Bug 49587 - Cron running in Horde container triggers server password change
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail - Horde
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Assigned To: Johannes Keiser
QA Contact: Dirk Wiesenthal
Duplicates: 49449
Depends on: 48486
 
Reported: 2019-06-03 14:27 CEST by Felix Botner
Modified: 2019-11-22 08:40 CET

What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.343
Enterprise Customer affected?: Yes
Ticket number: 2019100121000379
Description Felix Botner univentionstaff 2019-06-03 14:27:45 CEST
+++ This bug was initially created as a clone of Bug #48486 +++

As described in this forum post:
https://help.univention.com/t/horde-container-machine-password-mismatch-in-configuration-users-cannot-login/10944

We have a machine running UCS: 4.3-2 errata390 as Univention master with the following modules:
Installed: dhcp-server=12.0 horde=5.2.17-2 mailserver=12.0 nagios=4.3 self-service=3.0

The Horde container was freshly (re-)installed when it was updated from version 5.2.7 due to problems with the update.

Inside the container the cron daemon is enabled and running. It is triggering a server password update, which is not reflected in /etc/horde/horde/conf.d/10-ucs.php. Due to this, users are not able to log in to Horde after that password update and we need to run "ucr commit /etc/horde/horde/conf.d/10-ucs.php", which again copies the machine password to the LDAP config section.

Is the cron daemon supposed to be running?
Comment 1 Felix Botner univentionstaff 2019-06-03 14:35:30 CEST
(In reply to Stefanie Schneider from comment #7)
> I did the horde update in a customer environment last friday and the same
> behaviour appeared again. 
> 
> _____________________________________________________________
> root@ucs05:~# univention-app info
> UCS: 4.3-4 errata523
> Installed: horde=5.2.17-3
> 
> ______________________________________________________________
> After the update to 5.2.17-3, I unset the ucr variable
> server/password/change, which was set to "false" before. 
> 
> ___________________________________________________________
> var/log/univention/server_password_change.log:
> 
> Starting server password change (Fri May 31 01:01:23 UTC 2019)
> Server password change is disabled by the UCR variable server/password/change
> Starting server password change (Sat Jun  1 01:05:54 UTC 2019)
> Proceeding with regular server password change scheduled for today
> ntion-mail-server prechange
> rechange
> ion-libnss-ldap prechange
> ion-nscd prechange
> merhaven,dc=intranet
> ntion-mail-server postchange
> File: /etc/listfilter.secret
> Multifile: /etc/postfix/ldap.distlist
> Multifile: /etc/postfix/ldap.groups
> Multifile: /etc/postfix/ldap.external_aliases
> Multifile: /etc/postfix/ldap.sharedfolderlocal
> Multifile: /etc/postfix/ldap.virtualwithcanonical
> Multifile: /etc/postfix/ldap.virtual_mailbox
> Multifile: /etc/postfix/ldap.sharedfolderremote
> Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
> Multifile: /etc/postfix/ldap.virtual
> Multifile: /etc/postfix/ldap.canonicalrecipient
> Multifile: /etc/postfix/ldap.transport
> Multifile: /etc/postfix/ldap.canonicalsender
> Multifile: /etc/postfix/ldap.saslusermapping
> Multifile: /etc/postfix/ldap.virtualdomains
> ostchange
> File: /etc/horde/horde/conf.d/10-ucs.php
> ion-libnss-ldap postchange
> File: /etc/libnss-ldap.conf
> ion-nscd postchange
> Restarting nscd (via systemctl): nscd.service.
> done (Sat Jun  1 01:06:00 UTC 2019)
> Starting server password change (Sun Jun  2 01:06:18 UTC 2019)
> No server password change scheduled for today, terminating without a change
> Starting server password change (Mon Jun  3 01:07:29 UTC 2019)
> No server password change scheduled for today, terminating without a change

Some more info: 
root@horde-24172180:/# dpkg -l univention-mail-horde 
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  univention-mai 4.0.0-9A~4.3 all          UCS - horde webmail
Comment 2 Felix Botner univentionstaff 2019-06-03 14:38:42 CEST
I could not reproduce this:

* Installed horde 5.2.17-2.
* Changed machine password inside the container (now horde is broken)
* ucr commit /etc/horde/horde/conf.d/10-ucs.php (now horde works)
* app update to 5.2.17-3
* horde works
* Changed machine password inside the container
* horde still works
Comment 3 Kevin 2019-06-03 14:57:22 CEST
It happens on its own after a period of time. Presumably this is because of some cron job. I don't think it happens every day though, maybe weekly or based on some other trigger. I usually find out when one of the users needs to log into webmail for some reason and they can't.

My fix which looks to be the same as yours, just through the GUI, is to simply hit apply in the horde settings. Then it will work again.

The next time someone needs to log in it's broken. Most of the users I work with only use webmail for changing their vacation message or for very specific circumstances when they don't have their computer or phone handy for some reason. 

The last incident a user tried to set up the vacation filter and couldn't log in so I applied settings. They got back from vacation a week later and couldn't log in to turn it off.
Comment 4 Felix Botner univentionstaff 2019-09-09 09:38:25 CEST
OK, we figured out the problem, cron starts the horde pw change hook correctly and updates the machine password in /etc/horde/horde/conf.d/10-ucs.php, but it seems that cron does not have access to the docker environment variables, which are used in the template for the rest of the ldap configuration, and we end up with:

print "$conf['ucs']['ldaprdn'] = ''
print "$conf['ucs']['ldappass'] = 'newpassword'
print "$conf['ucs']['ldapbase'] = ''
print "$conf['ucs']['ldaphost'] = ''
print "$conf['ucs']['ldapport'] = ''
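
A check for the broken state shown in comment 4, added here as an example (it is not part of the original report and not Univention code): it scans the rendered config text and reports LDAP settings that are missing or empty, so a job run after the server password change can alert before users hit failed logins. The key names are those quoted in the comment; both sample texts and all values in them are constructed.

```python
import re

# Matches assignments such as: $conf['ucs']['ldaphost'] = 'value';
ASSIGN = re.compile(r"\$conf\['(\w+)'\]\['(\w+)'\]\s*=\s*'((?:[^'\\]|\\.)*)'")

# Key names as quoted in comment 4.
REQUIRED = [('ucs', k) for k in
            ('ldaprdn', 'ldappass', 'ldapbase', 'ldaphost', 'ldapport')]

def empty_settings(php_text, required=REQUIRED):
    """Return the required (section, key) pairs that are missing or set to ''."""
    # A later assignment overrides an earlier one, as it would in PHP.
    seen = {(sec, key): val for sec, key, val in ASSIGN.findall(php_text)}
    return [pair for pair in required if not seen.get(pair)]

# Constructed sample: the file after a cron-triggered password change,
# where only the password was filled in.
BROKEN = """
$conf['ucs']['ldaprdn'] = '';
$conf['ucs']['ldappass'] = 'newpassword';
$conf['ucs']['ldapbase'] = '';
$conf['ucs']['ldaphost'] = '';
$conf['ucs']['ldapport'] = '';
"""

# Constructed sample: a fully rendered file (all values are placeholders).
HEALTHY = """
$conf['ucs']['ldaprdn'] = 'cn=horde-example,dc=example,dc=test';
$conf['ucs']['ldappass'] = 'newpassword';
$conf['ucs']['ldapbase'] = 'dc=example,dc=test';
$conf['ucs']['ldaphost'] = 'ldap.example.test';
$conf['ucs']['ldapport'] = '389';
"""

if __name__ == '__main__':
    for name, text in (('broken', BROKEN), ('healthy', HEALTHY)):
        missing = empty_settings(text)
        print(name, 'OK' if not missing else 'EMPTY: %s' % missing)
```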
Comment 5 Jannik Ahlers univentionstaff 2019-09-25 14:43:34 CEST
It is normal behavior that cron has no access to docker environment variables.
I changed the ucr template for etc/horde/horde/conf.d/10-ucs.php so that it uses ucr instead of environment vars.

I put this into the test appcenter as:
5.2.17-4	horde_20190925130937	unpublished

Successful build
Package: univention-mail-horde
Version: 4.0.0-11A~4.3.0.201909251337
Branch: ucs_4.3-0
Scope: horde
Comment 6 Dirk Wiesenthal univentionstaff 2019-10-01 16:26:10 CEST
Fail:

print "$conf['sql']['password']   = '%s';" % password

is empty because of

if 'DB_PASSWORD' in os.environ:
        password = os.environ['DB_PASSWORD']
else:
        password = ''


Please read /etc/horde.secret
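
The failure discussed in comments 4 to 6, as an added example that is not part of the original report or of Univention's template: the environment-variable pattern quoted above renders an empty password when run with a cron-style environment, while reading the secret from a file does not depend on the caller's environment and can refuse to write an empty value. The two environments, the password, the temporary file standing in for /etc/horde.secret and the helper `php_quote` are assumptions made for this sketch.

```python
import os
import tempfile

def php_quote(value):
    """Escape a value for a single-quoted PHP string literal (helper added here)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def render_from_env(environ):
    """Pattern quoted in comment 6: a missing variable silently becomes ''."""
    if 'DB_PASSWORD' in environ:
        password = environ['DB_PASSWORD']
    else:
        password = ''
    return "$conf['sql']['password']   = '%s';" % php_quote(password)

def render_from_secret(secret_path):
    """Read the password from a file and refuse to render an empty value."""
    with open(secret_path) as handle:
        password = handle.read().rstrip('\n')
    if not password:
        raise ValueError("no password in %s, keeping the old config" % secret_path)
    return "$conf['sql']['password']   = '%s';" % php_quote(password)

def demo():
    # Constructed environments: what the container's main process sees
    # versus the minimal environment a cron job gets.
    container_env = {'PATH': '/usr/sbin:/usr/bin:/sbin:/bin',
                     'DB_PASSWORD': 'constructed-pw'}
    cron_env = {'PATH': '/usr/bin:/bin', 'SHELL': '/bin/sh', 'HOME': '/root'}
    # A temporary file stands in for /etc/horde.secret.
    with tempfile.NamedTemporaryFile('w', suffix='.secret', delete=False) as tmp:
        tmp.write('constructed-pw\n')
    try:
        return {
            'env_in_container': render_from_env(container_env),
            'env_under_cron': render_from_env(cron_env),
            'secret_under_cron': render_from_secret(tmp.name),
        }
    finally:
        os.unlink(tmp.name)

if __name__ == '__main__':
    for name, line in demo().items():
        print('%-18s %s' % (name, line))
```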
Comment 7 Johannes Keiser univentionstaff 2019-10-02 18:23:57 CEST
6335adb Bug #49587: read /etc/horde.secret instead of DB_PASSWORD env var

Successful build
Package: univention-mail-horde
Version: 4.0.0-12A~4.3.0.201910021820


(un)related
The first server password change triggered by cron was successful but
after that I got
"""
Starting server password change (Wed Oct  2 18:11:32 CEST 2019)
ldap_bind: Invalid credentials (49)
failed to contact LDAP server: cannot connect with univention-ldapsearch
"""
in /var/log/univention/server_password_change.log
Comment 8 Dirk Wiesenthal univentionstaff 2019-10-07 02:45:07 CEST
(In reply to Johannes Keiser from comment #7)
> 6335adb Bug #49587: read /etc/horde.secret instead of DB_PASSWORD env var
> 
> Successful build
> Package: univention-mail-horde
> Version: 4.0.0-12A~4.3.0.201910021820
> 

VERIFIED, file changed only in ldap password.

> 
> (un)related
> The first server password change triggered by cron was successful but
> after that i got
> """
> Starting server password change (Wed Oct  2 18:11:32 CEST 2019)
> ldap_bind: Invalid credentials (49)
> failed to contact LDAP server: cannot connect with univention-ldapsearch
> """
> in /var/log/univention/server_password_change.log

Happens when server password change is triggered at a high frequency (like every minute while the script itself takes longer than one minute).
Comment 9 Felix Botner univentionstaff 2019-10-15 10:15:52 CEST
*** Bug 49449 has been marked as a duplicate of this bug. ***
Comment 10 Stefan Gohmann univentionstaff 2019-11-22 07:27:09 CET
Was the update released? Can this bug be closed?
Comment 11 Dirk Wiesenthal univentionstaff 2019-11-22 08:40:26 CET
(In reply to Stefan Gohmann from comment #10)
> Was the update released? Can this bug be closed?

Yes, released with Horde version 5.2.17-4