Bug 27359 - Wrong password in /etc/machine.secret or /etc/libnss.secret after system setup
Status: CLOSED DUPLICATE of bug 26057
Product: UCS
Classification: Unclassified
Component: System setup
UCS 3.0
Other Linux
: P5 normal (vote)
: UCS 3.0-2
Assigned To: UCS maintainers
Jürgen Kahrs
: interim-1
Reported: 2012-05-30 15:07 CEST by Philipp Hahn
Modified: 2018-04-14 13:37 CEST (History)
Attachments
setup.log (93.95 KB, text/plain)
2012-05-30 15:07 CEST, Philipp Hahn
Description Philipp Hahn univentionstaff 2012-05-30 15:07:21 CEST
Created attachment 4412 [details]
setup.log

Installed a 3.0-0 amd64 master three times; on all 3 systems, logging in to the
UMC as Administrator shows only an empty welcome screen without modules;
as root I at least get the local modules.

The cause seems to be a problem with the host credentials.

# find /etc/univention/ssl \( -nouser -o -nogroup \) -ls
606566    4 drwxr-xr-x   5 root     5005         4096 Mai 29 10:22 /etc/univention/ssl
606616    4 drwxr-x---   2 2001     5005         4096 Mai 29 10:22 /etc/univention/ssl/mas42.dom2.dev
606619    4 -rwxr-x---   1 2001     5005          806 Mai 29 10:22 /etc/univention/ssl/mas42.dom2.dev/req.pem
606618    4 -rwxr-x---   1 2001     5005          887 Mai 29 10:22 /etc/univention/ssl/mas42.dom2.dev/private.key
606620    8 -rwxr-x---   1 2001     5005         4332 Mai 29 10:22 /etc/univention/ssl/mas42.dom2.dev/cert.pem
606617    4 -rwxr-x---   1 2001     5005         3254 Mai 29 10:22 /etc/univention/ssl/mas42.dom2.dev/openssl.cnf
606591    4 drwxrwxr-x   6 root     5005         4096 Mai 29 10:22 /etc/univention/ssl/ucsCA
606623    4 -rw-rw-r--   1 root     5005           21 Mai 29 10:22 /etc/univention/ssl/ucsCA/index.txt.attr
606592    4 drwxrwx---   2 root     5005         4096 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs
606596    0 lrwxrwxrwx   1 root     5005           38 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/468c8c01.0 -> /etc/univention/ssl/ucsCA/certs/02.pem

# find /var/log -type f \( -name \*.gz -exec zgrep "Set permissons" {} + \) -o \( -not -name \*.gz -exec grep "Set permissons" {} + \)
/var/log/univention/listener.log:29.05.12 10:23:58.699  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:23:58.699  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/req.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:23:58.699  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/private.key with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:23:58.699  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/cert.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:23:58.699  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/openssl.cnf with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:04.488  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:04.488  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/req.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:04.488  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/private.key with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:04.489  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/cert.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:04.489  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/openssl.cnf with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:18.692  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:18.692  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/req.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:18.692  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/private.key with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:18.692  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/cert.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:24:18.692  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/openssl.cnf with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:25:02.226  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:25:02.226  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/req.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:25:02.226  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/private.key with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:25:02.226  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/cert.pem with owner/group 5005/2001
/var/log/univention/listener.log:29.05.12 10:25:02.226  LISTENER    ( PROCESS ) : CERTIFICATE: Set permissons for = /etc/univention/ssl/mas42.dom2.dev/openssl.cnf with owner/group 5005/2001

606613    8 -rw-rw-r--   1 root     5005         4346 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/01.pem
606602    0 lrwxrwxrwx   1 root     5005           38 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/33cdf4d8.0 -> /etc/univention/ssl/ucsCA/certs/00.pem
606601    4 -rw-rw----   1 root     5005         2004 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/00.pem
606625    8 -rw-rw-r--   1 root     5005         4332 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/02.pem
606614    0 lrwxrwxrwx   1 root     5005           38 Mai 29 10:22 /etc/univention/ssl/ucsCA/certs/432bf545.0 -> /etc/univention/ssl/ucsCA/certs/01.pem
606603    4 -rw-rw----   1 root     5005         3646 Mai 29 10:22 /etc/univention/ssl/ucsCA/CAreq.pem
606621    4 -rw-rw-r--   1 root     5005            3 Mai 29 10:22 /etc/univention/ssl/ucsCA/serial
606593    4 drwxrwx---   2 root     5005         4096 Mai 29 10:22 /etc/univention/ssl/ucsCA/crl
606604    4 -rw-rw-r--   1 root     5005         1109 Mai 29 10:22 /etc/univention/ssl/ucsCA/crl/crl.pem
606594    4 drwxrwx---   2 root     5005         4096 Mai 29 10:22 /etc/univention/ssl/ucsCA/newcerts
606595    4 drwxrwx---   2 root     5005         4096 Mai 29 10:22 /etc/univention/ssl/ucsCA/private
606599    4 -rw-rw----   1 root     5005         1743 Mai 29 10:22 /etc/univention/ssl/ucsCA/private/CAkey.pem
606610    4 -rw-rw-r--   1 root     5005            3 Mai 29 10:22 /etc/univention/ssl/ucsCA/serial.old
606600    4 -rw-r--r--   1 root     5006         2004 Mai 29 10:22 /etc/univention/ssl/ucsCA/CAcert.pem
606611    4 -rw-rw-r--   1 root     5005          129 Mai 29 10:22 /etc/univention/ssl/ucsCA/index.txt.old
606622    4 -rw-rw-r--   1 root     5005          252 Mai 29 10:22 /etc/univention/ssl/ucsCA/index.txt
606612    4 -rw-rw-r--   1 root     5005           21 Mai 29 10:22 /etc/univention/ssl/ucsCA/index.txt.attr.old
606605    4 drwx------   2 root     5005         4096 Mai 29 10:22 /etc/univention/ssl/master.univention.qa
606608    4 -rw-------   1 root     5005          814 Mai 29 10:22 /etc/univention/ssl/master.univention.qa/req.pem
606607    4 -rw-------   1 root     5005          891 Mai 29 10:22 /etc/univention/ssl/master.univention.qa/private.key
606609    8 -rw-------   1 root     5005         4346 Mai 29 10:22 /etc/univention/ssl/master.univention.qa/cert.pem
606606    4 -rw-------   1 root     5005         3260 Mai 29 10:22 /etc/univention/ssl/master.univention.qa/openssl.cnf
606597    0 lrwxrwxrwx   1 root     5005           34 Mai 29 10:22 /etc/univention/ssl/mas42 -> /etc/univention/ssl/mas42.dom2.dev
606598    4 -rw-rw----   1 root     5005         3342 Mai 29 10:22 /etc/univention/ssl/openssl.cnf
606590    4 -rw-rw----   1 root     5005            9 Mai 29 10:22 /etc/univention/ssl/password

# ldapsearch -H ldapi:/// -xLLL uidNumber=2001 dn uidNumber gidNumber
dn: cn=mas41,cn=dc,cn=computers,dc=dom1,dc=dev
uidNumber: 2001
gidNumber: 5005

# grep '^[^#]' /etc/libnss-ldap.conf
uri ldap://mas41.dom1.dev:7389
rootbinddn cn=mas41,cn=dc,cn=computers,dc=dom1,dc=dev
base dc=dom1,dc=dev
ldap_version 3
scope sub
ssl start_tls
tls_checkpeer no
nss_initgroups_ignoreusers root

# ucr get ldap/hostdn
cn=mas41,cn=dc,cn=computers,dc=dom1,dc=dev

# cat /etc/machine.secret /etc/libnss-ldap.secret
FHpg5jREFHpg5jRE

# ldapsearch -xLLL -H ldap://mas41.dom1.dev:7389 -D cn=mas41,cn=dc,cn=computers,dc=dom1,dc=dev -w FHpg5jRE cn=mas41
ldap_bind: Invalid credentials (49)

# /usr/sbin/univention-directory-manager computers/domaincontroller_master list --binddn $(ucr get ldap/hostdn) --bindpwd $(cat /etc/machine.secret)
authentication error: Authentication failed

# cat /var/log/univention/server_password_change.log /etc/machine.secret.old
cat: /var/log/univention/server_password_change.log: Datei oder Verzeichnis nicht gefunden
cat: /etc/machine.secret.old: Datei oder Verzeichnis nicht gefunden


The following helped:

pass=$(makepasswd --chars=8)
udm computers/domaincontroller_master modify --dn $(ucr get ldap/hostdn) --set
password="$pass"
echo -n "$pass" >/etc/machine.secret
echo "$pass" >/etc/libnss-ldap.secret
invoke-rc.d slapd restart
invoke-rc.d nscd restart
invoke-rc.d apache2 restart
invoke-rc.d univention-management-console-server restart
invoke-rc.d univention-management-console-web-server restart
invoke-rc.d postfix restart
invoke-rc.d univention-directory-notifier restart
invoke-rc.d univention-directory-listener restart
Comment 1 Philipp Hahn univentionstaff 2012-05-30 15:14:43 CEST
(In reply to comment #0)
> The following helped:
Once more with better line breaks because of the %!%$! Bugzilla line wrap:

pass=$(makepasswd --chars=8)
udm computers/domaincontroller_master modify \
 --dn "$(ucr get ldap/hostdn)" --set password="$pass"
echo -n "$pass" >/etc/machine.secret
echo "$pass" >/etc/libnss-ldap.secret
invoke-rc.d slapd restart
invoke-rc.d nscd restart
invoke-rc.d apache2 restart
invoke-rc.d univention-management-console-server restart
invoke-rc.d univention-management-console-web-server restart
invoke-rc.d postfix restart
invoke-rc.d univention-directory-notifier restart
invoke-rc.d univention-directory-listener restart
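
A consistency check for the host credential files touched by the workaround above, as an added example that is not part of the original bug report or of UCS. The file paths and `ucr get ldap/hostdn` are taken from this thread; the function names, the permission expectation and the LDAP URI argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): sanity checks for UCS host credentials.
# File paths and "ucr get ldap/hostdn" come from the thread; the function
# names and the "no group/other access" expectation are assumptions.

# Print a secret without trailing newline, so files written with
# "echo" and "echo -n" (as in the workaround) compare equal.
secret_value() { printf '%s' "$(cat "$1")"; }

# Succeed if both files are non-empty and hold the same password.
secrets_match() {
    [ -s "$1" ] && [ -s "$2" ] &&
        [ "$(secret_value "$1")" = "$(secret_value "$2")" ]
}

# Succeed if the file grants nothing to group or other (e.g. 600, 400).
secret_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Simple bind using the stored secret. -y takes the complete file content as
# the password (hence "echo -n" for machine.secret) and keeps it out of the
# process list, unlike "-w PASSWORD".
host_bind_ok() { ldapwhoami -x -H "$1" -D "$2" -y "$3" >/dev/null 2>&1; }

# check_host_credentials URI [MACHINE_SECRET] [NSS_SECRET]
# Prints one line per finding and returns the number of findings.
# An empty URI skips the bind test (offline use).
check_host_credentials() {
    uri=$1
    machine=${2:-/etc/machine.secret}
    nss=${3:-/etc/libnss-ldap.secret}
    findings=0
    secrets_match "$machine" "$nss" ||
        { echo "MISMATCH: $machine and $nss differ"; findings=$((findings + 1)); }
    for f in "$machine" "$nss"; do
        secret_mode_ok "$f" ||
            { echo "PERMS: $f is accessible to group/other"; findings=$((findings + 1)); }
    done
    if [ -n "$uri" ]; then
        host_bind_ok "$uri" "$(ucr get ldap/hostdn)" "$machine" ||
            { echo "BIND: bind as ldap/hostdn with $machine failed"; findings=$((findings + 1)); }
    fi
    return "$findings"
}
```

On the reporter's system the call would be `check_host_credentials ldap://mas41.dom1.dev:7389`, run as root before and after resetting the password.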
Comment 2 Alexander Kläser univentionstaff 2012-05-30 16:03:35 CEST
Bug 26057 should have fixed a similar problem.
Comment 3 Stefan Gohmann univentionstaff 2012-05-30 16:06:37 CEST
(In reply to comment #2)
> Bug 26057 should have fixed a similar problem.

IMHO this is identical.

*** This bug has been marked as a duplicate of bug 26057 ***
Comment 4 Alexander Kläser univentionstaff 2012-05-30 16:08:18 CEST
Please verify this once more for 3.0-2
Comment 5 Jürgen Kahrs univentionstaff 2012-06-20 11:46:06 CEST
On VM snapshots from May 2012 I could still reproduce the problem. With the current software I could no longer reproduce it. Every login (including the very first one) with the browser (as Administrator) to the UMC of a new master immediately gave me an overview of all UMC modules. So the problem is solved.
Comment 6 Stefan Gohmann univentionstaff 2012-07-20 15:24:15 CEST
UCS 3.0-2 has been released: 
  http://forum.univention.de/viewtopic.php?f=54&t=1905

If this error occurs again, please use "Clone This Bug".