Netgate Discussion Forum

[Solved] Duplicated admins group...?

  • F
    furom
    last edited by furom May 14, 2023, 6:35 PM May 13, 2023, 2:19 PM

    Hi,

    I was about to set up Radius and in that process I find that something odd has happened;

    I seem to have two admin groups, same name, same content, same gid...
    [screenshots]

    What should I do? When trying to verify my Radius, it failed using the new Authentication server I just set up, but worked fine with "Local Database", so I guess something is not entirely right here either... It may well be me, but need guidance what to do, reset & restore?

    Edit: To do something I reinstalled and applied a backup, only to realize the "problem" was also restored. So I opened the backup.xml I just restored, and found

    		<group>
    			<name>admins</name>
    			<description><![CDATA[System Administrators]]></description>
    			<scope>system</scope>
    			<gid>1999</gid>
    			<member>0</member>
    			<member>2000</member>
    			<priv>page-all</priv>
    		</group>
    		<group>
    			<name>admins</name>
    			<description><![CDATA[System Administrators]]></description>
    			<scope>system</scope>
    			<gid>1999</gid>
    			<member>0</member>
    			<member>2000</member>
    		</group>
    

    Why two almost identical groups? Can I safely just remove the second one?

    • S
      stephenw10 Netgate Administrator
      last edited by May 14, 2023, 12:44 PM

      Hmm, that's definitely invalid. I would remove one of those entries and restore the config.

      Any idea what you did to make that happen? What pfSense version is that?

      • F
        furom @stephenw10
        last edited by May 14, 2023, 1:56 PM

        @stephenw10 said in Duplicated admins group...?:

        Hmm, that's definitely invalid. I would remove one of those entries and restore the config.

        Any idea what you did to make that happen? What pfSense version is that?

        Hi,
        it's latest, 23.01. Exactly what I did I can't answer as I didn't realize until later, but it was when I was trying to configure freeradius3. I massively failed in creating a user in the new 'Authentication Server' I had created, called "RADIUS". At first, I was able to validate my user when instead selecting "Local Database", which is the default one, which was a bit strange and unexpected.

        I have tried to ssh in and delete one of these from /conf/config.xml, but it was restored again when rebooted. I suppose this is something one should not normally mess with...

        • F
          furom @furom
          last edited by May 14, 2023, 2:01 PM

          @furom At this point I really would like to just keep the bare minimum of my config, aliases, rules etc and discard all the rest... But the backup is a bit all or just a single part... And editing the XML before restoring isn't exactly recommended, I know that

          • F
            furom @furom
            last edited by May 14, 2023, 2:31 PM

            @furom Modified the backup xml and restored. The extra group is now gone, but can't stop wondering whatever else may have been affected too... Is there, based on this, cause for concern?

            • S
              stephenw10 Netgate Administrator
              last edited by May 14, 2023, 4:58 PM

              Probably not. If you edited the config originally that was probably the cause here. If you only edited the user section then I doubt anything else is affected. If it was a random bad edit it would probably result in bad XML and pfSense will alert you to that.

              • F
                furom @stephenw10
                last edited by furom May 14, 2023, 5:25 PM May 14, 2023, 5:17 PM

                @stephenw10 said in Duplicated admins group...?:

                Probably not. If you edited the config originally that was probably the cause here. If you only edited the user section then I doubt anything else is affected. If it was a random bad edit it would probably result in bad XML and pfSense will alert you to that.

                Well, I didn't edit the config directly when it happened. I merely used the GUI normally to configure the package and set it up. That is why I am a bit questioning...

                • S
                  stephenw10 Netgate Administrator
                  last edited by May 14, 2023, 5:32 PM

                  Mmm, that would certainly be a bug if it is. It shouldn't be possible to either create two groups with the same name or the same number. The GUI has numerous things to prevent it.
                  If you're able to replicate that we'd certainly want to know what steps hit it.

                  Steve

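The rule stated in the reply above (no two groups with the same name or the same gid) can be checked on a backup file before it is restored, using the excerpt from the first post as the test case. This is an added example, not part of the thread and not pfSense code; the `<pfsense><system>` wrapper, the `all` group entry and the function names are assumptions, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the two "admins" entries follow the excerpt in the first
# post; the <pfsense><system> wrapper and the "all" entry are assumptions.
SAMPLE = """<pfsense><system>
  <group><name>all</name><scope>system</scope><gid>1998</gid><member>0</member></group>
  <group><name>admins</name><scope>system</scope><gid>1999</gid>
    <member>0</member><member>2000</member><priv>page-all</priv></group>
  <group><name>admins</name><scope>system</scope><gid>1999</gid>
    <member>0</member><member>2000</member></group>
</system></pfsense>"""


def load_groups(xml_text):
    """Return one dict per <system>/<group> element, in document order."""
    root = ET.fromstring(xml_text)
    groups = []
    for g in root.findall("system/group"):
        groups.append({
            "name": (g.findtext("name") or "").strip(),
            "gid": (g.findtext("gid") or "").strip(),
            "members": tuple(sorted(m.text or "" for m in g.findall("member"))),
            "privs": tuple(sorted(p.text or "" for p in g.findall("priv"))),
        })
    return groups


def find_duplicates(groups):
    """Report each name or gid that is used by more than one group entry."""
    findings = []
    for key in ("name", "gid"):
        seen = defaultdict(list)
        for g in groups:
            seen[g[key]].append(g)
        for value, dupes in seen.items():
            if len(dupes) > 1:
                # Differing privileges or members decide which copy to keep.
                findings.append({
                    "key": key, "value": value, "count": len(dupes),
                    "privs_differ": len({d["privs"] for d in dupes}) > 1,
                    "members_differ": len({d["members"] for d in dupes}) > 1,
                })
    return findings


if __name__ == "__main__":
    for finding in find_duplicates(load_groups(SAMPLE)):
        print(finding)
```

On the sample, both the name `admins` and gid `1999` are reported, with `privs_differ` set because only one of the two entries carries `page-all`.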
                  • F
                    furom @stephenw10
                    last edited by May 14, 2023, 5:37 PM

                    @stephenw10 said in Duplicated admins group...?:

                    Mmm, that would certainly be a bug if it is. It shouldn't be possible to either create two groups with the same name or the same number. The GUI has numerous things to prevent it.
                    If you're able to replicate that we'd certainly want to know what steps hit it.

                    Steve

                    Thanks. By all means, I hope it will not happen again, but if it does, and I'm lucky enough to be able to trace the steps to reproduce, I'll surely let you know :)

                    Any chance this can be related to me not being able to use diagnostics to verify a user?

                    • S
                      stephenw10 Netgate Administrator
                      last edited by May 14, 2023, 6:27 PM

                      If that user was part of the admins group it could cause a problem trying to assign the permissions there. It seems unlikely though.

                      • F
                        furom @stephenw10
                        last edited by May 14, 2023, 6:34 PM

                        @stephenw10 said in Duplicated admins group...?:

                        If that user was part of the admins group it could cause a problem trying to assign the permissions there. It seems unlikely though.

                        No it wasn't. I was more thinking if something on my system caused it to not accept authentication. I suppose it is another Gremlin to be found, but sure don't get why it will not work, but I'll have to make do until someone (hopefully) sees that post :) Marking this one solved, thanks for the assist! :)

                        • J
                          jimp Rebel Alliance Developer Netgate
                          last edited by May 15, 2023, 5:51 PM

                          https://redmine.pfsense.org/issues/14363

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          • F
                            furom @jimp
                            last edited by May 15, 2023, 7:52 PM

                            @jimp said in [Solved] Duplicated admins group...?:

                            https://redmine.pfsense.org/issues/14363

                            Thanks! Reading that bug report reminded me... That's exactly what I did. :)

                            • F
                              furom @furom
                              last edited by furom May 15, 2023, 8:37 PM May 15, 2023, 8:28 PM

                              @furom I ran right back into it unfortunately (now having dual groups again), but also something I didn't have the first time; [screenshot]

                              And WHAT? I could undo the dual group! Or that is what the GUI showed, until editing the user again; [screenshot] and checking the groups;
                              [screenshot]

                              Looking forward to a fix to this madness...

                              • J
                                jimp Rebel Alliance Developer Netgate
                                last edited by May 16, 2023, 12:46 PM

                                What do you mean "ran right back into it"?

                                The patch doesn't put back the "all" group or remove the duplicate "admins" group, you'd have to put it back in config.xml manually, there's no way to get back to the fixed group in the GUI unless you restore an old config with the correct group.

                                If you do edit the config.xml you can copy the 'all' group from the default config:
                                https://github.com/pfsense/pfsense/blob/master/src/conf.default/config.xml#L11 though it wouldn't reflect the correct membership unless you add <member></member> lines with all your existing user ID numbers.

                                You could also download an old backup that had the correct users and "all" group and copy that section over to the newer config and restore that, which would be closer.

                                • F
                                  furom @jimp
                                  last edited by May 16, 2023, 6:33 PM

                                  @jimp said in [Solved] Duplicated admins group...?:

                                  What do you mean "ran right back into it"?

                                  Exactly that. I had reinstalled and then made the same mistake again... :(

                                  The patch doesn't put back the "all" group or remove the duplicate "admins" group, you'd have to put it back in config.xml manually, there's no way to get back to the fixed group in the GUI unless you restore an old config with the correct group.

                                  I am not aware of any patch for this, thus far I have edited the backup only.

                                  If you do edit the config.xml you can copy the 'all' group from the default config:
                                  https://github.com/pfsense/pfsense/blob/master/src/conf.default/config.xml#L11 though it wouldn't reflect the correct membership unless you add <member></member> lines with all your existing user ID numbers.

                                  I was confused this time though, for the first time ever I saw this "all" group that is being talked about, perhaps a good thing then :)

                                  You could also download an old backup that had the correct users and "all" group and copy that section over to the newer config and restore that, which would be closer.

                                  I have now reinstalled with 23.01 and from a printout entered all my settings... Tedious, no doubt, but also a way to sanity test my settings. DNS is always driving me nuts, took me too long to get everything aligned.

                                  I have yet to succeed with adding my ed25519 ssh key to my user config... Perhaps for tomorrow, a bit tired of all this now really, why isn't there a button on it - "just work damn it" ;) Kidding of course, I love pfSense, but it gets to me sometimes.

                                  • J
                                    jimp Rebel Alliance Developer Netgate
                                    last edited by May 16, 2023, 6:38 PM

                                    There is a commit on https://redmine.pfsense.org/issues/14363 which corrects the behavior.

                                    You can install the System Patches package and then create an entry for a2a2e8a8bee55d5b0c393d2c2d311a2fc8903bce to apply the fix.

                                    • F
                                      furom @jimp
                                      last edited by May 16, 2023, 6:40 PM

                                      @jimp said in [Solved] Duplicated admins group...?:

                                      There is a commit on https://redmine.pfsense.org/issues/14363 which corrects the behavior.

                                      You can install the System Patches package and then create an entry for a2a2e8a8bee55d5b0c393d2c2d311a2fc8903bce to apply the fix.

                                      I have that, I'll check the patch out, thanks :)
