unable to login cockpit using root after upgrading to 4.4.6

Hi Team, after upgrading ovirt node from 4.4.5 to 4.4.6, unale to login to the cockpit using root, but could able to login via ssh. please check whether this is considered as bug

Connect to engine via ssh and run following command with template: #ovirt-aaa-jdbc-tool user password-reset {username} --password-valid-to='yyyy-MM-dd hh:mm:ssZ' After reset check admin user status: #ovirt-aaa-jdbc-tool user show admin

Hello. I'm having the same issue with cockpit on the nodes. I'm unable to login as root or local user. I went from 4.4.5 to 4.4.6. It worked fine before the upgrade. I know the password is correct because I can log into the node via console and ssh. On one of the nodes I created a local account and have the same issue. The admin account works fine on the hosted engine VM.

On Tue, May 18, 2021 at 7:39 AM <jabeard24@gmail.com> wrote:
Hello. I'm having the same issue with cockpit on the nodes. I'm unable to login as root or local user. I went from 4.4.5 to 4.4.6. It worked fine before the upgrade. I know the password is correct because I can log into the node via console and ssh. On one of the nodes I created a local account and have the same issue. The admin account works fine on the hosted engine VM.
I have not 4.4.6 yet, but could it be a change in /etc/pam.d/cockpit file? On my 4.4.5 CentOS 8.3 based host, where I can connect as root in cockpit host console, I currently have this: #%PAM-1.0 # this MUST be first in the "auth" stack as it sets PAM_USER # user_unknown is definitive, so die instead of ignore to avoid subsequent modules mess up the error code -auth [success=done new_authtok_reqd=done user_unknown=die default=ignore] pam_cockpit_cert.so auth required pam_sepermit.so auth substack password-auth auth include postlogin auth optional pam_ssh_add.so account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session optional pam_ssh_add.so session include password-auth session include postlogin Gianluca

The current thread is about 4.4.6 - nice that you can login to your 4.4.5. I changed the admin password on the engine - still cannot access the Cockpit GUI on any of my hosts. Do I have to reboot them? Restart Cockpit - tried that - failed. Cannot access Cockpit on all hosts in a cluster after upgrading to 4.4.6 really should be considered a bug.

I see the same thing on a test cluster. I presumed it was due to using sssd and kerberos for local user logins. Here's an example of what gets written to /var/log/secure when root login to cockpit fails. May 18 11:29:07 br014 unix_chkpwd[26429]: check pass; user unknown May 18 11:29:07 br014 unix_chkpwd[26430]: check pass; user unknown May 18 11:29:07 br014 unix_chkpwd[26430]: password check failed for user (root) May 18 11:29:07 br014 cockpit-session[26427]: pam_unix(cockpit:auth): authentication failure; logname= uid=993 euid=993 tty= ruser= rhost=::ffff:128.182.79.36 user=root May 18 11:29:07 br014 cockpit-session[26427]: pam_succeed_if(cockpit:auth): requirement "uid >= 1000" not met by user "root" The uid test is obviously an issue. not sure why check pass seems to always give user unknown errors. tried putting selinux in permissive same issue. On Tue, May 18, 2021 at 10:50 AM Glenn Farmer <glenn.farmer@netfortris.com> wrote:
The current thread is about 4.4.6 - nice that you can login to your 4.4.5.
I changed the admin password on the engine - still cannot access the Cockpit GUI on any of my hosts.
Do I have to reboot them? Restart Cockpit - tried that - failed.
Cannot access Cockpit on all hosts in a cluster after upgrading to 4.4.6 really should be considered a bug. _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/VZPGTQUWDUPJWV...

On Tue, May 18, 2021 at 4:50 PM Glenn Farmer <glenn.farmer@netfortris.com> wrote:
The current thread is about 4.4.6 - nice that you can login to your 4.4.5.
The subject of the thread says it all... ;-) My point was to ask if you see differences in /etc/pam.d/cockpit in your 4.4.6, in respect with the version I pasted for my 4.4.5 or if they are the same. I cannot compare as I have not yet 4.4.6 installed
I changed the admin password on the engine - still cannot access the Cockpit GUI on any of my hosts.
The cockpit gui for the host is accessed through users defined on the hosts, not on engine side. It is not related to the admin engine web admi gui... I think you can configure a normal user on your hypervisor host and see if you can use it to connect to the cockpit gui or if you receive error. Do you need any particular functionality to use the root user? HIH, Gianluca

