo...> - 2012-04-02 07:47:42
|
-----Original message----- From: Andrey Repin <anr...@fr...> Sent: Mon 02-04-2012 07:51 Subject: Re: [webmin-l] "Login failed. Please try again." "validate_user: sudo failed" on Ubuntu 10.04.4 Webmin 1.580 To: Webmin users list <web...@li...>; > Greetings, Webmin users list! > > > Any particular changes you remember that could cause this? > > For me, I've installed new version (1.570, I recall), when things went south. > > > OS update? System crashes? > > > One last suggestion: > > How about try accessing Webmin from different computer, different Browser? > > I did that, nothing changes. > Mac, Win, Linux. Opera, Safari, IE. In any appropriate combination. No > difference. > auth: sudo: failed attempt > > > -- > WBR, > Andrey Repin (anr...@fr...) 02.04.2012, <10:41> > > Sorry for my terrible english... Hello, As I said in my original email, this is a relatively new system build, so yes, OS updates were made prior to the error. However the system had been commissioned for approx. 2 weeks, before Webmin suddenly stopped letting users login. No system crashes though. As Andrey has reported, I too have tried this from several Mac/Win/Linux systems, Firefox/IE/Safari but I'm still unable to login. Cleared browser caches, etc. Thanks, Joe |
From: Joe N. <jo...@jo...> - 2012-04-03 14:56:13
|
-----Original message----- From: Andrey Repin <anr...@fr...> Sent: Tue 03-04-2012 15:36 Subject: Re: [webmin-l] "Login failed. Please try again." "validate_user: sudo failed" on Ubuntu 10.04.4 Webmin 1.580 To: Webmin users list <web...@li...>; > Greetings, Webmin users list! > > > The work-around would be to set a password for your root user in Webmin's own > password > > file, which will let you login as root instead of as a sudo-capable user. > This can be > > done with a command like : > > > /usr/share/webmin/changepass.pl /etc/webmin root xyz > > > where xyz is the password. > > Can we have it read password from STDIN, if one is not set at command line, > please? > I can cleanup the history file, of course, but that is needless work. > > And, I would very much like to see the real issue resolved. > Can I help you trace it down? Do you need any additional information? > > For my account, > # sudo -S -l > User anrdaemon may run the following commands on this host: > (ALL) ALL > > I don't know, how to enable debug log, though. > > > -- > WBR, > Andrey Repin (anr...@fr...) 03.04.2012, <18:16> > > Sorry for my terrible english... > I agree that I feel this issue needs to be addressed, if at all possible. I feel that enabling root login (albeit only to Webmin and only to the local network) on a public facing mail server may not be the best option. I don't have this issue on other servers, so it seems to be something environment specific... I appreciate it's not affecting everyone and this is a open source project so I am very grateful for vast amounts of time and also money invested in the project. I too am more than happy to continue troubleshooting/testing with you to resolve this. I understand the issue may not be directly Webmin's fault, if it's sudo that's not playing ball? If this is the case and you can give me some more information about it, I can log a bug with Ubuntu? I fear if I did this with the little information I have at the moment the bug would be rejected more or less straight away, though. @Andrey: > I don't know, how to enable debug log, though. Add: debuglog=/var/webmin/miniserv.debug to end of: /etc/webmin/miniserv.conf Then issue: sudo service webmin restart The debug log will be created in /var/webmin/miniserv.debug Joe |
From: Jamie C. <jca...@we...> - 2012-04-03 19:52:02
|
On 03/Apr/2012 07:55 Joe Nyland <jo...@jo...> wrote .. > -----Original message----- > From: Andrey Repin <anr...@fr...> > Sent: Tue 03-04-2012 15:36 > Subject: Re: [webmin-l] "Login failed. Please try again." "validate_user: sudo > failed" on Ubuntu 10.04.4 Webmin 1.580 > To: Webmin users list <web...@li...>; > > Greetings, Webmin users list! > > > > > The work-around would be to set a password for your root user in Webmin's own > > password > > > file, which will let you login as root instead of as a sudo-capable user. > > This can be > > > done with a command like : > > > > > /usr/share/webmin/changepass.pl /etc/webmin root xyz > > > > > where xyz is the password. > > > > Can we have it read password from STDIN, if one is not set at command line, > > please? > > I can cleanup the history file, of course, but that is needless work. > > > > And, I would very much like to see the real issue resolved. > > Can I help you trace it down? Do you need any additional information? > > > > For my account, > > # sudo -S -l > > User anrdaemon may run the following commands on this host: > > (ALL) ALL > > > > I don't know, how to enable debug log, though. > > > > > > -- > > WBR, > > Andrey Repin (anr...