System Admin Cannot login to POA console - Micro Focus Community

squartec · ‎2020-08-27

Running Gw 18.1.1 133172 on Sles 12 SP3 OES 2018. We have recently migrated our POs to these new servers with new iPs/DNS names with the intention of upgrading to 18.2.

Running into an odd issue . I have several users configured as System Administators in GWAC including myself, and I can login to GWAC and all the MTA and POA consoles with my account. One user cannot. He can login to the MTA console but not any of the POAs. He can login to GWAC as an admin. As far as we know this just started happening. The other two system admins are on holidays so I can't check with them yet, but I did add another account to the system admins in GWAC and same thing. Can access the GWAC, login to MTA console but none of the POAs. I tried rebuilding a POA to see if that would fix it but no luck.

The POA start up files do not specify the httpusername/password - all that is configured in the GWAC. That user can login to POA console readonly mode as expected.

I'm not sure what else to check or look at or why its behaving this way?

mathiasbraun · ‎2020-08-27

Hmm. If all ports are configured correctly (and unique) then rebuilding the PO DB should clean this up. There's one thing which could easily happen in older builds (as there was no warning): if running several agents on one box, configured with the same ip address (as e.g. a MTA and one or more POA(s)) each of them needs a dedicated admin port. As mentioned it could happen in earlier builds that they all were configured on port 9710, with the POA(s) "losing" most of the time. In such an offset granting rights to someone likely wouldn't get reflected in the PO DB.

If you like it: like it.

squartec · ‎2020-08-27

Thanks @mathiasbraun.
Only the POs (& adminservice) are running on these boxes - no other agent. Again it's odd that I can login to it, and I have the same rights as a system administrator..but he cannot? And odd that the rebuild didn't fix it either.
Not even for the test user I just added.

laurabuckley · ‎2020-08-27

@squartec Hi,

Try rebuilding the PO's owning domain and then the PO.

Cheers,

Laura

Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...

squartec · ‎2020-08-27

Thanks @laurabuckley I just rebuilt the owning domain and one post office - and I still can't login with the one superadmin user I added today?!

mathiasbraun · ‎2020-08-28

---

Only the POs (& adminservice) are running on these boxes - no other agent.

---

Referring to "(&adminservice)": likely just a typo, but do you have a separate adminservice listener for each POA?

If you like it: like it.

squartec · ‎2020-08-28

Yes each Post office server has one poa and the gwadminservice running, listening on port 9710.

mathiasbraun · ‎2020-08-28

Please forgive the question, you've for sure done that, but: did you restart the MTA and POA after rebuilding DOM and PO DBs? Did you have them down for the rebuilds?

If you like it: like it.

squartec · ‎2020-08-28

No worries. Yes I rebuilt both from the GWAC. Validated DB first,then rebuilt the databases. MTA first, then PO.
I had to restart the PO afterwards as admin console showed it was down (or red X even though it was up). The MTA saw that PO as closed as well.
So I restarted the PO, then restarted the MTA. Everything seemed happy at that point. I couldn't login to the POA admin console after that.
I got your response and for good measure I restarted the MTA just now, then the PO, and tried again and still cannot login ! 😞

mathiasbraun · ‎2020-08-28

If you add someone as a system admin and check

/var/log/novell/groupwise/gwadmin/gwadmin-audit.log

do you see something like "CREATE_ACCESS_CONTROL"?

That's how it looks if i add user "willi" (from po2 in dom1) as a sysadmin.

2020-08-28 17:46:00 Operation:{CREATE_ACCESS_CONTROL}, ObjectID:{SYSTEM_RECORD.GroupWiseSystem}, Associated ObjectID:{USER.dom1.po2.willi}, Admin:{admin}, Remote Host:{172.20.96.41}, Domain:{dom1}

If you like it: like it.

squartec · ‎2020-08-31

Yes I do see that in the audit logs - still I can log into the MTAs with this account but not the POAs.

2020-08-31 09:01:46 Operation:{UPDATE}, ObjectID:{CUSTOM_PREFERENCE.Novell.overview-layout}, Admin:{gwadmin}, Remote Host:{10.XX.XX.XXX}, Domain:{TBH}
2020-08-31 09:01:58 Operation:{CREATE_ACCESS_CONTROL}, ObjectID:{SYSTEM_RECORD.TBH_GW}, Associated ObjectID:{USER.TBH.PO_HSCRES.crizzotest}, Admin:{gwadmin}, Remote Host:{10.XX.XX.XXX}, Domain:{TBH}

mathiasbraun · ‎2020-09-01

And in the POA log (verbose), at about the same time, is there something like

ADM: Completed: Update object in post office -  Access Control  (Administrator: admin.GroupWiseSystem, Domain: dom1)

If you like it: like it.