I am working with Keycloak, version 19.0.3.
I am using it in docker container, using image
quay.io/keycloak/keycloak:19.0
I am using postgresql database.
I am hosting it on azure.
I had a working setup with a few clients, scopes etc. Everything worked fine. Then I tried to set up email provider to be able to receive email confirmations. I successfully received test email and I clicked save. Then after a while my session refreshed and I no longer can log in to the administrator console. I get the following error log:
2022-11-14T09:46:17.033164754Z: [INFO] 2022-11-14 09:46:17,030 WARN [org.keycloak.events] (executor-thread-191) type=LOGIN_ERROR, realmId=[realm_id], clientId=security-admin-console, userId=null, ipAddress=[ipAddress], error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=[redirect_uri], code_id=[code_id], username=[username], authSessionParentId=[authSessionParentId], authSessionTabId=[authSessionTabId]
During startup the following message shows up:
Failed to add user '[admin_user]' to realm 'master': user with username exists
However this user is nowhere in the database.
The administrator log in credentials are set up using environmental variables and the whole setup is still in dev mode.
This is not the first time it happened. It happened once before however I did not connect it to the fact that setting up email account might have caused it. I thought it was because I accidentally upgraded keycloak to version 20, so I started from the beginning.
This time I set up email and came back after 20 minutes. My username and password are invalid. I have them saved in autocomplete, so its not because I wrote my credentials wrong. Nothing else changed.
I thought that maybe its because I have my realm set up to use email as username, so I tested with email address I just added, stil nothing.
I struggled with it for a long time. I am at my wits end. Any tips are welcome.
I have the same issue. Not sure whether it was caused by SMTP setup.
I have checked the databases from the back-up and the new one (after day of work that also included SMTP setup).
The admin user_entity in the database was updated to my email address somehow with keeping the user id. So with my email address and original admin password I am able to sign into the master console.
I hope it'll help.
PS. I recall now that during first 'Test connection' for SMTP execution Keycloak asked me to type an email address for testing (where the test email is going to be sent). Now I think it is at that moment the admin username was changed to my personal email.
I m using GCP compute engine, i m validated through my gmail account to access the instance.
On login to the compute engine instance , i can able to change it to user . This is the usual process which i do for last 2 years .
Suddently today while i m trying to change the user to root from my user(gmail authenticated user) it is asking password for my user .
In ssh key adding page it is marked as :
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTIt…","expireOn":"2018-10-01T14:39:09+0000"}
How to overcome this ?
I solved it by enabling OS Login. The login prompt has been bugging me about that for a while now. I guess they made it mandatory and didn't tell anyone.
I have created events in my MySQL. They are working, but in order for them to execute, I need to
SET event_scheduler = ON;.
In order to do that, I need to get SUPER privileges. I get the following error:
Access denied; you need (at least one of) the SUPER privilege(s) for this operation
I try to grant super: GRANT SUPER ON *.* TO user#'localhost' IDENTIFIED BY 'password'; and get another error:
ERROR 1045 (28000): Access denied for user
I have contacted my host, and they said that since their host is shared, they were unable to add super privileges for my account.
Can anyone help me to find another way, so the events would begin to run? Account doesn't belong to me, so I can't switch hosts.
Cron jobs are likely the best on shared hosts. If you have access to cPanel, it will make your life a lot easier.
First things, first: Create your script. This can access the database, send emails, pretty much do anything that needs to be done. Please note that $_GET, $_POST, $_REQUEST, and $_COOKIE will be unavailable for the duration of the script, as this isn't a web request. You wont be able to set cookies, or view the information about the remote user (As there is none). You can however, pass variables through command line though, using $argv. See this post for more information.
