Access Denied on Backups page (token_not_in_session)

I’ve just set up UrBackup on Ubuntu 16.04. When I sign in using LDAP, everything works fine except the “Backups” tab. This is the error:

This is my group rights map:

CN=UrBackup Administrators,*==>all=all

And my class rights map (left as defaults):

user==>lastacts={AUTOCLIENTS},progress={AUTOCLIENTS},status={AUTOCLIENTS},stop_backup={AUTOCLIENTS},start_backup=all,browse_backups=tokens

It works fine if I disable LDAP and log in with a locally created account.

I’m not sure if it’s worth noting, but I am running this via nginx. However, the problem still happens if I disable nginx and use the built-in webserver on port 55414.

If you want to debug this, open backup_server.db (/var/urbackup/backup_server.db) with sqlite3, then:

sqlite3 /var/urbackup/backup_server.db
> SELECT * FROM user_tokens;

LDAP prefix + login username + LDAP suffix needs to match one of those users in the table.
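The check described in the reply above, as an added example that is not part of the original thread or of UrBackup itself: it lists the account names present in user_tokens without ever printing the token column, and reports how prefix + login + suffix relates to them. The column position, the column names in the constructed sample table, the sample prefix/suffix values and the verdict labels are assumptions made for illustration.

```python
import sqlite3

def token_usernames(conn):
    """Return the distinct account names in user_tokens, never the token itself."""
    # Assumption: the second column holds the account name, as in the rows
    # pasted in the thread. SELECT * is used because the schema is not shown.
    rows = conn.execute("SELECT * FROM user_tokens")
    return sorted({row[1] for row in rows if row[1] is not None})

def check_login(conn, login, prefix="", suffix=""):
    """Compare prefix + login + suffix against the names in user_tokens."""
    wanted = prefix + login + suffix
    names = token_usernames(conn)
    if wanted in names:
        verdict = "match"
    elif wanted.lower() in (n.lower() for n in names):
        verdict = "differs-only-in-case"
    elif login in names:
        verdict = "prefix-suffix-mismatch"   # bare login exists, composed name does not
    else:
        verdict = "no-tokens-for-user"
    return wanted, verdict

def open_readonly(path):
    # mode=ro keeps the check from writing to the live server database.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def sample_db():
    """Constructed stand-in for backup_server.db (column names are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_tokens (id INTEGER, username TEXT, tgroup TEXT,"
                 " clientid INTEGER, token TEXT, created TEXT)")
    conn.executemany("INSERT INTO user_tokens VALUES (?,?,?,?,?,?)", [
        (1, "administrator", "", 1, "constructed-token-a", "2017-03-13 21:13:01"),
        (6, "administrator", "administrators", 1, "constructed-token-b",
         "2017-03-24 10:11:26"),
    ])
    return conn

if __name__ == "__main__":
    # On a server: conn = open_readonly("/var/urbackup/backup_server.db")
    conn = sample_db()
    for login, prefix, suffix in [("administrator", "", ""),
                                  ("jdoe", "", "@myorg.local")]:
        print(check_login(conn, login, prefix, suffix))
```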

Here’s what I have (removed what looks like a credential). There appear to be no LDAP users. I must be doing something wrong?

sqlite> SELECT * FROM user_tokens;
1|administrator||1|<removed>|2017-03-13 21:13:01
3|administrator||1|<removed>|2017-03-23 22:08:41
5|administrator||1|<removed>|2017-03-24 10:11:26
6|administrator|administrators|1|<removed>|2017-03-24 10:11:26

Do you have 2.1.x clients? If yes, can you have a look at the client log file?

I only have it running on my desktop for testing. Yes, it is 2.1.15.0.

Edit: One second on the log file.

I emailed the log file to bugreports@urbackup.org.

2017-03-24 06:11:07: ERROR: Error while enumerating DC users: 1726
2017-03-24 06:11:11: WARNING: Limiting number of DC groups to 101

1726 is probably

RPC_S_CALL_FAILED
1726 (0x6BE)
The remote procedure call failed.

So something with the AD server? The other will be fixed with 2.2.x. Currently it limits the number of enumerated AD users/groups to 100 for performance reasons.

Are LDAP referrals disabled and is it using LDAP version 3? I glanced at the source and didn’t see mention of either. At least with the Python libraries I use, it’s required to set an LDAP option to disable referrals when connecting to AD. Otherwise some LDAP queries will fail.

It uses NetUserEnum (OS functionality), idk how that is implemented internally, only that it normally works.

I may be misunderstanding, but the problem exists server-side, right? It’s the server that is not allowing me access to the Backups tab. My server is running on Linux, but NetUserEnum is a Windows function.

After more testing, I’m hitting the same problem on a clean of the server on Ubuntu 16.04.2. No clients, no other settings changed from their defaults. Just LDAP.

Also, when I enable LDAP for the first time and use the following query…

DC=myorg,DC=local?memberOf,objectClass?sub?(sAMAccountName={USERNAME})

…the website hangs when trying to save the settings. It appears to save the settings because I am prompted to log in with AD credentials. But that just hangs after submitting, too. At this point, I need to revert the snapshot on the VM in order to use the UrBackup web interface again.

AD login only works at all if I narrow the search, like so…

OU=My Users,DC=myorg,DC=local?memberOf,objectClass?sub?(sAMAccountName={USERNAME})

But again, still can’t access the Backups page.

I understand LDAP/AD authentication is experimental, but I’d like to help troubleshoot these problems with you however I can.

Hi,

I’m hitting the same issue. With the following settings on the LDAP/AD class rights map I can finally log in using LDAP (OpenLDAP) credentials, but just like @trj I can’t access the Backups page. It keeps outputting the token_not_in_session error:

posixAccount==>lastacts="{AUTOCLIENTS}",progress="{AUTOCLIENTS}",status="{AUTOCLIENTS}",stop_backup="{AUTOCLIENTS}",start_backup=all,browse_backups=tokens

Any update from your side @uroni?