Issue
If you get the following error message, e.g in a join.log or updater.log when the server trys to connect or read from the master.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive)
Also indicative messages are:
in sysvol-sync.log:
2021-08-12 13:20:34 ERROR [ucs1] Placing a trigger file failed.
2021-08-12 13:25:02 ERROR [ucs1] placing triggerfile with ssh failed with 1. (Password unchangedPassword unchangedPassword unchangedWARNING: Your password has expired.Password change required but no TTY available.)
or in U-M-C-server.log:
12.08.21 14:17:16.255 AUTH ( INFO ) : Trying to authenticate user u’ucs1$’
12.08.21 14:17:16.256 LDAP ( INFO ) : uldap.search filter=(&(uid=ucs1$)(objectClass=person)) base= scope=sub attr=[‘uid’] unique=1 required=0 timeout=-1 sizelimit=0
12.08.21 14:17:16.257 AUTH ( INFO ) : Canonicalized username: u’ucs1$’
12.08.21 14:17:16.259 AUTH ( INFO ) : PAM says: ‘Sie müssen Ihr Passwort sofort ändern (Passwortablauf).’
12.08.21 14:17:16.259 AUTH ( ERROR ) : PAM: authentication error: (‘Authentifizierungstoken ist nicht mehr gültig; neues erforderlich’, 12)
12.08.21 14:17:16.259 AUTH ( INFO ) : Das Passwort ist abgelaufen und muss erneuert werden.
You want try to execute the command directly i.e.:
root@backup:~# univention-ssh /etc/machine.secret "$(hostname)\$@master" ls
Solution
Step 1
You can try to reset the password on the master from the server who cannot connect.
On the slave do:
root@backup:~# cat /etc/machine.secret ; echo
Switch to the master. Remember to replace the domaincontroller_backup with the correct one for your server having issues (domaincontroller_backup, domaincontroller_slave or memberserver). You will get the distingueshed name of the server back:
root@master:~# udm computers/domaincontroller_backup list --filter cn=<HOSTNAME> | sed -ne 's/DN: //p'
Now reset the existing password
root@master:~# udm computers/domaincontroller_backup modify --dn '<udm command output from above>' --set password= <cat command output>
Example:
root@backup-dc:~# cat /etc/machine.secret ; echo
ahpei1ooRoh1fietaiz9
root@master-dc:~# udm computers/domaincontroller_backup list --filter cn=backup-dc | sed -ne 's/DN: //p'
cn=backup-dc,cn=dc,cn=computers,dc=ucs,dc=example
root@master-dc:~# udm computers/domaincontroller_backup modify --dn 'cn=backup-dc,cn=dc,cn=computers,dc=ucs,dc=example' --set password=ahpei1ooRoh1fietaiz9
Object modified: cn=backup-dc,cn=dc,cn=computers,dc=ucs,dc=example
Step 2
If there is still a problem you should check the server account.
root@master:~# univention-ldapsearch -LLLo ldif-wrap=no cn=<HOSTNAME> krb5KeyVersionNumber shadowLastChange krb5PasswordEnd sambaPwdLastSet univentionPWExpiryInterval shadowMax
dn: <HOSTNAME-DN>
shadowLastChange: 16770
krb5PasswordEnd: 20160229000000Z
shadowMax: 100
krb5KeyVersionNumber: 4
sambaPwdLastSet: 1537320845
Step 3
If you find shadowMax shadowLastChange and krb5PasswordEnd set, you should remove them from the object:
root@master:~# ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret <<EOR
dn: cn=<HOSTNAME>,cn=dc,cn=computers,dc=<DOMAIN1>,dc=<DOMAIN2>
changetype: modify
delete: shadowMax
EOR
root@master:~# ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret <<EOR
dn: cn=<HOSTNAME>,cn=dc,cn=computers,dc=<DOMAIN1>,dc=<DOMAIN2>
changetype: modify
delete: shadowLastChange
EOR
root@master:~# ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret <<EOR
dn: cn=<HOSTNAME>,cn=dc,cn=computers,dc=<DOMAIN1>,dc=<DOMAIN2>
changetype: modify
delete: krb5PasswordEnd
EOR
Step 4
If you could not fix it with those steps, check your nameserver entries with
ucr search --brief nameserver