Failed to load License - Invalid credentials

UCS - Univention Corporate Server
#1

Hello,
Can you please point me to the files or environment ucr variables that controls the success of the following error

ucr commit

======
File: /usr/share/univention-management-console/modules/apps.xml
04.08.15 16:03:39.247 MODULE ( WARN ) : Failed to load license information: {‘desc’: ‘Invalid credentials’}

          How can I reset this passwords or credentials  via console.

Rolando Riley

#2

Hi,

the only official component using credentials I am aware of is Open-Xchange.
Are you using a commercial subscription or the community version of OX?

Best Regards,
Dirk Ahrnke

#3

Commercial Subscription.

Rolando Riley

#4

I’d check (or maybe better renew) the credentials in the “OX License Management” module.

#5

I am running an upgrade to try to get rid of some of the errors the server is dropping. I am also seeing invalid credentials while performing this task

======
oot@mail:~# univention-upgrade --ignoreterm --ignoressh

Starting univention-upgrade. Current UCS version is 3.2-6 errata340

Checking for local repository: none
Checking for release updates: found: UCS 4.0-0

Do you want to update to 4.0-0 [Y|n]? Y

Starting update to UCS version 4.0-0

HINT:
Please check the release notes carefully BEFORE updating to UCS 4.0-0:
English version: docs.univention.de/release-notes-4.0-0-en.html
German version: docs.univention.de/release-notes-4.0-0-de.html

Please also consider documents of following release updates and
3rd party components.

Do you want to continue [Y/n]? Y

ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)
ldap_bind: Invalid credentials (49)

========

     The following command is running nice  over /etc/ldap.secret

=======

       ldapsearch -h localhost -p 7389 -x -D cn=admin,$(ucr get ldap/base) -w $(cat /etc/ldap.secret) cn=admin
             .......
              ......
        univentionLicenseSupport: 0

univentionLicenseType: UCS
univentionLicenseUsers: unlimited
univentionLicenseVersion: 2
univentionLicenseVirtualDesktopClients: 0
univentionLicenseVirtualDesktopUsers: 0
univentionObjectType: settings/license

search result

search: 2
result: 0 Success

numResponses: 3

numEntries: 2

==================

R Riley

#6

Hello,
Anyone has an answer as to why it fails to bind during upgrade?

Rolando

#7

Hello?

#8

Regarding: “ldap_bind: Invalid credentials (49)”
Unfortunately slapd always returns “Invalid credentials” in case of failed bind for security reasons. See here: openldap.org/faq/data/cache/231.html
I would first check the credentials and the bindDN as suggested in the link.

#9

Thanks winter,
My previous email shows a successful query for ldapsearch.

=====
ldapsearch -h mail.airesistemas.com -p 7389 -x -D cn=admin,$(ucr get ldap/base) -w $(cat /etc/ldap.secret) cn=admin

 ....

univentionLicenseSupport: 0
univentionLicenseType: UCS
univentionLicenseUsers: unlimited
univentionLicenseVersion: 2
univentionLicenseVirtualDesktopClients: 0
univentionLicenseVirtualDesktopUsers: 0
univentionObjectType: settings/license

search result

search: 2
result: 0 Success

numResponses: 3

numEntries: 2

====================

                 What is the script that might be parsing incorrectly hostdn/domaindn on  this attempt to bind when issuing          univention- pgrade.       Are there any UCR variable I should revise?

Rolando Riley

#10 
ucr get connector/ldap/binddn

should be the same as

ucr get ucr get ldap/hostdn

If that is not the case you can do

ucr set connector/ldap/binddn=$(ucr get ldap/hostdn) invoke-rc.d univention-s4-connector restart

#11

Winter,
I found the line that is giving me problems with authentication on one of the scripts. Problem is on /etc/machine.secret

=========

ldapsearch -x -ZZ -D “$ldap_hostdn” -y /etc/machine.secret ‘(&(univentionService=Samba 3)(objectClass=univentionDomainController))’ -LLL dn | ldapsearch-wrapper | sed -ne ‘s|dn: ||p’

ldap_bind: Invalid credentials (49)

========
this line was found on the scripts /usr/lib/univention-install/96univention-samba4.inst

===============


Module: ox-config
Multifile: /etc/samba/smb.conf
Stopping NTP server: ntpd.
Starting NTP server: ntpd.
Restarting univention-directory-listener daemon.
ok: run: univention-directory-listener: (pid 18370) 0s, normally down
done.
Calling joinscript 96univention-samba4.inst …
ldap_bind: Invalid credentials (49)
Traceback (most recent call last):
File “”, line 4, in

=============================================

         How do I update  this secret so it lets me authenticate???
#12

Like I’ve said in the other thread you’ve opened a couple of days ago: the computer account might not actually exist anymore. Please verify that it still exist. You can use the cn=admin… DN for authentication as you’ve shown that this still works. Something like the following should show the computer’s object:

ldapsearch -h $(ucr get ldap/master) -p 7389 -x -D cn=admin,$(ucr get ldap/base) -w $(cat /etc/ldap.secret) -b $(ucr get ldap/hostdn)

If that computer account still exists then you might be able to change the passwort to the one that is currently stored in /etc/machine.secret. Note that I haven’t tried this myself. The command would look something like this:

ldappasswd -h $(ucr get ldap/master) -p 7389 -x -D cn=admin,$(ucr get ldap/base) -w $(cat /etc/ldap.secret) -s $(cat /etc/machine.secret) $(ucr get ldap/hostdn)

Verify the success by running the command you’ve found failing before.

If, on the other hand, the computer account does not exist anymore then I suggest restoring from backups.

In any case this amounts to mucking about with the innards of a sensitive system. I highly suggest you obtain professional support from Univention for clearing this up in case the manual password change mentioned above doesn’t work.

#13

Dear Moritz,

         Thank you  for your help.   Here is how to replicate this problem

              1)  [wiki.univention.de/index.php?tit ... nd_Restore](http://wiki.univention.de/index.php?title=Single_Server_Backup_and_Restore)
              2)  Hostname can't be the same as domain name according Samba4;  This wasn't prevented on earlier version of UCS
              3)  Server requires either hostname change or migration for further upgrades
              4)  The new name of the computer [b]does not match[/b] previous name when performing  step 1)   resulting on  invalid credentials  == > due to 32 No Such Object


           Professional help is given here.  That is what I understand this forum is for  and you guys are

thanks,

Rolando Riley

#14

Dear Mr. Riley,
We would like to help you with your issue and follow the forum regularly, unfortunatly we are at a point, where the forum is not the best means to this end.
We conferenced with our partner and we would like to help you with a reference to Mr. Bunkus - Linet. I will send the contact- data via private message. I am sure that is way more helpfull then forum messages at this point.

Kind regards,
Jens Thorp-Hansen

Head of Support
Univention GmbH

#15

Hello Guys,
Problem was fixed. Created a new ldif with the matching current name. Afterwards, reinstalled some packages that were giving problems ( samba4, cyrus, postfix).
ldapadd -x -D “cn=admin,$(ucr get ldap/base)” -w “$(cat /etc/ldap.secret)” -f machine.txt

        The above command did the trick.

thanks,

Rolando Riley

Mastodon