Kinit broken in univention/ucs-master-amd64:4.2-1 after initial config and restart

On a clean ucs installation, users are not able to change their passwords on their own, after installing kopano-webapp. Before installing kopano-webapp there is no problem.

I reproduced this in the following way with my developer notebook with docker.

• adding the following entries into /etc/hosts:

127.0.0.1       company.localhost	company
127.0.0.1       ucs.company.localhost   ucs
127.0.0.1       ucs-sso.company.localhost ucs-sso

• create custom a docker bridge:
  docker network create --ip-range 172.25.2.0/24 --subnet 172.25.0.0/16 dockerInternalNet --ipv6=false

• startup dnsdock for custom docker internal dns resolving with the following docker-compose.yml file:

version: '2'

services:
  dnsdock:
    container_name: dnsdock
    hostname: dnsdock
    image: tonistiigi/dnsdock:amd64-1.13.1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    expose:
      - "53/udp"
    networks:
      dockerInternalNet:
        ipv4_address: 172.25.1.1
     networks:
       - dockerInternalNet
     command: -nameserver 8.8.8.8:53 -nameserver 8.8.4.4:53

networks:
  dockerInternalNet:
     external: true

• startup official clean ucs dockerhub image with the following docker-compose.yml file:

version: '2'

services:
  ucs:
    image: univention/ucs-master-amd64:latest
    hostname: ucs
    container_name: ucs
    domainname: company.localhost
    ports:
      - "8011:80"
    networks:
      - dockerInternalNet
    environment:
      - nameserver1=172.25.1.1
      - container=docker
      - DNSDOCK_ALIAS=ucs.company.localhost
      - rootpwd=gWXhwArA8pUe49oHES
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    tmpfs:
      - /run
      - /run/lock
    dns: 172.25.1.1
    restart: always
    cap_add:
      - SYS_ADMIN

networks:
  dockerInternalNet:
    external: true

• configure ucs using ucs.company.localhost:8011 in the browser with following settings:
  

• set the appcenter/docker=false ucr value, to be able to reach the appcenter inside the container:
  docker exec -it ucs ucr set appcenter/docker=false

• register ucs with licence to be able to install apps

• install kopano core

• create user (user is currently able to change its own password)

• breaking step: install kopano webapp (which throws an error):
  
  /var/log/univention/appcenter.log shows:

Kopano Sharing & Communication Software’), (‘de_DE’, ‘WebApp | Kopano Sharing & Communication Software’)], ‘icon’: ‘PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjwhLS0gR2VuZXJhdG9yOiBBZG9iZSBJbGx1c3RyYXRvciAxOS4yLjEsIFNWRyBFeHBvcnQgUGx1Zy1JbiAuIFNWRyBWZXJzaW9uOiA2LjAwIEJ1aWxkIDApICAtLT4NCjxzdmcgdmVyc2lvbj0iMS4xIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB4PSIwcHgiIHk9IjBweCINCgkgdmlld0JveD0iMCAwIDI5Ni4yIDI5OC4zIiBzdHlsZT0iZW5hYmxlLWJhY2tncm91bmQ6bmV3IDAgMCAyOTYuMiAyOTguMzsiIHhtbDpzcGFjZT0icHJlc2VydmUiPg0KPHN0eWxlIHR5cGU9InRleHQvY3NzIj4NCgkuc3Qwe2ZpbGw6bm9uZTt9DQoJLnN0MXtmaWxsOiM0MTQwNDI7fQ0KCS5zdDJ7ZmlsbDojMDBCM0YwO30NCjwvc3R5bGU+DQo8ZyBpZD0iTGF5ZXJfMSI+DQoJPHJlY3QgeD0iLTAuNiIgeT0iMC43IiBjbGFzcz0ic3QwIiB3aWR0aD0iMjk3LjMiIGhlaWdodD0iMjk3LjMiLz4NCgk8Zz4NCgkJPGc+DQoJCQk8Zz4NCgkJCQk8cGF0aCBjbGFzcz0ic3QxIiBkPSJNMTQyLjksMjk3LjlMMTguNywxNzMuN2MtNi41LTYuNS0xMC4xLTE1LjItMTAuMS0yNC40YzAtOS4yLDMuNi0xNy45LDEwLjEtMjQuNEwxNDIuOSwwLjdsMjYuNywyNi43DQoJCQkJCUw1NC43LDE0Mi4zYy0xLjksMS45LTIuOSw0LjQtMi45LDdjMCwyLjYsMSw1LjEsMi45LDdsMTE0LjksMTE0LjlMMTQyLjksMjk3Ljl6Ii8+DQoJCQk8L2c+DQoJCTwvZz4NCgkJPHBhdGggY2xhc3M9InN0MiIgZD0iTTI4Ny41LDE0OS4zYzAtMi42LTEtNS4xLTIuOS03bC0zLjYtMy42YzAsMCwwLDAsMCwwbC03MS41LTcxLjVsLTIuNCwyLjRjLTEwLjMsMTAuNi0xOC40LDIyLjgtMjQuMSwzNi40DQoJCQljLTUuNywxMy43LTguNywyOC4yLTguNyw0My4yYzAsMTQuOCwyLjksMjkuMiw4LjcsNDIuOWM1LjcsMTMuNiwxMy45LDI1LjksMjQuMywzNi42bDIuNCwyLjRsNzEuMy03MS4zbDAsMGwzLjYtMy42DQoJCQlDMjg2LjQsMTU0LjQsMjg3LjUsMTUyLDI4Ny41LDE0OS4zeiIvPg0KCTwvZz4NCgk8cmVjdCB4PSItMC42IiB5PSIwLjciIGNsYXNzPSJzdDAiIHdpZHRoPSIyOTcuMyIgaGVpZ2h0PSIyOTcuMyIvPg0KPC9nPg0KPGcgaWQ9IkxheWVyXzIiPg0KPC9nPg0KPC9zdmc+DQo=’}
1388 portalentries 17-08-07 11:21:24 [ DEBUG]: Links: [‘http://ucs.company.localhost/webapp’, ‘http://172.25.2.2/webapp’, ‘https://ucs.company.localhost/webapp’, ‘https://172.25.2.2/webapp’]
1388 portalentries 17-08-07 11:21:24 [ DEBUG]: DN not found…
1388 portalentries 17-08-07 11:21:24 [ DEBUG]: … creating
1388 portalentries 17-08-07 11:21:24 [ ERROR]: Exception in UCR module create_portal_entries
Traceback (most recent call last):
File “/etc/univention/templates/modules/create_portal_entries.py”, line 225, in handler
_handler(ucr, changes)
File “/etc/univention/templates/modules/create_portal_entries.py”, line 205, in _handler
create_object_if_not_exists(‘settings/portal_entry’, lo, pos, **attrs)
File “/usr/lib/pymodules/python2.7/univention/appcenter/udm.py”, line 97, in create_object_if_not_exists
obj.create()
File “/usr/lib/pymodules/python2.7/univention/admin/handlers/init.py”, line 324, in create
dn = self._create(response=response, serverctrls=serverctrls)
File “/usr/lib/pymodules/python2.7/univention/admin/handlers/init.py”, line 812, in _create
self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
File “/usr/lib/pymodules/python2.7/univention/admin/uldap.py”, line 482, in add
raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: No such object

