Univention Bugzilla – Full Text Bug Listing |
Summary: | pkgdb: (postgresql) password-authentication for user "host$" fails | ||
---|---|---|---|
Product: | UCS | Reporter: | office |
Component: | pkgdb | Assignee: | UCS maintainers <ucs-maintainers> |
Status: | REOPENED --- | QA Contact: | UCS maintainers <ucs-maintainers> |
Severity: | normal | ||
Priority: | P5 | CC: | best, botner, damrose, erdemiroglu, gulden, hahn, scheinig, schnick |
Version: | UCS 4.4 | ||
Target Milestone: | --- | ||
Hardware: | amd64 | ||
OS: | All | ||
See Also: |
https://forge.univention.org/bugzilla/show_bug.cgi?id=50858 https://forge.univention.org/bugzilla/show_bug.cgi?id=48677 https://forge.univention.org/bugzilla/show_bug.cgi?id=52790 https://forge.univention.org/bugzilla/show_bug.cgi?id=52791 https://forge.univention.org/bugzilla/show_bug.cgi?id=55073 |
||
What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.091 | Enterprise Customer affected?: | Yes |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2020071021000589, 2020110721000318, 2022072621000359 | Bug group (optional): | Regression |
Max CVSS v3 score: | |||
Attachments: | patch new appcenter_umc_test |
Quick fix was: mv 10-pkgdb_hba.conf 09-pkgdb_hba.conf but this fails to process when running "ucr commit"

Thank you for the report, this is probably a regression from bug 50858. Is our system's ip part of the default docker-compose network 172.16.1.1/16? If so, please switch to a different docker-compose network:

    ucr set appcenter/docker/compose/network='172.18.1.1/16'
    service postgresql restart

Does this help? We will add a check for this situation in the diagnostic module/appcenter and/or try to figure out if rearranging the entries in the pg_hba.conf helps.

Rearranging the entries helps, this I tried manually. Based on this I tried to change the order of entries permanently by swapping the order of "10-appcenter" and "10-pg_hba.conf" templates.

> ucr set appcenter/docker/compose/network='172.18.1.1/16'

fixed it also after reboot
Created attachment 10312 [details]
patch new appcenter_umc_test
School Customer with the same problem. Workaround of Felix (Comment 3) works also in that environment.

happened also in our test environment: 1 time in /var/log/univention/join.log:

    Traceback (most recent call last):
      File "/usr/sbin/univention-pkgdb-scan", line 37, in <module>
        univention.pkgdb.main()
      File "/usr/lib/pymodules/python2.7/univention/pkgdb.py", line 578, in main
        connection = open_database_connection(config_registry, pkgdbu=False)
      File "/usr/lib/pymodules/python2.7/univention/pkgdb.py", line 560, in open_database_connection
        connection = pgdb.connect(database=connectstring)
      File "/usr/lib/python2.7/dist-packages/pgdb.py", line 1615, in connect
        cnx = _connect(dbname, dbhost, dbport, dbopt, dbuser, dbpasswd)
    pg.InternalError: FATAL: PAM-Authentifizierung für Benutzer »master071c$« fehlgeschlagen

Again:
- customer host is using 172.161.20/24, which conflicts with our docker IP range
- /etc/postgresql/9.6/main/pg_hba.conf is evaluated in order:
  - 10-appcenter matches the docker IP range first fast
  - 10-pg_hba.conf is not considered

Possible solutions:
- ucr set appcenter/docker/compose/network=…
- mv 10-pkgdb_hba.conf 09-pkgdb_hba.conf

Customer runs into this issue: Host is using the IP range 172.16.1.10 and runs into the conflict with docker IP range.

    Traceback (most recent call last):
      File "/usr/sbin/univention-pkgdb-scan", line 37, in <module>
        univention.pkgdb.main()
      File "/usr/lib/python3/dist-packages/univention/pkgdb.py", line 578, in main
        connection = open_database_connection(config_registry, pkgdbu=False)
      File "/usr/lib/python3/dist-packages/univention/pkgdb.py", line 560, in open_database_connection
        connection = pgdb.connect(database=connectstring)
      File "/usr/lib/python3/dist-packages/pgdb.py", line 1619, in connect
        cnx = _connect(dbname, dbhost, dbport, dbopt, dbuser, dbpasswd)
    pg.InternalError: FATAL: password authentication failed for user "home$"
    dist-update finished at Sat Jul 30 14:41:17 2022...
Possible Solution: edit /etc/postgresql/9.6/main/pg_hba.conf and move up these entries under local all:

    local pkgdb pkgdbu md5
    hostssl pkgdb +pkgdbg 0.0.0.0/0 pam
    hostssl pkgdb +pkgdbg ::/0 pam

A small note, it would be advisable if before the installation of the docker a check of the ip range is carried out. In case of arising conflicts one could set up in advance for the docker another ip, because there are enough systems that run into this bug.
recently I saw the following error during package update (on the web-frontend and also on univention-upgrade):

    ...
    Trigger für libc-bin (2.24-11+deb9u4) werden verarbeitet ...
    Traceback (most recent call last):
      File "/usr/sbin/univention-pkgdb-scan", line 37, in <module>
        univention.pkgdb.main()
      File "/usr/lib/python2.7/dist-packages/univention/pkgdb.py", line 579, in main
        connection = open_database_connection(config_registry, pkgdbu=False)
      File "/usr/lib/python2.7/dist-packages/univention/pkgdb.py", line 561, in open_database_connection
        connection = pgdb.connect(database=connectstring)
      File "/usr/lib/python2.7/dist-packages/pgdb.py", line 1615, in connect
        cnx = _connect(dbname, dbhost, dbport, dbopt, dbuser, dbpasswd)
    pg.InternalError: FATAL: Passwort-Authentifizierung für Benutzer »drude$« fehlgeschlagen
    ....

running "/usr/sbin/univention-pkgdb-scan --scan" also shows this error. After some debugging I found in "/var/log/postgresql/postgresql-9.6-main.log":

> 2020-03-12 12:16:54 CET [25684-1] ucs-master$@pkgdb FATAL: Passwort-Authentifizierung für Benutzer »ucs-master$« fehlgeschlagen
> 2020-03-12 12:16:54 CET [25684-2] ucs-master$@pkgdb DETAIL: Benutzer »ucs-master$« hat kein Passwort zugewiesen.
> Verbindung stimmte mit pg_hba.conf-Zeile 98 überein: »host all all 172.16.1.1/16 md5«

This shows that the "/etc/univention/templates/files/etc/postgresql/9.6/main/pg_hba.conf.d/10-pg_hba.conf" (hba.conf for pkgdb) will not be evaluated as the "/etc/univention/templates/files/etc/postgresql/9.6/main/pg_hba.conf.d/10-appcenter" rules match first.
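
The first-match evaluation of pg_hba.conf described in this report, as an added example that is not part of the original thread or of Univention's code: it replays the rules quoted above for a host at 172.16.1.10 and shows which rule decides the authentication method in the reported order, after reordering, and after moving the Docker network. The parser is a simplified sketch (CIDR form only), and it assumes a TLS connection over TCP and that the machine account is a member of the role pkgdbg.

```python
import ipaddress

# Constructed rule sets built from the entries quoted in this thread.
APPCENTER = "host all all {net} md5\n"
PKGDB = (
    "local   pkgdb pkgdbu            md5\n"
    "hostssl pkgdb +pkgdbg 0.0.0.0/0 pam\n"
    "hostssl pkgdb +pkgdbg ::/0      pam\n"
)


def parse(text):
    """Parse simple pg_hba lines (CIDR form only, no quoting or includes)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        local = f[0] == "local"
        # strict=False: 172.16.1.1/16 has host bits set, as in the log above
        net = None if local else ipaddress.ip_network(f[3], strict=False)
        rules.append((lineno, f[0], f[1].split(","), f[2].split(","),
                      net, f[3] if local else f[4]))
    return rules


def first_match(rules, db, user, addr, ssl, groups=()):
    """Return (lineno, method) of the first matching rule; there is no
    fall-through to later rules when that rule's authentication fails."""
    ip = ipaddress.ip_address(addr) if addr else None
    names = {"all", user} | {"+" + g for g in groups}
    for lineno, kind, dbs, users, net, method in rules:
        if (kind == "local") != (ip is None):
            continue  # Unix-socket rules never match TCP and vice versa
        if (kind == "hostssl" and not ssl) or (kind == "hostnossl" and ssl):
            continue
        if ip is not None and ip not in net:
            continue
        if not {"all", db} & set(dbs) or not names & set(users):
            continue
        return lineno, method
    return None  # PostgreSQL rejects connections that match no rule


def pkgdb_scan_rule(hba_text, host_ip="172.16.1.10"):
    """Rule chosen for the machine account connecting to pkgdb.
    Assumed: TLS over TCP, and the account is a member of role pkgdbg."""
    return first_match(parse(hba_text), "pkgdb", "ucs-master$", host_ip,
                       ssl=True, groups=("pkgdbg",))
```

Calling `pkgdb_scan_rule(APPCENTER.format(net="172.16.1.1/16") + PKGDB)` selects the md5 rule on line 1, matching the log excerpt; placing `PKGDB` first, or formatting `APPCENTER` with 172.18.1.1/16, selects a pam rule instead.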