/etc/pam.d/cockpit under node 4.4.6 is the same as you posted. Something else changed. #%PAM-1.0 # this MUST be first in the "auth" stack as it sets PAM_USER # user_unknown is definitive, so die instead of ignore to avoid subsequent modules mess up the error code -auth [success=done new_authtok_reqd=done user_unknown=die default=ignore] pam_cockpit_cert.so auth required pam_sepermit.so auth substack password-auth auth include postlogin auth optional pam_ssh_add.so account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session optional pam_ssh_add.so session include password-auth session include postlogin On Tue, May 18, 2021 at 11:50 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
On Tue, May 18, 2021 at 4:50 PM Glenn Farmer <glenn.farmer@netfortris.com> wrote:
The current thread is about 4.4.6 - nice that you can login to your 4.4.5.
The subject of the thread says it all... ;-) My point was to ask if you see differences in /etc/pam.d/cockpit in your 4.4.6, in respect with the version I pasted for my 4.4.5 or if they are the same. I cannot compare as I have not yet 4.4.6 installed
I changed the admin password on the engine - still cannot access the Cockpit GUI on any of my hosts.
The cockpit gui for the host is accessed through users defined on the hosts, not on engine side. It is not related to the admin engine web admi gui... I think you can configure a normal user on your hypervisor host and see if you can use it to connect to the cockpit gui or if you receive error. Do you need any particular functionality to use the root user?
HIH, Gianluca
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/VSM4BLBD36MFNX...

I swapped out the /etc/authselect login and system files and It seems to be that the updated node 4.6 pam stack is calling /usr/sbin/chkpwd and that fails for all cockpit users, root and otherwise. for root May 18 13:03:02 br014 unix_chkpwd[14186]: check pass; user unknown May 18 13:03:02 br014 unix_chkpwd[14187]: check pass; user unknown May 18 13:03:02 br014 unix_chkpwd[14187]: password check failed for user (root) for local user account >1000 UID May 18 13:03:28 br014 unix_chkpwd[14309]: could not obtain user info (e######) On Tue, May 18, 2021 at 12:02 PM Edward Berger <edwberger@gmail.com> wrote:
/etc/pam.d/cockpit under node 4.4.6 is the same as you posted. Something else changed.
#%PAM-1.0 # this MUST be first in the "auth" stack as it sets PAM_USER # user_unknown is definitive, so die instead of ignore to avoid subsequent modules mess up the error code -auth [success=done new_authtok_reqd=done user_unknown=die default=ignore] pam_cockpit_cert.so auth required pam_sepermit.so auth substack password-auth auth include postlogin auth optional pam_ssh_add.so account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session optional pam_ssh_add.so session include password-auth session include postlogin
On Tue, May 18, 2021 at 11:50 AM Gianluca Cecchi < gianluca.cecchi@gmail.com> wrote:
On Tue, May 18, 2021 at 4:50 PM Glenn Farmer <glenn.farmer@netfortris.com> wrote:
The current thread is about 4.4.6 - nice that you can login to your 4.4.5.
The subject of the thread says it all... ;-) My point was to ask if you see differences in /etc/pam.d/cockpit in your 4.4.6, in respect with the version I pasted for my 4.4.5 or if they are the same. I cannot compare as I have not yet 4.4.6 installed
I changed the admin password on the engine - still cannot access the Cockpit GUI on any of my hosts.
The cockpit gui for the host is accessed through users defined on the hosts, not on engine side. It is not related to the admin engine web admi gui... I think you can configure a normal user on your hypervisor host and see if you can use it to connect to the cockpit gui or if you receive error. Do you need any particular functionality to use the root user?
HIH, Gianluca
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/VSM4BLBD36MFNX...

Gianluca, I hope I my frustration didn't come across too strong - I apologize if so. I certainly now understand your posting of 4.4.5 as a diff source against 4.4.6 - thanks! - regards - Glenn

Thanks everyone for the troubleshooting so far. I agree that the cockpit auth file is the same as 4.4.5. The timestamps are before the upgrade too. I get the same errors in the secure log. I found an error messages, looking at it now. secure log May 18 21:50:57 xxxxxxxx unix_chkpwd[529704]: check pass; user unknown May 18 21:50:57 xxxxxxxx unix_chkpwd[529705]: check pass; user unknown May 18 21:50:57 xxxxxxxx unix_chkpwd[529705]: password check failed for user (root) messages May 18 22:00:23 xxxxxxxx cockpit-ws[532424]: cockpit-session: open(/var/log/btmp) failed: Permission denied

I fixed the permission error with btmp but it made no difference.

