Bug 50937

Summary: pkgdb: (postgresql) password-authentication for user "host$" fails
Product: UCS
Reporter: office
Component: pkgdb
Assignee: UCS maintainers <ucs-maintainers>
Status: REOPENED ---
QA Contact: UCS maintainers <ucs-maintainers>
Severity: normal
Priority: P5
CC: best, botner, damrose, erdemiroglu, gulden, hahn, scheinig, schnick
Version: UCS 4.4
Target Milestone: ---
Hardware: amd64
OS: All
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=50858
https://forge.univention.org/bugzilla/show_bug.cgi?id=48677
https://forge.univention.org/bugzilla/show_bug.cgi?id=52790
https://forge.univention.org/bugzilla/show_bug.cgi?id=52791
https://forge.univention.org/bugzilla/show_bug.cgi?id=55073
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020071021000589, 2020110721000318, 2022072621000359
Bug group (optional): Regression
Max CVSS v3 score:
Attachments: patch new appcenter_umc_test

Description office 2020-03-12 12:51:05 CET
Recently I saw the following error during package update (on the web frontend and also on univention-upgrade):

...
Trigger für libc-bin (2.24-11+deb9u4) werden verarbeitet ...
Traceback (most recent call last):
  File "/usr/sbin/univention-pkgdb-scan", line 37, in <module>
    univention.pkgdb.main()
  File "/usr/lib/python2.7/dist-packages/univention/pkgdb.py", line 579, in main
    connection = open_database_connection(config_registry, pkgdbu=False)
  File "/usr/lib/python2.7/dist-packages/univention/pkgdb.py", line 561, in open_database_connection
    connection = pgdb.connect(database=connectstring)
  File "/usr/lib/python2.7/dist-packages/pgdb.py", line 1615, in connect
    cnx = _connect(dbname, dbhost, dbport, dbopt, dbuser, dbpasswd)
pg.InternalError: FATAL:  Passwort-Authentifizierung für Benutzer »drude$« fehlgeschlagen
....

Running "/usr/sbin/univention-pkgdb-scan --scan" also shows this error.

After some debugging I found in "/var/log/postgresql/postgresql-9.6-main.log":

> 2020-03-12 12:16:54 CET [25684-1] ucs-master$@pkgdb FATAL:  Passwort-Authentifizierung für Benutzer »ucs-master$« fehlgeschlagen
> 2020-03-12 12:16:54 CET [25684-2] ucs-master$@pkgdb DETAIL:  Benutzer »ucs-master$« hat kein Passwort zugewiesen.
>         Verbindung stimmte mit pg_hba.conf-Zeile 98 überein: »host    all         all         172.16.1.1/16          md5«

This shows that the "/etc/univention/templates/files/etc/postgresql/9.6/main/pg_hba.conf.d/10-pg_hba.conf" (hba.conf for pkgdb) will not be evaluated as the "/etc/univention/templates/files/etc/postgresql/9.6/main/pg_hba.conf.d/10-appcenter" rules match first.
Comment 1 office 2020-03-12 12:51:44 CET
Quick fix was:

 mv 10-pkgdb_hba.conf 09-pkgdb_hba.conf

but this fails to process when running "ucr commit"
Comment 2 Erik Damrose univentionstaff 2020-03-12 13:00:15 CET
Thank you for the report, this is probably a regression from bug 50858.
Comment 3 Felix Botner univentionstaff 2020-03-12 13:32:56 CET
Is our system's ip part of the default docker-compose network 172.16.1.1/16?

If so, please switch to a different docker-compose network:

 ucr set appcenter/docker/compose/network='172.18.1.1/16'
 service postgresql restart

Does this help?

We will add a check for this situation in the diagnostic module/appcenter and/or try to figure out if rearranging the entries in the pg_hba.conf helps.
Comment 4 office 2020-03-12 15:04:10 CET
Rearranging the entries helps; I tried this manually. Based on this I tried to change the order of entries permanently by swapping the order of the "10-appcenter" and "10-pg_hba.conf" templates.
Comment 5 office 2020-03-16 11:09:18 CET
>  ucr set appcenter/docker/compose/network='172.18.1.1/16'

fixed it also after reboot
Comment 6 Felix Botner univentionstaff 2020-03-16 13:17:57 CET
Created attachment 10312
patch new appcenter_umc_test
Comment 7 Dirk Schnick univentionstaff 2020-07-14 10:55:22 CEST
School customer with the same problem. The workaround of Felix (Comment 3) also works in that environment.
Comment 8 Florian Best univentionstaff 2020-08-19 09:56:17 CEST
Also happened in our test environment: 1 time in /var/log/univention/join.log:
Traceback (most recent call last):
  File "/usr/sbin/univention-pkgdb-scan", line 37, in <module>
    univention.pkgdb.main()
  File "/usr/lib/pymodules/python2.7/univention/pkgdb.py", line 578, in main
    connection = open_database_connection(config_registry, pkgdbu=False)
  File "/usr/lib/pymodules/python2.7/univention/pkgdb.py", line 560, in open_database_connection
    connection = pgdb.connect(database=connectstring)
  File "/usr/lib/python2.7/dist-packages/pgdb.py", line 1615, in connect
    cnx = _connect(dbname, dbhost, dbport, dbopt, dbuser, dbpasswd)
pg.InternalError: FATAL:  PAM-Authentifizierung für Benutzer »master071c$« fehlgeschlagen
Comment 11 Philipp Hahn univentionstaff 2022-08-01 16:23:01 CEST
Again:
- customer host is using 172.161.20/24, which conflicts with our docker IP range
- /etc/postgresql/9.6/main/pg_hba.conf is evaluated in order:
  - 10-appcenter matches the docker IP range first fast
  - 10-pg_hba.conf is not considered

Possible solutions:
- ucr set appcenter/docker/compose/network=… 
- mv 10-pkgdb_hba.conf 09-pkgdb_hba.conf
Comment 12 Mirac Erdemiroglu univentionstaff 2022-08-01 17:04:20 CEST
Customer runs into this issue:

Host is using the IP range 172.16.1.10 and runs into the conflict with docker IP range.

Traceback (most recent call last):
  File "/usr/sbin/univention-pkgdb-scan", line 37, in <module>
    univention.pkgdb.main()
  File "/usr/lib/python3/dist-packages/univention/pkgdb.py", line 578, in main
    connection = open_database_connection(config_registry, pkgdbu=False)
  File "/usr/lib/python3/dist-packages/univention/pkgdb.py", line 560, in open_database_connection
    connection = pgdb.connect(database=connectstring)
  File "/usr/lib/python3/dist-packages/pgdb.py", line 1619, in connect
    cnx = _connect(dbname, dbhost, dbport, dbopt, dbuser, dbpasswd)
pg.InternalError: FATAL:  password authentication failed for user "home$"

dist-update finished at Sat Jul 30 14:41:17 2022...


Possible solution:
Edit /etc/postgresql/9.6/main/pg_hba.conf and move these entries up, under local all:

local pkgdb pkgdbu md5
hostssl pkgdb +pkgdbg 0.0.0.0/0 pam
hostssl pkgdb +pkgdbg ::/0 pam


A small note: it would be advisable to carry out a check of the IP range before Docker is installed. In case of conflicts, one could set up another IP for Docker in advance, because there are enough systems that run into this bug.
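
Added example (not part of the bug report and not Univention's code): a small model of PostgreSQL's first-match evaluation of pg_hba.conf, run over the rule lines quoted in this report, plus the IP-range check suggested in Comments 3 and 12. The function names, the SSL connection and the membership of "home$" in the group pkgdbg are assumptions made for illustration.

```python
import ipaddress

# Constructed excerpt: the three rule lines are quoted in this report, in the
# order that triggers the failure (10-appcenter rule before the pkgdb rules).
SAMPLE_HBA = """\
host    all    all      172.16.1.1/16  md5
hostssl pkgdb  +pkgdbg  0.0.0.0/0      pam
hostssl pkgdb  +pkgdbg  ::/0           pam
"""

def parse_hba(text):
    """Parse host/hostssl/hostnossl records into dicts (CIDR address form only)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if len(f) >= 5 and f[0] in ("host", "hostssl", "hostnossl"):
            # strict=False: 172.16.1.1/16 has host bits set
            net = ipaddress.ip_network(f[3], strict=False)
            rules.append({"line": lineno, "type": f[0], "db": f[1].split(","),
                          "user": f[2].split(","), "net": net, "method": f[4]})
    return rules

def user_matches(spec, user, groups):
    """'all', an exact role name, or '+group' when the role is in that group."""
    return any(s == "all" or s == user or (s.startswith("+") and s[1:] in groups)
               for s in spec)

def first_match(rules, db, user, client_ip, groups=(), ssl=True):
    """Return the first matching record; PostgreSQL does not fall through to
    a later record when authentication against this one fails."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if (r["type"] == "hostssl" and not ssl) or (r["type"] == "hostnossl" and ssl):
            continue
        if "all" not in r["db"] and db not in r["db"]:
            continue
        if ip.version != r["net"].version or ip not in r["net"]:
            continue
        if user_matches(r["user"], user, groups):
            return r
    return None

def host_in_compose_network(host_ip, compose_network):
    """Pre-install check: is the host's own address inside the Docker range?"""
    net = ipaddress.ip_network(compose_network, strict=False)
    return ipaddress.ip_address(host_ip) in net

if __name__ == "__main__":
    hit = first_match(parse_hba(SAMPLE_HBA), "pkgdb", "home$", "172.16.1.10", ("pkgdbg",))
    print(hit["line"], hit["method"])
    print(host_in_compose_network("172.16.1.10", "172.18.1.1/16"))
```

With the host at 172.16.1.10 the md5 record on line 1 is selected and the pam records are never reached; moving the pkgdb records up or changing the compose network to 172.18.1.1/16 makes the pam record the first match.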