I cannot login with USERNAME = "SYSTEM" username ?
Opened this issue · 17 comments
Hi,
I am using Windows Server 2019 and the default USERNAME variable (after installation) is "SYSTEM"
Because errors are referring to system, admin and accounts I naively tried all these
The password as it is suggested was generated by openssl rand -hex 32 and put as an environment variable.
Here is the long error log:
(tf-gpu) PS C:\Users\Administrator> jupyterhub -f .\jupyterhub_config.py
[I 2020-05-08 15:53:03.741 JupyterHub app:2240] Running JupyterHub version 1.1.0
[I 2020-05-08 15:53:03.742 JupyterHub app:2271] Using Authenticator: winauthenticator.winauthenticator.WinAuthenticator
[I 2020-05-08 15:53:03.743 JupyterHub app:2271] Using Spawner: winlocalprocessspawner.winlocalprocessspawner.WinLocalProcessSpawner
[I 2020-05-08 15:53:03.743 JupyterHub app:2271] Using Proxy: jupyterhub.proxy.ConfigurableHTTPProxy-1.1.0
[I 2020-05-08 15:53:03.744 JupyterHub app:1349] Loading cookie_secret from C:\Users\Administrator\jupyterhub_cookie_secret
[I 2020-05-08 15:53:03.765 JupyterHub proxy:461] Generating new CONFIGPROXY_AUTH_TOKEN
[E 2020-05-08 15:53:03.792 JupyterHub app:1677] Error adding user admin already in db
Traceback (most recent call last):
File "c:\programdata\anaconda3\envs\tf-gpu\lib\site-packages\jupyterhub\app.py", line 1675, in init_users
await maybe_future(self.authenticator.add_user(user))
File "c:\programdata\anaconda3\envs\tf-gpu\lib\site-packages\winauthenticator\winauthenticator.py", line 66, in add_user
raise KeyError("User %s does not exist." % user.name)
KeyError: 'User admin does not exist.'
[W 2020-05-08 15:53:03.794 JupyterHub app:1693]
You can set
c.Authenticator.delete_invalid_users = True
to automatically delete users from the Hub database that no longer pass
Authenticator validation,
such as when user accounts are deleted from the external system
without notifying JupyterHub.
[E 2020-05-08 15:53:03.795 JupyterHub app:1677] Error adding user system already in db
Traceback (most recent call last):
File "c:\programdata\anaconda3\envs\tf-gpu\lib\site-packages\jupyterhub\app.py", line 1675, in init_users
await maybe_future(self.authenticator.add_user(user))
File "c:\programdata\anaconda3\envs\tf-gpu\lib\site-packages\winauthenticator\winauthenticator.py", line 66, in add_user
raise KeyError("User %s does not exist." % user.name)
KeyError: 'User system does not exist.'
[E 2020-05-08 15:53:03.796 JupyterHub app:1677] Error adding user SYSTEM already in db
Traceback (most recent call last):
File "c:\programdata\anaconda3\envs\tf-gpu\lib\site-packages\jupyterhub\app.py", line 1675, in init_users
await maybe_future(self.authenticator.add_user(user))
File "c:\programdata\anaconda3\envs\tf-gpu\lib\site-packages\winauthenticator\winauthenticator.py", line 66, in add_user
raise KeyError("User %s does not exist." % user.name)
KeyError: 'User SYSTEM does not exist.'
[E 2020-05-08 15:53:03.797 JupyterHub app:1677] Error adding user ADMINISTRATOR already in db
Traceback (most recent call last):
File "c:\programdata\anaconda3\envs\tf-gpu\lib\site-packages\jupyterhub\app.py", line 1675, in init_users
await maybe_future(self.authenticator.add_user(user))
File "c:\programdata\anaconda3\envs\tf-gpu\lib\site-packages\winauthenticator\winauthenticator.py", line 66, in add_user
raise KeyError("User %s does not exist." % user.name)
KeyError: 'User ADMINISTRATOR does not exist.'
I thank you so much ! as this seems to be my only Windows authentication solution out there.
also, the password hex generated , I put it as is right ? like:
for both administrator and system wide variables
capture here: https://ibb.co/TvrtH8b
Many thanks
hi @bacloud14 , if you look at the function system_user_exists (line 116), it calls the Windows API (NetUserEnum) to get a list of all the local users. It then loops through all the users and checks if there is one that matches the name passed. Could you add logging or prints there to see which users the WinAPI is returning? that might give you a clue on what's going on...