Il giorno lun 17 mag 2021 alle ore 07:48 dhanaraj.ramesh--- via Users < users@ovirt.org> ha scritto:
Hi Team,
after upgrading ovirt node from 4.4.5 to 4.4.6, unale to login to the cockpit using root, but could able to login via ssh. please check whether this is considered as bug
Can you please open a bugzilla ticket at https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-node ? Please attach a sos report to the bug, it will help understanding the issue better. +Chen Shao <cshao@redhat.com> , +Yaning Wang <yaniwang@redhat.com> , +Meital Avital <mavital@redhat.com> never seen this happening on testing, can you reproduce? -- Sandro Bonazzola MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV Red Hat EMEA <https://www.redhat.com/> sbonazzo@redhat.com <https://www.redhat.com/> *Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.*

add peyu@redhat.com Sandro Bonazzola <sbonazzo@redhat.com> 于2021年5月19日周三 下午2:40写道:
Il giorno lun 17 mag 2021 alle ore 07:48 dhanaraj.ramesh--- via Users < users@ovirt.org> ha scritto:
Hi Team,
after upgrading ovirt node from 4.4.5 to 4.4.6, unale to login to the cockpit using root, but could able to login via ssh. please check whether this is considered as bug
Can you please open a bugzilla ticket at https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-node ? Please attach a sos report to the bug, it will help understanding the issue better. +Chen Shao <cshao@redhat.com> , +Yaning Wang <yaniwang@redhat.com> , +Meital Avital <mavital@redhat.com> never seen this happening on testing, can you reproduce?
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
Red Hat EMEA <https://www.redhat.com/>
sbonazzo@redhat.com <https://www.redhat.com/>
*Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.*
-- Yaning Wang

On Wed, May 19, 2021 at 9:05 AM Yaning Wang <yaniwang@redhat.com> wrote:
add peyu@redhat.com
Sandro Bonazzola <sbonazzo@redhat.com> 于2021年5月19日周三 下午2:40写道:
Il giorno lun 17 mag 2021 alle ore 07:48 dhanaraj.ramesh--- via Users < users@ovirt.org> ha scritto:
Hi Team,
after upgrading ovirt node from 4.4.5 to 4.4.6, unale to login to the cockpit using root, but could able to login via ssh. please check whether this is considered as bug
Can you please open a bugzilla ticket at https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-node ? Please attach a sos report to the bug, it will help understanding the issue better. +Chen Shao <cshao@redhat.com> , +Yaning Wang <yaniwang@redhat.com> , +Meital Avital <mavital@redhat.com> never seen this happening on testing, can you reproduce?
I've just updated the engine of one of my environments from 4.4.5 to 4.4.6 and then one of the managed hosts that are plain CentOS 8 hosts. And I can still login to the cockpit dashboard both as a normal user (id 1000 in this case) and as root I don't have at the moment an environment with oVirt node or RHVH node to test the same on them.
Gianluca

Hi, I reproduced this issue when upgrading ovirt node from ovirt-node-ng-4.4.5.1-0.20210323.0+1 to ovirt-node-ng-4.4.6.3-0.20210518.0+1 After the upgrade, when logging in to cockpit, got a "Wrong user name or password" error. Thanks & regards Pengshan Yu On Wed, May 19, 2021 at 3:13 PM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
On Wed, May 19, 2021 at 9:05 AM Yaning Wang <yaniwang@redhat.com> wrote:
add peyu@redhat.com
Sandro Bonazzola <sbonazzo@redhat.com> 于2021年5月19日周三 下午2:40写道:
Il giorno lun 17 mag 2021 alle ore 07:48 dhanaraj.ramesh--- via Users < users@ovirt.org> ha scritto:
Hi Team,
after upgrading ovirt node from 4.4.5 to 4.4.6, unale to login to the cockpit using root, but could able to login via ssh. please check whether this is considered as bug
Can you please open a bugzilla ticket at https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-node ? Please attach a sos report to the bug, it will help understanding the issue better. +Chen Shao <cshao@redhat.com> , +Yaning Wang <yaniwang@redhat.com> , +Meital Avital <mavital@redhat.com> never seen this happening on testing, can you reproduce?
I've just updated the engine of one of my environments from 4.4.5 to 4.4.6 and then one of the managed hosts that are plain CentOS 8 hosts. And I can still login to the cockpit dashboard both as a normal user (id 1000 in this case) and as root I don't have at the moment an environment with oVirt node or RHVH node to test the same on them.
Gianluca

Hi All if any further logs required let me know I can share the info,

Hi Dhanaraj, First of all - thanks for informing us about this issue! We found the source of the issue, and are working on fixing it for the next release. Meanwhile there is a workaround that should fix the situation. You need to run (with root account) the following command: chmod u+s /usr/libexec/cockpit-session Please let us know if that works for you. Thanks in advance, On Thu, May 20, 2021 at 9:30 AM dhanaraj.ramesh--- via Users < users@ovirt.org> wrote:
Hi All
if any further logs required let me know I can share the info, _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/4JMVGQYUEIXIDS...
-- Lev Veyde Senior Software Engineer, RHCE | RHCVA | MCITP Red Hat Israel <https://www.redhat.com> lev@redhat.com | lveyde@redhat.com <https://red.ht/sig> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>

