Bug 45531 - OperationalError: FATAL: Passwort-Authentifizierung für Benutzer »selfservice« fehlgeschlagen
OperationalError: FATAL: Passwort-Authentifizierung für Benutzer »selfservic...
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Self Service
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.3-2-errata
Assigned To: Felix Botner
Erik Damrose
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-10-13 12:17 CEST by Florian Best
Modified: 2018-10-26 17:44 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.343
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Ticket number: 2018102021000255, 2018041621000355, 2018041121000168, 2017120121000299, 2017100621000721, 2017111321000518, 2018080821000354
Bug group (optional): Error handling, External feedback
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2017-10-13 12:17:38 CEST
Version: 4.2-2 errata189 (Lesum)

Remark: Kontozugang schützen funktioniert nicht

Die Ausführung des Kommandos passwordreset/get_contact ist fehlgeschlagen:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/protocol/modserver.py", line 178, in _recv
    self.handle(msg)
  File "%PY2.7%/univention/management/console/protocol/modserver.py", line 287, in handle
    self.__handler.init()
  File "%PY2.7%/univention/management/console/modules/passwordreset/__init__.py", line 212, in init
    self.db = TokenDB(MODULE)
  File "%PY2.7%/univention/management/console/modules/passwordreset/tokendb.py", line 53, in __init__
    self.conn = self.open_db()
  File "%PY2.7%/univention/management/console/modules/passwordreset/tokendb.py", line 120, in open_db
    db_name=DB_NAME, db_user=DB_USER, db_pw=password))
  File "/usr/lib/python2.7/dist-packages/psycopg2/__init__.py", line 164, in connect
    conn = _connect(dsn, connection_factory=connection_factory, async=async)
OperationalError: FATAL:  Passwort-Authentifizierung für Benutzer »selfservice« fehlgeschlagen
FATAL:  Passwort-Authentifizierung für Benutzer »selfservice« fehlgeschlagen
Comment 1 Johannes Keiser univentionstaff 2017-11-15 17:05:09 CET
Reported again, 4.2-2 errata219 (Lesum)
Comment 2 Johannes Keiser univentionstaff 2017-12-11 16:32:01 CET
Reported again: Version: 4.2-3 errata231 (Lesum)

OperationalError: could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
Comment 3 Daniel Tröder univentionstaff 2017-12-12 08:20:56 CET
As with https://forge.univention.org/bugzilla/show_bug.cgi?id=45719#c2 : 
Should a message be created that tells the user to tell his admin to (re)start the service?
Comment 4 Johannes Keiser univentionstaff 2018-04-27 20:04:38 CEST
Reported again:  Version: 4.3-0 errata11 (Neustadt)

Remark: Problem besteht leider auch nach Re-Install der App noch

univention-app remove self-service
apt-get purge univention-self-service univention-self-service-passwordreset-umc
univention-app install self-service
Comment 5 Johannes Keiser univentionstaff 2018-04-27 20:15:09 CEST
Reported again: Version: 4.3-0 errata12 (Neustadt)
Comment 6 Christina Scheinig univentionstaff 2018-08-08 12:54:29 CEST
Was now reported within a support ticket (2018080821000354). I will inform the customer and set the ticket in waiting for this fix or do we have a workaround, yet?
Comment 7 Daniel Tröder univentionstaff 2018-08-08 13:26:41 CEST
> OperationalError: FATAL:  Passwort-Authentifizierung für Benutzer
> »selfservice« fehlgeschlagen
> FATAL:  Passwort-Authentifizierung für Benutzer »selfservice« fehlgeschlagen
Dies ist ein Verbindungsfehler vom Webserver zum PostgreSQL-Server.
D.h. das Passwort aus /etc/self-service-db.secret stimmt nicht mit dem Passwort überein, dass PostgreSQL für den Datenbank-User "selfservice" gespeichert hat.
Das Problem lässt sich lösen, indem man das Passwort für den Datenbank-User erneut setzt:

Ungetestet, aber sollte in etwas so funktionieren:

$ selfservice_pwd="$(</etc/self-service-db.secret)"
$ su - postgres -c "echo \"ALTER ROLE selfservice WITH ENCRYPTED PASSWORD '$selfservice_pwd';\" | psql" || die "Could not set selfservice database password."

Alternativ einfach /etc/self-service-db.secret löschen und das join script 35univention-self-service-passwordreset-umc.inst laufen lassen:

$ mv /etc/self-service-db.secret /etc/self-service-db.secret.old
$ univention-run-join-scripts --run-scripts --force 35univention-self-service-passwordreset-umc.inst
Comment 8 Christina Scheinig univentionstaff 2018-08-09 11:40:31 CEST
Both workarounds are not working in the customer environment.
Comment 9 Felix Botner univentionstaff 2018-10-12 12:30:12 CEST
(In reply to Christina Scheinig from comment #8)
> Both workarounds are not working in the customer environment.

Why, there is no information about the actual problem here, just an error message. For example one could test the psql connection as selfservice user

psql  -U selfservice  -h localhost selfservice

with the password from /etc/self-service-db.secret.
Comment 10 Felix Botner univentionstaff 2018-10-12 12:32:18 CEST
By the way, this has nothing to do with password policies as this "selfservice" account is an account in postgres, not in the IDM oder the local system.
Comment 11 Felix Botner univentionstaff 2018-10-16 12:49:29 CEST
e1116dbf7848b8f029e877ef99509bc7881f8c07 - univention-self-service
ee0b0abe99a3a30f12cf48e215d52f79422c31ac - yaml

Just changed the join script to always update the selfservice database user password.
Comment 12 Erik Damrose univentionstaff 2018-10-18 12:32:17 CEST
OK: always set postgresql userpassword for selfservice when executing the joinscript
OK:~ Only re-executing the joinscript will fix the issue. Why the issue appeared at all is not clear
OK: yaml
Comment 13 Arvid Requate univentionstaff 2018-10-24 17:26:56 CEST
<http://errata.software-univention.de/ucs/4.3/291.html>
Comment 14 Johannes Keiser univentionstaff 2018-10-26 17:44:29 CEST
Reported again: Version: 4.3-2 errata287 (Neustadt)

Interner Server-Fehler in "passwordreset/get_contact".
Request: passwordreset/get_contact

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/protocol/modserver.py", line 186, in _recv
    self.handle(msg)
  File "%PY2.7%/univention/management/console/protocol/modserver.py", line 296, in handle
    self.__handler.init()
  File "%PY2.7%/univention/management/console/modules/passwordreset/__init__.py", line 214, in init
    self.db = TokenDB(MODULE)
  File "%PY2.7%/univention/management/console/modules/passwordreset/tokendb.py", line 53, in __init__
    self.conn = self.open_db()
  File "%PY2.7%/univention/management/console/modules/passwordreset/tokendb.py", line 120, in open_db
    db_name=DB_NAME, db_user=DB_USER, db_pw=password))
  File "/usr/lib/python2.7/dist-packages/psycopg2/__init__.py", line 164, in connect
    conn = _connect(dsn, connection_factory=connection_factory, async=async)
OperationalError: FATAL:  Passwort-Authentifizierung für Benutzer »selfservice« fehlgeschlagen
FATAL:  Passwort-Authentifizierung für Benutzer »selfservice« fehlgeschlagen

Role: domaincontroller_master