This sample script will send out a newsletter to all users in the to_be_mailed table:
<?php
include('db.cfg.php');
include('newsletter.php');
$body = get_newsletter();
$result = $db->query("SELECT * FROM to_be_mailed");
while ( $row = $result->fetch_row() )
{
mail($row['email'], 'Nightly news update!', $body);
}
//Probably want to update the database again and set them all to sent.
echo 'Done sending emails!';
Debugging scripts can be difficult, as you usually don't have access to the output. Have a look at this answer and be sure to enable error_logs so that you can make sure your script executed sucessfully.
When using cPanel's Cron Jobs it makes your life easier by emailing the output to you at the end of execution. This makes it easier for you to track down bugs, and ensure your cron job executes successfully.
Next adding your cron job:
See cPanel's Cron Jobs for info on how to add a cron job for cPanel enabled hosts.
Non cpanel hosts: See this post. The gist is, you use crontab -e to add the task (This will open up an editor, and you would add in the following line):
# crontab -e
00 * * * * /usr/local/bin/php /home/USERNAME/myscript.php
If you're just getting started with cron syntax, this site is absolutely wonderful. It will give you examples, help with syntax, and help you figure out the schedule you want to run.
I'm trying to run a SQL Server Agent Job manually but keep getting an error that basically says the domain account is denied on sp_send_dbmail.
The job has multiple steps that run stored procedures. The domain account is sysadmin and it's also the owner of the job. Each step in the job runs as the sysadmin account and my account is also a sysadmin.
It should run under (I assume) sysadmin security context, but I'm lost why it keeps failing.
This is not a pure answer but a way to see what's going on :
On the machine that sends mail , please run :
EXEC master..xp_cmdshell 'whoami'
then see who is the user which tries to send mail and grant permission to that user.
Also ,go to the services.msc to your instance , right click , properties and go to logon as and see if that user has permissions.
After creating the instance, I can login using gcutil or ssh. I tried copy/paste from the ssh link listed at the bottom of the instance and get the same error message.
The permission denied error probably indicates that SSH private key authentication has failed. Assuming that you're using an image derived from the Debian or Centos images recommended by gcutil, it's likely one of the following:
You don't have any ssh keys loaded into your ssh keychain, and you haven't specified a private ssh key with the -i option.
None of your ssh keys match the entries in .ssh/authorized_keys for the account you're attempting to log in to.
You're attempting to log into an account that doesn't exist on the machine, or attempting to log in as root. (The default images disable direct root login – most ssh brute-force attacks are against root or other well-known accounts with weak passwords.)
How to determine what accounts and keys are on the instance:
There's a script that runs every minute on the standard Compute Engine Centos and Debian images which fetches the 'sshKeys' metadata entry from the metadata server, and creates accounts (with sudoers access) as necessary. This script expects entries of the form "account:\n" in the sshKeys metadata, and can put several entries into authorized_keys for a single account. (or create multiple accounts if desired)
In recent versions of the image, this script sends its output to the serial port via syslog, as well as to the local logs on the machine. You can read the last 1MB of serial port output via gcutil getserialportoutput, which can be handy when the machine isn't responding via SSH.
How gcutil ssh works:
gcutil ssh does the following:
Looks for a key in $HOME/.ssh/google_compute_engine, and calls ssh-keygen to create one if not present.
Checks the current contents of the project metadata entry for sshKeys for an entry that looks like ${USER}:$(cat $HOME/.ssh/google_compute_engine.pub)
If no such entry exists, adds that entry to the project metadata, and waits for up to 5 minutes for the metadata change to propagate and for the script inside the VM to notice the new entry and create the new account.
Once the new entry is in place, (or immediately, if the user:key was already present) gcutil ssh invokes ssh with a few command-line arguments to connect to the VM.
A few ways this could break down, and what you might be able to do to fix them:
If you've removed or modified the scripts that read sshKeys, the console and command line tool won't realize that modifying sshKeys doesn't work, and a lot of the automatic magic above can get broken.