• the created user in not able to change it’s own password anymore, with the following error:

Errorcode 20: The new password could not be set.

The problem is reproducible. Every time i install kopano-webapp on an univention master image, ucs user are not able to set their own passwords. Nevertheless, the Administrator is still able to change the user’s password.

UPDATE:

• @fbartels: The kopano apps do not seem have any relation to the problem. Thanks for your insights so far.

• Thanks to @requate i was able to isolate the problem. Creating the container and running initial configuration, kinit works fine. After a restart of the container, heimdal-kdc is correctly started by systemd, but the kinit is not able to connect (failing with: kinit: krb5_get_init_creds: unable to reach any KDC in realm COMPANY.LOCALHOST) The problem of kinit is the main problem why the web password reset fails, as stated by @requate. Nevertheless i am not able to make it running and the statement of I had to do "things" to make it run it. is not very descriptive.

Hi @cguenther,

thanks for your detailed report. unfortunately this is something I am unable to reproduce when using one of the prebuild app appliances, does this only happen in Docker environments?

I tested only against the univention/ucs-master-amd64:4.2-1 image using docker. It might be possible, that this problem effects only the docker world of ucs. Does the kopano-webapp installation throws somewhere else this error (Exception in UCR module create_portal_entries)?

Hi,

thanks for the feedback. The traceback occurrs because univention-portal is not installed currently in the master container, I’ll check how to make this happen and possibly just upload updated images containing that package.
As a workaround you can just univention-install univention-portal from a root shell in the container (e.g. docker exec -it univention-install univention-portal) and reinstall the Kopano webapp package. When I did that the traceback disappeared and the installation finished without error message.

Regarding password change: you could check if the kdc is running in the container, e.g. by docker exec -it kinit user1.
In my quick test systemd (in the container) actually hadn’t started the kdc for some reason. I had to do “things” to make it run it. Once kinit worked, I was able to let the user change the password via UMC Web interface.

Hi @requate,

As stated in the update section i was able to reproduce without kopano, by simply restarting the ucs container after configuration. I am not able to fix the stuff by myself. After the restart systemctl status heimdal-kdc reports an active and running kdc server. Nevertheless kinit seems to be broken anyway (only after the restart):

root@ucs:/# kinit Administrator
Administrator@COMPANY.LOCALHOST’s Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm COMPANY.LOCALHOST

In front of the restart, this runs fine. So please provide me some details about your statement tog et kinit working again:

I had to do “things” to make it run it.

kinit is not broken. The kdc ist probably not running. You can check with “ps ax | grep kdc”. In two attempts I was unable to reproduce the issue yet. But I did this to make the kdc start again:

_SYSTEMCTL_SKIP_REDIRECT=yes /etc/init.d/heimdal-kdc restart

Thanks a lot for your help.

I was able to find the problem. I think some additional setup guidelines should be defined for the docker world. I runned into a dns overwriting problem between ucs and docker. Situation:

• UCS published correctly itself the domain internal dns server during inital configuration
• docker overwrites the /etc/resolv.conf during container restart
• when external dns is set to docker dns settings, ucs looses the domain internal dns entry on restart --> this breaks the kinit, because it is not able anymore to get the dns information of the kerberos server (hosted locally) which would be delivered by the ucs dns.

To solve the problem:

• i have to place as nameserver1 as well as the dns docker flag the domain dns (docker internal static ucs IP address; or the IP address of the docker host if dns port is mapped)
• external dns has to be defined after initial configuration in the web-ui

I think it should be defined from an official univention statement, if the nameserver1 and the --dns docker variable should be domain internal DNS server or external ones. Currently it seems to break some stuff on restart, when i use there domain external DNS entries.

Thanks for the feedback, I’ve opened Bug 45172 to address this.