Bug 50937 - pkgdb: (postgresql) password-authentication for user "host$" fails
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: pkgdb
UCS 4.4
amd64 All
: P5 normal (vote)
: ---
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2020-03-12 12:51 CET by office
Modified: 2022-08-05 14:51 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020071021000589, 2020110721000318, 2022072621000359
Bug group (optional): Regression
Max CVSS v3 score:


Attachments
patch new appcenter_umc_test (3.73 KB, patch)
2020-03-16 13:17 CET, Felix Botner

Description office 2020-03-12 12:51:05 CET
Recently I saw the following error during package update (on the web frontend and also with univention-upgrade):

...
Trigger für libc-bin (2.24-11+deb9u4) werden verarbeitet ...
Traceback (most recent call last):
  File "/usr/sbin/univention-pkgdb-scan", line 37, in <module>
    univention.pkgdb.main()
  File "/usr/lib/python2.7/dist-packages/univention/pkgdb.py", line 579, in main
    connection = open_database_connection(config_registry, pkgdbu=False)
  File "/usr/lib/python2.7/dist-packages/univention/pkgdb.py", line 561, in open_database_connection
    connection = pgdb.connect(database=connectstring)
  File "/usr/lib/python2.7/dist-packages/pgdb.py", line 1615, in connect
    cnx = _connect(dbname, dbhost, dbport, dbopt, dbuser, dbpasswd)
pg.InternalError: FATAL:  Passwort-Authentifizierung für Benutzer »drude$« fehlgeschlagen
....

Running "/usr/sbin/univention-pkgdb-scan --scan" also shows this error.

After some debugging I found in "/var/log/postgresql/postgresql-9.6-main.log":

> 2020-03-12 12:16:54 CET [25684-1] ucs-master$@pkgdb FATAL:  Passwort-Authentifizierung für Benutzer »ucs-master$« fehlgeschlagen
> 2020-03-12 12:16:54 CET [25684-2] ucs-master$@pkgdb DETAIL:  Benutzer »ucs-master$« hat kein Passwort zugewiesen.
>         Verbindung stimmte mit pg_hba.conf-Zeile 98 überein: »host    all         all         172.16.1.1/16          md5«

This shows that the "/etc/univention/templates/files/etc/postgresql/9.6/main/pg_hba.conf.d/10-pg_hba.conf" (hba.conf for pkgdb) will not be evaluated as the "/etc/univention/templates/files/etc/postgresql/9.6/main/pg_hba.conf.d/10-appcenter" rules match first.
Comment 1 office 2020-03-12 12:51:44 CET
Quick fix was:

 mv 10-pkgdb_hba.conf 09-pkgdb_hba.conf

but this fails to process when running "ucr commit"
Comment 2 Erik Damrose univentionstaff 2020-03-12 13:00:15 CET
Thank you for the report, this is probably a regression from bug 50858.
Comment 3 Felix Botner univentionstaff 2020-03-12 13:32:56 CET
Is our system's ip part of the default docker-compose network 172.16.1.1/16?

If so, please switch to a different docker-compose network:

 ucr set appcenter/docker/compose/network='172.18.1.1/16'
 service postgresql restart

Does this help?

We will add a check for this situation in the diagnostic module/appcenter and/or try to figure out if rearranging the entries in the pg_hba.conf helps.
Comment 4 office 2020-03-12 15:04:10 CET
Rearranging the entries helps; I tried this manually. Based on this I tried to change the order of entries permanently by swapping the order of the "10-appcenter" and "10-pg_hba.conf" templates.
Comment 5 office 2020-03-16 11:09:18 CET
>  ucr set appcenter/docker/compose/network='172.18.1.1/16'

fixed it also after reboot
Comment 6 Felix Botner univentionstaff 2020-03-16 13:17:57 CET
Created attachment 10312 [details]
patch new appcenter_umc_test
Comment 7 Dirk Schnick univentionstaff 2020-07-14 10:55:22 CEST
School Customer with the same problem. The workaround of Felix (Comment 3) also works in that environment.
Comment 8 Florian Best univentionstaff 2020-08-19 09:56:17 CEST
Happened also in our test environment: 1 time in /var/log/univention/join.log:
Traceback (most recent call last):
  File "/usr/sbin/univention-pkgdb-scan", line 37, in <module>
    univention.pkgdb.main()
  File "/usr/lib/pymodules/python2.7/univention/pkgdb.py", line 578, in main
    connection = open_database_connection(config_registry, pkgdbu=False)
  File "/usr/lib/pymodules/python2.7/univention/pkgdb.py", line 560, in open_database_connection
    connection = pgdb.connect(database=connectstring)
  File "/usr/lib/python2.7/dist-packages/pgdb.py", line 1615, in connect
    cnx = _connect(dbname, dbhost, dbport, dbopt, dbuser, dbpasswd)
pg.InternalError: FATAL:  PAM-Authentifizierung für Benutzer »master071c$« fehlgeschlagen
Comment 11 Philipp Hahn univentionstaff 2022-08-01 16:23:01 CEST
Again:
- customer host is using 172.161.20/24, which conflicts with our docker IP range
- /etc/postgresql/9.6/main/pg_hba.conf is evaluated in order:
  - 10-appcenter matches the docker IP range first fast
  - 10-pg_hba.conf is not considered

Possible solutions:
- ucr set appcenter/docker/compose/network=… 
- mv 10-pkgdb_hba.conf 09-pkgdb_hba.conf
Comment 12 Mirac Erdemiroglu univentionstaff 2022-08-01 17:04:20 CEST
Customer runs into this issue:

Host is using the IP range 172.16.1.10 and runs into the conflict with docker IP range.

Traceback (most recent call last):
  File "/usr/sbin/univention-pkgdb-scan", line 37, in <module>
    univention.pkgdb.main()
  File "/usr/lib/python3/dist-packages/univention/pkgdb.py", line 578, in main
    connection = open_database_connection(config_registry, pkgdbu=False)
  File "/usr/lib/python3/dist-packages/univention/pkgdb.py", line 560, in open_database_connection
    connection = pgdb.connect(database=connectstring)
  File "/usr/lib/python3/dist-packages/pgdb.py", line 1619, in connect
    cnx = _connect(dbname, dbhost, dbport, dbopt, dbuser, dbpasswd)
pg.InternalError: FATAL:  password authentication failed for user "home$"

dist-update finished at Sat Jul 30 14:41:17 2022...


Possible Solution : 
Edit /etc/postgresql/9.6/main/pg_hba.conf and move these entries up under local all:

local pkgdb pkgdbu md5
hostssl pkgdb +pkgdbg 0.0.0.0/0 pam
hostssl pkgdb +pkgdbg ::/0 pam


A small note: it would be advisable to carry out a check of the IP range before the installation of docker. In case of conflicts, one could set up another IP for docker in advance, because there are enough systems that run into this bug.
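
Added example (not part of the bug report or of Univention's code): a small model of PostgreSQL's first-match evaluation of pg_hba.conf, applied to the records quoted in this report, showing why a host inside the docker compose network gets md5 instead of pam. It handles only CIDR-form addresses, assumes the host account is a member of the pkgdbg role, and all function names are illustrative.

```python
import ipaddress

def parse_hba(text):
    """Parse pg_hba.conf records (CIDR address form only), keeping file order."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":   # local DATABASE USER METHOD
            rules.append({"type": f[0], "db": f[1], "user": f[2], "net": None, "method": f[3]})
        else:                 # host|hostssl|hostnossl DATABASE USER ADDRESS METHOD
            net = ipaddress.ip_network(f[3], strict=False)
            rules.append({"type": f[0], "db": f[1], "user": f[2], "net": net, "method": f[4]})
    return rules

def name_matches(spec, name, roles=()):
    """'all', an exact name, or '+role' (membership) in a comma-separated list."""
    return any(i == "all" or i == name or (i[:1] == "+" and i[1:] in roles)
               for i in spec.split(","))

def first_match(rules, db, user, addr, ssl=True, roles=()):
    """Return the first record matching a TCP connection; later records are never tried."""
    ip = ipaddress.ip_address(addr)
    for r in rules:
        if r["type"] == "local" or ip not in r["net"]:
            continue
        if (r["type"] == "hostssl" and not ssl) or (r["type"] == "hostnossl" and ssl):
            continue
        if name_matches(r["db"], db) and name_matches(r["user"], user, roles):
            return r
    return None

# Constructed from the pkgdb records quoted in Comment 12.
PKGDB = ("local pkgdb pkgdbu md5\n"
         "hostssl pkgdb +pkgdbg 0.0.0.0/0 pam\n"
         "hostssl pkgdb +pkgdbg ::/0 pam\n")

def method_for(client_ip, compose_net, pkgdb_first=False):
    """Auth method PostgreSQL would pick for a host account connecting to pkgdb."""
    appcenter = "host all all %s md5\n" % compose_net  # record shape from the log in the description
    text = PKGDB + appcenter if pkgdb_first else appcenter + PKGDB
    # Assumption: the machine account is a member of the pkgdbg role.
    rule = first_match(parse_hba(text), "pkgdb", "ucs-master$", client_ip, roles={"pkgdbg"})
    return rule["method"] if rule else None

if __name__ == "__main__":
    print(method_for("172.16.1.10", "172.16.1.1/16"))                    # md5
    print(method_for("172.16.1.10", "172.16.1.1/16", pkgdb_first=True))  # pam
    print(method_for("172.16.1.10", "172.18.1.1/16"))                    # pam
```

The three calls correspond to the failing state, the reordering workaround, and the `appcenter/docker/compose/network` workaround from Comment 3.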