Symptoms
Some domain administrators cannot log in to Parallels Plesk Panel.
For example, the cannotlogin.tld domain administrator cannot log in, whereas the canlogin.tld domain administrator can log in with no issues.
What is the reason for this selective behavior?
Cause
Most probably, logins to Parallels Plesk Panel (PP) are being handled through Parallels Power Panel (PPP).
PPP checks whether a login is allowed in this sequence:
1) If there is a system user with the supplied name, PPP checks the password and the system user's group ID; if the user is not a member of the group with ID 0 or the password is wrong, access is denied.
2) If there is no such system user, the authentication is passed through to PP as is, and PPP redirection is disabled for this session entirely (so that PP manages further access).
Thus, there are a few possible explanations for the above symptoms, including the following:
- There is no system user with the name canlogin.tld.
- There is a system user with the name cannotlogin.tld, and that user is not a member of the group with ID 0.
In general, domain administrator logins through PPP are declared unsupported (because it is not possible to check domain-level logins at the first step).
Resolution
You have at least two options to solve the issue:
- Disable PPP for the container.
- Rename the corresponding system users so that they do not match any domain administrator login names (domain names).
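To find which login names collide with system users, the check sequence from the Cause section can be replayed against a container's passwd and group files. The script below is an added example, not Parallels code; the function names, outcome labels and sample file contents are constructed, and it assumes that either a primary GID of 0 or a listing in a group with GID 0 counts as membership.

```shell
#!/bin/sh
# Added example (not Parallels code): predict how the PPP login sequence
# described above treats a login name, given passwd/group-format files.

# has_user NAME PASSWD_FILE: succeed if a system user with that name exists.
has_user() {
    awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }' "$2"
}

# in_gid0 NAME PASSWD_FILE GROUP_FILE: succeed if the user's primary GID is 0
# or the user is listed in a group with GID 0 (assumption: either counts).
in_gid0() {
    awk -F: -v u="$1" '$1 == u && $4 == "0" { f = 1 } END { exit !f }' "$2" && return 0
    awk -F: -v u="$1" '$3 == "0" { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) f = 1 } END { exit !f }' "$3"
}

# classify_login NAME PASSWD_FILE GROUP_FILE: print one outcome label.
classify_login() {
    if ! has_user "$1" "$2"; then
        echo "passed-through-to-PP"   # step 2: no such system user
    elif in_gid0 "$1" "$2" "$3"; then
        echo "PPP-checks-password"    # step 1: name matches, group ID 0
    else
        echo "denied-by-PPP"          # step 1: name matches, not in group 0
    fi
}

# make_sample DIR: write constructed passwd/group files for the demo.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
opsadmin:x:1000:1000:constructed admin:/home/opsadmin:/bin/bash
cannotlogin.tld:x:10001:2000:constructed user:/home/cannotlogin.tld:/bin/false
EOF
    cat > "$1/group" <<'EOF'
root:x:0:opsadmin
siteusers:x:2000:
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
for name in cannotlogin.tld canlogin.tld opsadmin; do
    printf '%s: %s\n' "$name" "$(classify_login "$name" "$tmp/passwd" "$tmp/group")"
done
rm -rf "$tmp"
```

Inside a container, pass `/etc/passwd` and `/etc/group` to `classify_login` for each domain administrator login name; every name reported as `denied-by-PPP` is a candidate for the rename option.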