@fr...) 03.04.2012, <18:16> > > > > Sorry for my terrible english... > > > > I agree that I feel this issue needs to be addressed, if at all possible. I feel > that enabling root login (albeit only to Webmin and only to the local network) > on a public facing mail server may not be the best option. I don't have this issue > on other servers, so it seems to be something environment specific... It shouldn't make much difference security-wise .. if the sudo login had been working, it would have been equivalent in terms of Webmin permissions to logging in as root. > I appreciate it's not affecting everyone and this is a open source project so I > am very grateful for vast amounts of time and also money invested in the project. > > I too am more than happy to continue troubleshooting/testing with you to resolve > this. I understand the issue may not be directly Webmin's fault, if it's sudo that's > not playing ball? If this is the case and you can give me some more information > about it, I can log a bug with Ubuntu? I fear if I did this with the little information > I have at the moment the bug would be rejected more or less straight away, though. My guess is that maybe sudo is failing in some unexpected way when Webmin is running it, causing it not to produce the (ALL) output. Since I can't re-produce this, the only way I can debug it further would be to login to a system with this problem and see what is going wrong with sudo internally. - Jamie |
From: Andrey R. <anr...@fr...> - 2012-04-03 22:49:54
|
Greetings, Webmin users list! > Since I can't re-produce this, the only way I can debug it further would be to login > to a system with this problem and see what is going wrong with sudo internally. It's pretty easy to organize. Send me a private mail, and i'll try to arrange server instance by the end of the week. -- WBR, Andrey Repin (anr...@fr...) 04.04.2012, <02:47> Sorry for my terrible english... |
From: Joe N. <jo...@jo...> - 2012-04-04 15:10:51
|
-----Original message----- From: Fajar Priyanto <faj...@ar...> Sent: Tue 03-04-2012 16:16 Subject: Re: [webmin-l] "Login failed. Please try again." "validate_user: sudo failed" on Ubuntu 10.04.4 Webmin 1.580 To: Andrey Repin <web...@li...>; > On Tue, Apr 3, 2012 at 10:56 PM, Andrey Repin <anr...@fr...> wrote: > > Greetings, Webmin users list! > > > > Most puzzling discovery so far. > > If I set a _system_ password for root, I can login to Webmin interface just > > fine. But I can't do the same with any SUDO user in system. > > > > Seems just like some permission issue to me. > > Also what puzzles me is that Joe has tried to purge webmin and > reinstall, but the problem persists. > Maybe somehow there is something wrong with his pam.d? > > Joe, if you want, I can compare your pam.d with a clean one. > > -- > http://linux3.arinet.org I've not really dealt with PAM before. I appreciate the offer to help Fajar. To save you the hassle, I've compared the contents of /etc/pam.d with that of another working system with Webmin installed and there doesn't seem to be any differences between them. I can provide you with a copy of my pam.d if you think it's worth your time - I trust there's no confidential passwords/usernames in pam.d is there? From: Jamie Cameron <jca...@we...> > > Since I can't re-produce this, the only way I can debug it further would be to > login to a system with this problem and see what is going wrong with sudo internally. > > - Jamie If you could suggest the way in which you intend to login to one of my servers securely, I'm happy to setup a clone of my mail server for you debug this on. Thanks, Joe |
From: Jamie C. <jca...@we...> - 2012-04-04 19:48:50
|
