Failed to load License - Invalid credentials

UCS - Univention Corporate Server
1

Hello,
Can you please point me to the files or environment ucr variables that controls the success of the following error

ucr commit

======
File: /usr/share/univention-management-console/modules/apps.xml
04.08.15 16:03:39.247 MODULE ( WARN ) : Failed to load license information: {‘desc’: ‘Invalid credentials’}

          How can I reset this passwords or credentials  via console.

Rolando Riley

2

Hi,

the only official component using credentials I am aware of is Open-Xchange.
Are you using a commercial subscription or the community version of OX?

Best Regards,
Dirk Ahrnke

3

Commercial Subscription.

Rolando Riley

4

I’d check (or maybe better renew) the credentials in the “OX License Management” module.

5

I am running an upgrade to try to get rid of some of the errors the server is dropping. I am also seeing invalid credentials while performing this task

======
oot@mail:~# univention-upgrade --ignoreterm --ignoressh

Starting univention-upgrade. Current UCS version is 3.2-6 errata340

Checking for local repository: none
Checking for release updates: found: UCS 4.0-0

Do you want to update to 4.0-0 [Y|n]? Y

Starting update to UCS version 4.0-0

HINT:
Please check the release notes carefully BEFORE updating to UCS 4.0-0:
English version: docs.univention.de/release-notes-4.0-0-en.html
German version: docs.univention.de/release-notes-4.0-0-de.html

Please also consider documents of following release updates and
3rd party components.

Do you want to continue [Y/n]? Y

ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)

========

     The following command is running nice  over /etc/ldap.secret

=======

       ldapsearch -h localhost -p 7389 -x -D cn=admin,$(ucr get ldap/base) -w $(cat /etc/ldap.secret) cn=admin
             .......
              ......
        univentionLicenseSupport: 0

univentionLicenseType: UCS
univentionLicenseUsers: unlimited
univentionLicenseVersion: 2
univentionLicenseVirtualDesktopClients: 0
univentionLicenseVirtualDesktopUsers: 0
univentionObjectType: settings/license

search result

search: 2
result: 0 Success

numResponses: 3

numEntries: 2

==================

R Riley

6

Hello,
Anyone has an answer as to why it fails to bind during upgrade?

Rolando

7

Hello?

8

Regarding: “ldap_bind: Invalid credentials (49)”
Unfortunately slapd always returns “Invalid credentials” in case of failed bind for security reasons. See here: openldap.org/faq/data/cache/231.html
I would first check the credentials and the bindDN as suggested in the link.

9

Thanks winter,
My previous email shows a successful query for ldapsearch.

=====
ldapsearch -h mail.airesistemas.com -p 7389 -x -D cn=admin,$(ucr get ldap/base) -w $(cat /etc/ldap.secret) cn=admin

 ....

univentionLicenseSupport: 0
univentionLicenseType: UCS
univentionLicenseUsers: unlimited
univentionLicenseVersion: 2
univentionLicenseVirtualDesktopClients: 0
univentionLicenseVirtualDesktopUsers: 0
univentionObjectType: settings/license

search result

search: 2
result: 0 Success

numResponses: 3

numEntries: 2

====================

                 What is the script that might be parsing incorrectly hostdn/domaindn on  this attempt to bind when issuing          univention- pgrade.       Are there any UCR variable I should revise?

Rolando Riley

10 
ucr get connector/ldap/binddn

should be the same as

ucr get ucr get ldap/hostdn

If that is not the case you can do

ucr set connector/ldap/binddn=$(ucr get ldap/hostdn) invoke-rc.d univention-s4-connector restart

11

Winter,
I found the line that is giving me problems with authentication on one of the scripts. Problem is on /etc/machine.secret

=========

ldapsearch -x -ZZ -D “$ldap_hostdn” -y /etc/machine.secret ‘(&(univentionService=Samba 3)(objectClass=univentionDomainController))’ -LLL dn | ldapsearch-wrapper | sed -ne ‘s|dn: ||p’

ldap_bind: Invalid credentials (49)

========
this line was found on the scripts /usr/lib/univention-install/96univention-samba4.inst

===============


Module: ox-config
Multifile: /etc/samba/smb.conf
Stopping NTP server: ntpd.
Starting NTP server: ntpd.
Restarting univention-directory-listener daemon.
ok: run: univention-directory-listener: (pid 18370) 0s, normally down
done.
Calling joinscript 96univention-samba4.inst …
ldap_bind: Invalid credentials (49)
Traceback (most recent call last):
File “”, line 4, in

=============================================

         How do I update  this secret so it lets me authenticate???
12

Like I’ve said in the other thread you’ve opened a couple of days ago: the computer account might not actually exist anymore. Please verify that it still exist. You can use the cn=admin… DN for authentication as you’ve shown that this still works. Something like the following should show the computer’s object:

ldapsearch -h $(ucr get ldap/master) -p 7389 -x -D cn=admin,$(ucr get ldap/base) -w $(cat /etc/ldap.secret) -b $(ucr get ldap/hostdn)

If that computer account still exists then you might be able to change the passwort to the one that is currently stored in /etc/machine.secret. Note that I haven’t tried this myself. The command would look something like this:

ldappasswd -h $(ucr get ldap/master) -p 7389 -x -D cn=admin,$(ucr get ldap/base) -w $(cat /etc/ldap.secret) -s $(cat /etc/machine.secret) $(ucr get ldap/hostdn)

Verify the success by running the command you’ve found failing before.

If, on the other hand, the computer account does not exist anymore then I suggest restoring from backups.

In any case this amounts to mucking about with the innards of a sensitive system. I highly suggest you obtain professional support from Univention for clearing this up in case the manual password change mentioned above doesn’t work.

13

Dear Moritz,

         Thank you  for your help.   Here is how to replicate this problem

              1)  [wiki.univention.de/index.php?tit ... nd_Restore](http://wiki.univention.de/index.php?title=Single_Server_Backup_and_Restore)
              2)  Hostname can't be the same as domain name according Samba4;  This wasn't prevented on earlier version of UCS
              3)  Server requires either hostname change or migration for further upgrades
              4)  The new name of the computer [b]does not match[/b] previous name when performing  step 1)   resulting on  invalid credentials  == > due to 32 No Such Object


           Professional help is given here.  That is what I understand this forum is for  and you guys are

thanks,

Rolando Riley

14

Dear Mr. Riley,
We would like to help you with your issue and follow the forum regularly, unfortunatly we are at a point, where the forum is not the best means to this end.
We conferenced with our partner and we would like to help you with a reference to Mr. Bunkus - Linet. I will send the contact- data via private message. I am sure that is way more helpfull then forum messages at this point.

Kind regards,
Jens Thorp-Hansen

Head of Support
Univention GmbH

15

Hello Guys,
Problem was fixed. Created a new ldif with the matching current name. Afterwards, reinstalled some packages that were giving problems ( samba4, cyrus, postfix).
ldapadd -x -D “cn=admin,$(ucr get ldap/base)” -w “$(cat /etc/ldap.secret)” -f machine.txt

        The above command did the trick.

thanks,

Rolando Riley