Problem: OPSI on Memberserver is not working anymore

Problem:

Login of the opsiconfd client to the opsimaster fails.
When you try to log in via the client you get an “unauthorized” error.

The auth.log shows:

Oct 28 14:35:32 opsimaster opsiconfd: pam_krb5(opsi-auth:auth): (user username) attempting authentication as username@SCHEIN.ME
Oct 28 14:35:32 opsimaster opsiconfd: pam_krb5(opsi-auth:auth): (user username) krb5_get_init_creds_password: unable to reach any KDC in realm SCHEIN.ME
Oct 28 14:35:32 opsimaster opsiconfd: pam_krb5(opsi-auth:auth): authentication failure; logname=username uid=2011 euid=2011 tty= ruser= rhost=
Oct 28 14:35:32 opsimaster opsiconfd: pam_krb5(opsi-auth:auth): pam_sm_authenticate: exit (failure)

So the opsimaster cannot reach the primary: pam_krb5 finds no KDC for the realm SCHEIN.ME.

Investigation:

You can run some authentication tests:

opsiconfd -l8 test pam_auth
Testing PAM authentication
Enter username: cscheini
Enter password: *********
→ see the result.

opsiconfd -l5 test ldap_auth
Testing LDAP authentication
- LDAP URL
Examples:
    Active Directory / Samba 4
            ldaps://ad.company.de/dc=company,dc=de
    OpenLDAP
            ldap://ldap.company.de:7389/dc=company,dc=de
            ldaps://10.10.1.2/dc=org,dc=tld
Enter LDAP URL: ldap://master.schein.me:7389/dc=schein,dc=me
- Bind user (template)
{base} will be replaced with the base DN from the LDAP URL.
{username} will be replaced with the username to authenticate.
Examples:
    Active Directory / Samba 4
            {username}@company.de
    OpenLDAP
            uid={username},ou=Users,dc=org,dc=tld
            uid={username},cn=Users,{base}
Enter bind user template: uid={username},cn=Users,{base}
- Group filter (optional)
The filter which is used when searching groups.
Examples:
    (objectclass=group)
Enter group filter (optional): (&(objectClass=univentionGroup)(cn=opsiadmin))
Use memberof RDN?
If active, the RDN of the memberof attribute will be used
to get the group name, without searching the group.
Use memberOf RDN? [y/n] (n): n
Enter username: cschein
Enter password:
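
How the LDAP URL and the bind user template from the dialog above combine into the DN that is bound, as an added example (not opsiconfd's code and not part of the original article). The function names are hypothetical and the expansion follows only what the prompt text says about {base} and {username}; it covers the DN-style OpenLDAP template, escapes the username per RFC 4514, and reports whether the URL uses ldaps.

```python
from urllib.parse import urlsplit, unquote

DN_SPECIAL = set('\\,+"<>;=')  # must be escaped in a DN attribute value (RFC 4514)

def escape_dn_value(value: str) -> str:
    """Escape untrusted text so it stays inside one RDN value."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def parse_ldap_url(url: str) -> dict:
    """Split scheme://host[:port]/base-dn; reject anything else."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    base = unquote(parts.path.lstrip("/"))
    if "=" not in base:
        raise ValueError("LDAP URL carries no base DN")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # tls=False: with plain ldap:// and no StartTLS the bind password is sent unencrypted
    return {"host": parts.hostname, "port": port, "base": base,
            "tls": parts.scheme == "ldaps"}

def expand_bind_user(template: str, username: str, base: str) -> str:
    """Fill a DN-style bind template such as uid={username},cn=Users,{base}."""
    if "{username}" not in template:
        raise ValueError("template has no {username} placeholder")
    # {base} first, so a username containing the text "{base}" is not expanded
    return (template.replace("{base}", base)
                    .replace("{username}", escape_dn_value(username)))

if __name__ == "__main__":
    # Values typed in the session above, combined here into one run
    target = parse_ldap_url("ldap://master.schein.me:7389/dc=schein,dc=me")
    print(target)
    print(expand_bind_user("uid={username},cn=Users,{base}", "cschein", target["base"]))
```

A template typed with mismatched brackets, such as uid=(username}, raises ValueError here because the {username} placeholder is never found.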

Solution

  1. Install a new Memberserver as opsimaster

or

  1. Switch to OpenLDAP authentication
    This can be done with the “tool” introduced in the investigation part:
    opsiconfd test ldap_auth
    If the test is successful, you will be asked to save the configuration directly, so it is useful to back up the opsi configuration (/etc/opsi/opsi.conf) beforehand.