Problem: univention-ssh or univention-scp is not working


Issue

You get the following error message, e.g. in join.log or updater.log, when the server tries to connect to or read from the master:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive)

Solution

Step 1

You can try to reset the password on the master, using the machine secret of the server that cannot connect. On that server, print the secret:

cat /etc/machine.secret ; echo

Log in to the master, look up the DN of the server's computer object, and set its password to the value printed above:

udm computers/domaincontroller_backup list --filter cn=backup | sed -ne 's/DN: //p'

udm computers/domaincontroller_backup modify --dn '< previous udm command output >' --set password='<cat command password>'

Step 2

If there is still a problem, you should check the server account:

univention-ldapsearch -LLLo ldif-wrap=no cn=backup krb5KeyVersionNumber shadowLastChange krb5PasswordEnd sambaPwdLastSet univentionPWExpiryInterval shadowMax
shadowLastChange: 16770
krb5PasswordEnd: 20160229000000Z
shadowMax: 100
krb5KeyVersionNumber: 4
sambaPwdLastSet: 1537320845

Step 3

If you find shadowMax, shadowLastChange and krb5PasswordEnd set, you should remove them from the object:

root@master:~# ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret <<EOR
dn: cn=backup,cn=dc,cn=computers,dc=schein,dc=ig
changetype: modify
delete: shadowMax
EOR
root@master:~# ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret <<EOR
dn: cn=backup,cn=dc,cn=computers,dc=schein,dc=ig
changetype: modify
delete: shadowLastChange
EOR
root@master:~# ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret <<EOR
dn: cn=backup,cn=dc,cn=computers,dc=schein,dc=ig
changetype: modify
delete: krb5PasswordEnd
EOR
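
To judge from the Step 2 output whether Step 3 applies, the following helper reads the LDIF on stdin and reports which expiry attributes are set and whether they already lie in the past. It is an added example, not Univention code; the function name check_expiry is hypothetical, and it assumes a date command that accepts -d @EPOCH (GNU date, as on UCS).

```shell
#!/bin/sh
# Added example, not Univention code. Reads LDIF on stdin, as printed by the
# univention-ldapsearch call in Step 2, and reports password-expiry attributes.
# Usage: univention-ldapsearch -LLLo ldif-wrap=no cn=backup ... | check_expiry
# Optional argument: "now" as epoch seconds (defaults to the current time).
# Exit status: 0 if no expiry attribute is set, 1 otherwise.
check_expiry() {
    now=${1:-$(date -u +%s)}
    # krb5PasswordEnd is a GeneralizedTime (YYYYmmddHHMMSSZ); two values in
    # that format compare correctly as plain strings.
    # Assumption: date supports -d @EPOCH.
    now_gt=$(date -u -d "@$now" +%Y%m%d%H%M%SZ)
    awk -v today="$((now / 86400))" -v now_gt="$now_gt" '
        /^shadowLastChange: / { last = $2; found = found " shadowLastChange" }
        /^shadowMax: /        { max = $2;  found = found " shadowMax" }
        /^krb5PasswordEnd: /  { kend = $2; found = found " krb5PasswordEnd" }
        END {
            if (found == "") { print "OK: no expiry attributes set"; exit 0 }
            print "SET:" found
            # shadowLastChange and shadowMax count days since 1970-01-01
            if (last != "" && max != "" && last + max < today)
                print "EXPIRED: shadow password age exceeded " (today - last - max) " days ago"
            # appending "" forces a string comparison
            if (kend != "" && (kend "") < (now_gt ""))
                print "EXPIRED: krb5PasswordEnd " kend " is in the past"
            exit 1
        }'
}
```

With the sample output from Step 2, both the shadow and the Kerberos expiry are reported as past, which matches the situation in which Step 3 is needed.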
