Univention Bugzilla – Bug 49587
Cron running in Horde container triggers server password change
Last modified: 2019-11-22 08:40:26 CET
+++ This bug was initially created as a clone of Bug #48486 +++

As described in this forum post: https://help.univention.com/t/horde-container-machine-password-mismatch-in-configuration-users-cannot-login/10944

We have a machine running UCS: 4.3-2 errata390 as Univention master with the following modules:

Installed: dhcp-server=12.0 horde=5.2.17-2 mailserver=12.0 nagios=4.3 self-service=3.0

The Horde container was freshly (re-)installed when it was updated from version 5.2.7 due to problems with the update. Inside the container the cron daemon is enabled and running. It is triggering a server password update, which is not reflected in /etc/horde/horde/conf.d/10-ucs.php. Due to this, users are not able to log in to Horde after that password update and we need to run "ucr commit /etc/horde/horde/conf.d/10-ucs.php", which again copies the machine password to the LDAP config section.

Is the cron daemon supposed to be running?
(In reply to Stefanie Schneider from comment #7)
> I did the horde update in a customer environment last friday and the same
> behaviour appeared again.
>
> _____________________________________________________________
> root@ucs05:~# univention-app info
> UCS: 4.3-4 errata523
> Installed: horde=5.2.17-3
>
> ______________________________________________________________
> After the update to 5.2.17-3, I unset the ucr variable
> server/password/change, which was set to "false" before.
>
> ___________________________________________________________
> var/log/univention/server_password_change.log:
>
> Starting server password change (Fri May 31 01:01:23 UTC 2019)
> Server password change is disabled by the UCR variable server/password/change
> Starting server password change (Sat Jun 1 01:05:54 UTC 2019)
> Proceeding with regular server password change scheduled for today
> ntion-mail-server prechange
> rechange
> ion-libnss-ldap prechange
> ion-nscd prechange
> merhaven,dc=intranet
> ntion-mail-server postchange
> File: /etc/listfilter.secret
> Multifile: /etc/postfix/ldap.distlist
> Multifile: /etc/postfix/ldap.groups
> Multifile: /etc/postfix/ldap.external_aliases
> Multifile: /etc/postfix/ldap.sharedfolderlocal
> Multifile: /etc/postfix/ldap.virtualwithcanonical
> Multifile: /etc/postfix/ldap.virtual_mailbox
> Multifile: /etc/postfix/ldap.sharedfolderremote
> Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
> Multifile: /etc/postfix/ldap.virtual
> Multifile: /etc/postfix/ldap.canonicalrecipient
> Multifile: /etc/postfix/ldap.transport
> Multifile: /etc/postfix/ldap.canonicalsender
> Multifile: /etc/postfix/ldap.saslusermapping
> Multifile: /etc/postfix/ldap.virtualdomains
> ostchange
> File: /etc/horde/horde/conf.d/10-ucs.php
> ion-libnss-ldap postchange
> File: /etc/libnss-ldap.conf
> ion-nscd postchange
> Restarting nscd (via systemctl): nscd.service.
> done (Sat Jun 1 01:06:00 UTC 2019)
> Starting server password change (Sun Jun 2 01:06:18 UTC 2019)
> No server password change scheduled for today, terminating without a change
> Starting server password change (Mon Jun 3 01:07:29 UTC 2019)
> No server password change scheduled for today, terminating without a change

Some more info:

root@horde-24172180:/# dpkg -l univention-mail-horde
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  univention-mai 4.0.0-9A~4.3 all          UCS - horde webmail
I could not reproduce this:

* Installed horde 5.2.17-2.
* Changed machine password inside the container (now horde is broken)
* ucr commit /etc/horde/horde/conf.d/10-ucs.php (now horde works)
* app update to 5.2.17-3
* horde works
* Changed machine password inside the container
* horde still works
It happens on its own after a period of time. Presumably this is because of some cron job. I don't think it happens every day though, maybe weekly or based on some other trigger. I usually find out when one of the users needs to log into webmail for some reason and they can't.

My fix, which looks to be the same as yours, just through the GUI, is to simply hit apply in the horde settings. Then it will work again. The next time someone needs to log in it's broken.

Most of the users I work with only use webmail for changing their vacation message or for very specific circumstances when they don't have their computer or phone handy for some reason. The last incident a user tried to set up the vacation filter and couldn't log in, so I applied settings. They got back from vacation a week later and couldn't log in to turn it off.
OK, we figured out the problem. cron starts the horde pw change hook correctly and updates the machine password in /etc/horde/horde/conf.d/10-ucs.php, but it seems that cron does not have access to the docker environment variables, which are used in the template for the rest of the ldap configuration, and we end up with

print "$conf['ucs']['ldaprdn'] = ''
print "$conf['ucs']['ldappass'] = 'newpassword'
print "$conf['ucs']['ldapbase'] = ''
print "$conf['ucs']['ldaphost'] = ''
print "$conf['ucs']['ldapport'] = ''
It is normal behavior that cron has no access to docker environment variables. I changed the ucr template for etc/horde/horde/conf.d/10-ucs.php so that it uses ucr instead of environment vars.

I put this into the test appcenter as:

5.2.17-4 horde_20190925130937 unpublished

Successful build
Package: univention-mail-horde
Version: 4.0.0-11A~4.3.0.201909251337
Branch: ucs_4.3-0
Scope: horde
Fail:

print "$conf['sql']['password'] = '%s';" % password

is empty because of

if 'DB_PASSWORD' in os.environ:
    password = os.environ['DB_PASSWORD']
else:
    password = ''

Please read /etc/horde.secret
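The two comments above describe the same defect twice: a UCR template that reads its inputs from the process environment with an empty-string fallback renders a syntactically valid but unusable config file whenever it runs from cron, which never sees the Docker environment. The following is an added illustration written for this page; it is not the Horde package's template or any Univention code. It places the defective env-based lookup beside the hardened variant that reads UCR variables and a secret file (both readable from cron) and refuses to render when an input is missing. The environment variable names, the UCR variable names (standard UCS names, assumed here), the sample LDAP values and the secret path are all constructed for the example.

```python
import os
import tempfile

# Keys written to /etc/horde/horde/conf.d/10-ucs.php, as named in the bug report.
PHP_KEYS = ("ldaprdn", "ldappass", "ldapbase", "ldaphost", "ldapport")

# Environment variable names used by the env-based template. These names are
# assumptions for this example, not the ones the Horde app image actually uses.
ENV_NAMES = {"ldaprdn": "LDAP_HOSTDN", "ldapbase": "LDAP_BASE",
             "ldaphost": "LDAP_HOST", "ldapport": "LDAP_PORT"}

# UCR variables used by the UCR-based template (standard UCS variable names,
# assumed here; the bug only says the template was switched to ucr).
UCR_NAMES = {"ldaprdn": "ldap/hostdn", "ldapbase": "ldap/base",
             "ldaphost": "ldap/master", "ldapport": "ldap/master/port"}

# Constructed sample values for the demo, not taken from the bug report.
SAMPLE_ENV = {"LDAP_HOSTDN": "cn=horde-1234,cn=memberserver,cn=computers,dc=example,dc=net",
              "LDAP_BASE": "dc=example,dc=net", "LDAP_HOST": "ucs-master.example.net",
              "LDAP_PORT": "7389"}
SAMPLE_UCR = {UCR_NAMES[k]: SAMPLE_ENV[ENV_NAMES[k]] for k in UCR_NAMES}
SAMPLE_PASSWORD = "s3cr3t'pw"  # contains a quote on purpose, see php_quote()


class MissingConfig(Exception):
    """Raised when a required setting cannot be resolved."""


def php_quote(value):
    """Escape a value for a single-quoted PHP string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def to_php(settings):
    """Render a settings dict as the lines the template writes."""
    return ["$conf['ucs']['%s'] = '%s';" % (k, php_quote(v)) for k, v in settings.items()]


def render_from_env(environ, machine_password):
    """Defective pattern from the bug: each LDAP value is read from the process
    environment with an empty-string fallback. Run from cron, which does not see
    the container's Docker environment, everything except the password comes out
    empty and the file is written anyway."""
    settings = {}
    for key in PHP_KEYS:
        settings[key] = machine_password if key == "ldappass" else environ.get(ENV_NAMES[key], "")
    return settings


def empty_settings(settings):
    """Detection: the keys that would be written as '' (the symptom in the bug)."""
    return [k for k in PHP_KEYS if settings.get(k, "") == ""]


def validation_errors(ucr, secret_path):
    """Pre-commit check: list every missing input instead of silently rendering
    an unusable configuration."""
    problems = []
    for key, var in UCR_NAMES.items():
        if not ucr.get(var):
            problems.append("UCR variable %s is unset (needed for %s)" % (var, key))
    try:
        with open(secret_path) as fh:
            if not fh.read().strip():
                problems.append("secret file %s is empty" % secret_path)
    except OSError:
        problems.append("secret file %s is unreadable" % secret_path)
    return problems


def render_from_sources(ucr, secret_path):
    """Hardened pattern: values come from UCR and a secret file on disk, both of
    which a cron job can read; any missing input aborts the render."""
    problems = validation_errors(ucr, secret_path)
    if problems:
        raise MissingConfig("; ".join(problems))
    with open(secret_path) as fh:
        password = fh.read().strip()
    values = {key: ucr[var] for key, var in UCR_NAMES.items()}
    values["ldappass"] = password
    return {key: values[key] for key in PHP_KEYS}  # keep the template's key order


def demo(workdir=None):
    """Run both renderers the way cron would (empty environment). Returns the keys
    the env template leaves empty and the lines the UCR template produces."""
    workdir = workdir or tempfile.mkdtemp()
    secret_path = os.path.join(workdir, "horde.secret")
    with open(secret_path, "w") as fh:
        fh.write(SAMPLE_PASSWORD + "\n")
    broken = render_from_env({}, SAMPLE_PASSWORD)  # {} = no Docker env under cron
    good = render_from_sources(SAMPLE_UCR, secret_path)
    return empty_settings(broken), to_php(good)


if __name__ == "__main__":
    empties, lines = demo()
    print("env-based template under cron leaves empty:", ", ".join(empties))
    print("\n".join(lines))
```

The `validation_errors` check is the part worth keeping in mind for any templated credential file: a template that can only ever succeed is one that will happily write an empty bind DN next to a freshly rotated password, which is exactly the state the reporters kept repairing with `ucr commit`. `php_quote` is there because the machine password is written into a single-quoted PHP literal; a password containing `'` or `\` would otherwise break the generated file in a way that looks like the same login failure.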
6335adb Bug #49587: read /etc/horde.secret instead of DB_PASSWORD env var

Successful build
Package: univention-mail-horde
Version: 4.0.0-12A~4.3.0.201910021820

(un)related
The first server password change triggered by cron was successful but after that I got
"""
Starting server password change (Wed Oct 2 18:11:32 CEST 2019)
ldap_bind: Invalid credentials (49)
failed to contact LDAP server: cannot connect with univention-ldapsearch
"""
in /var/log/univention/server_password_change.log
(In reply to Johannes Keiser from comment #7)
> 6335adb Bug #49587: read /etc/horde.secret instead of DB_PASSWORD env var
>
> Successful build
> Package: univention-mail-horde
> Version: 4.0.0-12A~4.3.0.201910021820

VERIFIED, file changed only in ldap password.

> (un)related
> The first server password change triggered by cron was successful but
> after that i got
> """
> Starting server password change (Wed Oct 2 18:11:32 CEST 2019)
> ldap_bind: Invalid credentials (49)
> failed to contact LDAP server: cannot connect with univention-ldapsearch
> """
> in /var/log/univention/server_password_change.log

Happens when server password change is triggered at a high frequency (like every minute while the script itself takes longer than one minute)
*** Bug 49449 has been marked as a duplicate of this bug. ***
Was the update released? Can this bug be closed?
(In reply to Stefan Gohmann from comment #10)
> Was the update released? Can this bug be closed?

Yes, released with Horde version 5.2.17-4