I can confirm after this cockpit login works again on ovirt-node 4.4.6.3 Greetings Klaas On 5/25/21 5:10 PM, Lev Veyde wrote:
Hi Dhanaraj,
First of all - thanks for informing us about this issue!
We found the source of the issue, and are working on fixing it for the next release.
Meanwhile there is a workaround that should fix the situation. You need to run (with root account) the following command:
chmod u+s /usr/libexec/cockpit-session
Please let us know if that works for you.
Thanks in advance,
On Thu, May 20, 2021 at 9:30 AM dhanaraj.ramesh--- via Users <users@ovirt.org <mailto:users@ovirt.org>> wrote:
Hi All
if any further logs required let me know I can share the info, _______________________________________________ Users mailing list -- users@ovirt.org <mailto:users@ovirt.org> To unsubscribe send an email to users-leave@ovirt.org <mailto:users-leave@ovirt.org> Privacy Statement: https://www.ovirt.org/privacy-policy.html <https://www.ovirt.org/privacy-policy.html> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ <https://www.ovirt.org/community/about/community-guidelines/> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/4JMVGQYUEIXIDS... <https://lists.ovirt.org/archives/list/users@ovirt.org/message/4JMVGQYUEIXIDS73GNIEJKRPRZV2CRF5/>
--
Lev Veyde
Senior Software Engineer, RHCE | RHCVA | MCITP
Red Hat Israel
lev@redhat.com <mailto:lev@redhat.com> | lveyde@redhat.com <mailto:lveyde@redhat.com>
<https://red.ht/sig> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/R5KGWWQGSBEEGC...

Hi Klaas, Thanks for the update! On Tue, May 25, 2021 at 8:12 PM Klaas Demter <klaasdemter@gmail.com> wrote:
I can confirm after this cockpit login works again on ovirt-node 4.4.6.3
Greetings
Klaas
On 5/25/21 5:10 PM, Lev Veyde wrote:
Hi Dhanaraj,
First of all - thanks for informing us about this issue!
We found the source of the issue, and are working on fixing it for the next release.
Meanwhile there is a workaround that should fix the situation. You need to run (with root account) the following command:
chmod u+s /usr/libexec/cockpit-session
Please let us know if that works for you.
Thanks in advance,
On Thu, May 20, 2021 at 9:30 AM dhanaraj.ramesh--- via Users < users@ovirt.org> wrote:
Hi All
if any further logs required let me know I can share the info, _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/4JMVGQYUEIXIDS...
--
Lev Veyde
Senior Software Engineer, RHCE | RHCVA | MCITP
Red Hat Israel
lev@redhat.com | lveyde@redhat.com <https://red.ht/sig> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/R5KGWWQGSBEEGC...
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/O3D4COQOZJG66C...
-- Lev Veyde Senior Software Engineer, RHCE | RHCVA | MCITP Red Hat Israel <https://www.redhat.com> lev@redhat.com | lveyde@redhat.com <https://red.ht/sig> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>

Huge Thanks to all of you and the team. Yes After executed the given command, I can able to access the cock pit. will wait for the fixes.

Hi Sandro, QE did not reproduce this issue when upgrading RHVH from 4.4.5 to 4.4.6. I will try to reproduce with ovirt node. Thanks & Regards Pengshan Yu On Wed, May 19, 2021 at 2:41 PM Sandro Bonazzola <sbonazzo@redhat.com> wrote:
Il giorno lun 17 mag 2021 alle ore 07:48 dhanaraj.ramesh--- via Users < users@ovirt.org> ha scritto:
Hi Team,
after upgrading ovirt node from 4.4.5 to 4.4.6, unale to login to the cockpit using root, but could able to login via ssh. please check whether this is considered as bug
Can you please open a bugzilla ticket at https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-node ? Please attach a sos report to the bug, it will help understanding the issue better. +Chen Shao <cshao@redhat.com> , +Yaning Wang <yaniwang@redhat.com> , +Meital Avital <mavital@redhat.com> never seen this happening on testing, can you reproduce?
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
Red Hat EMEA <https://www.redhat.com/>
sbonazzo@redhat.com <https://www.redhat.com/>
*Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.*
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/6K5N453PLEFFSD...
participants (13)
-
dhanaraj.ramesh@yahoo.com
-
Edward Berger
-
Gianluca Cecchi
-
Glenn Farmer
-
J Beard
-
jabeard24@gmail.com
-
Jason Beard
-
Klaas Demter
-
Lev Veyde
-
Patrick Lomakin
-
Pengshan Yu
-
Sandro Bonazzola
-
Yaning Wang