Admin User not functioning (upgrade?)

darkfader
Posts: 20
Joined: Sat Dec 11, 2021 11:39 pm

Admin User not functioning (upgrade?)

Post by darkfader »

Today I was informed about a really weird issue.
From the timeline it's possible that it came along with the update to P32.

A user that normally reads the admin@zimbra mailbox no longer had IMAP access to it.
It turned out there's also a problem logging in on the Admin Console.
It'll return an "authentication failed" even with the correct user (also with user@domain).

So, the admin username cannot be used to log in to mail services or to the admin console anymore.
I can verify the admin username using zmprov gaaa and have reset the password using zmprov sp admin@domain pass

Neither that nor any amount of restarts has had any effect.

There are almost no error messages showing up in the logs, which is likely the part I understand the least.
See further below for that.
The service (:7071) is up, I can see as much in netstat / lsof.

The http throttle subnets are unchanged & correct.

Code:

zimbra@iso237:~/log$ grep -v INFO mailbox.log
2022-07-15 14:59:37,841 WARN  [main] [] ephemeral - Replacing ephemeral factory class 'com.zimbra.cs.ephemeral.LdapEphemeralStore$Factory' registered for 'ldap' with 'com.zimbra.cs.ephemeral.LdapEphemeralStore$Factory'
2022-07-15 14:59:37,853 WARN  [main] [] extensions - no Zimbra-Extension-Class found, ignored: /opt/zimbra/lib/ext/mitel
2022-07-15 14:59:37,859 WARN  [main] [] extensions - no Zimbra-Extension-Class found, ignored: /opt/zimbra/lib/ext/twofactorauth
2022-07-15 14:59:37,859 WARN  [main] [] extensions - no Zimbra-Extension-Class found, ignored: /opt/zimbra/lib/ext/zimbra-license
2022-07-15 14:59:37,878 WARN  [main] [] extensions - no Zimbra-Extension-Class found, ignored: /opt/zimbra/lib/ext/openidconsumer
2022-07-15 14:59:37,879 WARN  [main] [] extensions - no Zimbra-Extension-Class found, ignored: /opt/zimbra/lib/ext/zimbra-freebusy
2022-07-15 14:59:40,357 WARN  [main] [] AnnotatedArgumentBuilder - No explicit argument name given and the parameter name lost in compilation: public abstract boolean org.w3c.dom.TypeInfo.isDerivedFrom(java.lang.String,java.lang.String,int)#java.lang.String arg0. For details and possible solutions see https://github.com/leangen/graphql-spqr/wiki/Errors#missing-argument-name
2022-07-15 14:59:40,357 WARN  [main] [] AnnotatedArgumentBuilder - No explicit argument name given and the parameter name lost in compilation: public abstract boolean org.w3c.dom.TypeInfo.isDerivedFrom(java.lang.String,java.lang.String,int)#java.lang.String arg1. For details and possible solutions see https://github.com/leangen/graphql-spqr/wiki/Errors#missing-argument-name
2022-07-15 14:59:40,358 WARN  [main] [] AnnotatedArgumentBuilder - No explicit argument name given and the parameter name lost in compilation: public abstract boolean org.w3c.dom.TypeInfo.isDerivedFrom(java.lang.String,java.lang.String,int)#int arg2. For details and possible solutions see https://github.com/leangen/graphql-spqr/wiki/Errors#missing-argument-name
2022-07-15 14:59:41,550 WARN  [main] [] extensions - Ignoring file non zip-file /opt/zimbra/lib/ext/zimbradrive/zimbradrive-extension.conf.example
Binary file mailbox.log matches
saket.patel
Zimbra Employee
Posts: 137
Joined: Mon Apr 11, 2022 8:39 pm

Re: Admin User not functioning (upgrade?)

Post by saket.patel »

Can you increase log level for zimbra.soap to trace and check logs (mailbox.log and zmmailboxd.out) after admin console authentication? That should give some information on why auth is failing.
darkfader
Posts: 20
Joined: Sat Dec 11, 2021 11:39 pm

Re: Admin User not functioning (upgrade?)

Post by darkfader »

saket.patel wrote: Can you increase log level for zimbra.soap to trace and check logs (mailbox.log and zmmailboxd.out) after admin console authentication? That should give some information on why auth is failing.
Hi,

I've finally been able to do that.


/opt/zimbra/log/mailbox.log

Code:

2022-08-02 21:46:19,126 INFO  [qtp1381713434-219:https://localhost:7071/service/admin/soap/GetAccountRequest] [name=zimbra;ua=zmprov/8.8.15_GA_4372;soapId=75430636;] misc - delegated access: doc=GetAccount, authenticated account=zimbra, target account=admin@post.domain.tld
2022-08-02 21:46:19,127 INFO  [qtp1381713434-219:https://localhost:7071/service/admin/soap/GetAccountRequest] [name=zimbra;ua=zmprov/8.8.15_GA_4372;soapId=75430636;] misc - delegated access: doc=GetAccount, authenticated account=zimbra, target account=admin@post.domain.tld
2022-08-02 21:46:19,128 INFO  [qtp1381713434-219:https://localhost:7071/service/admin/soap/GetAccountRequest] [name=zimbra;ua=zmprov/8.8.15_GA_4372;soapId=75430636;] soap - GetAccountRequest elapsed=3
2022-08-02 21:46:19,599 INFO  [qtp1381713434-222:https://localhost:7071/service/admin/soap/GetServerRequest] [name=zimbra;ua=zmprov/8.8.15_GA_4372;soapId=75430637;] soap - GetServerRequest elapsed=2
2022-08-02 21:46:19,715 INFO  [qtp1381713434-222:https://post.domain.tld:7071/service/admin/soap/AddAccountLoggerRequest] [name=zimbra;ip=192.168.xx.xxx;port=36778;ua=zmprov/8.8.15_GA_4372;soapId=75430638;] misc - Adding custom logger: account=admin@post.domain.tld, category=zimbra.soap, level=trace
2022-08-02 21:46:19,716 INFO  [qtp1381713434-222:https://post.domain.tld:7071/service/admin/soap/AddAccountLoggerRequest] [name=zimbra;ip=192.168.xx.xxx;port=36778;ua=zmprov/8.8.15_GA_4372;soapId=75430638;] soap - AddAccountLoggerRequest elapsed=2
2022-08-02 21:46:35,159 INFO  [qtp1381713434-222:https://localhost:7071/service/admin/soap/AuthRequest] [ua=zmprov/8.8.15_GA_4372;soapId=75430639;] soap - AuthRequest elapsed=4
2022-08-02 21:46:36,621 INFO  [qtp1381713434-129:https://localhost:7071/service/admin/soap/GetServerRequest] [name=zimbra;ua=zmprov/8.8.15_GA_4372;soapId=7543063a;] soap - GetServerRequest elapsed=5
2022-08-02 21:46:37,108 INFO  [qtp1381713434-222:https://post.domain.tld:7071/service/admin/soap/ResetAllLoggersRequest] [name=zimbra;ip=192.168.xx.xxx;port=36784;ua=zmprov/8.8.15_GA_4372;soapId=7543063b;] misc - Resetting all loggers  
2022-08-02 21:46:37,152 INFO  [qtp1381713434-222:https://post.domain.tld:7071/service/admin/soap/ResetAllLoggersRequest] [name=zimbra;ip=192.168.xx.xxx;port=36784;ua=zmprov/8.8.15_GA_4372;soapId=7543063b;] soap - ResetAllLoggersRequest elapsed=45
2022-08-02 21:47:25,078 WARN  [qtp1381713434-129:https://192.168.xx.xxx:7071/service/admin/soap/AuthRequest] [ip=192.168.yy.yyy;port=42236;ua=ZimbraWebClient - SAF15.6 (Mac);soapId=7543063c;] SoapEngine - handler exception
com.zimbra.common.service.ServiceException: permission denied: Error in Authentication
        at com.zimbra.common.service.ServiceException.PERM_DENIED(ServiceException.java:348) ~[zimbracommon.jar:8.8.15_GA_4372]
        at com.zimbra.cs.service.admin.Auth.handle(Auth.java:92) ~[zimbrastore.jar:8.8.15_GA_4372]
        at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:646) ~[zimbrastore.jar:8.8.15_GA_4372]
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:491) ~[zimbrastore.jar:8.8.15_GA_4372]
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:278) ~[zimbrastore.jar:8.8.15_GA_4372]
        at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:308) ~[zimbrastore.jar:8.8.15_GA_4372]
        at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:217) ~[zimbrastore.jar:8.8.15_GA_4372]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[servlet-api-3.1.jar:3.1.0]
        at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:214) ~[zimbrastore.jar:8.8.15_GA_4372]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ~[servlet-api-3.1.jar:3.1.0]

/opt/zimbra/log/zmmailboxd.out has nothing for the corresponding timeframe.

...So all I can see is an auth failure.
Now, I had already tried resetting the password to the stored one but that had no success.
The normal users that use AD auth are still working fine.

I just tried one more time, following the steps in https://wiki.zimbra.com/wiki/Admin_Password_Reset (2006 article, certified and work in progress???)
It stays an immediate permission denied. It happens both as "admin" and "admin@mail.domain.tld".
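
An added example, not part of the thread and not Zimbra's own tooling: a small parser for the mailbox.log layout shown in the excerpt above that extracts failed admin AuthRequest entries and records whether a custom logger had been added and not yet reset when each failure was written. The sample lines are abridged from the post's excerpt (stack frames omitted); the function names are hypothetical.

```python
import re
from datetime import datetime

# Abridged from the mailbox.log excerpt in the post above (stack frames omitted).
SAMPLE = """\
2022-08-02 21:46:19,715 INFO  [qtp1381713434-222:https://post.domain.tld:7071/service/admin/soap/AddAccountLoggerRequest] [name=zimbra;ip=192.168.xx.xxx;port=36778;ua=zmprov/8.8.15_GA_4372;soapId=75430638;] misc - Adding custom logger: account=admin@post.domain.tld, category=zimbra.soap, level=trace
2022-08-02 21:46:35,159 INFO  [qtp1381713434-222:https://localhost:7071/service/admin/soap/AuthRequest] [ua=zmprov/8.8.15_GA_4372;soapId=75430639;] soap - AuthRequest elapsed=4
2022-08-02 21:46:37,108 INFO  [qtp1381713434-222:https://post.domain.tld:7071/service/admin/soap/ResetAllLoggersRequest] [name=zimbra;ip=192.168.xx.xxx;port=36784;ua=zmprov/8.8.15_GA_4372;soapId=7543063b;] misc - Resetting all loggers
2022-08-02 21:47:25,078 WARN  [qtp1381713434-129:https://192.168.xx.xxx:7071/service/admin/soap/AuthRequest] [ip=192.168.yy.yyy;port=42236;ua=ZimbraWebClient - SAF15.6 (Mac);soapId=7543063c;] SoapEngine - handler exception
com.zimbra.common.service.ServiceException: permission denied: Error in Authentication
"""

# timestamp LEVEL [thread:url] [key=value;...] category - message
ENTRY = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} +(\w+) +"
                   r"\[([^\]]*)\] \[([^\]]*)\] (\S+) - (.*)$")

def parse(text):
    """Return one dict per log entry; continuation lines go into 'extra'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts, level, thread, ctx, cat, msg = m.groups()
            fields = dict(kv.split("=", 1) for kv in ctx.split(";") if "=" in kv)
            entries.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            "level": level, "request": thread.rsplit("/", 1)[-1],
                            "ctx": fields, "category": cat,
                            "msg": msg.strip(), "extra": []})
        elif entries and line.strip():
            entries[-1]["extra"].append(line.strip())  # exception text, stack frames
    return entries

def admin_auth_failures(text):
    """List failed AuthRequests; flag whether a custom logger was added and not yet reset."""
    active, out = False, []
    for e in parse(text):
        if e["msg"].startswith("Adding custom logger"):
            active = True
        elif e["msg"].startswith("Resetting all loggers"):
            active = False
        elif e["request"] == "AuthRequest" and e["msg"] == "handler exception":
            out.append({"time": e["time"], "ip": e["ctx"].get("ip"),
                        "ua": e["ctx"].get("ua"),
                        "error": e["extra"][0] if e["extra"] else "",
                        "custom_logger_active": active})
    return out
```
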