Hi,
i have been searching for this everywhere, but none of the hints helped to fix the issue.
Since an update to 4.4.4 we can’t login to UMC as Administrator anymore.
Root can still login to ssh, so we tried quite a few things, including resetting the Administrator password
udm users/user modify --dn uid=Administrator,cn=users,"$(ucr get ldap/base)" \
--set password=YourNewPassword \
--set overridePWHistory=1 \
--set pwdChangeNextLogin=0
or reissuing the complete Administrator account.
eval `univention-baseconfig shell ldap/base`
univention-admin users/user create --position cn=users,$ldap_base --set \
username=Administrator --set lastname=Administrator --set password=univention \
--set groups="cn=Domain Admins,cn=groups,$ldap_base" --policy-reference \
cn=default-admins,cn=admin-settings,cn=users,cn=policies,$ldap_base
We have also updated to 4.4-5 errata712 in the meantime, but we are still unable to log in.
After setting debug level to 4 we can see this in our management-console-web-server.log:
26.08.20 07:41:24.272 MAIN ( INFO ) : CPAuth/auth: got new auth request (78.94.179.71:50048 <=> )
26.08.20 07:41:24.272 MAIN ( INFO ) : auth: request: command=/auth
26.08.20 07:41:24.272 MAIN ( INFO ) : CPAuth (78.94.179.71:50048) pushed request(0x7fead1af6a10) to queue(0x7fead1af3950) - waiting for response
26.08.20 07:41:24.278 MAIN ( INFO ) : UMCP_Dispatcher: check_queue: new request: 0x7fead1af6a10
26.08.20 07:41:24.278 MAIN ( INFO ) : SessionClient(0x7fead1af6ad0): creating new session
26.08.20 07:41:24.279 MAIN ( INFO ) : Client.connect: SSL connection established
26.08.20 07:41:24.279 MAIN ( INFO ) : SessionClient(0x7fead1af6ad0): connected to UMC server
26.08.20 07:41:24.279 MAIN ( INFO ) : Sending authentication request for user u'Administrator'
26.08.20 07:41:24.279 MAIN ( INFO ) : SessionClient(0x7fead1af6ad0): sending request(159842048427241-0)
26.08.20 07:41:24.279 PROTOCOL ( INFO ) : Sending UMCP AUTH REQUEST 159842048427241-0
26.08.20 07:41:24.301 MAIN ( INFO ) : __verify_cert_cb: Got certificate subject: <X509Name object '/C=DE/ST=DE/L=DE/O=foo-bar.org/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=ialMhEW5)/emailAddress=ssl@ucs.foo-bar.org'>
26.08.20 07:41:24.302 MAIN ( INFO ) : __verify_cert_cb: Got certificate issuer: <X509Name object '/C=DE/ST=DE/L=DE/O=foo-bar.org/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=ialMhEW5)/emailAddress=ssl@ucs.foo-bar.org'>
26.08.20 07:41:24.302 MAIN ( INFO ) : __verify_cert_cb: errnum=0 depth=1 ok=1
26.08.20 07:41:24.302 MAIN ( INFO ) : __verify_cert_cb: Got certificate subject: <X509Name object '/C=DE/ST=DE/L=DE/O=foo-bar.org/OU=Univention Corporate Server/CN=ucs-master.ucs.foo-bar.org/emailAddress=ssl@ucs.foo-bar.org'>
26.08.20 07:41:24.302 MAIN ( INFO ) : __verify_cert_cb: Got certificate issuer: <X509Name object '/C=DE/ST=DE/L=DE/O=foo-bar.org/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=ialMhEW5)/emailAddress=ssl@ucs.foo-bar.org'>
26.08.20 07:41:24.302 MAIN ( INFO ) : __verify_cert_cb: errnum=0 depth=0 ok=1
26.08.20 07:41:26.517 PARSER ( INFO ) : UMCP RESPONSE 159842048427241-0 parsed successfully
26.08.20 07:41:26.517 PROTOCOL ( INFO ) : Received UMCP RESPONSE 159842048427241-0
26.08.20 07:41:26.517 MAIN ( PROCESS ) : SessionClient(0x7fead1af6ad0): _authenticated: success=False status=401 message=Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an. result={}
26.08.20 07:41:26.518 MAIN ( INFO ) : SessionClient(0x7fead1af6ad0): got response(159842048427241-0): status=401 queue=0x7fead1af3950
26.08.20 07:41:26.518 MAIN ( INFO ) : CPAuth (78.94.179.71:50048) got response(0x7fead1af6d50) from queue(0x7fead1af3950): status=401
26.08.20 07:41:26.518 MAIN ( PROCESS ) : CPAuth (78.94.179.71:50048) response status code: 401
26.08.20 07:41:26.518 MAIN ( PROCESS ) : CPAuth (78.94.179.71:50048) response message: Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an.
26.08.20 07:41:26.518 MAIN ( PROCESS ) : CPAuth (78.94.179.71:50048) response result: {}
Certificates are all valid, as i thought that maybe this could be the problem.
So, we’re pretty clueless at the moment…
Anything else you might want to point us to, any logs we would also want to have a look at?
Thanks
Sascha