Bug 38137 - sysvol-sync.sh can't handle reinstalled systems (host key changes)
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 3.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Felix Botner
Florian Best
Reported: 2015-03-26 10:59 CET by Janis Meybohm
Modified: 2015-09-24 14:37 CEST

Description Janis Meybohm univentionstaff 2015-03-26 10:59:39 CET

sysvol-sync.sh fails more or less silently when a "downstream s4 dc" is reinstalled (e.g. the SSH host key changes).
Only two messages like the following reach the log file, as the rsync commands redirect stderr to /dev/null:

rsync: change_dir "/var/cache/univention-samba4/sysvol-sync/downstream-s4dc" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1060) [sender=3.0.7]
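The failure mode described above (rsync's stderr discarded, so a changed host key or a missing sync directory is never logged) as an added example; this is not code from sysvol-sync.sh or the UCS project. The log path, rsync options, remote path layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from sysvol-sync.sh): keep rsync's stderr instead of
# sending it to /dev/null, then map exit code + stderr text to a reason that
# can be logged and acted upon. Paths and log file name are assumptions.

SYSVOL_SYNC_LOG="${SYSVOL_SYNC_LOG:-/var/log/univention/sysvol-sync.log}"

# classify_rsync_failure EXITCODE STDERR_FILE
# Prints a short reason on stdout. Exit code 12 with the OpenSSH warning means
# the peer's host key no longer matches known_hosts (e.g. a reinstalled DC);
# exit code 23 with "change_dir ... failed" means the source/target directory
# is missing. Anything else is reported as a generic failure.
classify_rsync_failure() {
    code="$1"; errfile="$2"
    if grep -q 'REMOTE HOST IDENTIFICATION HAS CHANGED' "$errfile"; then
        echo "hostkey-changed"
    elif [ "$code" -eq 12 ]; then
        echo "ssh-transport-failed"
    elif [ "$code" -eq 23 ] && grep -q 'change_dir .* failed' "$errfile"; then
        echo "missing-directory"
    elif [ "$code" -eq 0 ]; then
        echo "ok"
    else
        echo "rsync-error-$code"
    fi
}

# run_rsync_logged HOST SRC DST
# Runs rsync with stderr captured to a temp file, logs a classified reason on
# failure and returns rsync's exit code. It never touches known_hosts itself:
# a changed host key has to be verified out of band before ssh-keygen -R.
run_rsync_logged() {
    host="$1"; src="$2"; dst="$3"
    errfile=$(mktemp) || return 1
    rc=0
    rsync -aAX --delete -e ssh "$src" "root@$host:$dst" 2>"$errfile" || rc=$?
    if [ "$rc" -ne 0 ]; then
        reason=$(classify_rsync_failure "$rc" "$errfile")
        printf '%s ERROR [%s] rsync exitcode was %s (%s): %s\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" "$host" "$rc" "$reason" \
            "$(tr '\n' ' ' <"$errfile")" >>"$SYSVOL_SYNC_LOG"
    fi
    rm -f "$errfile"
    return "$rc"
}
```

Only the classification is exercised offline; run_rsync_logged needs a reachable peer and is shown for the wiring of stderr into the log.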
Comment 1 Janis Meybohm univentionstaff 2015-03-26 11:08:29 CET
Workaround (obviously):

ssh-keygen -R downstream-s4dc
Comment 2 Felix Botner univentionstaff 2015-09-22 16:15:21 CEST
With Bug #38868 we already get an appropriate error message in /var/log/univention/sysvol-sync.log:

2015-09-19 05:45:08 ERROR [slave] rsync exitcode was 12. Will not sync to hot target! (@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the RSA key sent by the remote host is 44:95:18:40:18:7a:cf:48:c5:5a:52:65:91:38:9d:c9. Please contact your system administrator. Add correct host key in /root/.ssh/known_hosts to get rid of this message. Offending RSA key in /root/.ssh/known_hosts:1 Password authentication is disabled to avoid man-in-the-middle attacks. Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks. Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive). rsync: connection unexpectedly closed (0 bytes received so far) [Receiver] rsync error: error in rsync protocol data stream (code 12) at io.c(605) [Receiver=3.0.9])

Additionally, a new UMC diagnostic plugin ssh_connection has been added to check host keys and machine authentication via SSH (python-paramiko) for all UCS DCs and member servers.

YAML: 2015-09-22-univention-management-console-module-diagnostic.yaml

merged to 4.1-0
Comment 3 Arvid Requate univentionstaff 2015-09-22 16:50:00 CEST
Ok, works. Advisory ok. Merged to UCS 4.1.

The new dependency on python-paramiko works; it's maintained.
Comment 4 Florian Best univentionstaff 2015-09-23 11:56:56 CEST
The error handling of the diagnostic plugin should be enhanced a little bit. getMachineConnection may raise IOError or ldap.LDAPError if unjoined/broken join status/no password file/wrong password.
Comment 5 Felix Botner univentionstaff 2015-09-24 09:59:40 CEST
fixed and merged

YAML: 2015-09-22-univention-management-console-module-diagnostic.yaml
Comment 6 Florian Best univentionstaff 2015-09-24 12:24:31 CEST
The module is now showing (in an error case):
SSH-Verbindung zu anderem UCS Server fehlgeschlagen!
[Errno 2] Datei oder Verzeichnis nicht gefunden: '/etc/machine.secret'

Well, not the best usability thing but okay for now.
Comment 7 Janek Walkenhorst univentionstaff 2015-09-24 14:37:08 CEST