Join after installation of OpenProject gets stuck at Download host certificate

I installed OpenVPN on UCS 4.2 as described at https://www.univention.de/2017/05/sichere-automatische-samba-authentifizierungen-durch-openvpn/ . Therefore I did

ucr set ssl/host/objectclass= 'univentionDomainController, univentionMemberServer, univentionClient, univentionMobileClient, univentionCorporateClient, univentionWindows' and univention-directory-listener-ctrl resync gencertificate.

If I now try to install OpenProject via the CLI with univention-app install openproject, the installation gets stuck at

Download host certificate: …

The join.log does not show any errors, and neither does the listener. Does anyone have an idea what this could be related to?
Thanks

Hi

"Download host certificate: " means that the "joining" host copies the /etc/univention/ssl/$HOSTNAME directory from the UCS Master (scp). Sometimes, I'm not sure why, this directory does not yet have the correct permissions, so that "$HOSTNAME" is not allowed to read these files. Is there such a directory (/etc/univention/ssl/openp*)?

If I install openproject, the listener log looks like:

updating 'cn=openp-54052695,cn=memberserver,cn=computers,dc=four,dc=two' command a
23.10.17 12:43:25.375 LISTENER ( PROCESS ) : Generating krb5.keytab for openp-54052695
Creating certificate: openp-54052695.four.two
no certificate for openp-54052695.four.two registered
Generating RSA private key, 2048 bit long modulus

And I have an ssl directory:

lrwxrwxrwx 1 root nogroup 43 Okt 23 12:43 openp-54052695 -> /etc/univention/ssl/openp-54052695.four.two
drwxr-x--- 2 openp-54052695$ DC Backup Hosts 4096 Okt 23 12:43 openp-54052695.four.two

Owner should be the name of the directory plus an extra ‘$’ (this is the uid for the computer account which is created for the app during the join).

best regards,
Felix

Thanks for your help, but it seems that the master does not generate the certs at all. For other domain joins of containers it works well, but for openp it does not generate anything.

Can you provide the listener.log of your UCS master server (please make sure that there is no sensitive information in the log file)? During the installation of the app a host account for the app is created and on the master server a listener module should create a corresponding certificate file.

Hi,

Even though this is a pretty old thread, I’ve got a similar behaviour in our environment. All the certificate files/folders have been created successfully on the DCMaster. When it comes to the join part of the app installation, it hangs at Download host certificate.
In the DCMaster's /var/log/auth.log I see something like this:

pam_access(sshd:account): access denied for user `openp-78073436$' from `192.168.0.10'
Jan  8 16:09:00 ucsmaster sshd[28465]: Failed password for openp-78073436$ from 192.168.0.10 port 47630 ssh2
Jan  8 16:09:00 ucsmaster sshd[28465]: fatal: Access denied for user openp-78073436$ by PAM account configuration [preauth]
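
Added example, not part of the original thread: a small Python filter that picks out of an sshd auth.log the machine accounts (names ending in '$') that pam_access rejected, as in the excerpt above, and keeps them apart from plain password failures. The sample lines are constructed from that excerpt and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the auth.log excerpt above; the prefix on
# the first line and the whole "alice" line are made up for the example.
SAMPLE_AUTH_LOG = """\
Jan  8 16:09:00 ucsmaster sshd[28465]: pam_access(sshd:account): access denied for user `openp-78073436$' from `192.168.0.10'
Jan  8 16:09:00 ucsmaster sshd[28465]: Failed password for openp-78073436$ from 192.168.0.10 port 47630 ssh2
Jan  8 16:09:00 ucsmaster sshd[28465]: fatal: Access denied for user openp-78073436$ by PAM account configuration [preauth]
Jan  8 16:10:12 ucsmaster sshd[28501]: Failed password for alice from 192.168.0.77 port 50112 ssh2
"""

# sshd / pam_access message shapes seen in the excerpt.
PATTERNS = {
    "pam_access_denied": re.compile(
        r"pam_access\(sshd:account\): access denied for user "
        r"`(?P<user>[^']+)' from `(?P<src>[^']+)'"),
    "failed_password": re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "pam_fatal": re.compile(
        r"fatal: Access denied for user (?P<user>\S+) by PAM account configuration"),
}


def denied_host_accounts(log_text):
    """Return machine accounts (name ends in '$') that pam_access rejected,
    with the source addresses and the set of message types seen for each."""
    seen = defaultdict(lambda: {"sources": set(), "events": set()})
    for line in log_text.splitlines():
        for event, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                entry = seen[match.group("user")]
                entry["events"].add(event)
                src = match.groupdict().get("src")  # pam_fatal has no source
                if src:
                    entry["sources"].add(src)
                break
    return {user: entry for user, entry in seen.items()
            if user.endswith("$") and "pam_access_denied" in entry["events"]}


if __name__ == "__main__":
    for user, entry in denied_host_accounts(SAMPLE_AUTH_LOG).items():
        print(user, sorted(entry["sources"]), sorted(entry["events"]))
```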

Hey,

please post the output of ucr search --brief auth/sshd and getent passwd 'openp-78073436$' from your DC Master.

m.
