Bypass Active Directory Connection

Hello,

We are facing an issue with a univention mail server and an Active Directory 2003 Integration. The problem starts with the error:

root@ucs:/var/log/univention# univention-adsearch cn=ucs-lda
kdestroy: krb5_cc_destroy: Did not find a plugin for ccache_ops
kinit: Password incorrect
Traceback (most recent call last):
  File "/usr/sbin/univention-adsearch", line 163, in <module>
    get_kerberos_ticket()
  File "/usr/sbin/univention-adsearch", line 156, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s"' % string.join(cmd_block))
__main__.kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret ucs-ldap$"

 --- connect failed, failure was: ---
Traceback (most recent call last):
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 303, in main
    connect()
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 191, in connect
    baseConfig['%s/ad/listener/dir' % CONFIGBASENAME]
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 839, in __init__
    self.open_ad()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1038, in open_ad
    self.get_kerberos_ticket()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1016, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s" (%s): %s' % (string.join(cmd_block), p1.returncode, stdout))
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret ucs-ldap$" (1): kinit: Password incorrect
Jul  4 13:40:01 ucs-ldap CRON[18687]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul  4 13:40:01 ucs-ldap CRON[18689]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul  4 13:40:01 ucs-ldap CRON[18688]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul  4 13:40:01 ucs-ldap ldapsearch: DIGEST-MD5 common mech free
Jul  4 13:40:01 ucs-ldap ldapsearch: DIGEST-MD5 common mech free
Jul  4 13:40:01 ucs-ldap ldapsearch: DIGEST-MD5 common mech free
Jul  4 13:40:01 ucs-ldap CRON[18688]: pam_env(cron:session): Unrecognized Option: XDG_DATA_DIRS=/usr/share:/usr/share/univention-kde-profiles/default/.local/share#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18688]: pam_env(cron:session): Unrecognized Option: XDG_CONFIG_DIRS=:/usr/share/univention-kde-profiles/default/.config:/etc/xdg/#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18688]: pam_env(cron:session): Unrecognized Option: KDEDIRS=/usr/share/univention-kde-profiles/default/.kde#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18687]: pam_env(cron:session): Unrecognized Option: XDG_DATA_DIRS=/usr/share:/usr/share/univention-kde-profiles/default/.local/share#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18687]: pam_env(cron:session): Unrecognized Option: XDG_CONFIG_DIRS=:/usr/share/univention-kde-profiles/default/.config:/etc/xdg/#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18687]: pam_env(cron:session): Unrecognized Option: KDEDIRS=/usr/share/univention-kde-profiles/default/.kde#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18689]: pam_env(cron:session): Unrecognized Option: XDG_DATA_DIRS=/usr/share:/usr/share/univention-kde-profiles/default/.local/share#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18689]: pam_env(cron:session): Unrecognized Option: XDG_CONFIG_DIRS=:/usr/share/univention-kde-profiles/default/.config:/etc/xdg/#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18689]: pam_env(cron:session): Unrecognized Option: KDEDIRS=/usr/share/univention-kde-profiles/default/.kde#012 - ignoring line
Jul  4 13:40:01 ucs-ldap CRON[18688]: pam_unix(cron:session): session closed for user root
Jul  4 13:40:01 ucs-ldap CRON[18687]: pam_unix(cron:session): session closed for user root
Jul  4 13:40:01 ucs-ldap CRON[18689]: pam_unix(cron:session): session closed for user root
Jul  4 13:41:26 ucs-ldap nscd: nss_ldap: failed to bind to LDAP server ldap://ucs-ldap.DOMAIN.DOM:7389: Invalid credentials
Jul  4 13:41:26 ucs-ldap nscd: nss_ldap: reconnecting to LDAP server...
Jul  4 13:41:26 ucs-ldap nscd: nss_ldap: failed to bind to LDAP server ldap://ucs-ldap.DOMAIN.DOM:7389: Invalid credentials
Jul  4 13:41:26 ucs-ldap nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Jul  4 13:41:27 ucs-ldap nscd: nss_ldap: failed to bind to LDAP server ldap://ucs-ldap.DOMAIN.DOM:7389: Invalid credentials
Jul  4 13:41:27 ucs-ldap nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jul  4 13:41:27 ucs-ldap python2.7: pam_unix(univention-management-console:auth): check pass; user unknown
Jul  4 13:41:27 ucs-ldap python2.7: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jul  4 13:41:27 ucs-ldap python2.7: pam_krb5(univention-management-console:auth): user administrator authenticated as administrator@DOMAIN.DOM
Jul  4 13:41:27 ucs-ldap python2.7: pam_unix(univention-management-console:account): could not identify user (from getpwnam(administrator))

We have checked the configuration file /etc/machine.secret and the AD user who performs the AD queries, and the password doesn’t match. When we fix the issue the sync starts and the AD connection works based on the logs, but then we get authentication errors on Roundcube webmail and on email access via Outlook: all users get an authentication error message when they try to authenticate.

As a workaround we would like to bypass the AD passwords and change them somehow via the UCS management console. The problem is the UCS doesn’t allow this action because of the AD Integration.

Is there any way to bypass this issue until we replace the mail server? Unfortunately there is no window for tests/interruptions!


Thanks in advance,

George

How did you fix the sync issue exactly? I have a problem with users who are not synced from Active Directory to my server (LDAP directory missing users).

Thanks for your help !

Hello,

Unfortunately we haven’t fixed this issue yet… We changed the LDAP query username/password on both Active Directory and Univention at “password-file=/etc/machine.secret” and the replication works after that, but when the replication is performed it looks like the Roundcube/Dovecot webmail gets locked out for some reason and the users can’t log in to their webmail…

This could be a bug but not really sure…

https://docs.software-univention.de/developer-reference-4.4.html#settings:ldapschema

You can also check your “/var/log/univention/connector-status.log” log file for more details…

/var/log/univention# cat connector-status.log

--- retry in 30 seconds ---
Fri Nov 15 15:12:21 2019
Fri Nov 15 15:12:22 2019
--- connect failed, failure was: ---
Traceback (most recent call last):
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 303, in main
    connect()
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 191, in connect
    baseConfig['%s/ad/listener/dir' % CONFIGBASENAME]
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 839, in __init__
    self.open_ad()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1038, in open_ad
    self.get_kerberos_ticket()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1016, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s" (%s): %s' % (string.join(cmd_block), p1.returncode, stdout))
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret ucs-ldap$" (1): kinit: Password incorrect

I think we must run those univention scripts: 4.4. LDAP secrets

https://docs.software-univention.de/developer-reference-4.4.html#join:serverPassword:example

I’m just looking at this password change step in the developer’s manual, which says that there should be a cron job for this process… Unfortunately I can’t find any such script in my directory. Is there one in yours? Unfortunately I haven’t found any reference to the default cron scripts in the documentation.


I am not sure if anyone has deleted it…


This is what I see in the file /var/log/univention/connector-status.log:

Mon Nov 18 10:43:55 2019
Mon Nov 18 10:43:56 2019
--- connect failed, failure was: ---
Traceback (most recent call last):
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 303, in main
    connect()
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 191, in connect
    baseConfig['%s/ad/listener/dir' % CONFIGBASENAME]
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 839, in __init__
    self.open_ad()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1038, in open_ad
    self.get_kerberos_ticket()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1016, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s" (%s): %s' % (string.join(cmd_block), p1.returncode, stdout))
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret cloud$" (1): kinit: Password incorrect

--- retry in 30 seconds ---

It’s always the same error again and again, every 30 seconds.

So I’m wondering how to change the password, and what is this password exactly?
Is it the password of the account used to sync the Active Directory?

How did you change it?

How can we retrieve this information?

Here is my cron.d directory

root@cloud:/etc/cron.d# pwd
/etc/cron.d
root@cloud:/etc/cron.d# ls -la
total 104
drwxr-xr-x   2 root root  4096 Nov 13 11:57 .
drwxr-xr-x 121 root root 12288 Nov 18 10:09 ..
-rw-r--r--   1 root root   273 Apr 10  2016 mrtg
-rw-r--r--   1 root root   712 Jan  1  2017 php
-rw-r--r--   1 root root   102 May  3  2015 .placeholder
-rw-r--r--   1 root root  1672 Aug 26 10:54 postgresql
-rw-r--r--   1 root root   396 May 25  2017 sysstat
-rw-r--r--   1 root root   637 May 10  2019 univention-config-registry-backup
-rw-r--r--   1 root root   573 Apr  1  2019 univention-directory-policy
-rw-r--r--   1 root root   617 Nov 13 11:57 univention-directory-reports-cleanup
-rw-r--r--   1 root root   707 May  8  2018 univention-home-mounter
-rw-r--r--   1 root root   589 Nov 12 16:37 univention-ldap
-rw-r--r--   1 root root   611 Nov 12 16:37 univention-ldap-server
-rw-r--r--   1 root root   584 Aug 26 10:53 univention-mail-postfix
-rw-r--r--   1 root root   539 May  8  2018 univention-mrtg
-rw-r--r--   1 root root   596 Nov 12 16:38 univention-nagios
-rw-r--r--   1 root root   608 Aug 26 10:53 univention-pam
-rw-r--r--   1 root root   169 Feb 27  2018 univention-samba
-rw-r--r--   1 root root   562 Nov 12 15:34 univention-server-master
-rw-r--r--   1 root root   143 Dec 11  2017 univention-ssl
-rw-r--r--   1 root root   620 Nov 12 15:34 univention-system-stats
-rw-r--r--   1 root root   522 May 10  2019 univention-ucr-cronjobs
-rw-r--r--   1 root root   246 Mar 12  2018 univention-updater
-rw-r--r--   1 root root   845 Nov 12 15:32 univention-updater-check

Thanks !
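A small checker for the connector-status.log layout pasted above, added here as an example (it is not Univention's code): it pulls every failed kinit attempt out of the log with the principal and the secret file that kinit read, and counts the repeated "Password incorrect" failures per principal, so you can see at a glance that it is the stored machine password that is stale rather than the connector itself. The sample log is constructed to match the layout in the thread.

```python
import re
# Constructed sample in the layout of connector-status.log as pasted in the
# thread (not a real log): two attempts, both failing on the same principal.
SAMPLE_LOG = """\
Mon Nov 18 10:43:55 2019
Mon Nov 18 10:43:56 2019
--- connect failed, failure was: ---
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret cloud$" (1): kinit: Password incorrect
--- retry in 30 seconds ---
Mon Nov 18 10:44:26 2019
Mon Nov 18 10:44:27 2019
--- connect failed, failure was: ---
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret cloud$" (1): kinit: Password incorrect
"""

# Timestamp printed before each attempt, and the exception line carrying the kinit command.
TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}$")
FAIL_RE = re.compile(
    r'kerberosAuthenticationFailed: The following command failed: '
    r'"kinit [^"]*--password-file=(?P<pwfile>\S+) (?P<principal>\S+)" '
    r"\((?P<rc>\d+)\): (?P<reason>.+)$"
)

def parse_failures(text):
    """One dict per failed connect attempt: timestamp, pwfile, principal, rc, reason."""
    failures, last_ts = [], None
    for raw in text.splitlines():
        # Forum pastes turn the quotes into curly ones; normalise before matching.
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        if TS_RE.match(line):
            last_ts = line
            continue
        m = FAIL_RE.match(line)
        if m:
            rec = m.groupdict()
            rec.update(rc=int(rec["rc"]), timestamp=last_ts)
            failures.append(rec)
    return failures

def diagnose(failures):
    """Per principal: number of 'Password incorrect' attempts, the secret file kinit
    read and the last timestamp. A growing count for the same file means the
    stored password no longer matches the AD computer account."""
    report = {}
    for f in failures:
        if "Password incorrect" in f["reason"]:
            e = report.setdefault(f["principal"], {"count": 0, "pwfile": f["pwfile"]})
            e["count"] += 1
            e["last_seen"] = f["timestamp"]
    return report
```

Run it against the real file with `diagnose(parse_failures(open("/var/log/univention/connector-status.log").read()))`; a rising count for the same principal and secret file is the signal to rotate the machine password in AD and update the secret file, rather than to keep restarting the connector.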

Hello,

Yes, your details look like my issue. I couldn’t get downtime to do some tests, so I can’t tell you for sure how to fix it! I assume running those Univention scripts for the password change that I mentioned in my previous post should help to fix this issue. Make sure though that you have changed the password of the user in your Active Directory first, before you update the password with the scripts.

It’s always the same error again and again every 30 seconds - This is the default behaviour of UCS.

So I’m wondering how to change the password, and what is this password exactly? - Using the ldap.secret and machine.secret, or running univention-run-join-scripts.

Is it the password of the account used to sync the Active Directory? - Yes.

How did you change it? - I have tried to change it in the Active Directory, but I still need a time window to run the scripts.

How can we retrieve this information? - I don’t think we can, maybe if you open the text files of the machine and ldap secret, but I would recommend changing it and re-running the scripts.

How exactly can I run univention-run-join-scripts to join it back to my domain?

You just type the command with root rights.


OK, I’ve done it but it did not fix anything.

root@cloud:~# univention-adsearch CN=Administrator
kdestroy: krb5_cc_destroy: Did not find a plugin for ccache_ops
kinit: Password incorrect
Traceback (most recent call last):
  File "/usr/sbin/univention-adsearch", line 163, in <module>
    get_kerberos_ticket()
  File "/usr/sbin/univention-adsearch", line 156, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s"' % string.join(cmd_block))
__main__.kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret cloud$"
root@cloud:~#

How can we update the user and password that connect to my AD domain? What if someone changes the password of that user? We would need to change it on the UCS server too, but I can’t find how.

root@cloud:~# univention-run-join-scripts
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright © 2001-2019 Univention GmbH, Germany

Running pre-joinscripts hook(s): done
Running 01univention-ldap-server-init.inst skipped (already executed)
Running 02univention-directory-notifier.inst skipped (already executed)
Running 03univention-directory-listener.inst skipped (already executed)
Running 04univention-ldap-client.inst skipped (already executed)
Running 05univention-bind.inst skipped (already executed)
Running 08univention-apache.inst skipped (already executed)
Running 10univention-ldap-server.inst skipped (already executed)
Running 11univention-heimdal-init.inst skipped (already executed)
Running 11univention-pam.inst skipped (already executed)
Running 15univention-directory-notifier-post.inst skipped (already executed)
Running 15univention-heimdal-kdc.inst skipped (already executed)
Running 18python-univention-directory-manager.inst skipped (already executed)
Running 20univention-directory-policy.inst skipped (already executed)
Running 20univention-join.inst skipped (already executed)
Running 22univention-directory-manager-rest.inst skipped (already executed)
Running 26univention-nagios-common.inst skipped (already executed)
Running 26univention-samba.inst skipped (already executed)
Running 30univention-appcenter.inst skipped (already executed)
Running 30univention-nagios-client.inst skipped (already executed)
Running 31univention-nagios-ad-connector.inst skipped (already executed)
Running 33univention-portal.inst skipped (already executed)
Running 34univention-management-console-server.inst skipped (already executed)
Running 35univention-appcenter-docker.inst skipped (already executed)
Running 35univention-management-console-module-adconnector.skipped (already executed)
Running 35univention-management-console-module-appcenter.inskipped (already executed)
Running 35univention-management-console-module-diagnostic.iskipped (already executed)
Running 35univention-management-console-module-ipchange.insskipped (already executed)
Running 35univention-management-console-module-join.inst skipped (already executed)
Running 35univention-management-console-module-lib.inst skipped (already executed)
Running 35univention-management-console-module-mrtg.inst skipped (already executed)
Running 35univention-management-console-module-quota.inst skipped (already executed)
Running 35univention-management-console-module-reboot.inst skipped (already executed)
Running 35univention-management-console-module-services.insskipped (already executed)
Running 35univention-management-console-module-setup.inst skipped (already executed)
Running 35univention-management-console-module-sysinfo.instskipped (already executed)
Running 35univention-management-console-module-top.inst skipped (already executed)
Running 35univention-management-console-module-ucr.inst skipped (already executed)
Running 35univention-management-console-module-udm.inst skipped (already executed)
Running 35univention-management-console-module-updater.instskipped (already executed)
Running 35univention-server-overview.inst skipped (already executed)
Running 36univention-management-console-module-apps.inst skipped (already executed)
Running 40univention-postgresql.inst skipped (already executed)
Running 40univention-virtual-machine-manager-schema.inst skipped (already executed)
Running 50collabora.inst skipped (already executed)
Running 50nextcloud.inst skipped (already executed)
Running 81univention-ad-connector.inst skipped (already executed)
Running 81univention-nfs-server.inst skipped (already executed)
Running 90univention-bind-post.inst skipped (already executed)
Running 91univention-saml.inst skipped (already executed)
Running 92univention-management-console-web-server.inst skipped (already executed)
Running 98univention-pkgdb-tools.inst skipped (already executed)
Running post-joinscripts hook(s): done

Alright, I think it’s worth trying the other two scripts for password changes. Check the highlighted part in the image I posted above.

Hello,

Did you find any solution about this issue?