Can someone help me with this? I'm really stumped here.

Is your Zabbix web front end integrated with Active Directory or some other external authentication mechanism, or is it "standalone", meaning all users, passwords, etc. are stored in the Zabbix database?

If you run the "Audit" report for all actions for one of the new users, are there any clues in the audit report about what may be causing problems for the user?

Are you comfortable running an SQL query against the "users" table in you zabbix database, to see if there are any obvious differences between working accounts and non-working accounts? I'm thinking something like:

You may want to add other columns to the comparison, but I would probably start with those columns.

Thank you for your answer!

No, the service is local auth, not connected to our LDAP.
The audit only says "Login failed" on the login attempts and nothing else.
I did check the database, but I didn't see what would be wrong with it. I attached a screencap.



The new account is on the bottom of the table, I don't see what could be wrong with it. All the new accounts I created (deleted already) have looked the same, but still couldn't log in with the password I set for them.

Ok, thanks for providing that information. I didn't think the Audit report would solve the mystery, but it's always worth checking that first, since it's easy to do.

I have a theory, but it's just a guess.

If you look at the encrypted passwd column (which I probably would have obscured if I was going to post it, but I'm glad you didn't in this case), only the guest account and the new account have passwords that start with "$2y$10$". All your other passwords are just 32 bytes of hex characters, but the new one isn't and the guest password isn't.

"$2y$10$" may just look like any "random" part of an encrypted passphrase, but it's actually not. A lot of encryption routines that work like the Linux crypt() function use the first part of the encrypted password to specify not just a salt but what backend algorithm was used to encrypt the passphrase. You can look at the man page for 'crypt' on a Linux system, specifically the section about "Glibc notes" that describes what the $ section at the start of the encrypted blob actually means.

The PHP developers decided they liked the selectable-backend for encryption, so they made the PHP crypt() routine work in a similar (but not compatible) way, see: PHP crypt function

Reading the web documentation for the PHP crypt function, you can identify that the $2y at the start of those passphrases identify the remainder as using the Blowfish encryption algorithm. The $10 after it relates to the Blowfish cost parameter.

What seems to be going on here is that your older users used Zabbix's original encryption mechanism for passwords, but your new users are getting a new method, possibly because of the version of PHP you're using now.

I took a quick look at the release notes for Zabbix 5.2 and didn't see anything mentioned about "support for new encryption for user passwords" or anything similar, but I couldn't find any mention of changes there. It might be worth it if you looked through the 5.0 and 5.2 release notes and list of changes, to see if you can spot anything related to PHP encryption or user passwords. I would hope a change like this is mentioned somewhere in the release notes.

You may also want to look through your php.ini and the pool setting for your PHP-FPM (assuming you're using php-fpm with the web front end), to see if any crypt-related settings have been enabled.

Something is causing your current version of Zabbix with your current PHP to use a newer encryption method than was used previously, and for some reason this is what's breaking things for you.

You can verify this by updating the database directly for the new user in question, just as a test. For example, assuming you know the passphrase for Admin or for some other user (like yourself), you can just apply that encrypted passphrase to the new user, something like:

and then test logging in as the new user using the passphrase for the user you copied. Obviously that isn't a long-term solution, it's just to test the theory.

If that proves true, I think you need to spend some time looking at the 5.0 and 5.2 release notes and list of changes, to see if you spot anything related to encryption. That might tell us what we need to do to make the newer methods work for your install.

Thank you for the detailed answer!

I actually intentionally did not obscure the hash because I found it weird too (you can only see the first half anyway, I didn't show all of it). I guess I was right to suspect something was going on with that, thanks for confirming.

Actually, I inherited this Zabbix system from another admin, and it was woefully neglected for years. The VM under it was still running 16.04(Xenial) for no reason when 20.04(Focal) was out for months, no updates, no nothing. I actually had to upgrade Zabbix from 3.0 to 5.0 and that caused quite a few problems along with the release upgrade. One of which was the database upgrade to the new engine and of course PHP and everything else. It took weeks to finally get everything up and running, but it was working fine ever since (since last winter). Well, up until I tried to create a new user...

So somewhere along the way the PHP encryption changed. That actually makes sense, since the hashes looked fishy for me as well. Some users don't even have a hash in DB, which is weird, since they have proper accounts.

Now, one question remains, if this is a PHP issue or a Zabbix issue? I'll have a look in the PHP and Zabbix settings, but I really would appreciate some pointers.

So I did a quick web search for "zabbix 5 crypt encryption" and turned up this blog post, which makes it clear the change is in Zabbix:

https://blog.zabbix.com/zabbix-5-0-s...vements/10929/

See Item #5 on the list of improvements. That confirms that the new format passwords are part of the Zabbix changes at 5.x.

Now the question is why are you not able to authenticate?

Since you've mentioned that this was an old install and it has been upgraded, I would compare your "users" table, especially the passwd column, to the same table that you would get from creating a brand new database via the "create.sql" that's part of a fresh install. It's possible that something went awry as part of your upgrades and something is missing or hasn't been altered appropriately.

Grab the "create.sql.gz" from a fresh version and look at the table definition to see if it matches what you have.

Hi,

I'm having a similar problem. I've installed a few months ago Zabbix 5.4. Later, I've activated LDAP authentication. All works fine. But since last week, I cannot log in with "some users". What I've tried is:

1. Login using a local account. Some local accounts works, other ones doesn't.
2. Login using an ldap account. Some ldap accounts works, other ones doesn't.
3. I've tried to change password of local accounts (via Administration - Users, via updating the database). Doesn't worked.
4. Create new users (ldap or local). Didn't work.
5. In the Audit section, only "login failed" i shown.
6. I've tried from other computers, and the behaviour is exactly the same.

And a possible workaround (but I cannot login with domain accounts):
7. If I disable ldap authentication, then all local accounts could log in (and I can create local accounts that works). But if I enable ldap authentication again, doesn't work.

I'm still trying to look for a solution; suppose there's something about authentication, or certificates, or my astrological sign, or something else... but I've dicided to post it here. Maybe it's useful for someone.

Regards,

Good day,

I know that it seems to be an old thread, but we still use the old version of Zabbix here.
Had the same problem and found out that problem still occurs, but only in firefox browser.
Did the login change on chrome and everything works just fine now.