Problem: univention-ssh or univention-scp is not working

Issue

If you get the following error message, e.g. in join.log or updater.log, when a server tries to connect to or read from the master:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive)
Other indicative messages are:
in sysvol-sync.log:

2021-08-12 13:20:34 ERROR [ucs1] Placing a trigger file failed.
2021-08-12 13:25:02 ERROR [ucs1] placing triggerfile with ssh failed with 1. (Password unchangedPassword unchangedPassword unchangedWARNING: Your password has expired.Password change required but no TTY available.)

or in the UMC server log (the PAM messages below are translated from the German of the original log):

12.08.21 14:17:16.255 AUTH ( INFO ) : Trying to authenticate user u'ucs1$'
12.08.21 14:17:16.256 LDAP ( INFO ) : uldap.search filter=(&(uid=ucs1$)(objectClass=person)) base= scope=sub attr=['uid'] unique=1 required=0 timeout=-1 sizelimit=0
12.08.21 14:17:16.257 AUTH ( INFO ) : Canonicalized username: u'ucs1$'
12.08.21 14:17:16.259 AUTH ( INFO ) : PAM says: 'You must change your password immediately (password expired).'
12.08.21 14:17:16.259 AUTH ( ERROR ) : PAM: authentication error: ('Authentication token is no longer valid; new one required', 12)
12.08.21 14:17:16.259 AUTH ( INFO ) : The password has expired and must be renewed.

To reproduce the error, execute the command directly on the affected server, e.g.:
root@backup:~# univention-ssh /etc/machine.secret "$(hostname)\$@master" ls

Solution

Step 1

You can reset the machine password on the master to the value stored on the server that cannot connect.
On the affected server (backup, slave or member server) do:

root@backup:~# cat /etc/machine.secret ; echo

Switch to the master. Replace domaincontroller_backup with the module matching the role of the server having issues (domaincontroller_backup, domaincontroller_slave or memberserver). You will get the distinguished name of the server back:

root@master:~# udm computers/domaincontroller_backup list --filter cn=<HOSTNAME>  | sed -ne 's/DN: //p'

Now reset the existing password (no space between password= and the value):

root@master:~# udm computers/domaincontroller_backup modify --dn '<udm command output from above>' --set password=<cat command output>

Example:

root@backup-dc:~# cat /etc/machine.secret ; echo
ahpei1ooRoh1fietaiz9

root@master-dc:~# udm computers/domaincontroller_backup list --filter cn=backup-dc  | sed -ne 's/DN: //p'
cn=backup-dc,cn=dc,cn=computers,dc=ucs,dc=example

root@master-dc:~# udm computers/domaincontroller_backup modify --dn 'cn=backup-dc,cn=dc,cn=computers,dc=ucs,dc=example' --set password=ahpei1ooRoh1fietaiz9
Object modified: cn=backup-dc,cn=dc,cn=computers,dc=ucs,dc=example

Step 2

If there is still a problem, check the password-expiry attributes of the server's machine account:

root@master:~# univention-ldapsearch -LLLo ldif-wrap=no cn=<HOSTNAME> krb5KeyVersionNumber shadowLastChange krb5PasswordEnd sambaPwdLastSet univentionPWExpiryInterval shadowMax
dn: <HOSTNAME-DN>
shadowLastChange: 16770
krb5PasswordEnd: 20160229000000Z
shadowMax: 100
krb5KeyVersionNumber: 4
sambaPwdLastSet: 1537320845

Step 3

If you find shadowMax, shadowLastChange and krb5PasswordEnd set, remove them from the object. These attributes are what make PAM and Kerberos treat the machine password as expired: shadowLastChange is counted in days since 1970-01-01 and shadowMax in days of validity, so 16770 + 100 days in the example above gives an expiry on 2016-03-10, and krb5PasswordEnd 20160229000000Z is 2016-02-29 UTC. The ldapmodify calls bind as the master's own machine account (ldap/hostdn), so run them on the master. Afterwards re-run the univention-ssh command from the Issue section on the affected server to confirm the connection works:

root@master:~# ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret <<EOR
dn: cn=<HOSTNAME>,cn=dc,cn=computers,dc=<DOMAIN1>,dc=<DOMAIN2>
changetype: modify
delete: shadowMax
EOR
root@master:~# ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret <<EOR
dn: cn=<HOSTNAME>,cn=dc,cn=computers,dc=<DOMAIN1>,dc=<DOMAIN2>
changetype: modify
delete: shadowLastChange
EOR
root@master:~# ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret <<EOR
dn: cn=<HOSTNAME>,cn=dc,cn=computers,dc=<DOMAIN1>,dc=<DOMAIN2>
changetype: modify
delete: krb5PasswordEnd
EOR
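
Added example, not part of the original article or of UCS itself: a small Python tool that reads the univention-ldapsearch output from Step 2, converts the three different time formats (shadow days, Kerberos GeneralizedTime, Samba Unix epoch) into dates, decides whether the master will treat the machine password as expired, and generates the LDIF for Step 3 as a single modify record that only deletes the attributes that are actually present (deleting an absent attribute makes ldapmodify fail with noSuchAttribute). The sample LDIF is constructed from the values shown in Step 2 with a hypothetical host DN; run it with `python3 expiry_check.py`, or feed it real output with `univention-ldapsearch ... | python3 expiry_check.py` after swapping the sample for `sys.stdin.read()`.

```python
"""Interpret the password-expiry attributes of a UCS machine account and
emit the LDIF that removes them (Step 2 and Step 3 of the article)."""
from datetime import date, datetime, timedelta, timezone

# Constructed sample input: the univention-ldapsearch output shown in Step 2,
# with the <HOSTNAME-DN> placeholder filled with a hypothetical host DN.
SAMPLE_LDIF = """\
dn: cn=ucs1,cn=dc,cn=computers,dc=ucs,dc=example
shadowLastChange: 16770
krb5PasswordEnd: 20160229000000Z
shadowMax: 100
krb5KeyVersionNumber: 4
sambaPwdLastSet: 1537320845
"""

# Attributes that Step 3 deletes, in the order the article deletes them.
EXPIRY_ATTRS = ("shadowMax", "shadowLastChange", "krb5PasswordEnd")

EPOCH = date(1970, 1, 1)


def parse_ldif(text):
    """Parse one unwrapped LDIF entry (as printed with -o ldif-wrap=no)
    into a dict of single-valued attributes."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if sep:
            entry[attr.strip()] = value.strip()
    return entry


def shadow_expiry(entry):
    """shadow(5) semantics: shadowLastChange is days since 1970-01-01,
    shadowMax the number of days the password stays valid after that.
    Returns the expiry date, or None if either attribute is absent."""
    if "shadowLastChange" not in entry or "shadowMax" not in entry:
        return None
    last_change = EPOCH + timedelta(days=int(entry["shadowLastChange"]))
    return last_change + timedelta(days=int(entry["shadowMax"]))


def krb5_expiry(entry):
    """krb5PasswordEnd is an LDAP GeneralizedTime in UTC (YYYYmmddHHMMSSZ)."""
    value = entry.get("krb5PasswordEnd")
    if value is None:
        return None
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def samba_last_set(entry):
    """sambaPwdLastSet is a Unix timestamp (seconds since the epoch, UTC)."""
    value = entry.get("sambaPwdLastSet")
    if value is None:
        return None
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def is_expired(entry, now=None):
    """True if either the shadow or the Kerberos expiry lies in the past."""
    now = now or datetime.now(timezone.utc)
    shadow = shadow_expiry(entry)
    krb5 = krb5_expiry(entry)
    return (shadow is not None and shadow < now.date()) or \
           (krb5 is not None and krb5 < now)


def cleanup_ldif(entry):
    """LDIF for Step 3: one modify record that deletes every expiry attribute
    actually present. Absent attributes are skipped, because 'delete:' of a
    missing attribute makes ldapmodify fail with noSuchAttribute."""
    present = [attr for attr in EXPIRY_ATTRS if attr in entry]
    if not present:
        return ""
    lines = [f"dn: {entry['dn']}", "changetype: modify"]
    for i, attr in enumerate(present):
        if i:
            lines.append("-")  # separates the changes within one record
        lines.append(f"delete: {attr}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    e = parse_ldif(SAMPLE_LDIF)
    print("shadow expiry  :", shadow_expiry(e))
    print("krb5 expiry    :", krb5_expiry(e))
    print("samba last set :", samba_last_set(e))
    print("expired now    :", is_expired(e))
    print("--- LDIF for Step 3 (pipe into ldapmodify) ---")
    print(cleanup_ldif(e), end="")
```

The generated record can be applied with the same bind the article uses, `ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret`, on the master. Because the three deletes are in one record they succeed or fail together, which is the behaviour you want when the goal is to leave the object in a consistent state.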

Step 4

If you could not fix it with those steps, check that the name server entries on the affected server point to a DNS server that resolves the master:

ucr search --brief nameserver