Univention Bugzilla – Bug 38137
sysvol-sync.sh can't handle reinstalled systems (host key changes)
Last modified: 2015-09-24 14:37:08 CEST
Ticket#2013121121001491

sysvol-sync.sh fails more or less silently when a "downstream s4 dc" is reinstalled (e.g. SSH host key changes). Only the two messages like the following reach the log file, as the rsync commands redirect stderr to /dev/null:

---
rsync: change_dir "/var/cache/univention-samba4/sysvol-sync/downstream-s4dc" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1060) [sender=3.0.7]
---
Workaround (obviously): ssh-keygen -R downstream-s4dc
With Bug #38868 we already get an appropriate error message in /var/log/univention/sysvol-sync.log:

2015-09-19 05:45:08 ERROR [slave] rsync exitcode was 12. Will not sync to hot target! (@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
44:95:18:40:18:7a:cf:48:c5:5a:52:65:91:38:9d:c9.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(605) [Receiver=3.0.9])

Additionally, a new UMC diagnostic plugin ssh_connection has been added to check host keys and machine authentication via SSH (python-paramiko) for all UCS DCs and member servers.

YAML: 2015-09-22-univention-management-console-module-diagnostic.yaml
merged to 4.1-0
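The host-key comparison that such a check has to perform, as an added stdlib-only example (not the UMC ssh_connection plugin's paramiko code): it parses a known_hosts file, including hashed `|1|` entries, and classifies the key a host presented as ok, changed (with the offending line number, as in the warning above) or unknown. The known_hosts content, host names and key blobs are constructed.

```python
import base64
import hashlib
import hmac

def fingerprint_md5(key_b64):
    """Colon-separated MD5 fingerprint, the format older OpenSSH prints."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def host_matches(pattern, host):
    """Match one known_hosts host field: comma list or hashed |1|salt|hmac."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in pattern.split(",")

def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Return ('ok' | 'changed' | 'unknown', line_no). Like OpenSSH, any exact
    match wins; otherwise the first mismatching line for this host is offending."""
    offending = None
    for line_no, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        # Skip comments, blank lines and @cert-authority/@revoked marker lines
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        hosts, ktype, kdata = parts[0], parts[1], parts[2]
        if not host_matches(hosts, host) or ktype != key_type:
            continue
        if kdata == key_b64:
            return ("ok", line_no)
        if offending is None:
            offending = line_no
    return ("changed", offending) if offending else ("unknown", None)

def hashed_entry(host, key_type, key_b64, salt=b"constructed-salt-20b"):
    """Build a HashKnownHosts-style line for the sample file."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    field = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return "%s %s %s" % (field, key_type, key_b64)

# Constructed sample data: the key recorded before the reinstall and the new one
OLD_KEY = base64.b64encode(b"constructed old host key blob").decode()
NEW_KEY = base64.b64encode(b"constructed new host key blob").decode()
KNOWN_HOSTS = "\n".join([
    "downstream-s4dc,10.200.7.30 ssh-rsa " + OLD_KEY,   # line 1: stale entry
    "# comment line",
    hashed_entry("hashed-dc", "ssh-rsa", NEW_KEY),       # line 3: hashed entry
]) + "\n"
```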
Ok, works. Advisory ok. Merged to UCS 4.1. The new dependency on python-paramiko works, it's maintained.
The error handling of the diagnostic plugin should be enhanced a little bit. getMachineConnection may raise IOError or ldap.LDAPError if unjoined/broken join status/no password file/wrong password.
Fixed and merged. YAML: 2015-09-22-univention-management-console-module-diagnostic.yaml
The module is now showing (in an error case):

"""
SSH-Verbindung zu anderem UCS Server fehlgeschlagen!
[Errno 2] Datei oder Verzeichnis nicht gefunden: '/etc/machine.secret'
"""

Well, not the best usability thing, but okay for now.
<http://errata.software-univention.de/ucs/4.0/335.html>