Problem: User cannot login anymore via ssh and terminalserver

Problem:

User cannot login anymore via ssh and terminalserver
Some users can login, some users cannot.

Investigation:

kinit Administrator → is working
id Administrator
shows:

There is no such user
or, on a system with a German locale:
Einen solchen Benutzer gibt es nicht

Investigation:

univention-ldapsearch -LLL '(&(uid=Administrator)(objectClass=posixAccount))' objectClass
This returns no output, but the objectClass is found via a plain univention-ldapsearch uid=Administrator

This points to a faulty LDAP index.
Addition on how to fix this:
You can rebuild the index, but in this case it was not the solution (mentioned only as a supplement). Described in this article

You find in the auth.log

Jun 14 14:12:36 ucs01 sshd[14798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3
Jun 14 14:12:36 ucs01 sshd[14798]: pam_krb5(sshd:auth): authentication failure; logname=administrator uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3
Jun 14 14:12:36 ucs01 sshd[14798]: pam_ldap: error trying to bind as user "uid=Administrator,cn=users,dc=schein,dc=me" (Invalid credentials)
Jun 14 14:12:38 ucs01 sshd[14796]: error: PAM: Authentication failure for illegal user administrator from 192.168.0.3
Jun 14 14:12:38 ucs01 sshd[14796]: Failed keyboard-interactive/pam for invalid user administrator from 192.168.0.3 port 56039 ssh2

The syslog shows:

Jun 16 08:44:07 ucs01 slapd[1705]: entry failed schema check: unrecognized objectClass 'webweaverUser'

The listener.log shows:

14.06.21 14:00:34.050 LISTENER ( PROCESS ) : updating 'cn=webweaver,cn=ldapschema,cn=univention,dc=schein,dc=me' command d

Run slapschema to get more information:
slapschema

60cc90d7 UNKNOWN attributeDescription "WEBWEAVERACTIVATED" inserted.
#(65) Object class violation: unrecognized objectClass 'webweaverUser'
dn: uid=Administrator,cn=users,dc=schein,dc=qa
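As an added example (not part of the original post), the following POSIX sh script pulls the facts an admin needs out of the two outputs above: the objectClass slapd rejects, the attribute type slapschema cannot resolve, the affected DNs, and how many schema-check failures were logged. The sample syslog and slapschema text embedded in it is constructed, modelled on the excerpts in this post; hostnames, DNs and timestamps are placeholders, and slapd writes plain ASCII single quotes around the objectClass name.

```shell
#!/bin/sh
# Added example, not from the original post: summarise slapd schema-check
# failures and slapschema violations so the missing objectClass, the missing
# attribute and the affected entries are listed in one go.
#
# The sample inputs below are CONSTRUCTED, modelled on the excerpts in the
# post; hostnames, DNs and timestamps are placeholders, not a real capture.

SAMPLE_SYSLOG="Jun 16 08:44:07 ucs01 slapd[1705]: entry failed schema check: unrecognized objectClass 'webweaverUser'
Jun 16 08:44:08 ucs01 slapd[1705]: conn=1001 op=2 SRCH base=\"dc=schein,dc=me\" scope=2 filter=\"(uid=Administrator)\"
Jun 16 08:44:09 ucs01 slapd[1705]: entry failed schema check: unrecognized objectClass 'webweaverUser'
Jun 16 08:44:10 ucs01 slapd[1705]: entry failed schema check: unrecognized objectClass 'exampleSchemaUser'"

SAMPLE_SLAPSCHEMA="60cc90d7 UNKNOWN attributeDescription \"WEBWEAVERACTIVATED\" inserted.
#(65) Object class violation: unrecognized objectClass 'webweaverUser'
dn: uid=Administrator,cn=users,dc=schein,dc=me

#(65) Object class violation: unrecognized objectClass 'webweaverUser'
dn: uid=alice,cn=users,dc=schein,dc=me
"

# Distinct objectClass names slapd rejected, one per line, sorted.
unknown_objectclasses() {
    printf '%s\n' "$1" \
        | sed -n "s/.*unrecognized objectClass '\([^']*\)'.*/\1/p" \
        | sort -u
}

# Attribute types slapschema could not resolve against the loaded schema.
unknown_attributes() {
    printf '%s\n' "$1" \
        | sed -n 's/.*UNKNOWN attributeDescription "\([^"]*\)" inserted.*/\1/p' \
        | sort -u
}

# DNs that slapschema flagged; each violation block ends with a "dn:" line.
affected_dns() {
    printf '%s\n' "$1" | sed -n 's/^dn: //p'
}

# Number of schema-check failures slapd logged. awk is used so that an
# empty result prints 0 instead of ending the pipeline non-zero like grep -c.
count_failures() {
    printf '%s\n' "$1" | awk '/entry failed schema check/ { n++ } END { print n + 0 }'
}

# Human-readable summary of both inputs.
schema_report() {
    syslog=$1
    schema_out=$2
    echo "schema-check failures in syslog: $(count_failures "$syslog")"
    echo "unrecognized objectClasses:"
    unknown_objectclasses "$syslog" | sed 's/^/  /'
    echo "unknown attribute types (slapschema):"
    unknown_attributes "$schema_out" | sed 's/^/  /'
    echo "entries that fail the schema check:"
    affected_dns "$schema_out" | sed 's/^/  /'
}

schema_report "$SAMPLE_SYSLOG" "$SAMPLE_SLAPSCHEMA"
```

On a real UCS host the two sample strings would be replaced by the live data, for example schema_report "$(grep 'slapd\[' /var/log/syslog)" "$(slapschema 2>&1)". A non-empty "unrecognized objectClasses" list is the signal that a schema extension was unregistered while entries still reference it, which is exactly the state that makes id and the posixAccount ldapsearch above come back empty.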

Solution:

Try first:

nscd -i passwd
systemctl restart nscd.service

But in this case the schema from webweaver had been removed.
If webweaver is still installed and should remain in use, you can re-register the schema like this:

root@ucs01:~# univention-app register webweaver --do-it
Registering component for webweaver=2.0.0-6
Creating data directories for webweaver...
Registering UCR for webweaver
Marking webweaver=2.0.0-6 as installed
Adding localhost to LDAP object
Registering schema /usr/share/univention-appcenter/apps/webweaver/webweaver.schema
Password for Administrator:
Object created: cn=webweaver,cn=ldapschema,cn=univention,dc=schein,dc=me

Object modified: cn=webweaver,cn=ldapschema,ccn=univention,dc=schein,dc=me

Waiting for activation of the extension object webweaver: ............OK
Registering attribute webweaverActivated

If webweaver is no longer used, you can remove the app and remove all references from LDAP.
By default, schemas used by an app are NOT automatically removed, and they should not be: entries that still carry the app's objectClass would fail the schema check, as seen above.
