Login auth request failed: Authenticated user not found from userdb

Hi!

I’m getting these log messages in cockpit and I can’t access any of the email accounts on the server.

Login auth request failed: Authenticated user not found from userdb

Can’t login via webmail nor using email clients.

Thanks for your help

Another log I’m getting is:

pam_authenticate() failed: Authentication failure (/etc/pam.d/imap missing?)

But I have that file with the following content:

#%PAM-1.0
auth	required	pam_apnscpvwh.so	saveroot
auth	required	pam_nologin.so
auth	required	pam_listfile.so onerr=fail item=user sense=allow file=/etc/imap.pamlist
auth       include  system-auth
account    include  system-auth
password   include  system-auth
session    include  system-auth
session required pam_apnscpvwh.so restorelogin restoreroot

I don’t have the file /etc/imap.pamlist

Don’t know if this helps.

Thanks again

Sent out a FLARE update for everyone on edge. This will be automatically fixed within the next 15 minutes.

Old NSS package kicks out custom configuration upon update. Migration will reapply these rules to /etc/nsswitch.conf as well as restart Dovecot that caches it upon startup.

Is there a manual fix for this? Seeing this on non-Edge.
Edit: never mind, it looks like the log entries have stopped after all.

I’m still having this issue, it just started a few hours ago. How do I trigger the update in this case?

upcp

I also still encounter the same error even after hopping to edge and doing an upcp.

[root@panel ~]# cpcmd scope:get cp.update-policy
edge
[root@panel ~]# upcp
Compiled services and packages files removed!
Nothing to migrate.
Nothing to migrate.
[root@panel ~]#

I also tried upcp -sb and rebooting the server.

Thank you for your help and support

These updates were delivered only on edge.

What does cpcmd misc:cp-version report? Is the problem resolved after running systemctl restart dovecot?

Here is the output:

[root@panel ~]# cpcmd misc:cp-version

revision: 7f83b57999b5b151fe34e86b8103e6763e087a11
timestamp: 1748440296
ver_maj: 3
ver_min: 2
ver_patch: 47
ver_pre: 4-g7f83b5799
dirty: false
debug: false

[root@panel ~]# 
[root@panel ~]# systemctl restart dovecot
[root@panel ~]# systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/dovecot.service.d
           └─override.conf
   Active: active (running) since Wed 2025-05-28 12:28:10 -10; 4s ago
     Docs: man:dovecot(1)
           https://doc.dovecot.org/
  Process: 9812 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
  Process: 9817 ExecStartPre=/usr/libexec/dovecot/prestartscript (code=exited, status=0/SUCCESS)
 Main PID: 9825 (dovecot)
   Status: "v2.3.21 (47349e2482) running"
    Tasks: 4 (limit: 102186)
   Memory: 3.3M
   CGroup: /system.slice/dovecot.service
           ├─9825 /usr/sbin/dovecot -F
           ├─9827 dovecot/anvil [0 connections]
           ├─9828 dovecot/log 
           └─9829 dovecot/config 

May 28 12:28:09 panel.datasolutions.pf systemd[1]: Starting Dovecot IMAP/POP3 email server...
May 28 12:28:10 panel.datasolutions.pf dovecot[9825]: master: Dovecot v2.3.21 (47349e2482) starting up for imap, pop3 (core dumps disabled)
May 28 12:28:10 panel.datasolutions.pf systemd[1]: Started Dovecot IMAP/POP3 email server.
[root@panel ~]#

The error is still going. I double-checked everything and users cannot log in to their emails.

Thank you

What’s reported with rpm -qi dovecot23-apnscp | grep Date? For the user having trouble logging in, does getent passwd USER@DOMAIN report a result?

Here is the output:

[root@panel ~]# rpm -qi dovecot23-apnscp | grep Date
Install Date: Wed 28 May 2025 12:08:22 AM -10
Build Date  : Tue 27 May 2025 08:15:01 AM -10
[root@panel ~]#

getent passwd returns nothing for all my users. I tested dozens.
Nobody can log in to their email.

Thank you for your support.

Run upcp -sb system/nss, then check again with getent.

Here is the playbook output:

[root@panel ~]# upcp -sb system/nss

PLAY [localhost] ****************************************************************************************************************************************************************************
included: /usr/local/apnscp/resources/playbooks/roles/system/nss/tasks/authselect.yml for localhost
[WARNING]: flush_handlers task does not support when conditional

PLAY RECAP **********************************************************************************************************************************************************************************
localhost                  : ok=15   changed=0    unreachable=0    failed=0    skipped=7    rescued=0    ignored=0   

getent still returns nothing for all my users.

thank you for your time

What’s in /etc/nsswitch.conf? What’s reported for rpm -qi nss-apnscp | grep Date?

Here is the output:

[root@panel ~]# rpm -qi nss-apnscp | grep Date
Install Date: Wed 28 May 2025 12:07:12 AM -10
Build Date  : Sat 24 May 2025 04:51:52 PM -10
[root@panel ~]# cat /etc/nsswitch.conf
# Generated by authselect on Wed Mar  8 19:26:13 2023
# Do not modify this file manually.

# If you want to make changes to nsswitch.conf please modify
# /etc/authselect/user-nsswitch.conf and run 'authselect apply-changes'.
#
# Note that your changes may not be applied as they may be
# overwritten by selected profile. Maps set in the authselect
# profile takes always precedence and overwrites the same maps
# set in the user file. Only maps that are not set by the profile
# are applied from the user file.
#
# For example, if the profile sets:
#     passwd: sss files
# and /etc/authselect/user-nsswitch.conf contains:
#     passwd: files
#     hosts: files dns
# the resulting generated nsswitch.conf will be:
#     passwd: sss files # from profile
#     hosts: files dns  # from user file

passwd:     files sss systemd    
group:      files sss systemd
netgroup:   sss files
automount:  sss files
services:   sss files

# Included from /etc/authselect/user-nsswitch.conf

#
# /etc/nsswitch.conf
#
# Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# Valid databases are: aliases, ethers, group, gshadow, hosts,
# initgroups, netgroup, networks, passwd, protocols, publickey,
# rpc, services, and shadow.
#
# Valid service provider entries include (in alphabetical order):
#
#	compat			Use /etc files plus *_compat pseudo-db
#	db			Use the pre-processed /var/db files
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files in /etc
#	hesiod			Use Hesiod (DNS) for user lookups
#	nis			Use NIS (NIS version 2), also called YP
#	nisplus			Use NIS+ (NIS version 3)
#
# See `info libc 'NSS Basics'` for more information.
#
# Commonly used alternative service providers (may need installation):
#
#	ldap			Use LDAP directory server
#	myhostname		Use systemd host names
#	mymachines		Use systemd machine names
#	mdns*, mdns*_minimal	Use Avahi mDNS/DNS-SD
#	resolve			Use systemd resolved resolver
#	sss			Use System Security Services Daemon (sssd)
#	systemd			Use systemd for dynamic user option
#	winbind			Use Samba winbind support
#	wins			Use Samba wins support
#	wrapper			Use wrapper module for testing
#
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
# WARNING: Running nscd with a secondary caching service like sssd may
# 	   lead to unexpected behaviour, especially with how long
# 	   entries are cached.
#
# Installation instructions:
#
# To use 'db', install the appropriate package(s) (provide 'makedb' and
# libnss_db.so.*), and place the 'db' in front of 'files' for entries
# you want to be looked up first in the databases, like this:
#
# passwd:    db files
# shadow:    db files
# group:     db files

# In order of likelihood of use to accelerate lookup.
shadow:     files sss
hosts: resolve files mdns4_minimal [NOTFOUND=return] dns myhostname

aliases:    files
ethers:     files
gshadow:    files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files
[root@panel ~]#

Add “apnscpvwh” to passwd such that the line becomes:

passwd: files apnscpvwh sss systemd

Then systemctl restart dovecot

As for why it wasn’t readded, what does this report? authselect current -r ; echo $?
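
A check for the drift found in this thread, as an added example that is not part of any post or of the panel's own tooling: it reads an nsswitch.conf-format file and reports whether a source (here apnscpvwh on passwd) is listed and reachable. The sample files are constructed around the two passwd lines quoted above; the function name and the result names (ok, missing, shadowed, no-db-line) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: report whether an NSS source is listed
# and reachable on a database line of an nsswitch.conf-format file.

# check_nss_source FILE DB MODULE
# Prints one of: ok | missing | shadowed | no-db-line  (names are this example's own)
#   shadowed = MODULE appears only after a [NOTFOUND=return] action, so it is
#              skipped whenever the source before that action answers not-found.
check_nss_source() {
    awk -v db="$2" -v mod="$3" '
        BEGIN { state = "no-db-line" }
        { sub(/#.*/, "") }                        # strip comments
        $1 == (db ":") {
            state = "missing"; blocked = 0; inb = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) inb = 1           # start of [STATUS=action ...]
                if (inb) {
                    u = toupper($i)
                    if (index(u, "NOTFOUND=RETURN") && !index(u, "!NOTFOUND=RETURN"))
                        blocked = 1
                    if ($i ~ /\]$/) inb = 0
                    continue
                }
                if ($i == mod) { state = (blocked ? "shadowed" : "ok"); break }
            }
        }
        END { print state }                       # last matching DB line wins
    ' "$1"
}

# Constructed sample files; the two passwd lines are the ones quoted in the thread.
demo_dir=$(mktemp -d)
printf '%s\n' '# Generated by authselect' 'passwd:     files sss systemd' \
    > "$demo_dir/before.conf"
printf '%s\n' 'passwd: files apnscpvwh sss systemd' > "$demo_dir/after.conf"
printf '%s\n' 'passwd: files [NOTFOUND=return] apnscpvwh' > "$demo_dir/shadowed.conf"

for f in before after shadowed; do
    printf '%-9s %s\n' "$f" "$(check_nss_source "$demo_dir/$f.conf" passwd apnscpvwh)"
done
rm -rf "$demo_dir"

# On a live host (assumed use): alert when this does not print "ok".
# check_nss_source /etc/nsswitch.conf passwd apnscpvwh
```

The header quoted from /etc/nsswitch.conf says the file is generated by authselect, so a hand edit can be overwritten when the profile is applied again. Running a check like this after package updates catches the missing source before logins start failing.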

Modifying the file as you stated worked.

Here is the output of the last command:

[root@panel ~]# authselect current -r ; echo $
custom/apnscp
$
[root@panel ~]#

No, echo $? - literally $?:

authselect current -r ; echo $?

Yeah sorry, I was on mobile and did not pay attention when pasting. Here it is:

[root@panel ~]# authselect current -r ; echo $?
custom/apnscp
0
[root@panel ~]#

Do you know why the /etc/nsswitch.conf file did not update properly?
Thank you