Sure! This is what that low level function returned on the same environment:
[{'name': 'Administrator'}, {'name': 'DefaultAccount'}, {'name': 'Guest'}, {'name': 'WDAGUtilityAccount'}]
Can you try using Administrator? Could you see if the code chokes on the same place or if it moves further?
It is the same:
[W 2020-05-08 19:27:30.276 JupyterHub base:714] Failed login for Administrator [I 2020-05-08 19:27:30.277 JupyterHub log:174] 200 POST /hub/login?next= (@::1) 10.97ms
I was asking to see if you could instrument the code on system_user_exists to detect where it is failing
to be sure of the password, I put:
JUPYTERHUB_CRYPT_KEY = e4f32f6768f0ce7d56f28dc5f3861e3ebe5eec45dc8cfe37e206ce89134b9f17
The one user and system wide variable
Sure, I will put my hands yes, although I am not keen on Python, a bunch of prints anyway, I will come back with more results, ty
I did this:
@staticmethod def system_user_exists(user): """Check if the user exists on the system""" local_users = win32net.NetUserEnum(None, 0)[0] print('system_user_exists#user:', user) for local_user in local_users: if local_user['name'].lower() == user.name.lower(): print('@@@@@@@@@@@@@@@@@@@@@@@') return True return False
and now it is showing the eyes @@ for user ADMINISTRATOR which is good, This is run when the login endpoint is open, but when I use say ADMINISTRATOR with password it doesn't login.
And this is what Authenticate is doing with values:
print( username, domain, data['password'], win32security.LOGON32_LOGON_NETWORK, win32security.LOGON32_PROVIDER_DEFAULT )
administrator . e4f32f6768f0ce7d56f28dc5f3861e3ebe5eec45dc8cfe37e206ce89134b9f17 3 0
There is an exception catch but I don't know if there is a more readable message underneath
`try:
token = win32security.LogonUser(
username,
domain,
data['password'],
win32security.LOGON32_LOGON_NETWORK,
win32security.LOGON32_PROVIDER_DEFAULT)
except win32security.error:
# Invalid User
print('@@@@@@@@@@@@@',"]]]]]]]]]]]]]]")
return None`
To sum up, now the problem is down to win32security.LogonUser which is not a jupyterhub-winauthenticator error.
A good next step might be to try to reproduce outside Jupyter. That might give more pointers into what's going on.
How does Jupyterhub (is the one responsible to my understanding) federate the env variable JUPYTERHUB_CRYPT_KEY so that the Windows API (to my understanding again) could connect with win32security.LogonUser Because now I want to login with those same values outside of tf-gpu environment with Python.
Thanks again.
I could login with win32security.LogonUser("Administrator", ".", "real password", 3, 0) so this is why I ask how it is federated in jupyterhub
Now I have ambiguities here:
JUPYTERHUB_CRYPT_KEY is to be set with a new random password that I use encoded for login;
in this case, how this is used to login a user with his Windows password?
I just saw in loggin that user could successfully login, but the login page continue to show
[I 2020-05-10 14:59:43.774 JupyterHub base:707] User logged in: Administrator
[I 2020-05-10 14:59:43.775 JupyterHub log:174] 302 POST /hub/login?next=%2Fhub%2Fspawn -> /hub/spawn (Administrator@::1) 19.96ms
[W 2020-05-10 14:59:43.782 JupyterHub base:335] User admin has stale auth info. Login is required to refresh.
[I 2020-05-10 14:59:43.782 JupyterHub log:174] 302 GET /hub/spawn -> /hub/login?next=%2Fhub%2Fspawn (@::1) 2.01ms
[W 2020-05-10 14:59:43.786 JupyterHub base:335] User admin has stale auth info. Login is required to refresh.
[I 2020-05-10 14:59:43.787 JupyterHub log:174] 200 GET /hub/login?next=%2Fhub%2Fspawn (@::1) 2.00ms
Opening a new session with another browser shows:
500 : Internal Server Error
Error in Authenticator.pre_spawn_start: error (1314, 'CreateProcessAsUser', 'A required privilege is not held by the client.')
You can try restarting your server from the home page.
After investigating more, I game permission to Administrator user SeAssignPrimaryTokenPrivilege as suggested here: ni/jupyterhub-winlocalprocessspawner#4 (comment)
so many thanks, I think my issue is solved and to be closed. I think from the begining this was not jupyterhub-winauthenticator issue, sorry for that.
thanks again
Glad to hear you got to the bottom of it!