KNOWLEDGE BASE

Authentication error: "Incorrect username or password, or username not member of administrative group?" Using "tsm login -u username"


Published: 30 Jan 2018
Last Modified Date: 03 Aug 2018

Issue

Logging into Tableau Services Manager (TSM) using "tsm login -u username" after installation fails and the following error might occur:

"Authentication error. Incorrect username or password, or username not member of administrative group?"

Environment

  • Tableau Server
  • TSM
  • CentOS Linux 7

Resolution

Step 1 - applies only to Tableau Server v10.5

The "tableau" and "tsmagent" accounts need nopasswd login permission in /etc/sudoers, and "tableau" needs su permissions.

  • To ensure tableau has su permissions, verify file mode of /bin/su is -rwsr-xr-x.

    • For example, -rwsr-xr-x. 1 root root 30092 Jun 22 2012 /bin/su
  • If not please run chmod 4755 /bin/su

Step 2 - applies to all versions

Make sure you are installing as a sudo user or, if installing as the root user, TSM is initialized using the -a flag to specify a non-root TSM user. When trying to login to TSM as root user the same error may occur:

"Authentication error. Incorrect username or password, or username not member of administrative group?"

Step 3 - applies to all versions

Review your pam.d configuration with the steps below:

Important: The instructions in this section are intended for an IT professional who is comfortable editing the pam.d configuration. Please note that toubleshooting pam.d configuration edits is outside the scope of Tableau Technical Support.

Look at your pam.d file with the below command: 
 
sudo cat /etc/pam.d/su
 
If the file contains the below line, comment it out with a #, and save it.
 
auth       required     pam_wheel.so use_uid
 
Alternatively, add the tableau user to the wheel group:

sudo usermod -a -G wheel <user>

 
​Try to log in again with your tsm user:
 
tsm login -u <user>

Cause

The "tableau" account has incorrect permissions on the Linux VM.

Additional Information

/bin/su  needs to have the set-uid bit turned on, so that it always runs with root permissions, otherwise when an ordinary (non-root) user runs it, it will not have access to the password info in /etc/shadow nor the ability to set the userid to the desired new user. It also must have the group and other write bits turned off, so that other users cannot alter it.

For more information, see the following questions and answers: 

Did this article resolve the issue?