Problem: Users can no longer log in via SSH and terminal server

Problem:

Users can no longer log in via SSH and terminal server.
Some users can log in, others cannot.

Investigation:

kinit Administrator → works, but
id Administrator
shows

There is no such user
or, on a system with a German locale:
Einen solchen Benutzer gibt es nicht

univention-ldapsearch -LLL '(&(uid=Administrator)(objectClass=posixAccount))' objectClass
This returns no output, although the objectClass is found with a plain univention-ldapsearch uid=Administrator

This points to a faulty LDAP index.
You can rebuild the index, but in this case that was not the solution (it is mentioned only as a supplement).

The auth.log shows:

Jun 14 14:12:36 ucs01 sshd[14798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3
Jun 14 14:12:36 ucs01 sshd[14798]: pam_krb5(sshd:auth): authentication failure; logname=administrator uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3
Jun 14 14:12:36 ucs01 sshd[14798]: pam_ldap: error trying to bind as user "uid=Administrator,cn=users,dc=schein,dc=me" (Invalid credentials)
Jun 14 14:12:38 ucs01 sshd[14796]: error: PAM: Authentication failure for illegal user administrator from 192.168.0.3
Jun 14 14:12:38 ucs01 sshd[14796]: Failed keyboard-interactive/pam for invalid user administrator from 192.168.0.3 port 56039 ssh2

The syslog shows:

Jun 16 08:44:07 ucs01 slapd[1705]: entry failed schema check: unrecognized objectClass 'webweaverUser'

The listener.log shows:

14.06.21 14:00:34.050 LISTENER ( PROCESS ) : updating 'cn=webweaver,cn=ldapschema,cn=univention,dc=schein,dc=me' command d

Run slapschema to get more information:
slapschema

60cc90d7 UNKNOWN attributeDescription "WEBWEAVERACTIVATED" inserted.
#(65) Object class violation: unrecognized objectClass 'webweaverUser'
dn: uid=Administrator,cn=users,dc=schein,dc=qa
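
As an added example (not part of the original article), this shell function groups slapschema output by unrecognized objectClass and lists the affected DNs, so you can see how many accounts fail the schema check. It assumes the line pattern quoted above; the function names and the sample DNs are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise slapschema output per unrecognized objectClass.
# Assumes the pattern shown on this page: an "Object class violation:
# unrecognized objectClass" line followed by the "dn:" line of the entry.

summarize_schema_violations() {
    awk '
        /Object class violation: unrecognized objectClass/ {
            cls = $NF
            gsub(/[^A-Za-z0-9._-]/, "", cls)   # strip straight or typographic quotes
            pending = cls
            next
        }
        /^dn: / && pending != "" {
            count[pending]++
            dns[pending] = dns[pending] "  " substr($0, 5) "\n"
            pending = ""
            next
        }
        END {
            # One header per objectClass, then the affected DNs in input order
            for (c in count)
                printf "%s (%d)\n%s", c, count[c], dns[c]
        }
    '
}

# Constructed sample modelled on the output quoted above (example DNs).
sample_output() {
    cat <<'EOF'
60cc90d7 UNKNOWN attributeDescription "WEBWEAVERACTIVATED" inserted.
# (65) Object class violation: unrecognized objectClass 'webweaverUser'
dn: uid=Administrator,cn=users,dc=example,dc=test
# (65) Object class violation: unrecognized objectClass 'webweaverUser'
dn: uid=alice,cn=users,dc=example,dc=test
EOF
}

# On a live server: slapschema 2>&1 | summarize_schema_violations
sample_output | summarize_schema_violations
```

Accounts that do not appear in the summary pass the schema check, which matches the symptom that only some users are locked out.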

Solution:

In this case the webweaver schema had been removed.
If webweaver is still installed and should remain in use, you can re-register the schema like this:

root@ucs01:~# univention-app register webweaver --do-it
Registering component for webweaver=2.0.0-6
Creating data directories for webweaver...
Registering UCR for webweaver
Marking webweaver=2.0.0-6 as installed
Adding localhost to LDAP object
Registering schema /usr/share/univention-appcenter/apps/webweaver/webweaver.schema
Password for Administrator:
Object created: cn=webweaver,cn=ldapschema,cn=univention,dc=schein,dc=me

Object modified: cn=webweaver,cn=ldapschema,cn=univention,dc=schein,dc=me

Waiting for activation of the extension object webweaver: ............OK
Registering attribute webweaverActivated

If webweaver is no longer used, you can remove the app and remove all references from LDAP:
By default, schemas used by an app are NOT automatically removed, and they should not be!