Upgrading 3.8.4 to 4.0.1 - Root password?

I’m working on upgrading our existing installation of RT 3.8.4 to RT 4.0.1, and I’ve encountered a bit of a strange problem. I can manually change root’s password (in RT) to something that I know (such as “password”) via a MySQL statement:

-MySQL Code-
UPDATE Users SET Password=md5('password') WHERE Name='root';
-/MySQL Code-

… and then logging in with the set password I choose works. However, if I log out and back in, I can no longer log in again with that same password and must reset it again to gain admin access again. Furthermore, if I set the password in the GUI to something else, it doesn’t appear to have an effect either, though this may be caused by the same thing.

What’s really weird though, is if I watch the root password entry in the database, the hash changes when I log in. So, say I log in with “password” … it changes to what appears to be a salted SHA hash instead.

Testing this further, I decided to start the DB over from scratch. I ran the upgrade processes, including the vulnerable-passwords script to upgrade the hashes, and that worked with the old password (it even flagged root as an account to update), but once again, after that first log in, I can no longer log back in.

What’s the deal? Did I just miss something? What do I need to do to get this working? If I can provide any other useful information, please let me know. This is running on an Ubuntu server (11.10) with the package-managed version of RT, which with Ubuntu is 4.0.1. The database is the only thing I ported over; as there were only a couple of small changes I made to the HTML code, I figured the pages would be different enough that I’d need to just re-do them anyway.

Thanks,
Johnathan

Johnathan Bell
Internet System Administrator, Baker College
Office Hours: 7A-4P Eastern, M-F

… and then logging in with the set password I choose works. However,
if I log out and back in, I can no longer log in again with that same
password and must reset it again to gain admin access again.
[snip]
What’s the deal? Did I just miss something? What do I need to do to
get this working?

This is an indication that you didn’t run the database upgrade steps
between 3.8.4 and 4.0.1. Please read the README, UPGRADING-3.8, and
UPGRADING-4.0 docs.

Please keep replies on the list.

Thanks. I’m glad to know that it’s something much simpler than I
expected. I did read those, but they only mentioned the “standard
database upgrade process” as far as I could see. Further research says
that’s probably going to be “rt-setup-database --action upgrade” or
something similar… yes?

Yes. The README refers to make upgrade-database. You’re running
Ubuntu packages, so the instructions we write aren’t exactly the same as
what you’ll need to do (they apply to the tarball we ship).

The Ubuntu packages don’t run the database upgrades for you; they just
install the new source.

What about the other parts like secure-passwords, etc… the other random
"little" scripts in etc/upgrade? Should those be run before or after the
rt-setup-database cmd?

Most are run after. The docs (docs/UPGRADING*) mention what needs to be
run during the middle of the upgrade.

We have a fresh installation of RT 4.0.5 with imported data from a former
version.
I can log in as root, but there are two issues:

  1. When I log off and I want to log on again, the root password is changed
    to somewhat! Then I have to reset it.
    I followed the instruction at:
    " UPGRADING FROM 3.8.8 and earlier - Changes:
    Previous versions of RT used a password hashing scheme which was too
    easy to reverse, which could allow attackers with read access to the RT
    database to possibly compromise users’ passwords. Even if RT does no
    password authentication itself, it may still store these weak password
    hashes – using ExternalAuth does not guarantee that you are not
    vulnerable! To upgrade stored passwords to a stronger hash,
    run: perl etc/upgrade/vulnerable-passwords "

I did that, but it didn’t solve the issue.
Can you give me a hint?

  2. Our system, which is freshly installed:

Ubuntu 10.04.4 LTS

Apache Version Apache/2.2.14 (Ubuntu)
Apache API Version 20051115

PHP Version 5.3.2-1ubuntu4.14
mysql, Client API version 5.1.61
RT 4.0.5

Data of the former version were imported in a mysql-database (that
worked).

When I try to create a new request, I get the error message:
“Anfrage konnte aufgrund eines internen Fehlers nicht angelegt werden”
(query couldn’t be created because of an internal error).
The corresponding entry in the access-log is:
ip.ip.ip.ip - - [18/Apr/2012:08:21:14 +0200] "POST /index.html HTTP/1.1" 200 3736
What’s the problem of the system?

Kind regards

George


We have a fresh installation of RT 4.0.5 with imported data from a former
version.
I can log in as root, but there are two issues:

  1. When I log off and I want to log on again, the root password is changed
    to somewhat! Then I have to reset it.
    I followed the instruction at:

This normally means you never ran make upgrade-database
and your schema is out of sync with 4.0.

Post the output of desc Users; if you’d like confirmation of that.

-kevin
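
One way an out-of-sync schema produces the "works once, then locked out" symptom described in this thread, as an added example that is not from the thread and is not RT's code: a login that re-hashes a weak password into a longer salted hash, written into a column still sized for the old hash, stores a truncated value that can never verify again. The hash format, the `UsersTable` stand-in and the column widths (40 and 256) are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

def legacy_hash(pw):
    # Unsalted MD5 hex (32 chars), as set by the UPDATE statement in the first post.
    return hashlib.md5(pw.encode()).hexdigest()

def salted_hash(pw, salt=None):
    # Constructed format "!sha512!<salt>!<hex>" (153 chars); an assumption, not RT's.
    salt = salt or os.urandom(8).hex()
    digest = hashlib.sha512((salt + pw).encode()).hexdigest()
    return "!sha512!%s!%s" % (salt, digest)

class UsersTable:
    """Stand-in for one Users row; a non-strict column silently truncates."""
    def __init__(self, password_width):
        self.width = password_width
        self.password = None

    def store(self, value):
        self.password = value[:self.width]

def verify(stored, pw):
    if stored.startswith("!sha512!"):
        parts = stored.split("!")          # ['', 'sha512', salt, digest]
        if len(parts) != 4:
            return False
        return hmac.compare_digest(stored, salted_hash(pw, parts[2]))
    return hmac.compare_digest(stored, legacy_hash(pw))

def login(table, pw):
    ok = verify(table.password, pw)
    if ok and not table.password.startswith("!sha512!"):
        table.store(salted_hash(pw))       # upgrade-on-login rewrites the weak hash
    return ok

def two_logins(width):
    # Returns (first login ok, second login ok, stored hash length afterwards).
    table = UsersTable(width)
    table.store(legacy_hash("password"))
    return login(table, "password"), login(table, "password"), len(table.password)

if __name__ == "__main__":
    print("old column width:", two_logins(40))
    print("new column width:", two_logins(256))
```

A stored hash whose length exactly equals the column width reported by `desc Users;` is the sign to look for.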