Unable to update Office 365 connector from 3.1 to 3.2

tcb · March 10, 2020, 3:52pm

I tried to update the office 365 connector from cli/web. But everytime i got the following error message

[CRITICAL]: Error: The package univention-saml on the DC Master (ucs.***.***) must at least be 5.0.4-26 before the app can be updated. Please update the DC Master to at least erratalevel 159.

The DC Master is at errata level 4.4.3-456, univention-saml has the version 6.0.2-24A~4.4.0.202002110948. I don’t get the point why the update failed.

damrose · March 11, 2020, 11:07am

The check that is executed here tries to connect to the DC Master via ssh as the authenticated user and read the univention-saml package version.

Maybe there is an issue connecting to the DC Master via ssh, or the access is restricted by UCR? Are there additional errors visible in /var/log/univention/appcenter.log?

tcb · March 13, 2020, 7:01pm

Hi, i checked /var/log/univention/appcenter.log and found this error message:

109717 actions.upgrade 20-03-13 19:56:10 [ INFO]: Going to upgrade Microsoft Office 365 Connector (3.2)
109717 actions.upgrade 20-03-13 19:56:19 [ DEBUG]: Calling prescript (preinst)
109717 actions.upgrade 20-03-13 19:56:19 [ DEBUG]: Calling /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/office365_20200217114223.preinst --binddn uid=Administrator,cn=users,dc=example,dc=de --bindpwdfile /tmp/tmpGkZGhG --error-file /tmp/tmpeNL99C --version 3.2 --old-version 3.1
109717 actions.upgrade 20-03-13 19:56:26 [ WARNING]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
109717 actions.upgrade 20-03-13 19:56:27 [ DEBUG]: /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/office365_20200217114223.preinst returned with 1
109717 actions.upgrade 20-03-13 19:56:27 [CRITICAL]: Error: The package univention-saml on the DC Master (ucs.example.de) must at least be 5.0.4-26 before the app can be updated. Please update the DC Master to at least erratalevel 159.

109717 actions.upgrade 20-03-13 19:56:27 [CRITICAL]: Unable to upgrade office365. Aborting…
109717 actions.upgrade.progress 20-03-13 19:56:27 [ DEBUG]: 100

There is a permission denied error, but i don’t know what is causing this issue.

tcb · March 15, 2020, 4:32pm

I tried to uninstall and reinstall the office 365 connector via cli and the result was the same error i cannot install the office 365 connector v3.2 on my ucs 4.4-3 errata482 dc.

damrose · March 16, 2020, 12:30pm

As suspected, the ssh connection to the DC Master failed. Please reenable ssh access for the Administrator to the DC Master. For debugging, the following command has to work, i.e. open a ssh connection as Administrator: univention-ssh [pwdfile] Administrator@$(ucr get ldap/master) - [pwdfile] is a file with the Administrator password.

You can also temporarily disable the check by editing the cached preinst file and put an exit 0 or something similar at the beginning of /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/office365_20200217114223.preinst

tcb · March 16, 2020, 1:19pm

I have not deliberately deactivated or restricted the SSH service. Since SSH is only used by me through the root account, this error was not noticed before.
How can i reenable the ssh account for the administrator user?

damrose · March 16, 2020, 1:42pm

I do not know how it was disabled, so i can only guess. SSH seems to be running, so we can rule that out. Check the UCR variables for ssh auth and compare with the defaults on the DC master

root@ucsmaster:~# ucr search --brief auth/sshd
auth/sshd/group/Administrators: yes
auth/sshd/group/Computers: yes
auth/sshd/group/DC Backup Hosts: yes
auth/sshd/group/DC Slave Hosts: yes
auth/sshd/group/Domain Admins: yes
auth/sshd/restrict: yes
auth/sshd/user/root: yes

In any case, you can disable the check in the preinst script as i mentioned above.

tcb · March 16, 2020, 1:50pm

I will try the hack of the preinst script later, but first i get the exact same output as you showed when i run the ucr variable check

root@ucs:~# ucr search --brief auth/sshd
auth/sshd/group/Administrators: yes
auth/sshd/group/Computers: yes
auth/sshd/group/DC Backup Hosts: yes
auth/sshd/group/DC Slave Hosts: yes
auth/sshd/group/Domain Admins: yes
auth/sshd/restrict: yes
auth/sshd/user/root: yes

I think it’s weird, i havent touched sshd, the ucr variables seem ok and i can login as root user

damrose · March 16, 2020, 2:08pm

You could add -vvv to the univention-ssh call to get more debug output and see where it fails - but if there is no really obvious error i cannot help any further

tcb · March 16, 2020, 2:16pm

Hi, i tried to connect through univention-ssh using -vvv option. Maybe you get a information from the output. I didnt find anything helpful.

OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u 20 Dec 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 28: Applying options for *
debug2: resolving “ucs.example.de” port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to ucs.example.de [192.168.5.10] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u7
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to ucs.example.de:22 as ‘Administrator’
debug3: hostkeys_foreach: reading file “/root/.ssh/known_hosts”
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys from ucs.example.de
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com ,ecdsa-sha2-nistp384-cert-v01@openssh.com ,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com ,ecdsa-sha2-nistp384-cert-v01@openssh.com ,ecdsa-sha2-nistp521-cert-v01@openssh.com ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com ,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com ,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com ,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com ,umac-128-etm@openssh.com ,hmac-sha2-256-etm@openssh.com ,hmac-sha2-512-etm@openssh.com ,hmac-sha1-etm@openssh.com ,umac-64@openssh.com ,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com ,umac-128-etm@openssh.com ,hmac-sha2-256-etm@openssh.com ,hmac-sha2-512-etm@openssh.com ,hmac-sha1-etm@openssh.com ,umac-64@openssh.com ,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com ,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com ,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com ,umac-128-etm@openssh.com ,hmac-sha2-256-etm@openssh.com ,hmac-sha2-512-etm@openssh.com ,hmac-sha1-etm@openssh.com ,umac-64@openssh.com ,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com ,umac-128-etm@openssh.com ,hmac-sha2-256-etm@openssh.com ,hmac-sha2-512-etm@openssh.com ,hmac-sha1-etm@openssh.com ,umac-64@openssh.com ,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:yLgwxqQrDHTcqEXzNpLPLWtg3QcxuCk9nL9wcBV5K4s
debug3: hostkeys_foreach: reading file “/root/.ssh/known_hosts”
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys from ucs.example.de
debug3: hostkeys_foreach: reading file “/root/.ssh/known_hosts”
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from 192.168.5.10
debug1: Host ‘ucs.example.de’ is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug2: key: /root/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0)

debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0)

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
debug1: read_passphrase: can’t open /dev/tty: No such device or address
debug1: permanently_drop_suid: 0
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
debug1: read_passphrase: can’t open /dev/tty: No such device or address
debug1: permanently_drop_suid: 0
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
debug1: read_passphrase: can’t open /dev/tty: No such device or address
debug1: permanently_drop_suid: 0
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).