Webinterface not available since Update to UCS 4.2-1


#1

Hi together,

I am using UCS since one year and I am very happy with it. Because of my old hardware I decided to build a new computer to be ready for the future.

Hardware:
Motherboard = ASRock J3455-ITX
1x SSD = 64GB Transcend SSD340K
2x Hard drive = WD Red 8 TB

Because the Motherboard could only handle Grub < Version 2 I used UCS Version 4.1-0 for the Installation.
I choose for both WD Red 8 TB Raid 1. There was no Problem with the Installation.

Everything with the updates worked fine as well until I installed UCS Version 4.2-1. After the update it is not possible anymore to log in on the webinterface. It is still possible to add the name (“Administrator”) and password. After using the log in button it starts to log in but the webinterface never pops up.

The console is still working.
1. I tried to install UCS again
2. I checked with dpkg --audit if there are problems listed (no problems)
3. I updated with dpkg --configure -a if there is a mistake (no problems)
4. I updated UCS to Version 4.2-3 on the console to find out if the update is solving the problem (problem not solved)
5. I did univention-ldapsearch and checked after it the /var/log/univention/management-console-*.log.

There are a couple of errors in the logfile listed. See attached pictures.

Hope someone has an idea what I can try, to get the webinterface working with UCS Version > 4.2-1

Thank you very much in advance

SKIP300


#2

Hey,

did you modify the configuration of the Apache web server somehow?

What’s the output of univention-check-templates?

Kind regards,
mosu

PS: Screenshots are nice in some situations, but not for pasting log files. It would have been better for us if you had simply pasted their content as text — easier to read, to search etc. For the future.


#3

Hi Moritz,

thank you very much for your response. I appreciate it.
I would like to provide you in the future the logs as text file.
My Linux skills are not the best at the Moment because I took Pictures the first time.
Is there a possibility to get the log files on a USB stick so that I can provide it in the future?
Maybe you can give me a console code for that.

So back to your question.
If I use the command “univention-check-templates” as root, there is no Output on the console.
I tried “sudo univention-check-templates” as well but there is the same.

Is there anything else I can try?

SKIP300


#4

Hi Moritz,

I learned this morning how to mount a usb stick to provide the logs as text files in the future.
So I thought, that I should provide you the logs again to make it easier for you. But now I have only information included in

  1. management-console-server.log
  2. management-console-web-server.log

All the other log files are empty now.

management-console-server.log (2.0 KB)
management-console-web-server.log (273 Bytes)


#5

Did you clear your web-browser cache after upgrade to 4.2 - or try a different web browser - as I had this to do after the upgrade sometimes

rg
Christian


#6

Hi externa1

I use two Browsers at the Moment. IE11 Update Version 11.0.50 and Firefox 58.0.2.
Firefox on a WIN 10, WIN 7 and Linux Mint. IE only on the WIN 10 and WIN 7 Computer.
I cleared all 5 Browsers and did a new Installation of Firefox on the WIN 10 Computer.
Unfortunately nothing changed. It is still not possible to log in to the web interface.

But there is maybe something interesting for you I recognized today.
Before I did the update to UCS 4.2-1 it was possible to use the https://ucs-2018a… address to come to the log in area.
Now it is only possible with the IP Address.

Thank you very much for all your help


#7

Hey,

A couple of general tips:

I gather that you’re posting to this forum from a different computer than your UCS server. In general you don’t need to use USB thumbdrives or other external means for copying stuff to other computers. Instead you should probably just copy the files we ask for via ssh. There are a plethora of Free/Open Source software that you can use, e.g. WinSCP (Windows only), FileZilla (Windows/Linux/macOS) or scp (part of the OpenSSH project, command-line only). Start the program, log into the server with user root and the corresponding password, copy the file to your desktop, post it.

Similarly if we ask you to post the output of some command, you can just start an ssh client such as Putty (Windows only) or ssh (command-line only, all platforms), log in to the server as root, execute the command & then copy the output directly from the ssh program.

Back to your problem. Have you tried using the full server name including its domain name? E.g. in my test domain my server is called master, and the domain is mbu-test.intranet, so the full URL would be https://master.mbu-test.intranet/. Please give that full URL a try (replacing master.mbu-test.intranet with appropriate values for your server & domain).

Next please try the old login method which doesn’t use SAML. Try the following URL for logging in: https://master.mbu-test.intranet/univention/login/ (again replacing master.mbu-test.intranet with your server’s fully-qualified domain name).

Kind regards,
mosu


#8

Hi mosu,

thank you very much for your tips. I appreciate it. I choose Filezilla. It is so much easier to get access to the files. I am learning so much from you guys.

Back to my problem.
I tried https://ucs-2018a.baer.internal/ and https://ucs-2018a.baer.internal/univention/login/ in the past and today again with clearing the browser cache before.
But only with the IP it is possible to come to the login area at the moment. But I know that before the update to 4.2-1 was done the URLs above worked fine because I was a couple times on the webinterface to do the updates and I did not use the IP to access the webinterface.

Today I found out, that if I wait maybe 10-15 minutes after I did the login (with ip) the server is calling back failure 502.

Hope this can help to come closer to my problem.

Thanks to everybody who is helping me in this case.

Best regards

SKIP300


#9

Hey,

Just to make sure I understand you correctly. When you use the host name to connect, e.g. https://ucs-2018a.baer.internal/, then you do see the Univention interface, and you do get the login screen, but after entering your credentials you only get a blank screen?

Next: please verify that the server’s date & time settings are correct. Log in via ssh as root and execute date in order to see what the server’s current date & time is.

Afterwards please run the following two commands and paste its output:

lsof -PniTCP:6670 -iTCP:6669 -iTCP:8090 -sTCP:LISTEN
openssl s_client -connect 127.0.0.1:6670

Kind regards,
mosu


#10

Hi mosu,

thank you for your quick response.

When I use the host Name to connect (in my case https://ucs-2018a.baer.internal/) I do not see the Univention interface.
My Browser is letting me know that the site is not reachable.
Only if I use the ip it is possible to put in the credentials. But after this I see only the UCS logo until the failure 502 is popping up after 10 - 15 min. I also can provide you screenshot if it helps.

Attached the Outputs:

root@ucs-2018a:~# date
Di 13. Feb 19:09:44 CET 2018
root@ucs-2018a:~# lsof -PniTCP:6670 -iTCP:6669 -iTCP:8090 -sTCP:LISTEN
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
univentio 1705 root    4u  IPv6  21119      0t0  TCP *:6669 (LISTEN)
univentio 1757 root    5u  IPv6  25958      0t0  TCP *:6670 (LISTEN)
univentio 2512 root   10u  IPv4  24334      0t0  TCP 127.0.0.1:8090 (LISTEN)
root@ucs-2018a:~# openssl s_client -connect 127.0.0.1:6670
CONNECTED(00000003)
depth=1 C = DE, ST = DE, L = DE, O = baer, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=RKsOSYE5), emailAddress = ssl@baer.internal
verify return:1
depth=0 C = DE, ST = DE, L = DE, O = baer, OU = Univention Corporate Server, CN = ucs-2018a.baer.internal, emailAddress = ssl@baer.internal
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=DE/L=DE/O=baer/OU=Univention Corporate Server/CN=ucs-2018a.baer.internal/emailAddress=ssl@baer.internal
   i:/C=DE/ST=DE/L=DE/O=baer/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=RKsOSYE5)/emailAddress=ssl@baer.internal
 1 s:/C=DE/ST=DE/L=DE/O=baer/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=RKsOSYE5)/emailAddress=ssl@baer.internal
   i:/C=DE/ST=DE/L=DE/O=baer/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=RKsOSYE5)/emailAddress=ssl@baer.internal
---
Server certificate
subject=/C=DE/ST=DE/L=DE/O=baer/OU=Univention Corporate Server/CN=ucs-2018a.baer.internal/emailAddress=ssl@baer.internal
issuer=/C=DE/ST=DE/L=DE/O=baer/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=RKsOSYE5)/emailAddress=ssl@baer.internal
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 3108 bytes and written 613 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: D4C72A483D45B6ED49986B55109714B3E75554B40DCC2EE2662FF033ED4F6226
    Session-ID-ctx:
    Master-Key: 7245F775A6330A87CDC94A3A5E34E598093D11884EC7C7A60A1CDD575EBCE3CB808E45297C051453115DD353669D247B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1518545759
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0


#11

Hi,

may I assume your client is a Windows machine?
What happens when you open the command line and do a “ping ucs-2018a.baer.internal”?
Could you post the output of the above command and additionally of “ipconfig /all” on the client (not on the UCS system)?

/KNEBB


#12

Hey,

Let’s focus on this first. In addition to what knebb asked, please also post the output of the following commands from your server:

ip a
host ucs-2018a.baer.internal
iptables -L INPUT -nv

Thanks.

Kind regards,
mosu


#13

Hi together,

the first two Outputs are from win 10.
I also have the possibility to do it on a win 7 and Linux Mint if it helps.

attached the Outputs:

Ping wird ausgeführt für ucs-2018a.baer.internal [62.138.238.45] mit 32 Bytes Daten:
Antwort von 62.138.238.45: Bytes=32 Zeit=73ms TTL=250
Antwort von 62.138.238.45: Bytes=32 Zeit=33ms TTL=250
Antwort von 62.138.238.45: Bytes=32 Zeit=33ms TTL=250
Antwort von 62.138.238.45: Bytes=32 Zeit=33ms TTL=250

Ping-Statistik für 62.138.238.45:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 33ms, Maximum = 73ms, Mittelwert = 43ms

Windows-IP-Konfiguration

   Hostname  . . . . . . . . . . . . : DELL-Inspiron
   Primäres DNS-Suffix . . . . . . . : baer.internal
   Knotentyp . . . . . . . . . . . . : Broadcast
   IP-Routing aktiviert  . . . . . . : Nein
   WINS-Proxy aktiviert  . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : baer.internal
                                       fritz.box

Ethernet-Adapter Ethernet:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Realtek PCIe FE Family Controller
   Physische Adresse . . . . . . . . : 5C-F9-DD-5B-14-4A
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Drahtlos-LAN-Adapter LAN-Verbindung* 2:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physische Adresse . . . . . . . . : 80-00-0B-F1-B6-03
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Drahtlos-LAN-Adapter WLAN:

   Verbindungsspezifisches DNS-Suffix: fritz.box
   Beschreibung. . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6235
   Physische Adresse . . . . . . . . : 80-00-0B-F1-B6-02
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse  . : fe80::e430:be3b:3d13:cd44%5(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 192.168.178.26(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Lease erhalten. . . . . . . . . . : Mittwoch, 14. Februar 2018 17:43:33
   Lease läuft ab. . . . . . . . . . : Samstag, 24. Februar 2018 17:43:33
   Standardgateway . . . . . . . . . : 192.168.178.1
   DHCP-Server . . . . . . . . . . . : 192.168.178.1
   DHCPv6-IAID . . . . . . . . . . . : 58720267
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-21-17-79-14-5C-F9-DD-5B-14-4A
   DNS-Server  . . . . . . . . . . . : 192.168.178.1
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Ethernet-Adapter Bluetooth-Netzwerkverbindung:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physische Adresse . . . . . . . . : 80-00-0B-F1-B6-06
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Tunneladapter Teredo Tunneling Pseudo-Interface:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   IPv6-Adresse. . . . . . . . . . . : 2001:0:9d38:78cf:4fa:2b60:b030:804(Bevorzugt)
   Verbindungslokale IPv6-Adresse  . : fe80::4fa:2b60:b030:804%7(Bevorzugt)
   Standardgateway . . . . . . . . . : ::
   DHCPv6-IAID . . . . . . . . . . . : 100663296
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-21-17-79-14-5C-F9-DD-5B-14-4A
   NetBIOS über TCP/IP . . . . . . . : Deaktiviert

root@ucs-2018a:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN internal default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP internal default qlen 1000
    link/ether 70:85:c2:4d:b5:37 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP internal default qlen 1000
    link/ether 70:85:c2:4d:b5:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.32/24 brd 192.168.178.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::7285:c2ff:fe4d:b537/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN internal default
    link/ether 02:42:ec:19:83:53 brd ff:ff:ff:ff:ff:ff
    inet 172.17.42.1/16 scope global docker0
       valid_lft forever preferred_lft forever
root@ucs-2018a:~# host ucs-2018a.baer.internal
ucs-2018a.baer.internal has address 192.168.178.32
root@ucs-2018a:~# iptables -L INPUT -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3272  649K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  790  566K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7636
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:32765:32769
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:137:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:544
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:88
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:49152:49215
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7389
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3268
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:464
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:88
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2049
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:32765:32769
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3269
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:464
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:389
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2049
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5666
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:636
   25  4638 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6670
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:16514
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:389
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7777
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:7777
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6669
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:5900:5999
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3128
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:749
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:135
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:111
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1024
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:11212
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       172.17.0.0/16        0.0.0.0/0            tcp dpt:3306
   16  1578 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Thank you very much for your help!


#14

Hey,

here’s the problem:

vs.

The host name is resolved to an external IP address when queried outside of your server. It is resolved correctly when queried on your server. The server’s host name must always resolve to its internal address.

You’ll have to figure out why the DNS server that your desktop(s) use returns an external IP address.

If you need to have your server available from outside the intranet, then you should rather add a totally independent DNS record for that and not try to re-use the server’s name.

Kind regards,
mosu
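
Added example, not part of mosu's post or of UCS: a small shell check for the mismatch described above, where the client's resolver returns an external address for the server's name while the server itself returns its internal one. The function names are hypothetical; it assumes the `host` utility already used in this thread and takes the expected internal address and the resolver IPs as arguments.

```shell
#!/bin/sh
# Added example: ask several resolvers for the server's FQDN and flag any
# answer that differs from the address the server really has.
# Function names are hypothetical; addresses are passed in by the caller.

# Return 0 if $1 is an RFC 1918 (private) IPv4 address.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `host` output on stdin and print the first A record's address.
first_a_record() {
    awk '/ has address / { print $NF; exit }'
}

# Classify one resolver's answer.
# $1 = address the resolver returned (may be empty)
# $2 = internal address the name is expected to resolve to
classify_answer() {
    got=$1
    want=$2
    if [ -z "$got" ]; then
        echo "NO_ANSWER"        # resolver does not know the name at all
    elif [ "$got" = "$want" ]; then
        echo "OK"
    elif is_private_ipv4 "$got"; then
        echo "WRONG_INTERNAL"   # stale record or a different internal host
    else
        echo "EXTERNAL"         # name leaks to a public resolver / wildcard
    fi
}

# Query every resolver and print: resolver, answer, verdict.
# $1 = FQDN, $2 = expected internal address, remaining args = resolver IPs
check_resolvers() {
    name=$1
    expected=$2
    shift 2
    for resolver in "$@"; do
        answer=$(host -W 2 "$name" "$resolver" 2>/dev/null | first_a_record)
        printf '%s\t%s\t%s\n' "$resolver" "${answer:--}" \
            "$(classify_answer "$answer" "$expected")"
    done
}

# Run only when called with arguments, e.g. with the values from this thread:
#   sh check_dns.sh ucs-2018a.baer.internal 192.168.178.32 192.168.178.1 192.168.178.32
if [ "$#" -ge 3 ]; then
    check_resolvers "$@"
fi
```

Any verdict other than OK for a resolver that clients receive via DHCP means those clients will not reach the server under its own name.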


#15

Hi mosu,

thank you very much for your response.

I tried yesterday night and today a couple things to find the dns problem. But I have no clue where it comes from.

When I set on my Computer the dns Server 192.168.178.32 in the lan settings it is possible to connect
with https://ucs-2018a.baer.internal to the login area. Unfortunately the login to the Univention interface is still not possible.

Like I said at the beginning of this topic I have a further UCS Master 4.2-2 (very old hardware) running in a separate network.

To find the DNS Problem I tried

  1. I disconnected the old UCS Master to test my new UCS Master in this network. I had the same issues like in the test network.
  2. I put the old UCS Master in my test network where I had my new UCS Master running. The old UCS Master is working fine in the test network.
  3. I used a Fritz Box 4040 (without DSL / factory reset) to create a third network. Old one is working fine and the new one is not.

Let's go back to the beginning of this topic. All the issues started with the update from 4.2-0 to 4.2-1.
Before running the update everything worked fine with the new UCS Master.
Because of this and the tests I did I am thinking the issues are coming from the new UCS Master at the moment.

What do you think? Is that possible or am I on the wrong way?
Is there maybe something I can compare between the old UCS Master and the new one?
Could there be a dns server problem on the new UCS Master?

What would I do without you guys!

SKIP300


#16

As you posted, this is the DNS server your client queries. I assume this is the Fritz-Box! And I assume Fritz! has no clue about the DNS server of the master.

Make sure your DHCP-Server (I assume active on Fritz! for third network) gives the IP of your master, not of the Fritz!Box.

/KNEBB


#17

Hey,

as knebb has said: you should make sure all clients use the UCS DC Master as the DNS server, not your FritzBox.

I’m a bit confused about your multiple UCS DC Master servers. Are those set up with the same domain name? What are the DNS settings on the new DC Master (post the output of ucr search --brief nameserver)?

mosu


#18

Hi together,

I am thinking I found the DNS problem.

In my Network with my old UCS Master (ucs-2014.baer.internal) I did a dns route for baer.internal to (ucs-2014.baer.internal). Because of it the dns worked fine with my old UCS Master.

When I did the last test with using my new UCS Master (ucs-2018a.baer.internal) in this network, I forgot to change the dns route to (ucs-2018a.baer.internal). So I tried it again with the correct dns route and the pings are good now.

Here the current ping outputs (ucs-2018a = 192.168.100.3)

ping ucs-2018a.baer.internal

Ping wird ausgeführt für ucs-2018a.baer.internal [192.168.100.3] mit 32 Bytes Daten:
Antwort von 192.168.100.3: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.100.3: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.100.3: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.100.3: Bytes=32 Zeit<1ms TTL=64

Ping-Statistik für 192.168.100.3:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms

root@ucs-2018a:~# host ucs-2018a.baer.internal
ucs-2018a.baer.internal has address 192.168.100.3

What I learned:

  1. Never use a Fritz Box if you do a test Network, also if you consider in the dns settings your Server IP. It is not working like it should.
  2. If you have a dns route you have to change it before you use a different server.

Here the current output mosu asked for

root@ucs-2018a:~# ucr search --brief nameserver
dns/nameserver/registration/forward_zone: <empty>
dns/nameserver/registration/reverse_zone: <empty>
nameserver/external: false
nameserver/option/timeout: 2
nameserver1: 192.168.100.3
nameserver2: <empty>
nameserver3: <empty>

It is possible now to reach the server with https://ucs-2018a.baer.internal/ in the browser.
Unfortunately I still have the problem with the login to the Univention web interface.
After I did the login with my credentials there is still popping up after 10-15 min the “failure 502”.

Hope you have a further idea why it is not possible to reach the univention web interface.

Thank you very much for your help

SKIP300


#19

I’m confused. Earlier in a post you showed the output of ip a, and that shows your server ucs-2018a having the IP address 192.168.178.32. Now you’re stating it has the address 192.168.100.3?

There’s a reason I’m going on and on about DNS and IP addresses. Without a working and consistent DNS system a lot of services will fail subtly.


#20

Hi mosu,

Bear with me. I am not an IT expert. Please explain in more detail why it is so important to have the same IP address the whole time.
I always thought that you could change IP addresses as you go along.

When I started this process to replace my old UCS Master (ucs2014.baer.internal = 192.168.100.0/24) with the new UCS Master (ucs-2018a.baer.internal) I assumed the IP Address for the initial installation is not important.
I thought you can change it at any time.

When I found out, that my test Network (192.168.178.0/24 with fritz box) is not working, but the existing Network (192.168.100.0/24) is working fine because of the dns route for “baer.internal” I did the change to the new IP range, which I would have done anyway as soon as I have the new UCS Master running.

If you don't mind please go into more details.
Would it help if I sent you a network map of the test network (192.168.178.0/24) I used initially and my existing network (192.168.100.0/24) where the new UCS Master should work in the future?

Thank you very much in advance

SKIP300