Missing entries in the UMC Portal

Hello all,

I noticed, a while after the last upgrade, that most of the UMC portal entries are gone. Basically, only in the category System are there language, networking and hardware-info left. How can I repair this? Installed portal modules are:

univention-management-console-module-join
univention-management-console-module-adtakeover
univention-management-console-module-quota
univention-management-console-module-services
univention-management-console-module-sysinfo
univention-management-console-module-mrtg
univention-management-console-module-lib
univention-management-console-module-adconnector
univention-management-console-module-reboot
univention-management-console-module-pkgdb
univention-management-console-module-ipchange
univention-management-console-module-diagnostic
univention-management-console-module-admindiary
univention-management-console-module-top
univention-management-console-module-ucr
univention-management-console-module-udm
univention-management-console-module-passwordchange
univention-management-console-module-updater
univention-management-console-module-apps
univention-management-console-module-setup
univention-management-console-module-appcenter
univention-management-console-module-welcome
univention-management-console-module-printers

I’m glad for any hint / help.

BR,
entirenet

Hello entirenet,

Where are you missing those entries? Have you created your own portal or are you using the default one?
Can you paste us the output of the command (you can obfuscate your LDAP base and sensitive data):

udm portals/portal list | grep -E "(DN:|categories|showUmc)"

Best regards
Jan-Luca

Hello Jan-Luca,

Thank you for your reply. I did not create my own portal; I was just using the default one.

root@ucs02:~# udm portals/portal list | grep -E "(DN:|categories|showUmc)"
DN: cn=domain,cn=portal,cn=portals,cn=univention,dc=domainname,dc=intranet
  categories: cn=domain-service,cn=category,cn=portals,cn=univention,dc=domainname,dc=intranet
  categories: cn=domain-admin,cn=category,cn=portals,cn=univention,dc=domainname,dc=intranet
  showUmc: TRUE
DN: cn=local,cn=portal,cn=portals,cn=univention,dc=domainname,dc=intranet
  categories: cn=local-admin,cn=category,cn=portals,cn=univention,dc=domainname,dc=intranet
  showUmc: FALSE
DN: cn=self-service,cn=portal,cn=portals,cn=univention,dc=domainname,dc=intranet
  categories: cn=self-service-profile,cn=category,cn=portals,cn=univention,dc=domainname,dc=intranet
  categories: cn=self-service-password,cn=category,cn=portals,cn=univention,dc=domainname,dc=intranet
  categories: cn=self-service-new-account,cn=category,cn=portals,cn=univention,dc=domainname,dc=intranet
  showUmc: FALSE
root@ucs02:~# 

I wonder when in the past this may have happened. Probably an update I ran from the CLI did not finish correctly or packages may have been removed. What are the default modules for the web manager console? Maybe I need to reinstall them.

Or can it be related to my other issue on this server, where the Nextcloud join script is failing?

Best regards,
entirenet

Hey entirenet,

unfortunately I am unable to look into this further currently, but some guesses that I have:

  1. Looking at the entries that were still present, it sounds like only the ones that are relevant for the local current server were shown and not the ones that have a domain-wide use (hardware-info, processes, UCR are things present at every server for itself; things like user management are something you do for the whole UCS domain).
    From my memory there were ways where a server only served those tiles intentionally or unintentionally - Via udm computers/domaincontroller_master (or different roles) you can check the assigned portal and see if the DN matches or if maybe no or a wrong portal was assigned to the specific server
  2. I would not be surprised if an unsuccessful join or a broken package installation would be the cause for this - What is the status of univention-check-join-status?
  3. Perhaps it’s a caching issue - Do you have any reverse proxy or web cache in front of your UCS? Maybe it’s even a portal content cache in UCS, but I have not looked into that before.

Hey jlk,

Thank you for the ideas. I noticed now that the web console manager obviously is also broken, not only Nextcloud.

root@ucs02:~# univention-check-join-status
Warning: 'nextcloud' is not configured.
Warning: 'univention-management-console-web-server' is not configured.
Error: Not all install files configured: 2 missing
root@ucs02:~# 

I need to figure out how I can run join scripts for the management-console-webserver manually.

BR,
entirenet

That sounds promising - univention-run-join-scripts is what you are looking for. To run a specific script you can look up the name with ls /usr/lib/univention-install/*univention-management-console-web-server* and use it like univention-run-join-scripts --run-scripts <filename>. I cannot check that now, but I suspect something like 35univention-management-console-web-server.inst.

I ran this:

root@ucs02:~# univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2023 Univention GmbH, Germany

Enter Primary Directory Node Account : Administrator
Enter Primary Directory Node Password: 

Search LDAP binddn:                                        done
Running pre-joinscripts hook(s):                           done
Running 92univention-management-console-web-server.inst    failed (exitcode: 1)
Running post-joinscripts hook(s):                          done
root@ucs02:~# 

I looked into the join.log, but I wonder about these missing registry entries and how to fix them…

univention-run-join-scripts started
Fr 14. Apr 13:26:54 CEST 2023

univention-join-hooks: looking for hook type "join/pre-joinscripts" on ucs01.domainname.intranet
Found hooks:
  
RUNNING 92univention-management-console-web-server.inst
2023-04-14 13:26:55.773627848+02:00 (in joinscript_init)
W: The config registry variable 'ucs/web/overview/entries/admin/umc/icon' does not exist
W: The config registry variable 'ucs/web/overview/entries/admin/umc/link' does not exist
W: The config registry variable 'ucs/web/overview/entries/admin/umc/link/de' does not exist
W: The config registry variable 'ucs/web/overview/entries/admin/umc/priority' does not exist
W: The config registry variable 'ucs/web/overview/entries/admin/umc/label' does not exist
W: The config registry variable 'ucs/web/overview/entries/admin/umc/label/de' does not exist
W: The config registry variable 'ucs/web/overview/entries/admin/umc/description' does not exist
W: The config registry variable 'ucs/web/overview/entries/admin/umc/description/de' does not exist
LDAP Error: No such object.
92univention-management-console-web-server.inst: 
EXITCODE=1
ca5cebee-f1c2-40d9-9718-e2b5e86c9ba0
univention-join-hooks: looking for hook type "join/post-joinscripts" on ucs01.domainname.intranet
Found hooks:
  

Fr 14. Apr 13:26:58 CEST 2023
univention-run-join-scripts finished

Can I fix those missing registry entries via the CLI?

BR,
entirenet

The warnings should not be the problem, they are just pointing out UCR variables that were not set, but expected. The LDAP Error: No such object. however means that an LDAP object was expected and is missing too - Taking both into account it seems like something more is missing and I would recommend to reinstall the packages related to the UMC server via

apt-get --reinstall install univention-management-console-server univention-management-console-web-server

If that does not fix the join I don’t know what you are missing without looking into the join script.

The reinstall went without any noticeable error, but the issue is still the same. Also, another attempt to run the join script ended with the same exit code and entries in the join.log.

Here is the result from the reinstall:

root@ucs02:~# apt-get --reinstall install univention-management-console-server univention-management-console-web-server
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.       
Statusinformationen werden eingelesen.... Fertig
0 aktualisiert, 0 neu installiert, 2 erneut installiert, 0 zu entfernen und 9 nicht aktualisiert.
Es müssen 164 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 0 B Plattenplatz zusätzlich benutzt.
Holen:1 https://updates.software-univention.de errata503/main amd64 univention-management-console-server all 12.0.17-9A~5.0.0.202303281750 [80,4 kB]
Holen:2 https://updates.software-univention.de errata503/main amd64 univention-management-console-web-server all 12.0.17-9A~5.0.0.202303281750 [83,3 kB]
Es wurden 164 kB in 0 s geholt (1.123 kB/s).                   
(Lese Datenbank ... 113701 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../univention-management-console-server_12.0.17-9A~5.0.0.202303281750_all.deb ...
Entpacken von univention-management-console-server (12.0.17-9A~5.0.0.202303281750) über (12.0.17-9A~5.0.0.202303281750) ...
univention-management-console-server.service is not active, cannot reload.
Vorbereitung zum Entpacken von .../univention-management-console-web-server_12.0.17-9A~5.0.0.202303281750_all.deb ...
Entpacken von univention-management-console-web-server (12.0.17-9A~5.0.0.202303281750) über (12.0.17-9A~5.0.0.202303281750) ...
univention-management-console-server (12.0.17-9A~5.0.0.202303281750) wird eingerichtet ...
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
File: /var/www/univention/meta.json
File: /etc/logrotate.d/univention-management-console
univention-management-console-server.service is not active, cannot reload.
Setting umc/web/cache_bust
File: /var/www/univention/meta.json
Not updating umc/server/debug/level
Not updating umc/server/autostart
Not updating umc/server/upload/max
Not updating umc/module/debug/level
Not updating umc/module/timeout
loaded json file /var/cache/univention-management-console/acls/root
warning: rule ucr/* already exists
warning: rule service/* already exists
warning: rule quota/* already exists
warning: rule top/* already exists
warning: rule reboot/* already exists
warning: rule services/* already exists
warning: rule sysinfo/* already exists
warning: rule updater/* already exists
warning: rule lib/* already exists
warning: rule join/* already exists
loaded json file /var/cache/univention-management-console/acls/root
warning: rule setup/* already exists
Setting security/packetfilter/package/univention-management-console-server/tcp/6670/all
Setting security/packetfilter/package/univention-management-console-server/tcp/6670/all/en
File: /etc/security/packetfilter.d/80_univention-firewall_policy.sh
File: /etc/security/packetfilter.d/10_univention-firewall_start.sh
univention-management-console-web-server (12.0.17-9A~5.0.0.202303281750) wird eingerichtet ...
File: /etc/apache2/sso-vhost.conf.d/01redirect.conf
File: /etc/apache2/sites-available/univention.conf
Module: setup_saml_sp
Try to download idp metadata (1/60)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5263    0  5263    0     0  19138      0 --:--:-- --:--:-- --:--:-- 19138
univention-management-console-web-server.service is not active, cannot reload.
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Module: configure_umc_multiprocessing
Module wsgi already enabled
Module proxy already enabled
Considering dependency proxy for proxy_connect:
Module proxy already enabled
Module proxy_connect already enabled
Considering dependency proxy for proxy_http:
Module proxy already enabled
Module proxy_http already enabled
Module headers already enabled
Considering dependency proxy_balancer for lbmethod_bybusyness:
Considering dependency proxy for proxy_balancer:
Module proxy already enabled
Considering dependency alias for proxy_balancer:
Module alias already enabled
Considering dependency slotmem_shm for proxy_balancer:
Module slotmem_shm already enabled
Module proxy_balancer already enabled
Module lbmethod_bybusyness already enabled
Considering dependency proxy for proxy_balancer:
Module proxy already enabled
Considering dependency alias for proxy_balancer:
Module alias already enabled
Considering dependency slotmem_shm for proxy_balancer:
Module slotmem_shm already enabled
Module proxy_balancer already enabled
Site univention already enabled
httpd (pid 5654) already running
Not updating umc/http/session/timeout
Not updating umc/http/response-timeout
Not updating umc/http/autostart
Not updating umc/http/port
Not updating umc/http/interface
Not updating umc/server/upload/min_free_space
Not updating umc/http/content-security-policy/default-src
Not updating umc/http/content-security-policy/script-src
Not updating umc/http/content-security-policy/object-src
Not updating umc/http/content-security-policy/style-src
Not updating umc/http/content-security-policy/img-src
Not updating umc/http/content-security-policy/media-src
Not updating umc/http/content-security-policy/frame-src
Not updating umc/http/content-security-policy/font-src
Not updating umc/http/content-security-policy/connect-src
Not updating umc/http/content-security-policy/form-action
Not updating umc/http/content-security-policy/frame-ancestors
Not updating umc/login/content-security-policy/frame-ancestors
Trigger für univention-config (15.0.10-1A~5.0.0.202302031924) werden verarbeitet ...
root@ucs02:~# 

Another idea?

BR,
entirenet

I just looked into the joinscript (and encourage you to do so too), because we should find out which object reference leads to the script erroring out.

General remarks:

  • This likely happens because of a udm command
  • If the line ends with || true it’s not responsible for stopping the joinscript execution

My first assumption is line 77:

if [ "$JS_LAST_EXECUTED_VERSION" -ge "5" -a "$JS_LAST_EXECUTED_VERSION" -lt "7" ]; then
	udm saml/serviceprovider remove "$@" --dn "SAMLServiceProviderIdentifier=https://$fqdn/univention-management-console/saml/metadata,cn=saml-serviceprovider,cn=univention,$ldap_base"
fi

Why? The mentioned UCR variables are in fact unset by the script, so the warnings you get suggest that they were already unset at this point. The given line tries to remove a SAML serviceprovider from UDM (and does not end in || true), so maybe that one was already deleted like the variables were unset.
As a workaround you can either recreate a serviceprovider with the mentioned DN or just comment the whole if condition out with # - But first we should double check that the provider is in fact not present anymore.
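
The check described in the post above (find the udm calls in a join script that do not end in || true), as an added example that is not part of the original thread and not Univention's own code. The sample join script is constructed around the snippet quoted above; its other lines and the function names are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not Univention code): list udm calls in a join script that do
# not end in "|| true", i.e. the candidates for aborting the script.

# Print "<line>: <command>" per candidate. Backslash-continued lines are joined
# and judged as one command; comment lines are skipped.
unguarded_udm_calls() {
    awk '
    {
        if (buf == "") start = NR
        line = $0
        if (line ~ /\\[ \t]*$/) {            # continuation: keep collecting
            sub(/\\[ \t]*$/, " ", line); buf = buf line; next
        }
        cmd = buf line; buf = ""
        gsub(/^[ \t]+|[ \t]+$/, "", cmd)     # trim
        gsub(/[ \t]+/, " ", cmd)             # collapse whitespace for display
        if (cmd ~ /^#/) next                 # commented-out command
        if ((" " cmd) !~ /[ ;&|(](udm|univention-directory-manager) /) next
        if (cmd ~ /[|][|] *true *$/) next    # guarded: failure is ignored
        print start ": " cmd
    }' "$1"
}

# Constructed sample modelled on the snippet quoted in the thread; the other
# lines are assumptions for illustration, not the real join script.
write_sample_joinscript() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample, not the real join script
joinscript_init
udm portals/portal remove "$@" --dn "cn=old,cn=portal,cn=portals,cn=univention,$ldap_base" || true
if [ "$JS_LAST_EXECUTED_VERSION" -ge "5" -a "$JS_LAST_EXECUTED_VERSION" -lt "7" ]; then
    udm saml/serviceprovider remove "$@" --dn "SAMLServiceProviderIdentifier=https://$fqdn/univention-management-console/saml/metadata,cn=saml-serviceprovider,cn=univention,$ldap_base"
fi
# udm container/cn remove "$@" --dn "cn=demo,$ldap_base"
univention-directory-manager container/cn create "$@" --ignore_exists \
    --position "cn=univention,$ldap_base" --set name=demo
EOF
}

sample=$(mktemp)
write_sample_joinscript "$sample"
unguarded_udm_calls "$sample"    # reports lines 6 and 9 of the sample
rm -f "$sample"
# On the server: unguarded_udm_calls /usr/lib/univention-install/92univention-management-console-web-server.inst
```

Each reported line is only a candidate; whether the object it references still exists has to be checked against LDAP before the line is changed.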

Hi jlk,

I tried it with commenting out the lines:

#if [ "$JS_LAST_EXECUTED_VERSION" -ge "5" -a "$JS_LAST_EXECUTED_VERSION" -lt "7" ]; then
#	udm saml/serviceprovider remove "$@" --dn "SAMLServiceProviderIdentifier=https://$fqdn/univention-management-console/saml/metadata,cn=saml-serviceprovider,cn=univention,$ldap_base"
#fi

Still I get the same error. How can I maybe increase the log level?

And thank you so far for all the help and ideas.

BR,
entirenet.

Since it is a memberserver, neither a domaincontroller nor a backupcontroller, is univention-saml required to be installed on that server? Shouldn’t the memberserver contact the domaincontroller server for SAML stuff?

Best regards,
entirenet

Hello all.

Does anyone maybe have another idea? Otherwise I might have to go for a reinstall of that server. It’s annoying not being able to manage that machine through the Univention WebUI.

Best regards,
entirenet
