After installing a FreeNAS I attempted to connect the FreeNAS server to my AD-compatible UCS domain without success and decided to postpone the attempt. Then I realized that I had lost login to all my units.
Further investigation showed, to my surprise, that the entire folder “/etc/univention/ssl/master.domain.local” had vanished on my domain master server.
I can find older versions on the server but not the current version. This now has domain-wide implications: I cannot log in anywhere except with the root account, and my mail server cannot be used. I also lost access to my LDAP server; I cannot query the LDAP.
How can the “/etc/univention/ssl/master.domain.local” folder just vanish without user intervention?
Is there any way to recreate the folder and certificates?
This is quite unfortunate. Are all other folders underneath /etc/univention/ssl still present, especially ucsCA? If so, you should be able to create a new valid certificate for your UCS Master using the following commands:
# Create a backup of the directory:
cp -a /etc/univention/ssl /etc/univention/ssl.backup_$(date --iso)
# Check if your master is really gone:
univention-certificate list
# Create a new certificate:
univention-certificate new -name "$(hostname -f)" -days "$(ucr get ssl/default/days)"
# Restart all services or simply
reboot
I am not aware of any automation that touches this folder that could actually delete it. The file write permissions are restricted to the machine account (e.g. master$) and root. But the machine account is not able to renew its certificate on its own - this has to be done manually, e.g. as soon as the certificates expire (see Renewing the SSL certificates).
I guess you don’t have a backup at hand? The manual has some recommendations regarding which folders to include in your backup (Univention Corporate Server).
As long as the root certificate is still present, you can create new certificates for all hosts using univention-certificate. If you also lose the Root Certificate of the CA (in /etc/univention/ssl/ucsCA/), you will need to re-create the whole chain, see Renewing the complete SSL certificate chain.
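An added example, not from this thread or from Univention's own tooling: a POSIX shell check of a host's certificate directory after the commands above have been run. It assumes the file names ucsCA/CAcert.pem, <fqdn>/cert.pem and <fqdn>/private.key under the SSL root (an assumption, not stated above), requires openssl, and builds a throwaway CA in a temporary directory to demonstrate itself rather than touching the live /etc/univention/ssl.

```shell
#!/bin/sh
# Checks that a UCS host certificate is present, signed by the domain CA,
# matches its private key and is not about to expire. Assumed layout (not
# stated in the thread): <root>/ucsCA/CAcert.pem is the CA certificate,
# <root>/<fqdn>/cert.pem and <root>/<fqdn>/private.key belong to the host.
# Return codes: 0 ok, 1 host files missing, 2 CA missing, 3 not signed by
# the CA, 4 key does not match, 5 expires within the warning window.
check_ucs_ssl() {
    root="$1"; fqdn="$2"; warn_days="${3:-30}"
    ca="$root/ucsCA/CAcert.pem"; hostdir="$root/$fqdn"
    [ -f "$ca" ] || { echo "CA missing: $ca (the whole chain must be rebuilt)"; return 2; }
    [ -f "$hostdir/cert.pem" ] && [ -f "$hostdir/private.key" ] ||
        { echo "host certificate missing in $hostdir (run univention-certificate new)"; return 1; }
    openssl verify -CAfile "$ca" "$hostdir/cert.pem" >/dev/null 2>&1 ||
        { echo "$hostdir/cert.pem is not signed by $ca"; return 3; }
    # Compare the public key in the certificate with the one derived from the key.
    [ "$(openssl x509 -in "$hostdir/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$hostdir/private.key" -pubout)" ] ||
        { echo "$hostdir/private.key does not match cert.pem"; return 4; }
    openssl x509 -in "$hostdir/cert.pem" -noout -checkend $((warn_days * 86400)) >/dev/null ||
        { echo "$hostdir/cert.pem expires within $warn_days days, renew it"; return 5; }
    echo "ok: $fqdn is signed by the domain CA, matches its key and is valid"
}

# Builds a constructed test hierarchy with a throwaway CA under $1 (demo only,
# never run this against the live /etc/univention/ssl).
make_fixture() {
    root="$1"; fqdn="$2"
    mkdir -p "$root/ucsCA" "$root/$fqdn"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = ca_ext' '[dn]' 'CN = Test UCS CA' \
        '[ca_ext]' 'basicConstraints = critical,CA:TRUE' > "$root/ca.cnf"
    openssl req -x509 -config "$root/ca.cnf" -newkey rsa:2048 -nodes -days 90 \
        -keyout "$root/ucsCA/private.key" -out "$root/ucsCA/CAcert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$root/$fqdn/private.key" -out "$root/$fqdn/req.pem" 2>/dev/null
    openssl x509 -req -in "$root/$fqdn/req.pem" -days 90 -CA "$root/ucsCA/CAcert.pem" \
        -CAkey "$root/ucsCA/private.key" -CAcreateserial -out "$root/$fqdn/cert.pem" 2>/dev/null
}

demo_root=$(mktemp -d)
make_fixture "$demo_root" master.domain.local
check_ucs_ssl "$demo_root" master.domain.local    # ok
check_ucs_ssl "$demo_root" backup.domain.local    # reports the missing host directory
```

To check the real server, call check_ucs_ssl /etc/univention/ssl "$(hostname -f)" without the demo lines; a non-zero return code names the next step (recreate the host certificate, or rebuild the chain if the CA itself is gone).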
Thanks, that took care of the first error.
I still cannot log in; Administrator is unauthorized.
Checking the apache2 status points me to this error. The server master1.domain.local is a decommissioned server and shouldn’t be there. I elevated master2 to primary domain controller when I decommissioned master1.
Nov 27 10:36:41 master2 simplesamlphp[5568]: 3 [6f870d8770] 4 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Message.php:236 (SAML2_Message::validate)
Nov 27 10:36:41 master2 simplesamlphp[5568]: 3 [6f870d8770] 3 /usr/share/simplesamlphp/modules/saml/lib/Message.php:201 (sspmod_saml_Message::checkSign)
Nov 27 10:36:41 master2 simplesamlphp[5568]: 3 [6f870d8770] 2 /usr/share/simplesamlphp/modules/saml/lib/Message.php:258 (sspmod_saml_Message::validateMessage)
Nov 27 10:36:41 master2 simplesamlphp[5568]: 3 [6f870d8770] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:305 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
Nov 27 10:36:41 master2 simplesamlphp[5568]: 3 [6f870d8770] 0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
Nov 27 10:36:41 master2 simplesamlphp[5568]: 3 [6f870d8770] Error report with id a79a32ff generated.
Nov 27 10:36:41 master22 simplesamlphp[5568]: 3 [6f870d8770] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/master1.domain.local.socket (tcp 0, udp 0) failed with: Read failed (socket
Nov 27 10:36:41 master2 simplesamlphp[5568]: 3 [6f870d8770] Backtrace:
Nov 27 10:36:41 master2 simplesamlphp[5568]: 3 [6f870d8770] 10 /usr/share/simplesamlphp/www/_include.php:84 (SimpleSAML_error_handler)
Nov 27 10:36:41 ucs-pdc02 simplesamlphp[5568]: 3 [6f870d8770] 9 [builtin] (MemcachePool::get)
This took care of all apache2 errors. Still cannot log in using Administrator.
I can now log in to all servers except for my domain master.
/var/log/univention/management-console-server.log
27.11.18 11:37:57.881 AUTH ( WARN ) : Canonicalization of username was not possible: {‘desc’: ‘Invalid credentials’}
27.11.18 11:38:00.550 AUTH ( ERROR ) : PAM: authentication error: (‘Authentication failure’, 7)
27.11.18 11:38:00.550 AUTH ( ERROR ) : The authentication has failed, please login again.
27.11.18 11:38:01.393 LOCALE ( WARN ) : Could not find translation file: ‘umc-core.mo’
27.11.18 11:38:02.206 AUTH ( WARN ) : Canonicalization of username was not possible: {‘desc’: ‘Invalid credentials’}
27.11.18 11:38:02.215 AUTH ( ERROR ) : PAM: authentication error: (‘Insufficient credentials to access authentication data’, 8)
27.11.18 11:38:02.215 AUTH ( ERROR ) : Insufficient credentials to access authentication data
/var/log/univention/management-console-web-server.log
27.11.18 11:44:11.071 MAIN ( PROCESS ) : SessionClient(0x7fbba8478850): _authenticated: success=False status=401 message=The authentication has failed, please login again.
27.11.18 11:44:11.072 MAIN ( PROCESS ) : CPAuth (192.168.0.99:40886) response status code: 401
27.11.18 11:44:11.072 MAIN ( PROCESS ) : CPAuth (192.168.0.99:40886) response message: The authentication has failed, please login again.
27.11.18 11:44:11.072 MAIN ( PROCESS ) : CPAuth (192.168.0.99:40886) response result: {}
27.11.18 11:44:12.658 MAIN ( PROCESS ) : SessionClient(0x7fbba84a1dd0): _authenticated: success=False status=401 message=Insufficient credentials to access authentication data
27.11.18 11:44:12.658 MAIN ( PROCESS ) : CPAuth (192.168.0.99:40912) response status code: 401
27.11.18 11:44:12.659 MAIN ( PROCESS ) : CPAuth (192.168.0.99:40912) response message: Insufficient credentials to access authentication data
27.11.18 11:44:12.659 MAIN ( PROCESS ) : CPAuth (192.168.0.99:40912) response result: {}