5.2 - upgrading PostgreSQL to 15; setting up new passwords

Hi

We are following:

https://help.univention.com/t/updating-from-postgresql-11-to-postgresql-15/22162

but got stuck at:

Set all passwords again

All password authenticated users have to change their password. In psql, a superuser can change any user’s password with

\password user_name

To get all users, you can use the following command:

sudo -u postgres psql -c "\du"

Now the output is:

root@srvr1:~# sudo -u postgres psql -c "\du"
could not change directory to "/root": Permission denied
                                      List of roles
    Role name    |                         Attributes                         | Member of
-----------------+------------------------------------------------------------+-----------
 admin-47384587$ |                                                            | {pkgdbg}
 admindiary      |                                                            | {}
 keycl-08545455$ |                                                            | {pkgdbg}
 keycloak        |                                                            | {}
 pkgdbg          | Cannot login                                               | {}
 pkgdbu          | Superuser, Create role, Create DB                          | {}
 postgres        | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
 prome-34273249$ |                                                            | {pkgdbg}
 prome-34690465$ |                                                            | {pkgdbg}
 srvr1$          |                                                            | {pkgdbg}
 srvr2$          |                                                            | {pkgdbg}
 srvr3$          |                                                            | {pkgdbg}

This might be silly but we are just normal Univention users, not developers, and we don’t know which passwords these services expect - we set up only 1 Univention password when we installed Univention on our 3 servers. Do we assume we change passwords in all the services listed to the password we set when we installed Univention?

Thanks

I don’t think you need to actually reset the user passwords; just don’t update the “password encryption” or the passwords.

It’s more a security requirement to ensure that the database users all use the new encryption methods.

I have moved other systems from PG 9.4 -> PG 15, all without messing about with the password encryption or passwords.


Hi

Thanks, we have left the password encryption method on ‘md5’ too and everything works fine. But as ‘md5’ method is considered insecure we are willing to set it to ‘scram-sha-256’ - just need to know which passwords the services listed by sudo -u postgres psql -c "\du" expect - same password as we set to Univention maybe? It would be good if one of Univention Support Team members could chip in here as the support article quoted in my post is not very clear.

It would not be possible easily, since you would have to find out where the PW were set in the config files of each and every package installed on the systems that used PG as a back end.

Then you have the issue that some of these packages might not have the correct client drivers for this new system.

It’s clearly NOT a well thought out upgrade, since the way to do this sort of thing is to always do the packages first with a client upgrade for PG, so that you don’t break anything.

The client will then communicate with any PG version that is supported.
Doing it the “univention” way, there is a significant danger that you upgrade the database, but squirreled away some place is a software package that is hard wired to an old version of the PG client.
Especially if you are using Docker containers…

Hello, I have the same issue: I followed the procedure to upgrade PostgreSQL from 11 to 15, changed the password encryption from ‘md5’ to scram-sha-256, and now I’m not able to access the database:

univention-pkgdb-scan --test-superuser
Traceback (most recent call last):
  File "/usr/sbin/univention-pkgdb-scan", line 41, in
    univention.pkgdb.main()
  File "/usr/lib/python3/dist-packages/univention/pkgdb.py", line 586, in main
    connection = open_database_connection(config_registry, pkgdbu=True)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/pkgdb.py", line 570, in open_database_connection
    connection = pgdb.connect(database=connectstring)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pgdb.py", line 1670, in connect
    cnx = _connect(dbname, dbhost, dbport, dbopt, dbuser, dbpasswd)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pg.InternalError: connection to server on socket "/var/run/postgresql/.s.PGSQL.5432" failed: FATAL: password authentication failed for user "pkgdbu"

Is there a way to find the default passwords for these users so they can be set again?
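
Added example, not part of the thread or of Univention's tooling: `password_encryption` only changes how passwords set from then on are stored, so a role whose stored verifier is still an md5 hash fails against a `scram-sha-256` rule in `pg_hba.conf` until its password is set again, and a role with no stored password has nothing to reset. The script classifies the output of `sudo -u postgres psql -At -c "SELECT rolname, rolpassword FROM pg_authid"`; the role names are taken from the listing above, while the verifier values and which role carries which type are constructed for illustration.

```python
import base64
import re

# Stored verifier formats PostgreSQL writes to pg_authid.rolpassword.
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/]+=*\$[A-Za-z0-9+/]+=*:[A-Za-z0-9+/]+=*$"
)

def classify(rolpassword):
    """Return 'none', 'md5', 'scram-sha-256' or 'unknown' for one verifier."""
    if not rolpassword:
        return "none"  # NULL: this role cannot use password authentication
    if MD5_RE.match(rolpassword):
        return "md5"
    if SCRAM_RE.match(rolpassword):
        return "scram-sha-256"
    return "unknown"

def audit(psql_output):
    """Parse `rolname|rolpassword` lines (psql -At) into {role: verifier type}."""
    report = {}
    for line in psql_output.splitlines():
        if "|" not in line:
            continue
        role, _, verifier = line.rpartition("|")  # verifiers never contain '|'
        report[role] = classify(verifier.strip())
    return report

def needs_reset(report):
    """Roles that will fail a scram-sha-256 pg_hba.conf rule until re-set."""
    return sorted(role for role, kind in report.items() if kind == "md5")

# Constructed sample input; it says nothing about a real UCS system.
# Real output of the query contains password hashes: keep it out of logs.
_KEY = base64.b64encode(bytes(32)).decode()
_SALT = base64.b64encode(b"constructed-salt").decode()
SAMPLE = "\n".join([
    "pkgdbu|md5" + "0123456789abcdef" * 2,
    "keycloak|SCRAM-SHA-256$4096:" + _SALT + "$" + _KEY + ":" + _KEY,
    "srvr1$|",
])

if __name__ == "__main__":
    report = audit(SAMPLE)
    for role, kind in sorted(report.items()):
        print(f"{role:12} {kind}")
    print("re-set before enforcing scram-sha-256:", needs_reset(report))
```
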

I’m having the same problems when following the guide for updating PostgreSQL.
Running just the steps from "Upgrade PostgreSQL from 11 to 15", without any changes to auth or encryption method, and without setting new passwords (as suggested by talleyrand), leads to a functional system.


After this change, Keycloak no longer works either. Although I have reset the password in PGSQL and Keycloak, Keycloak no longer has DB access. “Rollback”.