[RESOLVED] UNIVENTION_LDAP_AUTH is CRITICAL on UCS Master

openldap
ucs-4-2

#1

Hi,

I updated my UCS master and backup 3 months ago to 4.2. But I forgot to double-check all functions, because UMC was fine and the shares were reachable. Yesterday I repaired the samba DRS replication and rejoined the backup AD controller.

  • Master (SV002):
    UCS: 4.2-2 errata204
    App Center compatibility: 4
    Installed: cups=1.7.5 dhcp-server=11.0.0 mailserver=11 mobydick=1.0.0 nagios=3.5 pkgdb=10 samba4=4.6 squid=3.4
    Upgradable:

  • Backup (S005):
    UCS: 4.2-2 errata204
    App Center compatibility: 4
    Installed: mobydick=1.0.0 pkgdb=10 squid=3.4
    Upgradable:

On both (AD-master and -backup) I have the system diagnostic problem “Check validity of SSL certificates” with this python stack.

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 263, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/02_certificate_check.py", line 287, in run
    cert_verify = list(verify_local(all_certificates))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/02_certificate_check.py", line 258, in verify_local
    for error in verifier.verify_root():
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/02_certificate_check.py", line 202, in verify_root
    for error in self.verify(self.root_cert_path):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/02_certificate_check.py", line 206, in verify
    for error in self._verify_timestamps(cert_path):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/02_certificate_check.py", line 171, in _verify_timestamps
    valid_from = self.parse_generalized_time(cert.get_notBefore())
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/02_certificate_check.py", line 141, in parse_generalized_time
    date = datetime.datetime.strptime(sans_mircoseconds, date_format)
ImportError: Failed to import _strptime because the import lock is held by another thread.
Univention Support Database - Renewing the TLS/SSL certificates

On the AD master server I additionally have the nagios alarm UNIVENTION_LDAP_AUTH is CRITICAL and hourly cronjob error mails like this:

could not open policy for cn=sv002,cn=dc,cn=computers,dc=intra,dc=domain,dc=com

could not open policy for cn=sv002,cn=dc,cn=computers,dc=intra,dc=domain,dc=com

run-parts: /usr/lib/univention-directory-policy/univention-policy-maintenance exited with return code 49
could not open policy for cn=sv002,cn=dc,cn=computers,dc=intra,dc=domain,dc=com


run-parts: /usr/lib/univention-directory-policy/univention-policy-repository-sync exited with return code 1
could not open policy for cn=sv002,cn=dc,cn=computers,dc=intra,dc=domain,dc=com


run-parts: /usr/lib/univention-directory-policy/univention-policy-set-repository-server exited with return code 1
could not open policy for cn=sv002,cn=dc,cn=computers,dc=intra,dc=domain,dc=com

run-parts: /usr/lib/univention-directory-policy/univention-policy-update-config-registry exited with return code 1

Where is the basic error and how can I repair this?

Thanks
Ulf


#2

Good afternoon Ulf,

It could be that the certificate has expired. Below is a guide to checking whether the certificate is valid, and also on how to renew it.

Regards
Anna Takang


#3

Hi Anna,

The certificate of my ucs-master is valid:

root@sv002:~# univention-certificate dump -name sv002.intra.domain.com
Dump certificate: sv002.intra.domain.com
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=DE, L=DE, O=XXXXXXX, OU=Univention Corporate Server, CN=Univention Corporate Server Root CA (ID=ee4KkQBj)/emailAddress=ssl@intra.domain.com
        Validity
            Not Before: Sep  6 12:44:25 2015 GMT
            Not After : Sep  4 12:44:25 2020 GMT

I think there is a problem with the machine account password, because at the moment dhcpd won’t start:

Nov  7 15:49:07 sv002 dhcpd: Error: Cannot login into ldap server sv002.intra.domain.com:7389: Invalid credentials
Nov  7 15:49:07 sv002 dhcpd: Configuration file errors encountered -- exiting
Nov  7 15:49:07 sv002 dhcpd:
Nov  7 15:49:07 sv002 dhcpd: If you think you have received this message due to a bug rather
Nov  7 15:49:07 sv002 dhcpd: than a configuration issue please read the section on submitting
Nov  7 15:49:07 sv002 dhcpd: bugs on either our web page at www.isc.org or in the README file
Nov  7 15:49:07 sv002 dhcpd: before submitting a bug.  These pages explain the proper
Nov  7 15:49:07 sv002 dhcpd: process and the information we find helpful for debugging..
Nov  7 15:49:07 sv002 dhcpd:
Nov  7 15:49:07 sv002 dhcpd: exiting.

I copied the password from /etc/machine.secret into the password fields of the computer account in UMC: no login via LDAP.
I pasted a new password into /etc/machine.secret and into the password fields of the computer account in UMC: no luck, no login via LDAP.

root@sv002:~# univention-ldapsearch '(uid=Administrator)'
ldap_bind: Invalid credentials (49)
root@sv002:~# univention-ldapsearch '(uid=Administrator)' -x -D uid=Administrator,cn=users,dc=intra,dc=domain,dc=com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=intra,dc=domain,dc=com> (default) with scope subtree
# filter: (uid=Administrator)
# requesting: ALL
#

# Administrator, users, intra.domain.com
dn: uid=Administrator,cn=users,dc=intra,dc=domain,dc=com
.....

How can I reset the computer password of the domain master computer account? Or do I have to change it in more files?

Thanks
Ulf


#4

Good afternoon Ulf,

The command below will help you to reset the password of the domain master computer account:

udm computers/domaincontroller_master modify --dn "$(ucr get ldap/hostdn)" --set password="NewPassword"

  • You then have to write it into /etc/machine.secret:
    echo -n 'NewPassword' > /etc/machine.secret

Maybe the article below will be helpful.

https://help.univention.com/t/manually-trigger-server-password-change/6376

Regards

Anna Takang
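Two helpers around the reset described in this answer, added here as an example and not code from the thread or from Univention: one writes /etc/machine.secret the way the echo -n step intends (no trailing newline, mode 0600, atomic replace) and checks it, the other classifies the cron-mail and dhcpd lines quoted earlier in the thread so the "Invalid credentials (49)" symptom can be spotted automatically. The target path, the sample log lines and the function names are constructed for the example; udm and ucr are not called.

```shell
#!/bin/sh
# Added example (not from the thread or Univention). Assumes POSIX sh and
# GNU stat(1); the secret path is passed in so it can be tested on a temp file.

# Write the machine secret like `echo -n 'NewPassword' > /etc/machine.secret`,
# but atomically and with mode 0600: printf '%s' adds no trailing newline,
# umask 077 in a subshell gives the temp file 0600, mv replaces in one step.
write_machine_secret() {  # $1 = secret, $2 = target path
    secret=$1; target=$2; tmp="$target.tmp.$$"
    ( umask 077 && printf '%s' "$secret" > "$tmp" ) || return 1
    mv -f "$tmp" "$target"
}

# Return 0 only if the file has mode 0600 and exactly the expected bytes.
# A stray trailing newline (from `echo` without -n or an editor) makes the
# stored password differ from the LDAP one and yields bind error 49.
check_machine_secret() {  # $1 = path, $2 = expected secret
    [ "$(stat -c '%a' "$1")" = "600" ] || return 1
    # "; printf x" keeps a trailing newline from being stripped by $(...)
    [ "$(cat "$1"; printf x)" = "${2}x" ]
}

# Classify log text read from stdin. Exit code 49 from univention-policy-*
# or an "Invalid credentials" bind error means the machine account password
# in LDAP and /etc/machine.secret have drifted apart.
classify_ldap_auth_log() {
    log=$(cat)
    case $log in
        *"Invalid credentials"*|*"exited with return code 49"*)
            echo machine-secret-mismatch ;;
        *"could not open policy"*)
            echo policy-lookup-failed ;;
        *)  echo ok ;;
    esac
}

# Constructed sample in the shape of the cron mail quoted in the thread.
sample_cron_mail() {
    printf '%s\n' \
      'could not open policy for cn=sv002,cn=dc,cn=computers,dc=intra,dc=domain,dc=com' \
      'run-parts: /usr/lib/univention-directory-policy/univention-policy-maintenance exited with return code 49'
}
```

Run `sample_cron_mail | classify_ldap_auth_log` to see the classification; after a real reset, `check_machine_secret /etc/machine.secret 'NewPassword'` confirms the file matches what was given to udm.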


#5

Good morning Anna,

thanks a lot for the information. I couldn’t find these lines and the article anymore :-(. I knew I had seen it somewhere.

After setting the password via udm and /etc/machine.secret the LDAP-Connection works again and the DHCP-Server started successfully. Only the system check said kinit could not be initialized. So I followed the steps in the linked sdb article and triggered a password change. After that I have no system errors.

Thanks a lot for your support.

Ulf