If you're trying to use raw ssh, it may not find your .ssh/google_compute_engine key. You can fix this by using gcutil ssh, or by copying your ssh public key (ends in .pub) and adding to the sshKeys entry for the project or instance in the console. (You'll also need to put in a username, probably the same as your local-machine account name.)
If you've never used gcutil ssh, you probably don't have a .ssh/google_compute_engine.pub file. You can either use ssh-keygen to create a new SSH public/private keypair and add it to sshKeys, as above, or use gcutil ssh to create them and manage sshKeys.
If you're mostly using the console, it's possible that the account name in the sshKeys entry doesn't match your local username, you may need to supply the -l argument to SSH.
Ensure that the permissions on your home directory and on the home directory of the user on the host you're connecting to are set to 700 ( owning user rwx only to prevent others seeing the .ssh subdirectory ).
Then ensure that the ~/.ssh directory is also 700 ( user rwx ) and that the authorized_keys is 600 ( user rw ) .
Private keys in your ~/.ssh directory should be 600 or 400 ( user rw or user r )
I was facing this issue for long time. Finally it was issue of ssh-add. Git ssh credentials were not taken into consideration.
Check following command might work for you:
ssh-add
I had the same problem and for some reason The sshKeys was not syncing up with my user on the instance.
I created another user by adding --ssh_user=anotheruser to gcutil command.
The gcutil looked like this
gcutil --service_version="v1" --project="project" --ssh_user=anotheruser ssh --zone="us-central1-a" "inst1"
I just experienced a similar message [ mine was "Permission denied (publickey)"] after connecting to a compute engine VM which I just created. After reading this post, I decided to try it again.
That time it worked. So i see 3 possible reasons for it working the second time,
connecting the second time resolves the problem (after the ssh key was created the first time), or
perhaps trying to connect to a compute engine immediately after it was created could also cause a problem which resolves itself after a while, or
merely reading this post resolves the problem
I suspect the last is unlikely :)
I found this error while connecting ec2 instance with ssh.
and it comes if i write wrong user name.
eg. for ubuntu I need to use ubuntu as user name
and for others I need to use ec2-user.
You haven't accepted an answer, so here's what worked for me in PuTTY:
Without allowing username changes, i got this question's subject as error on the gateway machine.
You need to follow this instructions
https://cloud.google.com/compute/docs/instances/connecting-to-instance#generatesshkeypair
If get "Permission denied (publickey)." with the follow command
ssh -i ~/.ssh/my-ssh-key [USERNAME]#[IP_ADDRESS]
you need to modify the /etc/ssh/sshd_config file and add the line
AllowUsers [USERNAME]
Then restart the ssh service with
service ssh restart
if you get the message "Could not load host key: /etc/ssh/ssh_host_ed25519_key" execute:
ssh-keygen -A
and finally restart the ssh service again.
service ssh restart
I followed everything from here:
https://cloud.google.com/compute/docs/instances/connecting-to-instance#generatesshkeypair
But still there was an error and SSH keys in my instance metadata wasn't getting recognized.
Solution: Check if your ssh key has any new-line. When I copied my public key using cat, it added into-lines into the key, thus breaking the key. Had to manually check any line-breaks and correct it.
The trick here is to use the -C (comment) parameter to specify your GCE userid. It looks like Google introduced this change last in 2018.
If the Google user who owns the GCE instance is myname#gmail.com (which you will use as your login userid), then generate the key pair with (for example)
ssh-keygen -b521 -t ecdsa -C myname -f mykeypair
When you paste mykeypair.pub into the instance's public key list, you should see "myname" appear as the userid of the key.
Setting this up will let you use ssh, scp, etc from your command line.
Add ssh public key to Google cloud
cat ~/.ssh/id_rsa.pub
go and click your VM instances
edit VM instances
add ssh public key(from id_rsa.pub) in SSH keys area
ssh login from Git bash on your computer
ssh -i ~/.ssh/id_rsa tiennt#x.y.z.120