Univention Bugzilla – Full Text Bug Listing

| Summary: | INSUFFICIENT_ACCESS: {'desc': 'Insufficient access'} - univention-portal-server | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Felix Botner <botner> |
| Component: | Portal | Assignee: | Philipp Hahn <hahn> |
| Status: | CLOSED FIXED | QA Contact: | Dirk Wiesenthal <wiesenthal> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best |
| Version: | UCS 4.4 | | |
| Target Milestone: | UCS 4.4-0-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
| Who will be affected by this bug?: | 5: Will affect all installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
| User Pain: | 0.229 | Enterprise Customer affected?: | Yes |
| School Customer affected?: | Yes | ISV affected?: | Yes |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Attachments: | syslog-no-samba-master.gz | | |
Description
Felix Botner
2019-06-28 11:02:17 CEST
Created attachment 10094 [details]
syslog-no-samba-master.gz
(In reply to Felix Botner from comment #0)
> Multiple times In the syslog of master/backup/... of the errata jenkins

-> zless syslog-no-samba-master.gz| grep Insuff|wc -l
140

This happened this night the first time?

I could imagine that this happens during a machine.secret rotation. If any cached ldap connection wouldn't do a bind() again.

(In reply to Florian Best from comment #4)
> I could imagine that this happens during a machine.secret rotation. If any
> cached ldap connection wouldn't do a bind() again.

yes, seems that self.udm (I guess this thing holds the connection) does not "reload" the password

-> kill -HUP 12696 (portal server refresh)

Jun 28 13:14:15 master univention-portal-server[12696]: refreshing cache
Jun 28 13:14:15 master univention-portal-server[12696]: INFO:univention.portal.cache:refreshing cache
Jun 28 13:14:15 master slapd[12787]: <= mdb_equality_candidates: (univentionComputerPortal) not indexed
Jun 28 13:14:15 master univention-portal-server[12696]: No CSS code available
Jun 28 13:14:15 master univention-portal-server[12696]: INFO:univention.portal.css:No CSS code available
Jun 28 13:14:15 master univention-portal-server[12696]: Writing CSS file /var/www/univention/portal/portal.css
Jun 28 13:14:15 master univention-portal-server[12696]: INFO:univention.portal.css:Writing CSS file /var/www/univention/portal/portal.css
Jun 28 13:14:15 master slapd[12787]: <= mdb_equality_candidates: (univentionPortalEntryPortal) not indexed

-> /usr/lib/univention-server/server_password_change
and
-> service slapd restart
to simulate the connection timeout for the univention portal server connection

-> kill -HUP 12696 (portal server refresh)

Jun 28 13:16:01 master univention-portal-server[12696]: Traceback (most recent call last):
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/bin/univention-portal-server", line 180, in refresh
Jun 28 13:16:01 master univention-portal-server[12696]: localhost = self.udm.obj_by_dn(ldap_hostdn)
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/pymodules/python2.7/univention/udm/udm.py", line 241, in obj_by_dn
Jun 28 13:16:01 master univention-portal-server[12696]: ldap_obj = self.connection.get(dn, attr=[str('univentionObjectType')])
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 708, in get
Jun 28 13:16:01 master univention-portal-server[12696]: return self.lo.get(dn, attr, required)
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/python2.7/dist-packages/univention/uldap.py", line 383, in get
Jun 28 13:16:01 master univention-portal-server[12696]: result = self.lo.search_s(dn, ldap.SCOPE_BASE, '(objectClass=*)', attr)
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 597, in search_s
Jun 28 13:16:01 master univention-portal-server[12696]: return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 993, in search_ext_s
Jun 28 13:16:01 master univention-portal-server[12696]: return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs)
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 935, in _apply_method_s
Jun 28 13:16:01 master univention-portal-server[12696]: self.reconnect(self._uri,retry_max=self._retry_max,retry_delay=self._retry_delay)
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 903, in reconnect
Jun 28 13:16:01 master univention-portal-server[12696]: self._apply_last_bind()
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 873, in _apply_last_bind
Jun 28 13:16:01 master univention-portal-server[12696]: func(self,*args,**kwargs)
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 223, in simple_bind_s
Jun 28 13:16:01 master univention-portal-server[12696]: resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
Jun 28 13:16:01 master univention-portal-server[12696]: resp_ctrl_classes=resp_ctrl_classes
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
Jun 28 13:16:01 master univention-portal-server[12696]: ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
Jun 28 13:16:01 master univention-portal-server[12696]: File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
Jun 28 13:16:01 master univention-portal-server[12696]: result = func(*args,**kwargs)
Jun 28 13:16:01 master univention-portal-server[12696]: INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}

Yes, I am currently doing the same. We will fix that now.

I added reconnection handling to the portal server and added a password rotation script which reloads-or-restarts the service.

univention-portal (3.0.1-27)
f96ab2d5f5e0 | Bug #49746: restart univention-portal-server on server password change

univention-portal.yaml
9db78f709d44 | YAML Bug #49746

seen in the jenkins tests

Jul 02 23:47:37 master091 univention-portal-server[31779]: refreshing cache
Jul 02 23:47:37 master091 univention-portal-server[31779]: INFO:univention.portal.cache:refreshing cache
Jul 02 23:47:37 master091 systemd[1]: Reloaded Univention Portal server.
Jul 02 23:47:37 master091 univention-portal-server[31779]: Error during refresh
Jul 02 23:47:37 master091 univention-portal-server[31779]: Traceback (most recent call last):
Jul 02 23:47:37 master091 univention-portal-server[31779]: File "/usr/bin/univention-portal-server", line 181, in refresh
Jul 02 23:47:37 master091 univention-portal-server[31779]: fd = self._refresh()
Jul 02 23:47:37 master091 univention-portal-server[31779]: File "/usr/bin/univention-portal-server", line 195, in _refresh
Jul 02 23:47:37 master091 univention-portal-server[31779]: portal_dn = localhost.props.portal
Jul 02 23:47:37 master091 univention-portal-server[31779]: AttributeError: 'ComputersAllObjectProperties' object has no attribute 'portal'
Jul 02 23:47:37 master091 univention-portal-server[31779]: ERROR:univention.portal.cache:Error during refresh
Jul 02 23:47:37 master091 univention-portal-server[31779]: Traceback (most recent call last):
Jul 02 23:47:37 master091 univention-portal-server[31779]: File "/usr/bin/univention-portal-server", line 181, in refresh
Jul 02 23:47:37 master091 univention-portal-server[31779]: fd = self._refresh()
Jul 02 23:47:37 master091 univention-portal-server[31779]: File "/usr/bin/univention-portal-server", line 195, in _refresh
Jul 02 23:47:37 master091 univention-portal-server[31779]: portal_dn = localhost.props.portal
Jul 02 23:47:37 master091 univention-portal-server[31779]: AttributeError: 'ComputersAllObjectProperties' object has no attribute 'portal'
Jul 02 23:47:37 master091 nrpe[1755]: Caught SIGTERM - shutting down...

http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-0/job/AutotestJoin/SambaVersion=no-samba,Systemrolle=master/ws/test/journalctl.log/*view*/

> Traceback (most recent call last):
> File "/usr/bin/univention-portal-server", line 181, in refresh
> fd = self._refresh()
> File "/usr/bin/univention-portal-server", line 195, in _refresh
> portal_dn = localhost.props.portal
> AttributeError: 'ComputersAllObjectProperties' object has no attribute 'portal'
Hmm, I cannot trigger this. I tried:
Remove univentionPortalComputer attribute from the computer:
But obj.props.portal is None then.
I tried setting the DN to a not existing object and to an invalid value but it then contains that DN/value.
(In reply to Florian Best from comment #9)
> > Traceback (most recent call last):
> > File "/usr/bin/univention-portal-server", line 181, in refresh
> > fd = self._refresh()
> > File "/usr/bin/univention-portal-server", line 195, in _refresh
> > portal_dn = localhost.props.portal
> > AttributeError: 'ComputersAllObjectProperties' object has no attribute 'portal'
>
> Hmm, I cannot trigger this. I tried:
> Remove univentionPortalComputer attribute from the computer:
> But obj.props.portal is None then.
> I tried setting the DN to a not existing object and to an invalid value but
> it then contains that DN/value.

Okay got it. This happens if the extended attribute does not exist (yet):
cn=portal,cn=custom attributes,cn=univention,l=school,l=dev.

Okay, the simple UDM API doesn't provide any way to reset caching but I could find a way to reload the extended attributes in case they don't exist.

univention-portal (3.0.1-28)
90a57cea93ec | Bug #49746: fix reloading of extended attributes

Reconnection does not work yet.
univention.udm.connections caches the machine connection, therefore recreating a UDM.machine() object does use the already initialized (and timed out) connection.
=> We could stop caching connections altogether?

Also, UDM caches the modules to which it passes its connection. One needs to create a new module object with a new connection.
=> To not hit the cache, one could use the connection id instead of the binddn. This could free us from using private variables in the portal.
[4.4-0] a8d6b13324 Bug #49746 udm: Remove caching of machine connections
 management/univention-directory-manager-modules/debian/changelog | 6 ++++++
 .../modules/univention/udm/connections.py | 8 +++-----
 .../modules/univention/udm/connections.pyi | 1 -
 .../modules/univention/udm/udm.py | 2 +-
 .../modules/univention/udm/udm.pyi | 2 +-
 5 files changed, 11 insertions(+), 8 deletions(-)

Package: univention-directory-manager-modules
Version: 14.0.12-43A~4.4.0.201907051641
Branch: ucs_4.4-0
Scope: errata4.4-0

[4.4-0] ff581787f0 Bug #49526: univention-directory-manager-modules 14.0.12-42A~4.4.0.201906261823
 doc/errata/staging/univention-directory-manager-modules.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

[4.4-0] b9bb57cf87 Bug #49526: univention-directory-manager-modules 14.0.12-43A~4.4.0.201907051641
 doc/errata/staging/univention-directory-manager-modules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

QA: See commit message for my test protocol

OK, portal works now.
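
The failure discussed in this thread, as an added sketch that is not Univention's code: a client that replays the bind password it read at start-up is rejected after machine.secret is rotated, while one that re-reads the secret file on a rejected bind recovers. `FakeDirectory`, `CachedBindClient`, `ReloadingClient` and the secret values are constructed stand-ins, and no real LDAP library is used; the actual fix in this bug was to reload-or-restart the service on password change and to remove the connection cache.

```python
import tempfile
from pathlib import Path

class InvalidCredentials(Exception):
    """Stand-in for the LDAP INVALID_CREDENTIALS result in the traceback."""

class FakeDirectory:
    """Constructed stand-in for slapd: a bind succeeds only with the current secret."""
    def __init__(self, password):
        self.password = password
    def bind(self, password):
        if password != self.password:
            raise InvalidCredentials("Invalid credentials")
        return object()  # opaque session handle

class CachedBindClient:
    """Replays the password captured at start-up on every reconnect (failure mode)."""
    def __init__(self, directory, secret_path):
        self.directory, self.secret_path = directory, secret_path
        self.password = secret_path.read_text().strip()
        self.session = directory.bind(self.password)
    def reconnect(self):
        self.session = self.directory.bind(self.password)

class ReloadingClient(CachedBindClient):
    """On a rejected bind, re-reads the secret file once and retries."""
    def reconnect(self):
        try:
            super().reconnect()
        except InvalidCredentials:
            self.password = self.secret_path.read_text().strip()
            super().reconnect()  # a second rejection propagates to the caller

def rotate_and_reconnect(client_cls):
    """Start a client, rotate the secret, then reconnect as after a slapd restart."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "machine.secret"  # constructed path, not /etc
        secret.write_text("old-secret\n")      # constructed sample value
        directory = FakeDirectory("old-secret")
        client = client_cls(directory, secret)
        secret.write_text("new-secret\n")      # rotation: file and directory change
        directory.password = "new-secret"
        try:
            client.reconnect()
            return "ok"
        except InvalidCredentials:
            return "INVALID_CREDENTIALS"
```

`rotate_and_reconnect(CachedBindClient)` reproduces the rejected re-bind from the traceback; `rotate_and_reconnect(ReloadingClient)` succeeds because the retry uses the rotated secret.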