Logins to Univention Management Console (UMC) fail

umc
nagios

#1

The Univention Management Console (UMC) is a modularly designed, web-based application for the administration of individual Univention Corporate Server systems.

Should a problem arise when logging on to UMC, the following error message may appear, for example:

Authentication error: The UMC server has not answered the authentication request

This means that the UMC server has not reacted to the authentication request of the web frontend. As this can have many causes, a number of points – described in detail below – must be checked.

Is the UMC server running?

This could most likely be indicated by:

503 Internal server error: The service is temporarily not available.
check if the server and web-server are running and restart them if not

ps waux  |  grep  univention-management-console-server
/etc/init.d/univention-management-console-server restart
/etc/init.d/univention-management-console-web-server restart

Is the LDAP server running? (only on DC master, DC backup, DC slave)

univention-ldapsearch -s base -h $(ucr get hostname).$(ucr get domainname)

Checking SSL certificates

Is the system time correct?

date

The configuration of the system time is described in the UCS manual in the chapter “Time Synchronisation”

Have the SSL certificates expired?

univention-certificate dump -name $(ucr get hostname).$(ucr get domainname) | egrep -i -A2 'validity'; 

If the certificates have expired/are invalid: The renewal of SSL certificates is described in the SDB article Renewing the SSL certificates .

Checking name resolution

Are the Univention DNS services (univention-bind und univention-bind-proxy) running?

 ps waux | grep bind 

Are correct name servers set?

ucr search nameserver 

Can server name to IP and IP to server name be correctly resolved?

 host $(ucr get hostname).$(ucr get domainname)
host $(ucr get interfaces/eth0/address)

Is the Kerberos service record correctly resolvable?

host  -t  SRV  _kerberos._tcp.$(ucr get domainname)

Checking the Kerberos settings

Obtain Kerberos ticket with kinit

kinit Administrator
klist

Checking log files for relevant messages

/var/log/univention/management-console-server.log
/var/log/univention/management-console-web.log
/var/log/auth.log
/var/log/apache2/error.log
More messages may appear at an increased debug level. Proceed as follows to increase the debug level:

Stop the UMC server:

/etc/init.d/univention-management-console-server stop
/etc/init.d/univention-management-console-web-server stop
ucr set umc/server/debug/level=4
/etc/init.d/univention-management-console-server start
/etc/init.d/univention-management-console-web-server start 

Finally, perform a new log-in to UMC and check the /var/log/univention/management-console-server.log log file for relevant messages. After the test, the debug level should be returned to the original level.

Checking the translation files

It is possible that one of the translation files gets corrupt - you can determine this in the logs:

grep "error: unpack requires a string argument of length 4" /var/log/univention/management-console-server.log | echo $? 

If you receive “0” as a result (or find this string as a traceback by hand), the string was found in the logfile and the following steps should help:

mv /usr/share/ univention-management-console/i18n/de/apps.mo /root/apps.mo
/etc/init.d/univention-management-console-server restart

Univention Management Console Web Server could not be reached