SSH connection to another UCS server failed!

#1

Hello everyone,

I get the following error message in the system diagnostic of my AD master:

[quote]The SSH connection to at least one other UCS server failed. The following list shows the affected remote hosts and the reason for the failed SSH connection.

ucs-fileserver - Authentication with the machine account failed!
ucs-fileserver.bundr.intranet - Authentication with the machine account failed!

Authentication with the machine account failed - The login on the remote host with the uid admaster$ and the password from /etc/machine.secret failed. Please check /var/log/auth.log on the remote host for further information.[/quote]

Scenario: server 1 is configured as AD master, server 2 is the "ucs-fileserver".
Nagios also runs on the AD master, and Nagios also reports errors saying that no SSH access from the AD master to the UCS file server is possible.

Via PuTTY, however, I can log in to the file server as root over SSH.

Here is the content of /var/log/auth.log on the file server:

[quote]Dec 8 10:57:28 ucs-fileserver sshd[32082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=admaster.bundr.intranet user=admaster$
Dec 8 10:57:28 ucs-fileserver sshd[32082]: pam_krb5(sshd:auth): authentication failure; logname=admaster$ uid=0 euid=0 tty=ssh ruser= rhost=admaster.bundr.intranet
Dec 8 10:57:29 ucs-fileserver sshd[32080]: error: PAM: Authentication service cannot retrieve authentication info for admaster$ from admaster.bundr.intranet
Dec 8 10:57:29 ucs-fileserver sshd[32085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=admaster.bundr.intranet user=admaster$
Dec 8 10:57:29 ucs-fileserver sshd[32085]: pam_krb5(sshd:auth): authentication failure; logname=admaster$ uid=0 euid=0 tty=ssh ruser= rhost=admaster.bundr.intranet
Dec 8 10:57:30 ucs-fileserver sshd[32083]: error: PAM: Authentication service cannot retrieve authentication info for admaster$ from admaster.bundr.intranet[/quote]

How do I get the AD master to connect to the UCS file server with its machine account again?

I seem to be unable to see the forest for the trees ^^

Regards

O. Bertgen
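The auth.log excerpt above is the kind of evidence a defender wants summarized rather than read line by line: which account fails, from which host, and in which PAM module. The following script is an added example, not code from the thread or from Univention. It reads auth.log lines on stdin, counts sshd PAM failures per (account, source host, module), and filters for UCS machine accounts (uid ending in `$`). The sample log embedded in it is constructed to mirror the lines posted above, with a successful login and an ordinary user failure added so the filter has something to leave out; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): summarize sshd PAM authentication
# failures in /var/log/auth.log per account, source host and PAM module, and
# single out machine accounts (uid ending in "$"). The sample log below is
# constructed to mirror the lines posted in the thread, plus a successful login
# and an ordinary user failure so the machine-account filter has work to do.

SAMPLE_AUTH_LOG='Dec  8 10:57:28 ucs-fileserver sshd[32082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=admaster.bundr.intranet user=admaster$
Dec  8 10:57:28 ucs-fileserver sshd[32082]: pam_krb5(sshd:auth): authentication failure; logname=admaster$ uid=0 euid=0 tty=ssh ruser= rhost=admaster.bundr.intranet
Dec  8 10:57:29 ucs-fileserver sshd[32080]: error: PAM: Authentication service cannot retrieve authentication info for admaster$ from admaster.bundr.intranet
Dec  8 10:57:29 ucs-fileserver sshd[32085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=admaster.bundr.intranet user=admaster$
Dec  8 10:58:01 ucs-fileserver sshd[32090]: Accepted password for Administrator from 192.168.9.50 port 51234 ssh2
Dec  8 10:59:12 ucs-fileserver sshd[32100]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.9.50 user=bob'

# summarize_auth_failures: auth.log on stdin -> "<count> <user> <rhost> <module>"
# lines, most frequent first. PAM module failures are counted by module name;
# sshd's "cannot retrieve authentication info" lines are reported under the
# pseudo-module "pam_lookup", since they point at the backend (LDAP/Kerberos)
# rather than at a wrong password.
summarize_auth_failures() {
    awk '
        /sshd\[[0-9]+\]: pam_[a-z0-9_]+\(sshd:auth\): authentication failure/ {
            module = $6; sub(/\(.*/, "", module)
            user = ""; rhost = ""
            for (i = 7; i <= NF; i++) {
                # pam_krb5 carries the account in logname=, pam_unix in user=
                if ($i ~ /^logname=./ && user == "") user = substr($i, 9)
                if ($i ~ /^user=/)  user  = substr($i, 6)
                if ($i ~ /^rhost=/) rhost = substr($i, 7)
            }
            count[(user == "" ? "?" : user) " " rhost " " module]++
        }
        /sshd\[[0-9]+\]: error: PAM: Authentication service cannot retrieve authentication info for/ {
            # "... info for <user> from <rhost>"
            count[$(NF-2) " " $NF " pam_lookup"]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# machine_account_failures: keep only rows whose account ends in "$", i.e. the
# UCS host accounts that authenticate with the password from /etc/machine.secret.
machine_account_failures() {
    summarize_auth_failures | awk '$2 ~ /\$$/'
}

# Usage on a real host: machine_account_failures < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | machine_account_failures
```

A `pam_lookup` row for a machine account, as in the thread, says the file server could not look the account up at all, which is a different problem from a mismatched password and is the first thing to check against the LDAP server the member server joins.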


#2

What role does the file server have? Please run the following on it:

ucr get server/role

#3

Hello SirTux,

it is a memberserver.

[quote]root@ucs-fileserver:~# ucr get server/role
memberserver
[/quote]


#4

OK, can other domain accounts log in to the file server? Otherwise I would reset the password of the file server.


#5

Yep, everything else works.

I also have a mail server running under UCS as a memberserver.

That works without problems.

I had already changed the root password of the file server once, but unfortunately the problem remained.


#6

And is everything fine on the master as well? Does this work:

univention-ldapsearch cn=admaster

#7

[quote]# extended LDIF

LDAPv3

base <dc=bundr,dc=intranet> (default) with scope subtree

filter: cn=admaster

requesting: ALL

admaster, dc, computers, bundr.intranet

dn: cn=admaster,cn=dc,cn=computers,dc=bundr,dc=intranet
cn: admaster
krb5PrincipalName: host/admaster.bundr.intranet@BUNDR.INTRANET
objectClass: top
objectClass: person
objectClass: univentionHost
objectClass: univentionDomainController
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: univentionObject
objectClass: univentionNagiosHostClass
uidNumber: 2001
sambaAcctFlags: [S ]
krb5MaxLife: 86400
uid: admaster$
krb5MaxRenew: 604800
loginShell: /bin/sh
univentionObjectType: computers/domaincontroller_master
krb5KDCFlags: 126
univentionServerRole: master
displayName: admaster
associatedDomain: bundr.intranet
sn: admaster
homeDirectory: /dev/null
gidNumber: 5005
univentionNagiosEnabled: 1
sambaPrimaryGroupSID: S-1-5-21-1929849559-3446259309-261520240-1105
univentionOperatingSystem: Univention Corporate Server
sambaSID: S-1-5-21-1929849559-3446259309-261520240-1000
aRecord: 192.168.9.1
macAddress: 00:22:64:c4:e9:d0
univentionOperatingSystemVersion: 4.1-0
univentionService: LDAP
univentionService: NFS
univentionService: DNS
univentionService: Samba 4
univentionService: S4 Connector
univentionService: NAGIOS
univentionService: univention-saml
univentionService: Univention Management Console
krb5Key::
krb5Key::
krb5Key::
krb5Key::
krb5Key::
krb5Key::
krb5Key::
krb5KeyVersionNumber: 7
userPassword::
sambaNTPassword:

search result

search: 3
result: 0 Success

numResponses: 2

numEntries: 1

[/quote]

I removed the password hashes.


#8

Are there any relevant differences between the two memberservers in

ucr search auth/sshd

#9

No, no differences.

On both memberservers nothing is returned.


#10

Does a manual SSH login with admaster$ on the memberserver work? The only thing I can still imagine is that the password stored in the Nagios configuration is wrong.


#11

I cannot log in with that account on either memberserver,
because I do not know its password at all.

Does the AD master assign itself one here?

Because it is not the root password of the AD.


#12

Hello!

Authentication goes through LDAP. Since ucs-fileserver.bundr.intranet is a server with the Member role, it accesses the LDAP that runs on admaster.bundr.intranet. auth.log shows that the access to the LDAP on admaster failed. Can the following commands be executed correctly on ucs-fileserver?

[code]host admaster.bundr.intranet
ssh ucs-fileserver$@admaster.bundr.intranet

The machine's password is in /etc/machine.secret

[/code]

Is a login as user Administrator possible? root is a local account on ucs-fileserver, which is why logging in with it works.

Does the system diagnostic on ucs-fileserver show any errors?

Best regards
Dr. Alexander Kläser


#13

[quote="O. Bertgen"]Does the AD master assign itself one here?

Because it is not the root password of the AD.[/quote]

For completeness: when a UCS system is set up initially, a password is generated automatically in /etc/machine.secret, which is then set for the system's LDAP account during the join process.

Regards
Dr. Alexander Kläser


#14

Hello Mr Kläser,

Logging in to ucs-fileserver as user "Administrator" works without problems, both via ssh and via the web frontend.

System diagnostic display on ucs-fileserver:[quote]Warning: package status corrupt
The package status of 8 packages is corrupt.
To correct the package status, log in to the system via ssh as root and run the command "dpkg --configure -a".
Further information about the cause can be obtained by running "dpkg --audit".[/quote]

I will run that command right away.

[quote]Administrator@ucs-fileserver:~$ host admaster.bundr.intranet
admaster.bundr.intranet has address 192.168.9.1
[/quote]

I had already tried the password from the same file on the AD master here, but that did not bring any improvement.

O. Bertgen


#15

Result of dpkg --configure -a:

[quote]root@ucs-fileserver:~# dpkg --configure -a
univention-management-console-web-server (5.0.63-5.1192.201511191842) wird einge richtet …
Module: setup_saml_sp
skipping UCR registration
File: /usr/share/univention-management-console-frontend/entries.json
File: /etc/apache2/sites-available/univention-management-console
[info] Starting Univention Management Console Web Server.
done.
Module proxy already enabled
Considering dependency proxy for proxy_connect:
Module proxy already enabled
Module proxy_connect already enabled
Considering dependency proxy for proxy_http:
Module proxy already enabled
Module proxy_http already enabled
Module headers already enabled
Site univention-management-console already enabled
[ ok ] Restarting web server: apache2 … waiting .
W: The config registry variable ‘umc/web/timeout’ does not exist
W: The config registry variable ‘umc/web/language’ does not exist
W: The config registry variable ‘umc/web/response/timeout’ does not exist
W: The config registry variable ‘umc/raw/debug/level’ does not exist
W: The config registry variable ‘umc/raw/response/timeout’ does not exist
W: The config registry variable ‘umc/module/watchdog/timeout’ does not exist
Not updating umc/http/session/timeout
Not updating umc/http/autostart
Not updating umc/http/port
Not updating umc/http/interface
Not updating umc/server/upload/min_free_space
Trigger für python-support werden verarbeitet …
univention-updater (11.0.7-6.1436.201512011855) wird eingerichtet …
Not updating update/warning
Not updating update/warning/coloured
Not updating update/warning/lang
Not updating update/warning/tty
Not updating update/umc/nextversion
Not updating repository/online
Not updating repository/online/server
Not updating repository/online/unmaintained
Not updating repository/mirror
Not updating repository/mirror/threads
Not updating repository/mirror/recreate_packages
Not updating repository/mirror/basepath
Not updating repository/credentials/Univention Software Repository/uris
Not updating update/custom/preup
Not updating update/custom/postup
Not updating update/commands/update
Not updating update/commands/show
Not updating update/commands/install
Not updating update/commands/install/interactive
Not updating update/commands/remove
Not updating update/commands/remove/interactive
Not updating update/commands/configure
Not updating update/commands/distupgrade/simulate
Not updating update/commands/distupgrade
Not updating update/commands/upgrade/simulate
Not updating update/commands/upgrade
Not updating update/check/cron/enabled
Not updating update/check/cron/debug
Not updating update/check/cron/entry
Not updating update/check/boot/enabled
Not updating update/check/boot/debug
Not updating update/available
Not updating version/version
Not updating version/patchlevel
Not updating version/erratalevel
Setting version/releasename
Not updating uuid/system
File: /etc/lsb-release
File: /etc/cron.d/univention-updater-check
File: /etc/apt/apt.conf.d/55user_agent
File: /etc/logrotate.d/univention-updater
File: /etc/apt/sources.list.d/20_ucs-online-component.list
File: /etc/apt/mirror.list
File: /etc/apt/sources.list.d/15_ucs-online-version.list
waiting for listener modules to finish
waiting for listener modules to finish
waiting for listener modules to finish
waiting for listener modules to finish
waiting for listener modules to finish
waiting for listener modules to finish
listener shutdown done
univention-management-console-module-updater (11.0.7-6.1436.201512011855) wird eingerichtet …
[info] Reloading Univention Management Console Server.
done.
Trigger für univention-config werden verarbeitet …
univention-management-console-module-appcenter (5.0.19-10.73.201511251502) wird eingerichtet …
[info] Reloading Univention Management Console Server.
done.
Not updating repository/app_center/server
Not updating appcenter/domainwide
univention-management-console-module-apps (5.0.19-10.73.201511251502) wird eingerichtet …
File: /usr/share/univention-management-console/modules/apps.xml
File: /usr/share/univention-management-console/i18n/de/apps.mo
[info] Reloading Univention Management Console Server.
done.
Trigger für python-support werden verarbeitet …
[/quote]

The error message on the AD master is still present.

Error message of the system diagnostic on ucs-fileserver: Success: No problems were found.


#16

Hello Mr Bertgen,

OK, good.

Very good.

[quote="O. Bertgen"]I had already tried the password from the same file on the AD master here, but that did not bring any improvement.[/quote]

I suspect that something is not quite right with the computer account of admaster. Could you please run the following command as root on admaster, on ucs-fileserver and, if you like, also on the mail server, and report the result:

eval "$(ucr shell)"; univention-ldapsearch -LLL objectClass=univentionHost cn | sed -n '/cn:/p' | while read cn ihost; do echo "### Connecting to $ihost as $hostname\$ ###"; univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" /usr/sbin/ucr search ^version/ & wait; done

This attempts to connect to all existing hosts with the local machine's account and queries the UCR version. That should show us which machine accounts can connect where, and with which account there are potentially problems.

Best regards
Dr. Alexander Kläser
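The one-liner above, and the `ssh ucs-fileserver$@admaster.bundr.intranet` check suggested earlier in the thread, both answer the same question: which machine accounts can still authenticate to which hosts. The script below is an added example, not code from the thread or from Univention. It restructures that check so each host yields one `HOST OK <version>` or `HOST FAIL <reason>` line that can be diffed between systems. On a real UCS host the `SSH_CMD` variable defaults to `univention-ssh`; `fake_ssh` is a constructed stand-in so the script runs offline, with replies that mirror the outcomes reported in this thread. The function names and the host list are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread or from Univention): the
# machine-account reachability check from the post above, restructured so each
# host yields one "HOST OK <version>" or "HOST FAIL <reason>" line.
# SSH_CMD defaults to univention-ssh on a real UCS host; fake_ssh below is a
# constructed stand-in whose replies mirror the outcomes seen in this thread.

# check_host SECRET_FILE ACCOUNT FQDN: run `ucr get version/version` on FQDN.
check_host() {
    secret=$1; account=$2; host=$3
    # stdin is redirected from /dev/null so a real ssh cannot swallow the rest
    # of the host list that check_all_hosts is still reading (the original
    # one-liner's "& wait" has the same effect for background jobs).
    if out=$("${SSH_CMD:-univention-ssh}" "$secret" "$account@$host" \
                /usr/sbin/ucr get version/version 2>&1 </dev/null); then
        # drop the harmless "Could not chdir to home directory /dev/null" noise
        version=$(printf '%s\n' "$out" | grep -v 'Could not chdir' | tail -n 1)
        printf '%s OK %s\n' "$host" "$version"
    else
        printf '%s FAIL %s\n' "$host" "$(printf '%s\n' "$out" | tail -n 1)"
    fi
}

# check_all_hosts SECRET_FILE ACCOUNT DOMAIN: host names (LDAP cn) on stdin.
# Real use, after eval "$(ucr shell)":
#   univention-ldapsearch -LLL objectClass=univentionHost cn | sed -n 's/^cn: //p' \
#       | check_all_hosts /etc/machine.secret "$hostname\$" "$domainname"
check_all_hosts() {
    secret=$1; account=$2; domain=$3
    while read -r cn; do
        [ -n "$cn" ] || continue
        check_host "$secret" "$account" "$cn.$domain"
    done
}

# fake_ssh SECRET ACCOUNT@HOST COMMAND...: constructed stand-in for univention-ssh.
fake_ssh() {
    case $2 in
        *@admaster.bundr.intranet|*@dc-backup.bundr.intranet)
            echo 'Could not chdir to home directory /dev/null: Not a directory' >&2
            echo '4.1'
            return 0 ;;
        *@ucs-fileserver.bundr.intranet)
            echo 'Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).' >&2
            return 255 ;;
        *)
            echo "ssh: connect to host ${2#*@} port 22: No route to host" >&2
            return 255 ;;
    esac
}

# demo: run the check over a constructed host list with the stand-in.
demo() {
    (
        SSH_CMD=fake_ssh
        printf '%s\n' admaster ucs-fileserver dc-backup CSIMON-PC |
            check_all_hosts /etc/machine.secret 'admaster$' bundr.intranet
    )
}

demo
```

Run from each UCS system in turn, the resulting tables make the pattern in this thread visible at a glance: a single host that fails for every caller points at that host's own configuration, while a single account that fails everywhere points at that account's entry in LDAP.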


#17

I have noticed something else.

When I start the system diagnostic on ucs-mailserver, the same error message appears as on the AD master:

[quote]ucs-fileserver - Authentication with the machine account failed!
ucs-fileserver.bundr.intranet - Authentication with the machine account failed![/quote]

The DC backup shows the same error.

Maybe that helps?

Then it seems to be more of a problem with the ucs-fileserver. Is there some variable that prevents machines from logging in to the ucs-fileserver via the machine account?

Output AD master:

[quote]root@admaster:~# eval "$(ucr shell)"; univention-ldapsearch -LLL objectClass=univentionHost cn | sed -n '/cn:/p' | while read cn ihost; do echo "### Connecting to $ihost as $hostname\$ ###"; univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" /usr/sbin/ucr search ^version/ & wait; done

Connecting to admaster as admaster$

Could not chdir to home directory /dev/null: Not a directory
version/erratalevel: 14
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed errata updates.

version/patchlevel: 0
Four types of Univention Configuration Registry updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed patch level release.

version/releasename: Vahr
This variable contains the codename of the UCS release.

version/version: 4.1
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of major and minor update.

Connecting to MOBIL1-OLLI-PC as admaster$

ssh: connect to host MOBIL1-OLLI-PC.bundr.intranet port 22: No route to host

Connecting to ucs-fileserver as admaster$

Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).

Connecting to dc-backup as admaster$

Could not chdir to home directory /dev/null: Not a directory
version/erratalevel: 14
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed errata updates.

version/patchlevel: 0
Four types of Univention Configuration Registry updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed patch level release.

version/releasename: Vahr
This variable contains the codename of the UCS release.

version/version: 4.1
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of major and minor update.

Connecting to ucs-mailserver as admaster$

Could not chdir to home directory /dev/null: Not a directory
version/erratalevel: 14
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed errata updates.

version/patchlevel: 0
Four types of Univention Configuration Registry updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed patch level release.

version/releasename: Vahr
This variable contains the codename of the UCS release.

version/version: 4.1
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of major and minor update.

Connecting to OLLI-MINI10 as admaster$

ssh: Could not resolve hostname OLLI-MINI10.bundr.intranet: Name or service not known

Connecting to Nuvera144 as admaster$

Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

Connecting to ucs-4170-testrechner as admaster$

ssh: connect to host ucs-4170-testrechner.bundr.intranet port 22: No route to host

Connecting to CSIMON-PC as admaster$

ssh: connect to host CSIMON-PC.bundr.intranet port 22: No route to host
[/quote]

Output ucs-fileserver:

[quote]root@ucs-fileserver:~# eval "$(ucr shell)"; univention-ldapsearch -LLL objectClass=univentionHost cn | sed -n '/cn:/p' | while read cn ihost; do echo "### Connecting to $ihost as $hostname\$ ###"; univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" /usr/sbin/ucr search ^version/ & wait; done

Connecting to admaster as ucs-fileserver$

Warning: the RSA host key for ‘admaster.bundr.intranet’ differs from the key for the IP address ‘192.168.9.1’
Offending key for IP in /root/.ssh/known_hosts:2
Matching host key in /root/.ssh/known_hosts:4
Could not chdir to home directory /dev/null: Not a directory
version/erratalevel: 14
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed errata updates.

version/patchlevel: 0
Four types of Univention Configuration Registry updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed patch level release.

version/releasename: Vahr
This variable contains the codename of the UCS release.

version/version: 4.1
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of major and minor update.

Connecting to MOBIL1-OLLI-PC as ucs-fileserver$

ssh: connect to host MOBIL1-OLLI-PC.bundr.intranet port 22: No route to host

Connecting to ucs-fileserver as ucs-fileserver$

Warning: Permanently added ‘ucs-fileserver.bundr.intranet,192.168.9.247’ (RSA) to the list of known hosts.
Could not chdir to home directory /dev/null: Not a directory
version/erratalevel: 14
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed errata updates.

version/patchlevel: 0
Four types of Univention Configuration Registry updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed patch level release.

version/releasename: Vahr
This variable contains the codename of the UCS release.

version/version: 4.1
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of major and minor update.

Connecting to dc-backup as ucs-fileserver$

Warning: Permanently added ‘dc-backup.bundr.intranet,192.168.9.8’ (RSA) to the list of known hosts.
Could not chdir to home directory /dev/null: Not a directory
version/erratalevel: 14
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed errata updates.

version/patchlevel: 0
Four types of Univention Configuration Registry updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed patch level release.

version/releasename: Vahr
This variable contains the codename of the UCS release.

version/version: 4.1
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of major and minor update.

Connecting to ucs-mailserver as ucs-fileserver$

Warning: Permanently added ‘ucs-mailserver.bundr.intranet,192.168.9.249’ (RSA) to the list of known hosts.
Could not chdir to home directory /dev/null: Not a directory
version/erratalevel: 14
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed errata updates.

version/patchlevel: 0
Four types of Univention Configuration Registry updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed patch level release.

version/releasename: Vahr
This variable contains the codename of the UCS release.

version/version: 4.1
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of major and minor update.

Connecting to OLLI-MINI10 as ucs-fileserver$

ssh: Could not resolve hostname OLLI-MINI10.bundr.intranet: Name or service not known

Connecting to Nuvera144 as ucs-fileserver$

Warning: Permanently added ‘nuvera144.bundr.intranet,192.168.9.210’ (RSA) to the list of known hosts.
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

Connecting to ucs-4170-testrechner as ucs-fileserver$

ssh: connect to host ucs-4170-testrechner.bundr.intranet port 22: No route to host

Connecting to CSIMON-PC as ucs-fileserver$

ssh: connect to host CSIMON-PC.bundr.intranet port 22: No route to host
[/quote]

Output ucs-mailserver:

[quote]root@ucs-mailserver:~# eval "$(ucr shell)"; univention-ldapsearch -LLL objectClass=univentionHost cn | sed -n '/cn:/p' | while read cn ihost; do echo "### Connecting to $ihost as $hostname\$ ###"; univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" /usr/sbin/ucr search ^version/ & wait; done

Connecting to admaster as ucs-mailserver$

Could not chdir to home directory /dev/null: Not a directory
version/erratalevel: 14
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed errata updates.

version/patchlevel: 0
Four types of Univention Configuration Registry updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed patch level release.

version/releasename: Vahr
This variable contains the codename of the UCS release.

version/version: 4.1
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of major and minor update.

Connecting to MOBIL1-OLLI-PC as ucs-mailserver$

ssh: connect to host MOBIL1-OLLI-PC.bundr.intranet port 22: No route to host

Connecting to ucs-fileserver as ucs-mailserver$

Warning: Permanently added ‘ucs-fileserver.bundr.intranet,192.168.9.247’ (RSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).

Connecting to dc-backup as ucs-mailserver$

Warning: Permanently added ‘dc-backup.bundr.intranet,192.168.9.8’ (RSA) to the list of known hosts.
Could not chdir to home directory /dev/null: Not a directory
version/erratalevel: 14
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed errata updates.

version/patchlevel: 0
Four types of Univention Configuration Registry updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed patch level release.

version/releasename: Vahr
This variable contains the codename of the UCS release.

version/version: 4.1
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of major and minor update.

Connecting to ucs-mailserver as ucs-mailserver$

Warning: Permanently added ‘ucs-mailserver.bundr.intranet,192.168.9.249’ (RSA) to the list of known hosts.
Could not chdir to home directory /dev/null: Not a directory
version/erratalevel: 14
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed errata updates.

version/patchlevel: 0
Four types of Univention Configuration Registry updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of the installed patch level release.

version/releasename: Vahr
This variable contains the codename of the UCS release.

version/version: 4.1
Four types of UCS updates are differentiated: Major releases (released approximately every four years, may introduce bigger changes), minor releases (released approximately every 6-8 months, error corrections and new functions), patch level releases (released every 2-3 months, less changes compared to a minor release, focus on bugfixes) and errata updates (timely bugfixes for security problems and critical bugs). This variable is set automatically during updates and contains the version of major and minor update.

Connecting to OLLI-MINI10 as ucs-mailserver$

ssh: Could not resolve hostname OLLI-MINI10.bundr.intranet: Name or service not known

Connecting to Nuvera144 as ucs-mailserver$

Warning: Permanently added ‘nuvera144.bundr.intranet,192.168.9.210’ (RSA) to the list of known hosts.
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

Connecting to ucs-4170-testrechner as ucs-mailserver$

ssh: connect to host ucs-4170-testrechner.bundr.intranet port 22: No route to host

Connecting to CSIMON-PC as ucs-mailserver$

ssh: connect to host CSIMON-PC.bundr.intranet port 22: No route to host
[/quote]


#18

Hello everyone,

Problem solved.

On ucs-fileserver the UCR variable “sshd/passwordauthentication” was set to “no”.
After changing it to “yes” there are no more error messages in the system diagnosis of the other machines.

I probably caused the error myself. However, I am now wondering why I could then
log in to ucs-fileserver via the web frontend and via putty/ssh on the machine with a password ^^

Thanks to everyone who helped me in the forum.

Kind regards,

Oliver Bertgen


#19

Hello Mr Bertgen!

I don't think the problem is completely solved yet; so far we have only found a workaround. The UCR variable sshd/passwordauthentication is set to “no” by default, so it should not trigger the problem at hand. Could you please run the following command as root on ucs-fileserver, which lets us compare the sshd/* UCR variables of the hosts with each other (it could be that sshd/challengeresponse is set to “no”; it should be set to “yes”):

eval "$(ucr shell)"; for ihost in admaster ucs-fileserver ucs-mailserver; do echo "### Connecting to $ihost as $hostname\$ ###"; univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" "/usr/sbin/ucr search --brief ^sshd | grep -v empty" & wait; done

If the UCR variable sshd/challengeresponse on ucs-fileserver is set to “yes”, my next guess would be that manual changes were made to the file /etc/ssh/sshd_config. This file can be regenerated from the UCR variables and the SSH service restarted with the commands:

ucr commit /etc/ssh/sshd_config
/etc/init.d/ssh restart

Access to the web frontend is independent of the SSH service, and the UCR variable only concerns SSH access. Which authentication method made the access via putty/ssh possible (publickey, keyboard-interactive, password etc.) is not directly apparent to me, but it should be possible to find out from putty's debug output.

Best regards
Dr. Alexander Kläser
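The comparison that the command above performs across hosts can be scripted so that deviations are reported instead of read off by eye. The following Python is an added example, not code from the forum post or from UCS: it parses the per-host output of the `univention-ssh` loop (the echoed banner, the `sshd/...: value` lines, and a `Permission denied (...)` line where the machine-account login was refused), flags every host whose sshd/challengeresponse is not "yes", and lists keys whose values differ between the hosts that answered. The sample output is constructed here: the admaster values follow the thread, while the ucs-fileserver values and the refused login on ucs-mailserver are invented for illustration.

```python
import re

# Expected values, per the thread: sshd/challengeresponse must be "yes" so that
# keyboard-interactive (PAM) logins with the machine-account password can work.
EXPECTED = {"sshd/challengeresponse": "yes"}

# Constructed sample modelled on the loop's output in the thread (host names from the
# thread; the ucs-fileserver values and the "Permission denied" case are made up here).
SAMPLE = """\
### Connecting to admaster as ucs-fileserver$ ###
[1] 19806
Could not chdir to home directory /dev/null: Not a directory
sshd/autostart: yes
sshd/challengeresponse: yes
sshd/passwordauthentication: no
sshd/permitroot: yes
[1]+ Done univention-ssh /etc/machine.secret ...
### Connecting to ucs-fileserver as ucs-fileserver$ ###
[1] 19809
sshd/autostart: yes
sshd/challengeresponse: no
sshd/passwordauthentication: no
sshd/permitroot: yes
### Connecting to ucs-mailserver as ucs-fileserver$ ###
[1] 19853
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
"""

# Accept the echoed "### ... ###" banner as well as the bare form a forum renderer leaves.
HOST_RE = re.compile(r"^(?:###\s*)?Connecting to (\S+) as (\S+?)(?:\s*###)?$")
UCR_RE = re.compile(r"^(sshd/[\w-]+): (.*)$")
DENIED_RE = re.compile(r"^Permission denied \(([^)]*)\)\.$")


def parse_output(text):
    """Return {host: {"ucr": {key: value}, "denied_methods": [methods] or None}}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"ucr": {}, "denied_methods": None}
            continue
        if current is None:
            continue  # noise before the first banner
        m = UCR_RE.match(line)
        if m:
            hosts[current]["ucr"][m.group(1)] = m.group(2).strip()
            continue
        m = DENIED_RE.match(line)
        if m:
            # sshd lists the methods it still offers after the attempt failed.
            hosts[current]["denied_methods"] = [s.strip() for s in m.group(1).split(",")]
    return hosts


def findings(hosts, expected=EXPECTED):
    """List (host, message) for each refused login or deviation from `expected`."""
    out = []
    for host, data in hosts.items():
        if data["denied_methods"] is not None:
            offered = ", ".join(data["denied_methods"])
            out.append((host, f"machine-account login refused; server offered: {offered}"))
            continue
        for key, want in expected.items():
            got = data["ucr"].get(key)
            if got != want:
                out.append((host, f"{key} is {got!r}, expected {want!r}"))
    return out


def differing_keys(hosts):
    """Keys whose values are not identical across all hosts that returned UCR output."""
    reachable = [d["ucr"] for d in hosts.values() if d["ucr"]]
    keys = set().union(*reachable) if reachable else set()
    return sorted(k for k in keys if len({u.get(k) for u in reachable}) > 1)


if __name__ == "__main__":
    parsed = parse_output(SAMPLE)
    for host, msg in findings(parsed):
        print(f"{host}: {msg}")
    print("keys differing across hosts:", differing_keys(parsed))
```

Pipe the real loop's output into `parse_output` (for example by saving it to a file and reading it) and the script reports the same two kinds of result: hosts where the machine account could not log in at all, and hosts whose sshd/* UCR values deviate from the rest.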


#20

Hello Mr Kläser,

we can gladly keep looking :slight_smile:

Here is the output of the command run as root on ucs-fileserver:

[code]root@ucs-fileserver:~# eval "$(ucr shell)"; for ihost in admaster ucs-fileserver ucs-mailserver; do echo "### Connecting to $ihost as $hostname\$ ###"; univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" "/usr/sbin/ucr search --brief ^sshd | grep -v empty" & wait; done

### Connecting to admaster as ucs-fileserver$ ###
[1] 19806
Warning: the RSA host key for 'admaster.bundr.intranet' differs from the key for the IP address '192.168.9.1'
Offending key for IP in /root/.ssh/known_hosts:2
Matching host key in /root/.ssh/known_hosts:4
Could not chdir to home directory /dev/null: Not a directory
sshd/autostart: yes
sshd/challengeresponse: yes
sshd/passwordauthentication: no
sshd/permitroot: yes
sshd/port: 22
sshd/xforwarding: no
[1]+ Fertig univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" "/usr/sbin/ucr search --brief ^sshd | grep -v empty"

### Connecting to ucs-fileserver as ucs-fileserver$ ###
[1] 19809
Could not chdir to home directory /dev/null: Not a directory
sshd/autostart: yes
sshd/challengeresponse: yes
sshd/passwordauthentication: yes
sshd/permitroot: yes
sshd/port: 22
sshd/xforwarding: no
[1]+ Fertig univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" "/usr/sbin/ucr search --brief ^sshd | grep -v empty"

### Connecting to ucs-mailserver as ucs-fileserver$ ###
[1] 19853
Could not chdir to home directory /dev/null: Not a directory
sshd/autostart: yes
sshd/challengeresponse: yes
sshd/passwordauthentication: no
sshd/permitroot: yes
sshd/port: 22
sshd/xforwarding: no
[1]+ Fertig univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" "/usr/sbin/ucr search --brief ^sshd | grep -v empty"
[/code]

The sshd/challengeresponse variable is indeed set to “yes”, but it is on the other two servers as well.
And I have not changed the sshd config manually.

Regenerate the sshd config once and then post the result.

Result:

[quote]root@ucs-fileserver:~# ucr commit /etc/ssh/sshd_config
File: /etc/ssh/sshd_config
root@ucs-fileserver:~# /etc/init.d/ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
root@ucs-fileserver:~# eval "$(ucr shell)"; for ihost in admaster ucs-fileserver ucs-mailserver; do echo "### Connecting to $ihost as $hostname\$ ###"; univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" "/usr/sbin/ucr search --brief ^sshd | grep -v empty" & wait; done

### Connecting to admaster as ucs-fileserver$ ###
[1] 20381
Warning: the RSA host key for 'admaster.bundr.intranet' differs from the key for the IP address '192.168.9.1'
Offending key for IP in /root/.ssh/known_hosts:2
Matching host key in /root/.ssh/known_hosts:4
Could not chdir to home directory /dev/null: Not a directory
sshd/autostart: yes
sshd/challengeresponse: yes
sshd/passwordauthentication: no
sshd/permitroot: yes
sshd/port: 22
sshd/xforwarding: no
[1]+ Fertig univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" "/usr/sbin/ucr search --brief ^sshd | grep -v empty"

### Connecting to ucs-fileserver as ucs-fileserver$ ###
[1] 20384
Could not chdir to home directory /dev/null: Not a directory
sshd/autostart: yes
sshd/challengeresponse: yes
sshd/passwordauthentication: yes
sshd/permitroot: yes
sshd/port: 22
sshd/xforwarding: no
[1]+ Fertig univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" "/usr/sbin/ucr search --brief ^sshd | grep -v empty"

### Connecting to ucs-mailserver as ucs-fileserver$ ###
[1] 20428
Could not chdir to home directory /dev/null: Not a directory
sshd/autostart: yes
sshd/challengeresponse: yes
sshd/passwordauthentication: no
sshd/permitroot: yes
sshd/port: 22
sshd/xforwarding: no
[1]+ Fertig univention-ssh /etc/machine.secret "$hostname\$@$ihost.$domainname" "/usr/sbin/ucr search --brief ^sshd | grep -v empty"
[/quote]

-> On ucs-fileserver set the variable “sshd/passwordauthentication” to “no”; restarted sshd on ucs-fileserver
-> Ran “System diagnosis” on ucs-admaster: the error message is present again

Contents of /etc/ssh/sshd_config on ucs-fileserver:

[quote]# Warning: This file is auto-generated and might be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
# univention-config-registry überschrieben werden.
# Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
# /etc/univention/templates/files/etc/ssh/sshd_config

Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key

UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
PasswordAuthentication yes

# Kerberos options
KerberosAuthentication no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
Subsystem sftp /usr/lib/sftp-server
UsePAM yes

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Port 22
PermitRootLogin yes
X11Forwarding no
[/quote]
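What a given sshd_config leaves open for a client that only has a password, as univention-ssh has with the contents of /etc/machine.secret, can be read off mechanically. The following Python is an added example, not from the forum post or from UCS: it parses the global section of an sshd_config like the one quoted above and reports the methods through which a password can still be presented. The rule it applies is OpenSSH's: "password" requires PasswordAuthentication yes, and "keyboard-interactive" requires ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer OpenSSH) yes together with UsePAM yes so that PAM does the prompting. Run on the UCS default combination discussed in the thread (passwordauthentication no, challengeresponse yes) it reports keyboard-interactive only, which is consistent with the earlier "Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive)" lines: sshd did offer keyboard-interactive, so the rejection came from the PAM stack behind it. The sample config is constructed here and trimmed to the relevant options; Match blocks are deliberately not evaluated.

```python
# Constructed sample: the lines of the sshd_config quoted in the thread that matter
# for password-style logins (other options omitted for brevity).
SAMPLE_CONFIG = """\
# Warning: auto-generated by univention-config-registry
Protocol 2
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
PasswordAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
PermitRootLogin yes
"""

# OpenSSH defaults (sshd_config(5)) for the options inspected below; note that
# upstream defaults UsePAM to "no", while distribution configs usually set "yes".
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}


def parse_sshd_config(text):
    """Return {lowercased option: value} for the global section.

    As in sshd, the first occurrence of an option wins. Parsing stops at the first
    Match block because everything after it is conditional (simplification of this
    example, not a property of sshd).
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # sshd only treats a leading '#' as a comment
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def password_login_methods(opts):
    """Methods by which a client may present a plain password under these options."""
    def get(key):
        return opts.get(key, DEFAULTS.get(key, "no")).lower()

    methods = []
    if get("passwordauthentication") == "yes":
        methods.append("password")
    # Newer OpenSSH names the option KbdInteractiveAuthentication; the old name is
    # an alias. Honour whichever one the file actually sets.
    if "kbdinteractiveauthentication" in opts:
        kbd = get("kbdinteractiveauthentication")
    else:
        kbd = get("challengeresponseauthentication")
    if kbd == "yes" and get("usepam") == "yes":
        methods.append("keyboard-interactive")
    return methods


def explain(text):
    """One-line verdict for a config text."""
    methods = password_login_methods(parse_sshd_config(text))
    if methods:
        return "password logins possible via: " + ", ".join(methods)
    return "no password-based method enabled; only publickey or GSSAPI logins can succeed"


if __name__ == "__main__":
    print(explain(SAMPLE_CONFIG))
    ucs_default = "PasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n"
    print(explain(ucs_default))
```

To check a live host, feed it the output of `sshd -T` instead of the file: that already has Match blocks and defaults resolved, so the parser's global-section simplification no longer matters.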