Univention Bugzilla – Bug 27359
Wrong password in /etc/machine.secret and /etc/libnss.secret after system setup
Last modified: 2018-04-14 13:37:09 CEST
Created attachment 4412 setup.log

Installed a 3.0-0 amd64 master three times; on all 3 systems, logging in to the UMC as Administrator shows only an empty welcome screen without modules; as root I at least get the local modules.

The cause seems to be a problem with the host credentials.

# find /etc/univention/ssl \( -nouser -o -nogroup \) -ls
606566 4 drwxr-xr-x 5 root 5005 4096 Mai 29 10:22 /etc/univention/ssl
606616 4 drwxr-x--- 2 2001 5005 4096 Mai 29 10:22 /etc/univention/ssl/mas42.dom2.dev
606619 4 -rwxr-x--- 1 2001 5005 806 Mai 29 10:22 /etc/univention/ssl/mas42.dom2.dev/req.pem
606618 4 -rwxr-x--- 1 2001 5005 887 Mai 29 10:22 /etc/univention/ssl/mas42.dom2.dev/private.key
606620 8 -rwxr-x--- 1 2001 5005 4332 Mai 29 10:22 /etc/univention/ssl/mas42.dom2.dev/cert.pem
606617 4 -rwxr-x--- 1 2001 5005 3254 Mai 29 10:22 /etc/univention/ssl/mas42.dom2.dev/openssl.cnf
606591 4 drwxrwxr-x 6 root 5005 4096 Mai 29 10:22 /etc/univention/ssl/ucsCA
606623 4 -rw-rw-r-- 1 root 5005 21 Mai 29 10:22 /etc/univention/ssl/ucsCA/index.txt.attr
606592 4 drwxrwx--- 2 root 5005 4096 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs
606596 0 lrwxrwxrwx 1 root 5005 38 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/468c8c01.0 -> /etc/univention/ssl/ucsCA/certs/02.pem
# find /var/log -type f \( -name \*.gz -exec zgrep "Set permissons" {} + \) -o \( -not -name \*.gz -exec grep "Set permissons" {} + \)
/var/log/univention/listener.log:29.05.12 10:23:58.699 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:23:58.699 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/req.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:23:58.699 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/private.key with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:23:58.699 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/cert.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:23:58.699 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/openssl.cnf with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:04.488 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:04.488 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/req.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:04.488 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/private.key with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:04.489 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/cert.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:04.489 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/openssl.cnf with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:18.692 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:18.692 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/req.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:18.692 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/private.key with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:18.692 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/cert.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:18.692 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/openssl.cnf with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:25:02.226 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:25:02.226 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/req.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:25:02.226 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/private.key with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:25:02.226 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/cert.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:25:02.226 LISTENER ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/openssl.cnf with owner/group 5005/2001
606613 8 -rw-rw-r-- 1 root 5005 4346 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/01.pem
606602 0 lrwxrwxrwx 1 root 5005 38 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/33cdf4d8.0 -> /etc/univention/ssl/ucsCA/certs/00.pem
606601 4 -rw-rw---- 1 root 5005 2004 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/00.pem
606625 8 -rw-rw-r-- 1 root 5005 4332 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/02.pem
606614 0 lrwxrwxrwx 1 root 5005 38 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/432bf545.0 -> /etc/univention/ssl/ucsCA/certs/01.pem
606603 4 -rw-rw---- 1 root 5005 3646 Mai 29 10:22 /etc/univention/ssl/ucsCA/CAreq.pem
606621 4 -rw-rw-r-- 1 root 5005 3 Mai 29 10:22 /etc/univention/ssl/ucsCA/serial
606593 4 drwxrwx--- 2 root 5005 4096 Mai 29 10:22 /etc/univention/ssl/ucsCA/crl
606604 4 -rw-rw-r-- 1 root 5005 1109 Mai 29 10:22 /etc/univention/ssl/ucsCA/crl/crl.pem
606594 4 drwxrwx--- 2 root 5005 4096 Mai 29 10:22 /etc/univention/ssl/ucsCA/newcerts
606595 4 drwxrwx--- 2 root 5005 4096 Mai 29 10:22 /etc/univention/ssl/ucsCA/private
606599 4 -rw-rw---- 1 root 5005 1743 Mai 29 10:22 /etc/univention/ssl/ucsCA/private/CAkey.pem
606610 4 -rw-rw-r-- 1 root 5005 3 Mai 29 10:22 /etc/univention/ssl/ucsCA/serial.old
606600 4 -rw-r--r-- 1 root 5006 2004 Mai 29 10:22 /etc/univention/ssl/ucsCA/CAcert.pem
606611 4 -rw-rw-r-- 1 root 5005 129 Mai 29 10:22 /etc/univention/ssl/ucsCA/index.txt.old
606622 4 -rw-rw-r-- 1 root 5005 252 Mai 29 10:22 /etc/univention/ssl/ucsCA/index.txt
606612 4 -rw-rw-r-- 1 root 5005 21 Mai 29 10:22 /etc/univention/ssl/ucsCA/index.txt.attr.old
606605 4 drwx------ 2 root 5005 4096 Mai 29 10:22 /etc/univention/ssl/master.univention.qa
606608 4 -rw------- 1 root 5005 814 Mai 29 10:22 /etc/univention/ssl/master.univention.qa/req.pem
606607 4 -rw------- 1 root 5005 891 Mai 29 10:22 /etc/univention/ssl/master.univention.qa/private.key
606609 8 -rw------- 1 root 5005 4346 Mai 29 10:22 /etc/univention/ssl/master.univention.qa/cert.pem
606606 4 -rw------- 1 root 5005 3260 Mai 29 10:22 /etc/univention/ssl/master.univention.qa/openssl.cnf
606597 0 lrwxrwxrwx 1 root 5005 34 Mai 29 10:22 /etc/univention/ssl/mas42 -> /etc/univention/ssl/mas42.dom2.dev
606598 4 -rw-rw---- 1 root 5005 3342 Mai 29 10:22 /etc/univention/ssl/openssl.cnf
606590 4 -rw-rw---- 1 root 5005 9 Mai 29 10:22 /etc/univention/ssl/password

# ldapsearch -H ldapi:/// -xLLL uidNumber=2001 dn uidNumber gidNumber
dn: cn=mas41,cn=dc,cn=computers,dc=dom1,dc=dev
uidNumber: 2001
gidNumber: 5005

# grep '^[^#]' /etc/libnss-ldap.conf
uri ldap://mas41.dom1.dev:7389
rootbinddn cn=mas41,cn=dc,cn=computers,dc=dom1,dc=dev
base dc=dom1,dc=dev
ldap_version 3
scope sub
ssl start_tls
tls_checkpeer no
nss_initgroups_ignoreusers root

# ucr get ldap/hostdn
cn=mas41,cn=dc,cn=computers,dc=dom1,dc=dev

# /etc/machine.secret /etc/libnss-ldap.secret
FHpg5jREFHpg5jRE

# ldapsearch -xLLL -H ldap://mas41.dom1.dev:7389 -D cn=mas41,cn=dc,cn=computers,dc=dom1,dc=dev -w FHpg5jRE cn=mas41
ldap_bind: Invalid credentials (49)

# /usr/sbin/univention-directory-manager computers/domaincontroller_master list --binddn $(ucr get ldap/hostdn) --bindpwd $(cat /etc/machine.secret)
authentication error: Authentication failed

# cat /var/log/univention/server_password_change.log /etc/machine.secret.old
cat: /var/log/univention/server_password_change.log: Datei oder Verzeichnis nicht gefunden
cat: /etc/machine.secret.old: Datei oder Verzeichnis nicht gefunden

The following helped:

pass=$(makepasswd --chars=8)
udm computers/domaincontroller_master modify --dn $(ucr get ldap/hostdn) --set password="$pass"
echo -n "$pass" >/etc/machine.secret
echo "$pass" >/etc/libnss-ldap.secret
invoke-rc.d slapd restart
invoke-rc.d nscd restart
invoke-rc.d apache2 restart
invoke-rc.d univention-management-console-server restart
invoke-rc.d univention-management-console-web-server restart
invoke-rc.d postfix restart
invoke-rc.d univention-directory-notifier restart
invoke-rc.d univention-directory-listener restart
(In reply to comment #0)
> The following helped:

Once more with better line breaks because of the %!%$! Bugzilla line wrap:

pass=$(makepasswd --chars=8)
udm computers/domaincontroller_master modify \
  --dn "$(ucr get ldap/hostdn)" --set password="$pass"
echo -n "$pass" >/etc/machine.secret
echo "$pass" >/etc/libnss-ldap.secret
invoke-rc.d slapd restart
invoke-rc.d nscd restart
invoke-rc.d apache2 restart
invoke-rc.d univention-management-console-server restart
invoke-rc.d univention-management-console-web-server restart
invoke-rc.d postfix restart
invoke-rc.d univention-directory-notifier restart
invoke-rc.d univention-directory-listener restart
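Added example (not part of the bug thread and not Univention code): a POSIX shell audit of the two host-credential files that the workaround in the comments above rewrites, plus a bind test that reads the password from the file instead of passing it with -w. The function names are hypothetical, and that both files should be readable by their owner only is an assumption.

```shell
#!/bin/sh
# Added example, not from the bug thread. Function names are hypothetical.
# Assumption: both secret files should be readable by their owner only.

# check_host_secrets MACHINE_SECRET LIBNSS_SECRET
# Prints one finding per line; returns 0 only when nothing was found.
check_host_secrets() {
    rc=0
    for f in "$1" "$2"; do
        if [ ! -s "$f" ]; then
            echo "MISSING-OR-EMPTY $f"; rc=1; continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        bits=$(ls -ld -- "$f" | cut -c5-10)
        case $bits in
            ------) ;;
            *) echo "MODE $f grants group/other access ($bits)"; rc=1 ;;
        esac
    done
    # $(...) strips trailing newlines, so a file written with "echo -n" and
    # one written with plain "echo" compare equal when the password matches.
    if [ -s "$1" ] && [ -s "$2" ] && [ "$(cat -- "$1")" != "$(cat -- "$2")" ]; then
        echo "MISMATCH $1 and $2 hold different passwords"; rc=1
    fi
    return "$rc"
}

# verify_bind LDAP_URI HOST_DN SECRET_FILE
# Live check on the host itself: bind as the host account. -y makes
# ldapsearch read the password from the file, so it never shows up in argv.
# -y uses the complete file contents, so pass the file without a trailing
# newline (the one written with "echo -n").
verify_bind() {
    ldapsearch -x -LLL -H "$1" -D "$2" -y "$3" -b "$2" -s base dn >/dev/null
}

# Usage on the affected master (values as shown in the thread):
#   check_host_secrets /etc/machine.secret /etc/libnss-ldap.secret
#   verify_bind ldap://mas41.dom1.dev:7389 "$(ucr get ldap/hostdn)" /etc/machine.secret
```

A clean check_host_secrets run only shows that the two files agree with each other; whether they agree with the password stored in LDAP is what verify_bind tests.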
Bug 26057 should have fixed a similar problem.
(In reply to comment #2)
> Bug 26057 should have fixed a similar problem.

IMHO this is identical.

*** This bug has been marked as a duplicate of bug 26057 ***
Please verify once more for 3.0-2
On VM snapshots from May 2012 I could still reproduce the problem. With the current software I could no longer reproduce it. Every login (including the very first one) with the browser (as Administrator) to the UMC of a new master immediately gave me an overview of all UMC modules. So the problem is solved.
UCS 3.0-2 has been released: http://forum.univention.de/viewtopic.php?f=54&t=1905 If this error occurs again, please use "Clone This Bug".