On 04/Apr/2012 08:10 Joe Nyland <jo...@jo...> wrote .. > -----Original message----- > From: Fajar Priyanto <faj...@ar...> > Sent: Tue 03-04-2012 16:16 > Subject: Re: [webmin-l] "Login failed. Please try again." "validate_user: sudo > failed" on Ubuntu 10.04.4 Webmin 1.580 > To: Andrey Repin <web...@li...>; > > On Tue, Apr 3, 2012 at 10:56 PM, Andrey Repin <anr...@fr...> wrote: > > > Greetings, Webmin users list! > > > > > > Most puzzling discovery so far. > > > If I set a _system_ password for root, I can login to Webmin interface just > > > fine. But I can't do the same with any SUDO user in system. > > > > > > Seems just like some permission issue to me. > > > > Also what puzzles me is that Joe has tried to purge webmin and > > reinstall, but the problem persists. > > Maybe somehow there is something wrong with his pam.d? > > > > Joe, if you want, I can compare your pam.d with a clean one. > > > > -- > > http://linux3.arinet.org > > I've not really dealt with PAM before. > > I appreciate the offer to help Fajar. To save you the hassle, I've compared the > contents of /etc/pam.d with that of another working system with Webmin installed > and there doesn't seem to be any differences between them. I can provide you with > a copy of my pam.d if you think it's worth your time - I trust there's no confidential > passwords/usernames in pam.d is there? > > > From: Jamie Cameron <jca...@we...> > > > > Since I can't re-produce this, the only way I can debug it further would be to > > login to a system with this problem and see what is going wrong with sudo internally. > > > > - Jamie > > If you could suggest the way in which you intend to login to one of my servers > securely, I'm happy to setup a clone of my mail server for you debug this on. I'd need remote root SSH access to a system that is seeing this problem in order to debug it. I can send you my SSH public key if this would be possible.. - Jamie |
From: Joe N. <jo...@jo...> - 2012-04-04 20:44:41
|
On 4 Apr 2012, at 20:48, Jamie Cameron wrote: > On 04/Apr/2012 08:10 Joe Nyland <jo...@jo...> wrote .. >> -----Original message----- >> From: Fajar Priyanto <faj...@ar...> >> Sent: Tue 03-04-2012 16:16 >> Subject: Re: [webmin-l] "Login failed. Please try again." "validate_user: sudo >> failed" on Ubuntu 10.04.4 Webmin 1.580 >> To: Andrey Repin <web...@li...>; >>> On Tue, Apr 3, 2012 at 10:56 PM, Andrey Repin <anr...@fr...> wrote: >>>> Greetings, Webmin users list! >>>> >>>> Most puzzling discovery so far. >>>> If I set a _system_ password for root, I can login to Webmin interface just >>>> fine. But I can't do the same with any SUDO user in system. >>>> >>>> Seems just like some permission issue to me. >>> >>> Also what puzzles me is that Joe has tried to purge webmin and >>> reinstall, but the problem persists. >>> Maybe somehow there is something wrong with his pam.d? >>> >>> Joe, if you want, I can compare your pam.d with a clean one. >>> >>> -- >>> http://linux3.arinet.org >> >> I've not really dealt with PAM before. >> >> I appreciate the offer to help Fajar. To save you the hassle, I've compared the >> contents of /etc/pam.d with that of another working system with Webmin installed >> and there doesn't seem to be any differences between them. I can provide you with >> a copy of my pam.d if you think it's worth your time - I trust there's no confidential >> passwords/usernames in pam.d is there? >> >> >> From: Jamie Cameron <jca...@we...> >>> >>> Since I can't re-produce this, the only way I can debug it further would be to >>> login to a system with this problem and see what is going wrong with sudo internally. >>> >>> - Jamie >> >> If you could suggest the way in which you intend to login to one of my servers >> securely, I'm happy to setup a clone of my mail server for you debug this on. > > I'd need remote root SSH access to a system that is seeing this problem in > order to debug it. I can send you my SSH public key if this would be possible.. > > - Jamie Ok, I'll see if I can setup a cloned instance of my mail server and get in touch with you with the details of how you can access it. Joe |
From: Fajar P. <faj...@ar...> - 2012-04-05 02:46:49
|
On Wed, Apr 4, 2012 at 11:10 PM, Joe Nyland <jo...@jo...> wrote: > > I appreciate the offer to help Fajar. To save you the hassle, I've compared the contents of /etc/pam.d with that of another working system with Webmin installed and there doesn't seem to be any differences between them. I can provide you with a copy of my pam.d if you think it's worth your time - I trust there's no confidential passwords/usernames in pam.d is there? > Hi Joe, This is my clean Ubuntu 10.04 LTS pam.d with samba installed. You can ignore the samba part. root@samba2:/etc/pam.d# cat sudo #%PAM-1.0 @include common-auth @include common-account session required pam_permit.so session required pam_limits.so --------------- root@samba2:/etc/pam.d# cat common-account account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so account requisite pam_deny.so account required pam_permit.so ---------------- root@samba2:/etc/pam.d# cat common-auth auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass