After upgrade to UCS 5.0 - no user except root can login through web portal

Does anyone know how I can reset the Administrator password? It was set in the original installation but was somehow changed in the upgrade. I can still login through SSL with root, the password is the same… I can login to the web portal using root and that password, but it does not see the original Administrator password I had from 4.4-8 errata995. The root password does not work with the Administrator username to login as it should… thanks for the help

If I try:

root@ucs-bdc:~# udm users/user modify --dn uid=Administrator,cn=users,"$(ucr get ldap/base)" \
  --set 'password=??11des**' \
  --set overridePWHistory=1 \
  --set pwdChangeNextLogin=0

It returns:

Value may not change: key=pwdChangeNextLogin old=None new=0

Hi,

“pwdChangeNextLogin” can’t be set to “0”. This is a special attribute which can only be set in case you want to enforce a password change on the next login. Please just try the command without this option.

As a remark: Passwords for “root” and “Administrator” are initialized during installation of the first UCS instance to the same value, but are handled as separate accounts afterwards. For example you can change the Administrator password on a joined Windows Client.

Ingo

Awesome! Thank you for the response - it seems we made progress, but it still shows:

udm users/user modify --dn uid=Administrator,cn=users,"$(ucr get ldap/base)" \
  --set 'password=??11des**' \
  --set overridePWHistory=1

Value may not change: key=password old={KINIT} new=??11des**

and in UMC:

[screenshot]

I can login with root privileges, but of course there is nothing there to look at! Is there a chance I need to reset the account due to too many login attempts, as in this post: Password, locked out

I did find this in management-console-server.log in /var/log/univention:

28.06.21 09:24:46.108 MAIN ( PROCESS ) : LDAP bind for user 'uid=Administrator,cn=users,dc=belldesign,dc=com'.
28.06.21 09:24:46.154 LOCALE ( WARN ) : Could not find translation file: 'udm.mo'
28.06.21 09:24:46.155 LOCALE ( WARN ) : Could not find translation file: 'udm-saml.mo'
28.06.21 09:24:46.155 LOCALE ( WARN ) : Could not find translation file: 'mrtg.mo'
28.06.21 09:24:46.155 LOCALE ( WARN ) : Could not find translation file: 'appcenter.mo'
28.06.21 09:24:46.155 LOCALE ( WARN ) : Could not find translation file: 'join.mo'
28.06.21 09:24:46.155 LOCALE ( WARN ) : Could not find translation file: 'ucr.mo'
28.06.21 09:24:46.156 LOCALE ( WARN ) : Could not find translation file: 'lib.mo'
28.06.21 09:24:46.156 LOCALE ( WARN ) : Could not find translation file: 'top.mo'
28.06.21 09:24:46.156 LOCALE ( WARN ) : Could not find translation file: 'apps.mo'
28.06.21 09:24:46.156 LOCALE ( WARN ) : Could not find translation file: 'reboot.mo'
28.06.21 09:24:46.156 LOCALE ( WARN ) : Could not find translation file: 'diagnostic.mo'
28.06.21 09:24:46.156 LOCALE ( WARN ) : Could not find translation file: 'serveroverview.mo'
28.06.21 09:24:46.156 LOCALE ( WARN ) : Could not find translation file: 'ipchange.mo'
28.06.21 09:24:46.156 LOCALE ( WARN ) : Could not find translation file: 'updater.mo'
28.06.21 09:24:46.157 LOCALE ( WARN ) : Could not find translation file: 'services.mo'
28.06.21 09:24:46.157 LOCALE ( WARN ) : Could not find translation file: 'adconnector.mo'
28.06.21 09:24:46.157 LOCALE ( WARN ) : Could not find translation file: 'sysinfo.mo'
28.06.21 09:24:46.157 LOCALE ( WARN ) : Could not find translation file: 'setup.mo'
28.06.21 09:24:46.157 LOCALE ( WARN ) : Could not find translation file: 'quota.mo'
28.06.21 09:24:47.379 MAIN ( PROCESS ) : LDAP bind for user 'uid=Administrator,cn=users,dc=belldesign,dc=com'.
28.06.21 09:25:25.025 DEBUG_INIT
28.06.21 09:25:25.026 MAIN ( PROCESS ) : The UMC server is still running. Will wait for 5 seconds
28.06.21 09:25:25.026 MAIN ( WARN ) : Shutting down all open connections
28.06.21 09:25:25.026 MAIN ( WARN ) : Shutting down all open connections
28.06.21 09:28:26.082 DEBUG_INIT
28.06.21 09:29:18.142 MAIN ( PROCESS ) : Server started
28.06.21 09:37:12.629 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
28.06.21 09:37:13.321 MODULE ( PROCESS ) : Setting auth type to None
28.06.21 09:37:13.644 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
28.06.21 09:37:13.906 MAIN ( PROCESS ) : LDAP bind for user 'uid=Administrator,cn=users,dc=belldesign,dc=com'.
28.06.21 09:37:13.946 LOCALE ( WARN ) : Could not find translation file: 'udm.mo'
28.06.21 09:37:13.946 LOCALE ( WARN ) : Could not find translation file: 'udm-saml.mo'
28.06.21 09:37:13.947 LOCALE ( WARN ) : Could not find translation file: 'mrtg.mo'
28.06.21 09:37:13.947 LOCALE ( WARN ) : Could not find translation file: 'appcenter.mo'
28.06.21 09:37:13.947 LOCALE ( WARN ) : Could not find translation file: 'join.mo'
28.06.21 09:37:13.947 LOCALE ( WARN ) : Could not find translation file: 'ucr.mo'
28.06.21 09:37:13.947 LOCALE ( WARN ) : Could not find translation file: 'lib.mo'
28.06.21 09:37:13.947 LOCALE ( WARN ) : Could not find translation file: 'top.mo'
28.06.21 09:37:13.947 LOCALE ( WARN ) : Could not find translation file: 'apps.mo'
28.06.21 09:37:13.948 LOCALE ( WARN ) : Could not find translation file: 'reboot.mo'
28.06.21 09:37:13.948 LOCALE ( WARN ) : Could not find translation file: 'diagnostic.mo'
28.06.21 09:37:13.948 LOCALE ( WARN ) : Could not find translation file: 'serveroverview.mo'
28.06.21 09:37:13.948 LOCALE ( WARN ) : Could not find translation file: 'ipchange.mo'
28.06.21 09:37:13.948 LOCALE ( WARN ) : Could not find translation file: 'updater.mo'
28.06.21 09:37:13.948 LOCALE ( WARN ) : Could not find translation file: 'services.mo'
28.06.21 09:37:13.948 LOCALE ( WARN ) : Could not find translation file: 'adconnector.mo'
28.06.21 09:37:13.949 LOCALE ( WARN ) : Could not find translation file: 'sysinfo.mo'
28.06.21 09:37:13.949 LOCALE ( WARN ) : Could not find translation file: 'setup.mo'
28.06.21 09:37:13.949 LOCALE ( WARN ) : Could not find translation file: 'quota.mo'

thanks again

Did you activate account lockout options? Is the Administrator account locked due to too many login attempts with a wrong password?

Anyway: you can also add a new user using the “udm” command line tool and add him to the “Domain Admins” group - the user will have full access to the UMC then.

Well tbh, I am not sure! I didn't add anything in the upgrade process to 5.0 and it just ran as intended although there were a lot of bumps - it had changed the IP address and so I changed it back to the original but didn't change anything afaik - I will look for a post on adding, I haven't added with the udm tool yet - like the new interface looks awesome - still need to get Nextcloud running again but Wekan and Let's Encrypt are up so getting closer…

I think it should go something like this, but I'm not sure what text to add for Domain Admins:

udm users/user create --ignore_exists \
  --superordinate cn=users,dc=internal,dc=belldesign,dc=com \
  --set overridePWHistory=1 \
  --set overridePWLength=1 \
  --set username=BellAdmin1 \
  --set uidNumber=12345 \
  --set firstname=Max \
  --set lastname=Ligner \
  --set unixhome=/home/BellAdmin1 \
  --set shell=/bin/bash \
  --set 'password=??11des**' \
  --set 'primaryGroup=cn=Domain Users,cn=groups,dc=internal,dc=belldesign,dc=com'


hm so I must be missing something, I get error: No such object: No such object. I ran univention-directory-manager users/user list and found a couple of users that were in the Domain Admins group and tried to login using the Active Directory-assigned passwords, but they also erred.
If I try to add one of the users from the list to the Domain Admins group I get:

root@ucs-bdc:~# udm users/user modify --dn "uid=chraynor,cn=users,$(ucr get ldap/base)" \
  --append "groups=cn=Domain Admins,cn=groups,$(ucr get ldap/base)"
WARNING: cannot append cn=Domain Admins,cn=groups,dc=belldesign,dc=com to groups, value exists
No modification: uid=chraynor,cn=users,dc=belldesign,dc=com

It seems to be some disconnect in the web interface maybe? I do get this error:

root@ucs-bdc:~# samba-tool domain passwordsettings show
ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 1259, in run
    "lockOutObservationWindow"])


and

root@ucs-bdc:~# udm settings/sambadomain list

DN: sambaDomainName=BELLDESIGN,cn=samba,dc=belldesign,dc=com
NextGroupRid: 1000
NextRid: None
NextUserRid: 1000
SID: S-1-5-21-1396051547-777176247-1858873345
badLockoutAttempts: None
disconnectTime: None
domainPasswordComplex: 1
domainPasswordStoreCleartext: 0
domainPwdProperties: 1
lockoutDuration: None
logonToChangePW: None
maxPasswordAge: None
minPasswordAge: None
name: BELLDESIGN
passwordHistory: None
passwordLength: 8
refuseMachinePWChange: None
resetCountMinutes: None

yeah, I'm stumped here, nothing has worked and I am still unable to login to the web interface since the upgrade to 5.0 - any help appreciated! This error seems significant:

root@ucs-bdc:~# samba-tool domain passwordsettings show
ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 1259, in run
    "lockOutObservationWindow"])

and:

root@ucs-bdc:~# samba-tool domain passwordsettings pso show-user Administrator
ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/pso.py", line 667, in run
    show_pso_for_user(self.outf, samdb, username)
  File "/usr/lib/python3/dist-packages/samba/netcmd/pso.py", line 135, in show_pso_for_user
    attrs=['msDS-ResultantPSO', 'msDS-PSOApplied'])

and

root@ucs-bdc:~# samba-tool domain passwordsettings pso list
ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/pso.py", line 592, in run
    expression="(objectClass=msDS-PasswordSettings)")


root@ucs-bdc:~# udm users/user list --filter uid=Administrator
uid=Administrator
DN: uid=Administrator,cn=users,dc=belldesign,dc=com
birthday: None
city: None
country: None
description: Built-in account for administering the computer/domain
disabled: 0
displayName: None
employeeNumber: None
employeeType: None
firstname: None
gecos: Administrator
gidNumber: 5001
groups: cn=Domain Admins,cn=groups,dc=belldesign,dc=com
groups: cn=Domain Users,cn=groups,dc=belldesign,dc=com
groups: cn=DC Backup Hosts,cn=groups,dc=belldesign,dc=com
groups: cn=Schema Admins,cn=users,dc=belldesign,dc=com
groups: cn=Enterprise Admins,cn=users,dc=belldesign,dc=com
groups: cn=Group Policy Creator Owners,cn=users,dc=belldesign,dc=com
homeShare: None
homeSharePath: None
homedrive: None
initials: None
jpegPhoto: None
lastbind: None
lastname: Administrator
locked: 0
lockedTime: 16010101000000Z
mailForwardCopyToSelf: 0
mailHomeServer: None
mailPrimaryAddress: None
nextcloudEnabled: 0
nextcloudQuota: None
objectFlag: synced
organisation: None
overridePWHistory: None
overridePWLength: None
password: {KINIT}
passwordexpiry: None
physicalDeliveryOfficeName: None
postcode: None
preferredDeliveryMethod: None
preferredLanguage: None
primaryGroup: cn=Domain Users,cn=groups,dc=belldesign,dc=com
profilepath: None
pwdChangeNextLogin: None
sambaLogonHours: None
sambaRID: 500
sambahome: None
scriptpath: None
shell: /bin/bash
street: None
title: None
uidNumber: 2002
umcProperty: appcenterDockerSeen = true
umcProperty: appcenterSeen = 2
umcProperty: udmUserGridView = default
umcProperty: favorites = udm:users/user,udm:groups/group,udm:computers/computer,appcenter:appcenter,updater,apps:wekan,apps:openid-connect-provider,apps:rocketchat,apps:kopano-meet
unixhome: /home/Administrator
unlock: None
unlockTime: unlimited
userexpiry: None
username: Administrator
wekanActivated: TRUE
univentionPolicyReference: cn=default-admins,cn=admin-settings,cn=users,cn=policies,dc=belldesign,dc=com


I did find some errors in management-console-server.log related to LDAP:

28.06.21 14:28:48.244 MAIN ( PROCESS ) : LDAP bind for user 'uid=Administrator,cn=users,dc=belldesign,dc=com'.
28.06.21 14:28:50.452 MAIN ( PROCESS ) : LDAP bind for user 'uid=Administrator,cn=users,dc=belldesign,dc=com'.
28.06.21 14:28:51.043 MAIN ( PROCESS ) : running: ['/usr/bin/python2.7', '/usr/sbin/univention-management-console-module', '-m', 'udm', '-s', '/var/run/univention-management-console/5872-1624915731042.socket', '-d', '2', '-l', 'en_US.UTF-8']
28.06.21 14:28:51.067 MAIN ( PROCESS ) : running: ['/usr/bin/python2.7', '/usr/sbin/univention-management-console-module', '-m', 'appcenter', '-s', '/var/run/univention-management-console/5872-1624915731067.socket', '-d', '2', '-l', 'en_US.UTF-8']
28.06.21 14:28:51.087 MAIN ( PROCESS ) : running: ['/usr/bin/python2.7', '/usr/sbin/univention-management-console-module', '-m', 'updater', '-s', '/var/run/univention-management-console/5872-1624915731087.socket', '-d', '2', '-l', 'en_US.UTF-8']
28.06.21 14:28:51.207 MAIN ( PROCESS ) : running: ['/usr/bin/python2.7', '/usr/sbin/univention-management-console-module', '-m', 'adconnector', '-s', '/var/run/univention-management-console/5872-1624915731207.socket', '-d', '2', '-l', 'en_US.UTF-8']
28.06.21 14:38:52.472 MAIN ( WARN ) : Socket died (module=appcenter)
28.06.21 14:38:52.472 MAIN ( WARN ) : Module process appcenter died (pid: 9133, exit status: -1, signal: -1, status: -1)
28.06.21 14:38:52.472 MAIN ( WARN ) : Cleaning up requests
28.06.21 14:38:52.472 MAIN ( WARN ) : Remove inactivity timer
28.06.21 14:38:52.472 MAIN ( PROCESS ) : ModuleProcess: stopping 9133
28.06.21 14:38:52.472 MAIN ( WARN ) : Socket died (module=appcenter)
28.06.21 14:38:52.479 MAIN ( WARN ) : Socket died (module=udm)
28.06.21 14:38:52.479 MAIN ( WARN ) : Module process udm died (pid: 9131, exit status: -1, signal: -1, status: -1)
28.06.21 14:38:52.479 MAIN ( WARN ) : Cleaning up requests
28.06.21 14:38:52.479 MAIN ( WARN ) : Remove inactivity timer
28.06.21 14:38:52.479 MAIN ( PROCESS ) : ModuleProcess: stopping 9131
28.06.21 14:38:52.479 MAIN ( WARN ) : Socket died (module=udm)
28.06.21 14:38:52.604 MAIN ( WARN ) : Socket died (module=adconnector)
28.06.21 14:38:52.604 MAIN ( WARN ) : Module process adconnector died (pid: 9137, exit status: -1, signal: -1, status: -1)
28.06.21 14:38:52.604 MAIN ( WARN ) : Cleaning up requests
28.06.21 14:38:52.604 MAIN ( WARN ) : Remove inactivity timer
28.06.21 14:38:52.604 MAIN ( PROCESS ) : ModuleProcess: stopping 9137
28.06.21 14:38:52.604 MAIN ( WARN ) : Socket died (module=adconnector)
28.06.21 14:38:53.170 MAIN ( WARN ) : Socket died (module=updater)
28.06.21 14:38:53.170 MAIN ( WARN ) : Module process updater died (pid: 9136, exit status: -1, signal: -1, status: -1)
28.06.21 14:38:53.170 MAIN ( WARN ) : Cleaning up requests
28.06.21 14:38:53.170 MAIN ( PROCESS ) : ModuleProcess: stopping 9136
28.06.21 14:38:53.170 MAIN ( WARN ) : Socket died (module=updater)
28.06.21 14:38:57.946 MAIN ( WARN ) : Socket died (module=join)
28.06.21 14:38:57.946 MAIN ( WARN ) : Module process join died (pid: 8846, exit status: -1, signal: -1, status: -1)
28.06.21 14:38:57.947 MAIN ( WARN ) : Cleaning up requests
28.06.21 14:38:57.947 MAIN ( PROCESS ) : ModuleProcess: stopping 8846
28.06.21 14:38:57.947 MAIN ( WARN ) : Socket died (module=join)
29.06.21 06:06:05.304 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
29.06.21 06:06:05.473 MODULE ( PROCESS ) : Setting auth type to None
29.06.21 06:06:05.474 MAIN ( ERROR ) : The LDAP DN for user donaldbell could not be found (lo=<univention.admin.uldap.access instance at 0x7fbf41ce77e8>)
29.06.21 06:06:05.475 ACL ( WARN ) : Error reading credentials from LDAP: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/acl.py", line 383, in _read_from_ldap
    userdn = self.lo.searchDn(filter_format('(&(objectClass=person)(uid=%s))', [self.username]), unique=True)[0]
IndexError: list index out of range

30.06.21 13:43:29.830 MAIN ( PROCESS ) : Server started
30.06.21 13:44:52.209 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 13:44:52.321 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 13:44:56.541 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 13:45:14.679 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 13:45:14.679 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 13:45:14.689 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 13:45:32.153 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 13:45:32.153 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 13:45:32.163 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 13:45:32.275 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 13:45:39.330 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 13:45:57.226 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 13:45:57.226 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 13:46:44.882 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 13:47:02.702 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 13:47:02.702 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 13:52:26.608 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 13:52:44.379 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 13:52:44.379 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 14:16:00.760 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 14:16:00.876 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 14:16:05.997 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 14:16:23.726 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 14:16:23.726 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 14:16:25.642 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 14:16:43.628 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 14:16:43.628 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 16:59:43.702 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 16:59:43.816 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 16:59:59.862 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 17:00:17.177 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 17:00:17.177 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 17:01:23.990 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 17:01:41.127 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 17:01:41.127 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 19:11:34.397 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:11:34.512 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:11:49.757 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:12:07.643 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 19:12:07.643 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 19:12:15.870 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:12:34.290 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 19:12:34.290 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 19:14:58.321 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:15:16.777 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 19:15:16.777 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 19:15:31.516 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:15:49.176 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 19:15:49.177 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 19:17:29.733 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:17:48.259 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
30.06.21 19:17:48.259 AUTH ( ERROR ) : The authentication has failed, please login again.
30.06.21 19:27:18.904 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:27:19.016 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:27:41.374 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:27:41.482 MODULE ( PROCESS ) : Setting auth type to None
30.06.21 19:27:41.533 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:27:42.858 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
30.06.21 19:27:42.968 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
01.07.21 08:36:42.025 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
01.07.21 08:36:59.711 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
01.07.21 08:36:59.711 AUTH ( ERROR ) : The authentication has failed, please login again.
01.07.21 08:37:10.443 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
01.07.21 08:37:27.923 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
01.07.21 08:37:27.923 AUTH ( ERROR ) : The authentication has failed, please login again.
01.07.21 08:43:00.321 LOCALE ( WARN ) : Could not find translation file: 'umc-core.mo'
01.07.21 08:43:18.174 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
01.07.21 08:43:18.174 AUTH ( ERROR ) : The authentication has failed, please login again.

mhm, that sounds to me like there were some major issues during the upgrade. To be honest, if possible I'd recommend going back to a backup of your 4.4-8 installation and aiming for a smooth upgrade by analyzing the upgrade log.

Ouch… yeah not possible! Thanks for trying. Guess we will be stuck with it until I can let UCS work bugs out and maybe try building a new one. I ran the check script a few times before the upgrade and it checked OK every time, ready for upgrade to 5.0

If a backup is not available, I suggest checking the upgrade log for errors as a starting point.

ok thank you. I don't see a logfile in /var/log/univention except errata-updates.log, and it is blank! I did find an updater.log in there - it does indicate it completed successfully:


* THE UPDATE HAS BEEN FINISHED SUCCESSFULLY. *
* Please make a page reload of UMC and login again *

done.
Tue 29 Jun 2021 02:45:57 PM PDT
warning: commands will be executed using /bin/sh
job 83 at Tue Jun 29 14:45:00 2021
Cannot find service-record of _pkgdb._tcp.
No DB-Server-Name found.
29.06.21 14:45:57.891 DEBUG_INIT
**** Starting univention-updater 5.0-0 with parameter=['/usr/share/univention-updater/univention-updater', 'net', '--updateto', '5.0-0', '--ignoressh', '--ignoreterm']
--->DBG:update_available(mode=net, cdrom_mount_point=/media/cdrom, iso=None)
Checking network repository
System is up to date (UCS 5.0-0)

to be sure that I didn't misunderstand you:

You wrote earlier that the IP address of the UCS instance changed during the upgrade and you had to change it back before you were able to finish the upgrade. Is my understanding correct?

If yes you should go back in the logfile to the point in time where the upgrade failed / changed the IP address.

If no I might be “over-dramatic” and you can go back to the initial issue.

btw: if “--append” for adding a user to a group gives you a “value exists” the user is already in the group

I'll be offline for a while, in case you have further questions I hope someone else will jump in.

Oh no, it completed successfully, but the IP address got changed in that process (guess it was set to DHCP from default perhaps) and I ran the command to change the IP address back, reloaded apache, and the portal came up with SSL still intact (via Let's Encrypt) with

ucr set interfaces/eno1/address=192.168.2.79 \
  interfaces/eno1/broadcast=192.168.2.255 \
  interfaces/eno1/netmask=24 \
  interfaces/eno1/network=192.168.2.0 \
  interfaces/eno1/start=true \
  interfaces/eno1/type=static

Our apps are working (except Nextcloud which has the mismatch between the Let's Encrypt SSL cert and the different internal domain name, which I am still trying to work through) - so the company is using Wekan fine (via the AD connector which still seems operational as all their logins from Active Directory are still working). I am just unable to login to the portal with the Administrator/root password, or the password it had been changed to after the initial installation. The Administrator account doesn't use the same password as the root user to start, nor is it the password I had changed it to a couple of years back when I first built this Univention server. There is an Administrator account in AD (Windows Server 2012 R2) so I kind of wonder if it is mixing the built-in UCS Administrator account with the one in Active Directory…

Thanks for your help!

Hi,

slowly things are getting clearer to me :)

  1. User Management & AD Connector

We have two modes for the integration into an AD domain. One is the “connector” mode where UCS and AD are separate domains (different domain names / DNS) and the connector syncs all information between these domains. I assume you are using the second mode, where UCS is a member of the AD domain and syncs only informational attributes, but is configured to check passwords directly against an AD DC. My assumption is right if you find a computer/server object in your AD for the UCS instance.

I made this assumption because of the fact that you are unable to change your password in UCS. In this operation mode password changes using “udm” are deactivated on behalf. Any password validation or change by a user is sent to an AD DC using the Kerberos protocol. Normally there is an exception for Administrator, but looking at your error messages it might be the case that this exception has been invalidated.

Have you tried to log in using the password of Administrator that has been defined in AD? Can you add a user in the “Domain Admins” group in AD and use that user to administrate the UCS instance?

  2. IP change

Changing the IP using the UCR variables might not be sufficient, depending on your setup. For a working setup of Kerberos and SSL encrypted services, the IP address must match the forward and reverse entries in DNS. Furthermore services might use a static IP address, even some services on the UCS instance. To ensure the IP address change is complete please

  • check the DNS service entries (forward and reverse) in UCS
  • check the DNS service entries in AD
  • dump all UCR variables to check whether the old address is still in use somewhere
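A script for the three checks above, added here as an example and not Univention's own code: it parses `ucr dump` output, lists every variable still carrying the old address, and verifies that forward and reverse DNS for the host agree. The sample dump, the old DHCP address 192.168.2.150, the host name ucs-bdc.example.internal and the `nameserver1`/`kerberos/kdc` values are constructed for the example; on a real host you feed it the live `ucr dump` output and the system resolver via `system_resolvers()`.

```python
"""Verify a UCS host after an IP address change (example code for this thread).

Two checks: (1) which UCR variables still hold the old address and
(2) whether forward and reverse DNS for the host agree. The UCR dump text
and the resolvers are passed in, so the same logic runs offline on the
constructed data below and live on `ucr dump` plus the system resolver.
"""
import re
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample of `ucr dump` output. The interfaces/* values are the
# ones posted in the thread; the old DHCP address 192.168.2.150, the host name
# and the nameserver1/kerberos/kdc entries are assumptions for this example.
OLD_IP = "192.168.2.150"
SAMPLE_UCR_DUMP = """\
interfaces/eno1/address: 192.168.2.79
interfaces/eno1/broadcast: 192.168.2.255
interfaces/eno1/netmask: 24
interfaces/eno1/network: 192.168.2.0
interfaces/eno1/start: true
interfaces/eno1/type: static
nameserver1: 192.168.2.150
kerberos/kdc: 192.168.2.150
ldap/server/name: ucs-bdc.example.internal
"""

Resolver = Callable[[str], str]


def parse_ucr_dump(text: str) -> Dict[str, str]:
    """Turn `ucr dump` lines ('key: value') into a dict; other lines are skipped."""
    ucr: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key.strip():
            ucr[key.strip()] = value.strip()
    return ucr


def stale_references(ucr: Dict[str, str], old_ip: str) -> List[str]:
    """Keys whose value still contains old_ip as a whole address.

    A plain substring test would also report 192.168.2.15 inside
    192.168.2.150, so the address is anchored on non-address characters.
    """
    pat = re.compile(r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])")
    return sorted(key for key, value in ucr.items() if pat.search(value))


def dns_round_trip(fqdn: str, expected_ip: str,
                   forward: Resolver, reverse: Resolver) -> List[str]:
    """Check fqdn -> expected_ip and expected_ip -> fqdn; return the problems found.

    Kerberos and TLS both depend on the reverse entry matching the forward
    one, so checking a single direction is not enough.
    """
    problems: List[str] = []
    try:
        fwd = forward(fqdn)
    except OSError as exc:
        return [f"forward lookup of {fqdn} failed: {exc}"]
    if fwd != expected_ip:
        problems.append(f"forward: {fqdn} -> {fwd}, expected {expected_ip}")
    try:
        rev = reverse(expected_ip)
    except OSError as exc:
        problems.append(f"reverse lookup of {expected_ip} failed: {exc}")
        return problems
    if rev.rstrip(".").lower() != fqdn.rstrip(".").lower():
        problems.append(f"reverse: {expected_ip} -> {rev}, expected {fqdn}")
    return problems


def check_ip_change(dump: str, fqdn: str, old_ip: str, iface: str,
                    forward: Resolver, reverse: Resolver) -> Dict[str, object]:
    """Run both checks; 'ok' is True only when nothing stale or inconsistent remains."""
    ucr = parse_ucr_dump(dump)
    new_ip = ucr.get(f"interfaces/{iface}/address", "")
    stale = stale_references(ucr, old_ip)
    dns = (dns_round_trip(fqdn, new_ip, forward, reverse) if new_ip
           else [f"no interfaces/{iface}/address in UCR dump"])
    return {"new_ip": new_ip, "stale_ucr_keys": stale,
            "dns_problems": dns, "ok": not stale and not dns}


def make_table_resolver(table: Dict[str, str]) -> Resolver:
    """Resolver backed by a dict, used for the offline demonstration."""
    def lookup(name: str) -> str:
        if name not in table:
            raise OSError(f"no record for {name}")
        return table[name]
    return lookup


def system_resolvers() -> Tuple[Resolver, Resolver]:
    """Forward/reverse resolvers that use the host's real DNS configuration."""
    return socket.gethostbyname, lambda ip: socket.gethostbyaddr(ip)[0]


if __name__ == "__main__":
    # Offline demonstration: the reverse zone still carries the old host name.
    host = "ucs-bdc.example.internal"
    fwd = make_table_resolver({host: "192.168.2.79"})
    rev = make_table_resolver({"192.168.2.79": "ucs-bdc-old.example.internal"})
    print(check_ip_change(SAMPLE_UCR_DUMP, host, OLD_IP, "eno1", fwd, rev))
```

On the UCS host itself, replace `SAMPLE_UCR_DUMP` with the output of `ucr dump` and the table resolvers with `system_resolvers()`.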

Ok. Thank you - I tried several different Domain Admin accounts and couldn't get any to work, even after resetting the password from Windows Server AD… I do see the ucs-bdc machine is registered in Windows AD as a “Computer”, and I think it was originally set up to just use the Active Directory for logins, not take over (using the AD Connector app). I did find an entry in the DNS Forward Lookup Zone on our main domain controller … it had the original ucs-bdc.com domain name and I changed it back to the FQDN. I am a bit unsure how to check the DNS in Univention, but I do see the area in Server 2012 for DNS - a bit unsure where to do the comparison! Hope this helps and thanks for your insight. We do have Wekan running ok and it uses our AD for users to login so it appears at least that portion is working correctly! There are 12-15 active AD users at a time in there

[screenshot]

I also get this when trying to upgrade or register apps:

root@ucs-bdc:~# univention-register-apps
univention-register-app is deprecated. Please use univention-app update; univention-app register instead.
Downloading "https://appcenter.software-univention.de/meta-inf/app-categories.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/rating.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/license_types.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/ucs.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/suggestions.json"...
Downloading "https://appcenter.software-univention.de/meta-inf/5.0/index.json.gz"...
Downloading "https://appcenter.software-univention.de/meta-inf/5.0/index.json.gz.gpg"...
Downloading "https://appcenter.software-univention.de/meta-inf/5.0/all.tar.gpg"...
Downloading "https://appcenter.software-univention.de/meta-inf/4.4/index.json.gz"...
Downloading "https://appcenter.software-univention.de/meta-inf/4.4/index.json.gz.gpg"...
Downloading "https://appcenter.software-univention.de/meta-inf/4.4/all.tar.gpg"...
Downloading "https://appcenter.software-univention.de/meta-inf/4.3/index.json.gz"...
Downloading "https://appcenter.software-univention.de/meta-inf/4.3/index.json.gz.gpg"...
Downloading "https://appcenter.software-univention.de/meta-inf/4.3/all.tar.gpg"...
No repository to register
Registering component for letsencrypt=2.0.0-1
Component needs to be registered in the container
Component needs to be registered in the container
Component needs to be registered in the container
Creating data directories for adconnector…
Creating data directories for letsencrypt…
Creating data directories for nextcloud…
Copying /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/nextcloud_20210520191840.schema
Creating data directories for wekan…
Creating data directories for wordpress…
No hostdn for admindiary-backend found. Nothing to remove
No hostdn for admindiary-frontend found. Nothing to remove
No hostdn for adtakeover found. Nothing to remove
No hostdn for benno-mailarchiv found. Nothing to remove
No hostdn for bluespice found. Nothing to remove
No hostdn for cups found. Nothing to remove
No hostdn for dhcp-server found. Nothing to remove
No hostdn for dudle found. Nothing to remove
No hostdn for egroupware found. Nothing to remove
No hostdn for ethercalc found. Nothing to remove
No hostdn for etherpad-lite found. Nothing to remove
No hostdn for fetchmail found. Nothing to remove
No hostdn for jitsimeet found. Nothing to remove
No hostdn for mailserver found. Nothing to remove
Already found cn=nextc-20607235,cn=memberserver,cn=computers,dc=belldesign,dc=com as a host for nextcloud. Trying to retrieve machine secret.
No hostdn for odoo found. Nothing to remove
No hostdn for onlyoffice-ds found. Nothing to remove
No hostdn for onlyoffice-ds-integration found. Nothing to remove
No hostdn for openid-connect-provider found. Nothing to remove
No hostdn for owncloud found. Nothing to remove
No hostdn for ox-connector found. Nothing to remove
No hostdn for pkgdb found. Nothing to remove
No hostdn for radius found. Nothing to remove
No hostdn for riot found. Nothing to remove
No hostdn for rocketchat found. Nothing to remove
No hostdn for samba-memberserver found. Nothing to remove
No hostdn for samba4 found. Nothing to remove
No hostdn for seafile found. Nothing to remove
No hostdn for self-service found. Nothing to remove
No hostdn for self-service-backend found. Nothing to remove
No hostdn for squid found. Nothing to remove
No hostdn for synapse found. Nothing to remove
No hostdn for univention-demo-data found. Nothing to remove
Already found cn=wekan-70728811,cn=memberserver,cn=computers,dc=belldesign,dc=com as a host for wekan. Trying to retrieve machine secret.
Already found cn=wordp-24068908,cn=memberserver,cn=computers,dc=belldesign,dc=com as a host for wordpress. Trying to retrieve machine secret.
No hostdn for zammad found. Nothing to remove
Registering UCR for adconnector
Marking adconnector=12.0 as installed
Adding localhost to LDAP object
Registering UCR for letsencrypt
Marking letsencrypt=2.0.0-1 as installed
Adding localhost to LDAP object
Registering UCR for nextcloud
Marking 4.4/nextcloud=20.0.10-0 as installed
Setting ports for apache proxy
Creating /etc/init.d/docker-app-nextcloud
Adding localhost to LDAP object
Setting overview variables
Registering UCR for wekan
Marking 4.4/wekan=5.27 as installed
Setting ports for apache proxy
Adding localhost to LDAP object
Setting overview variables
Registering UCR for wordpress
Marking 4.4/wordpress=5.2.3 as installed
Setting ports for apache proxy
Creating /etc/init.d/docker-app-wordpress
Adding localhost to LDAP object
Setting overview variables
univention-postgresql was already set to manually installed.
Checking if database nextcloud exists (postgresql implementation)
Database nextcloud already exists
4.4/nextcloud=20.0.10-0 already has its database
univention-mariadb was already set to manually installed.
Checking if database wordpress exists (mysql implementation)
4.4/wordpress=5.2.3 already has its database
Registering schema /usr/share/univention-appcenter/apps/nextcloud/nextcloud.schema
Password for Administrator:
authentication error: Authentication failed

ERROR: Failed to create settings/ldapschema object.
Registration of schema extension failed (Code: activation failed: {'err': 'Error get_handler_message for handler ldap_extension: Authentication failed'} 1)

Found this in /var/log/univention/connector-ad-status.log

Tue Jul 6 14:39:46 2021
--- connect failed, failure was: ---
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/ad/main.py", line 244, in main
    connect(options)
  File "/usr/lib/python3/dist-packages/univention/connector/ad/main.py", line 116, in connect
    ad.init_ldap_connections()
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 535, in init_ldap_connections
    self.open_ad()
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 692, in open_ad
    self.get_kerberos_ticket()
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 669, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s" (%s): %s' % (' '.join(cmd_block), p1.returncode, stdout.decode('UTF-8', 'replace')))
univention.connector.ad.kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/tmp/tmph55do7jk ucs-bdc$" (1): kinit: krb5_get_init_creds: unable to reach any KDC in realm REALDOMAIN.COM

I am wondering if something went wrong with samba4 - I did have to reinstall it in the process of the upgrade:

root@ucs-bdc:~# samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ucs-bdc. failed - drsException: DRS connection to ucs-bdc. failed: (3221225524, 'The object name is not found.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 55, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 63, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
root@ucs-bdc:~# samba-tool drs replicate destinationhost sourcehost dc=domain,dc=base
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to destinationhost failed - drsException: DRS connection to destinationhost failed: (3221225524, 'The object name is not found.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 55, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 63, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
root@ucs-bdc:~#

I am a little unsure at this point if samba4 is running - this seems to indicate no?

root@ucs-bdc:~# dpkg -l univention-samba4
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=================-============-============-=================================
un univention-samba4 (no description available)
root@ucs-bdc:~# kinit --password-file=/etc/machine.secret $(hostname)$

kinit: krb5_get_init_creds: unable to reach any KDC in realm REALDOMAIN.COM
root@ucs-bdc:~# klist
klist: No ticket file: /tmp/krb5cc_0
root@ucs-bdc:~#


root@ucs-bdc:~# host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)." 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

_domaincontroller_master._tcp.belldesign.com has SRV record 0 0 0 ucs-bdc.REALDOMAIN.com.
root@ucs-bdc:~# host -la multi.ucs
Trying "multi.ucs"
Host multi.ucs not found: 9(NOTAUTH)
; Transfer failed.
root@ucs-bdc:~# ucr dump | grep -E "samba/interfaces|interfaces/primary"
interfaces/primary: eno1


root@ucs-bdc:~# samba-tool fsmo show
ERROR(<class 'AttributeError'>): uncaught exception - 'NoneType' object has no attribute 'canonical_str'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/fsmo.py", line 444, in run
    forest_dn = samba.dn_from_dns_name(samdb.forest_dns_name())
  File "/usr/lib/python3/dist-packages/samba/samdb.py", line 1001, in forest_dns_name
    return forest_dn.canonical_str().split('/')[0]
root@ucs-bdc:~#

I guess I am wondering if I should try to reinstall samba4, but I don't want to interrupt the users accessing wekan without knowing the potential outcome; any help appreciated. This seems like it should show samba4 and not ldap?

root@ucs-bdc:~# ucr get dns/backend
ldap

and:

root@ucs-bdc:~# samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to ucs-bdc. failed - drsException: DRS connection to ucs-bdc. failed: (3221225524, 'The object name is not found.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 55, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 63, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
root@ucs-bdc:~#

I am wondering if this process needs to be run:

1.1. Operating Samba 4 as a read-only domain controller (https://www.univention.com/feedback/?manual=samba:doc)

Active Directory offers an operating mode called read-only domain controller (RODC) with the following properties:

  • The data are only stored in read-only format; all write changes must be performed on another domain controller.
  • Consequently, replication is only performed in one direction.

A comprehensive description can be found in the Microsoft TechNet Library [technet-rodc].

A Samba 4 domain controller can be operated in RODC mode (on a slave domain controller for example). Prior to the installation of univention-samba4, the Univention Configuration Registry variable samba4/role must be set to RODC :

ucr set samba4/role=RODC
univention-install univention-samba4
univention-run-join-scripts

Well, looks like samba is at least running

root@ucs-bdc:~# sudo systemctl status smbd
● smbd.service - LSB: Samba SMB/CIFS daemon (smbd)
Loaded: loaded (/etc/init.d/smbd; generated)
Active: active (running) since Tue 2021-07-06 14:13:02 PDT; 21h ago
Docs: man:systemd-sysv-generator(8)
Process: 1286 ExecStart=/etc/init.d/smbd start (code=exited, status=0/SUCCESS)
Tasks: 4 (limit: 4915)
Memory: 17.6M
CGroup: /system.slice/smbd.service
├─1417 /usr/sbin/smbd -D
├─1426 /usr/sbin/smbd -D
├─1427 /usr/sbin/smbd -D
└─1542 /usr/sbin/smbd -D

Jul 06 14:12:53 ucs-bdc systemd[1]: Starting LSB: Samba SMB/CIFS daemon (smbd)...
Jul 06 14:13:02 ucs-bdc smbd[1286]: Starting SMB/CIFS daemon: smbd.
Jul 06 14:13:02 ucs-bdc systemd[1]: Started LSB: Samba SMB/CIFS daemon (smbd).
Jul 06 14:13:10 ucs-bdc smbd[1417]: [2021/07/06 14:13:10.371966, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
Jul 06 14:13:10 ucs-bdc smbd[1417]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections

root@ucs-bdc:~# samba --version
Version 4.13.7-Univention
root@ucs-bdc:~#

I am unsure how to do these steps via the CLI (all I have access to); I couldn't find a good reference for doing so:

  • check the DNS service entries (forward and reverse) in UCS

  • dump all UCR variables

So far, nothing has changed: I cannot log in to the web portal for administration of UCS with any ID except root. I cannot use the Administrator account; the password fails even in command-line use. No Administrator account will work, even those with Domain Admin group status in Server 2012 Active Directory. Wekan users are able to use Wekan with their Active Directory credentials, as before the upgrade to UCS 5.0, but ownCloud didn't make it through, and Nextcloud will not join the domain, likely due to a mismatch between the LetsEncrypt name and the internal domain name of the UCS system, which is different from the FQDN reachable from the internet. Thanks for your help
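The two CLI checks asked about above (the service DNS entries and a dump of all UCR variables), as an added shell example that is not part of this thread and not Univention's own tooling. It assumes the `host` and `ucr` commands present on a UCS host; the `_domaincontroller_master._tcp` name comes from the thread, while the `_ldap`, `_kerberos` and `_kpasswd` records are the standard Kerberos/LDAP service records and are an assumption about what is worth checking. It also flags a record whose target lies outside the UCS domain name, the kind of mismatch visible in the `host -t srv` output above.

```shell
#!/bin/sh
# Added example, not from the thread or from Univention: resolve the SRV records
# a UCS domain publishes and flag targets that lie outside the UCS domain.
# Assumes the `host` and `ucr` commands of a UCS host. The _kerberos/_ldap/
# _kpasswd names are the standard service records and are an assumption here.

# Print the target host(s) from `host -t srv` output, trailing dot stripped.
# Output like "Host multi.ucs not found: 9(NOTAUTH)" yields nothing.
srv_target() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# Succeed when the target host lies inside the given domain (case-insensitive,
# because DNS names are), fail otherwise.
target_in_domain() {
    target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$target" in
        *".$domain") return 0 ;;
        *)           return 1 ;;
    esac
}

# Resolve one service record against the local resolver and report on it.
check_srv() {
    name="$1"; domain="$2"
    out=$(host -t srv "$name.$domain." 127.0.0.1 2>/dev/null) || out=""
    targets=$(srv_target "$out")
    [ -n "$targets" ] || { echo "MISSING  $name.$domain"; return 0; }
    for t in $targets; do
        if target_in_domain "$t" "$domain"; then
            echo "OK       $name.$domain -> $t"
        else
            echo "MISMATCH $name.$domain -> $t (outside $domain)"
        fi
    done
}

# Run the checks the join scripts and Kerberos clients rely on, then dump every UCR variable.
main() {
    domain=$(ucr get domainname)
    for name in _domaincontroller_master._tcp _ldap._tcp _kerberos._tcp \
                _kerberos._udp _kpasswd._tcp; do
        check_srv "$name" "$domain"
    done
    ucr dump > /root/ucr-dump.txt && echo "UCR dump written to /root/ucr-dump.txt"
}
# Only run when invoked as `sh check-ucs-srv.sh run`, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh check-ucs-srv.sh run` on the UCS host; a MISMATCH line for `_kerberos._tcp` is one reason a `kinit` can report that no KDC in the realm is reachable.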

To me, this looks like the same bug present here: http://forge.univention.org/bugzilla/show_bug.cgi?id=43745

described here:

Any thoughts if this is the case, or how I can resolve this and use Univention again? Thanks for your help

root@ucs-bdc:~# samba-tool domain info 192.168.2.79
ERROR: Invalid IP address '192.168.2.79'!
root@ucs-bdc:~# samba-tool domain info 192.168.2.91
ERROR: Invalid IP address '192.168.2.91'!
root@ucs-bdc:~# samba-tool domain info 127.0.0.1
ERROR: Invalid IP address '127.0.0.1'!
root@ucs-bdc:~#

I may be getting closer!

root@ucs-bdc:~# univention-check-join-status
Warning: 'nextcloud' is not configured.
Warning: 'univention-samba4' is not configured.
Warning: 'univention-samba4-dns' is not configured.
Warning: 'univention-samba4-saml-kerberos' is not configured.
Error: Not all install files configured: 4 missing

and:

Running 50nextcloud.inst failed (exitcode: 1)
Running 50wekan.inst skipped (already executed)
Running 50wordpress.inst skipped (already executed)
Running 81univention-ad-connector.inst skipped (already executed)
Running 81univention-nfs-server.inst skipped (already executed)
Running 90univention-bind-post.inst skipped (already executed)
Running 91univention-saml.inst skipped (already executed)
Running 92univention-management-console-web-server.inst skipped (already executed)
Running 96univention-samba4.inst failed (exitcode: 1)
Running 98univention-pkgdb-tools.inst skipped (already executed)
Running 98univention-samba4-dns.inst failed (exitcode: 1)
Running 98univention-samba4-saml-kerberos.inst failed (exitcode: 1)
Running post-joinscripts hook(s): done