Nobody but root can log in to Virtualmin

Hi,

I am experiencing a major issue with Virtualmin, one that may have existed for a while but that I have only now been made aware of.

Basically, the gist of it is that only the root user can log into Virtualmin. No virtual server owner can log into Virtualmin / Webmin at all. Every time someone tries, they get the typical "Login failed. Please try again" error message.

I checked /var/log/secure but Webmin only reports the failed username and the IP address that made the attempt, but no other information.

Currently all virtual server owners are LDAP users, while of course root is a local user on the system.

These users can log in just fine through FTP and SSH, but as stated cannot log in at all to Virtualmin/Webmin.

How can I resolve this issue? I am running CentOS 7 with Webmin 1.740 and Virtualmin 4.15 Pro.

Thanks!

Status: 
Active

Comments

Howdy -- you may be experiencing an issue with LDAP on your server. While that's unfortunately not my area of expertise, what you may want to do is review the LDAP documentation here, and make sure it's still set up as expected:

https://www.virtualmin.com/documentation/installation/ldap

You may also want to look at Edit Virtual Server -> Enabled Features, and verify that the "Webmin login" is enabled.

You could also look at /var/webmin/miniserv.error to see if there are any relevant errors in there.

Hi,

While I haven't read through the LDAP documentation, I can confirm LDAP is working because if it wasn't then users would not be able to log in via SSH or FTP. LDAP is managed on a separate server, with my Virtualmin server being the client. Mail also works, and both Postfix and Dovecot are configured to use LDAP.

I looked in /var/webmin/miniserv.error and it didn't throw any errors at all related to login. Though, something interesting, when I tried to log in as a virtual server owner, with Webmin configured correctly to use a retail SSL certificate, the error log said something to the effect of:

[20/Mar/2015:19:03:39 -0400] [64.185.138.70] Document follows : This web server is running in SSL mode. Try the URL https://web1-newark.airshock.net:10000/ instead.

I thought this kind of odd, because the URL used for login is https://web1-newark.airshock.net:10000 as it always has been.

Finally, I did ensure that "Webmin Login Enabled" is checked in the virtual server configuration screen. This happens with all virtual server owners/users, while root is permitted to log in (as a local user).

Yeah, I don't suspect it's a general LDAP issue, but perhaps more so Webmin's authentication against LDAP.

My suspicion is that there's some sort of configuration issue that's affecting just Webmin's ability to authenticate against LDAP.

Hopefully, in reviewing the Webmin/Virtualmin LDAP documentation, that issue will become apparent.

Also, you may want to try adding a new user in Virtualmin, and verify that it gets successfully added into LDAP, and not a local file.

A lot of LDAP issues will become apparent when trying to add a new user.

Do these domain owner users exist in the /etc/webmin/miniserv.users file?

Hi,

I have read through the documentation and verified that LDAP is working properly.

I have also tried creating a new top-level virtual server; everything was created successfully, and I verified that the new account exists in LDAP and not in a local file. I can even log into it on a non-Virtualmin and non-Webmin server I have set up that is an LDAP client.

I also verified that the user exists in the Webmin Users module, which it does.

But still, I can log into SSH and FTP on all servers with this user, but cannot log into Virtualmin/Webmin.

But LDAP seems to be configured correctly, so my guess is that for some reason Webmin is not using it as its authentication backend, and I don't know why.

Yes, the domain users exist in /etc/webmin/miniserv.users, even the new one I just created as a test.

Make sure that in /etc/pam.d/webmin, there are lines that specify to use LDAP for authentication - it should be basically the same as /etc/pam.d/ssh

Hi,

I modified /etc/pam.d/webmin as follows, but still get the same error as before. These changes are custom because /etc/pam.d/sshd did not contain any lines about LDAP, though LDAP users can log into SSH without any issues.

Contents of /etc/pam.d/webmin:

```
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so nullok
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
```

If users in LDAP can log in via SSH, you should just copy /etc/pam.d/ssh to /etc/pam.d/webmin.
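Added example, not part of the thread and not Webmin's own code: a PAM service file on CentOS 7 can pull its modules in through `include`/`substack` lines, so a file with no visible LDAP lines may still authenticate LDAP users. This sketch expands those lines and lists the modules the SSH stack calls that the Webmin stack does not. The sample files are constructed and assume SSH reaches LDAP through `pam_sss.so` in `password-auth`; the function names are hypothetical.

```python
import os, re, tempfile

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def effective_stack(service, pam_dir="/etc/pam.d", _chain=()):
    """Return (type, control, module) rules with include/substack expanded."""
    if service in _chain:                      # guard against include loops
        return []
    rules = []
    with open(os.path.join(pam_dir, service)) as fh:
        for raw in fh:
            m = RULE.match(raw.split("#", 1)[0].strip())   # drop comments
            if not m:
                continue
            ptype, control, target = m.group(1).lstrip("-"), m.group(2), m.group(3)
            if control in ("include", "substack"):
                nested = effective_stack(target, pam_dir, _chain + (service,))
                rules += [r for r in nested if r[0] == ptype]  # same type only
            else:
                rules.append((ptype, control, os.path.basename(target)))
    return rules

def missing_modules(reference, candidate, pam_dir="/etc/pam.d"):
    """Modules in the reference service's stack that the candidate never calls."""
    have = {(t, mod) for t, _, mod in effective_stack(candidate, pam_dir)}
    want = {(t, mod) for t, _, mod in effective_stack(reference, pam_dir)}
    return sorted(want - have)

# Constructed sample files (assumption: LDAP via pam_sss in password-auth).
SAMPLE = {
    "password-auth": "auth sufficient pam_unix.so nullok\nauth sufficient pam_sss.so\n"
                     "auth required pam_deny.so\naccount required pam_unix.so\n"
                     "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n",
    "sshd": "#%PAM-1.0\nauth substack password-auth\naccount include password-auth\n",
    "webmin": "#%PAM-1.0\nauth sufficient pam_ldap.so\nauth required pam_unix.so nullok\n"
              "account sufficient pam_ldap.so\naccount required pam_unix.so\n",
}

def demo():
    """Write the sample files to a temp dir and compare sshd against webmin."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        return missing_modules("sshd", "webmin", d)

if __name__ == "__main__":
    for ptype, module in demo():
        print(f"{ptype}: {module} is used by sshd but not by webmin")
```

On a real host, `missing_modules("sshd", "webmin")` reads `/etc/pam.d` directly and needs permission to read those files.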