auth requisite pam_deny.so auth required pam_permit.so auth optional pam_smbpass.so migrate ---------------- root@samba2:/etc/pam.d# cat common-password password [success=2 default=ignore] pam_unix.so obscure sha512 password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass password requisite pam_deny.so password required pam_permit.so password optional pam_smbpass.so nullok use_authtok use_first_pass ---------------- root@samba2:/etc/pam.d# cat common-session session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session required pam_unix.so session optional pam_winbind.so ----------------- root@samba2:/etc/pam.d# cat common-session-noninteractive session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session required pam_unix.so session optional pam_winbind.so ----------------- This is pam.d of webmin: root@samba2:~# cat /etc/pam.d/webmin #%PAM-1.0 @include common-auth @include common-account @include common-password @include common-session ---------------- My sudoers config: # User privilege specification root ALL=(ALL) ALL %sudo ALL=(ALL) ALL %admin ALL=(ALL) ALL HTH, Fajar. |
From: Joe N. <jo...@jo...> - 2012-04-05 12:00:29
|
-----Original message----- From: Fajar Priyanto <faj...@ar...> Sent: Thu 05-04-2012 03:50 > > Hi Joe, > This is my clean Ubuntu 10.04 LTS pam.d with samba installed. You can > ignore the samba part. > > root@samba2:/etc/pam.d# cat sudo > #%PAM-1.0 > @include common-auth > @include common-account > session required pam_permit.so > session required pam_limits.so > --------------- > root@samba2:/etc/pam.d# cat common-account > account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so > account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so > account requisite pam_deny.so > account required pam_permit.so > ---------------- > root@samba2:/etc/pam.d# cat common-auth > auth [success=2 default=ignore] pam_unix.so nullok_secure > auth [success=1 default=ignore] pam_winbind.so krb5_auth > krb5_ccache_type=FILE cached_login try_first_pass > auth requisite pam_deny.so > auth required pam_permit.so > auth optional pam_smbpass.so migrate > ---------------- > root@samba2:/etc/pam.d# cat common-password > password [success=2 default=ignore] pam_unix.so obscure sha512 > password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass > password requisite pam_deny.so > password required pam_permit.so > password optional pam_smbpass.so nullok use_authtok use_first_pass > ---------------- > root@samba2:/etc/pam.d# cat common-session > session [default=1] pam_permit.so > session requisite pam_deny.so > session required pam_permit.so > session required pam_unix.so > session optional pam_winbind.so > ----------------- > root@samba2:/etc/pam.d# cat common-session-noninteractive > session [default=1] pam_permit.so > session requisite pam_deny.so > session required pam_permit.so > session required pam_unix.so > session optional pam_winbind.so > > ----------------- > This is pam.d of webmin: > > root@samba2:~# cat /etc/pam.d/webmin > #%PAM-1.0 > @include common-auth > @include common-account > @include common-password > @include common-session > > ---------------- > My sudoers config: > # User privilege specification > root ALL=(ALL) ALL > %sudo ALL=(ALL) ALL > %admin ALL=(ALL) ALL > > HTH, > Fajar. > Hi Fajar, Thanks for this. I've compared my pam.d to yours and noticed that common-account is different: account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so account [success=1 default=ignore] pam_ldap.so and my common-auth: auth [success=3 default=ignore] pam_unix.so nullok_secure auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass auth [success=1 default=ignore] pam_ldap.so use_first_pass and common-password: password [success=3 default=ignore] pam_unix.so obscure sha512 password [success=2 default=ignore] pam_winbind.so use_authtok try_first_pass password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass and common-session: session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session required pam_unix.so session optional pam_winbind.so session optional pam_ldap.so and finally common-noninteractive: session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session required pam_unix.so session optional pam_winbind.so session optional pam_ldap.so What seems to be different is that inclusion of pam_ldap in my files, which I believe may be because open-ldap has been pulled in by Zarafa on this server. As the pam_ldap modules are only showing as optional though, I'm not sure why this would stop me from logging in to Webmin. Thanks, Joe |