Bug 30539 - net ads join should use the password from /etc/machine.secret
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba
Version: UCS 3.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.1-1
Assigned To: Arvid Requate
Stefan Gohmann
Duplicates: 23889
Reported: 2013-02-21 13:44 CET by Stefan Gohmann
Modified: 2013-04-17 11:35 CEST (History)

Description Stefan Gohmann univentionstaff 2013-02-21 13:44:54 CET
In some cases the AD password of a member server and the LDAP password of the member server are not equal after the join.

This is a timing problem in the S4 connector, see also Bug #18501.

net ads join should use the password from the file machine.secret as machine password.
Comment 1 Stefan Gohmann univentionstaff 2013-03-06 06:47:14 CET
With Bug #30183 I'll also change the DC objects so that they set the sambaNTPassword during the password change. Thereby the password should also be used in any case, e.g. for "net rpc join".
Comment 2 Arvid Requate univentionstaff 2013-03-15 17:52:04 CET
* The univention-samba joinscript now calls "net (ads|rpc) join"
  with argument machinepass="$machine_secret". This uses the given password
  for the join and stores it in the secrets.tdb database.

* The Samba specific parts of server_password_change have been moved into
  server_password_change.d/univention-samba. They were not applicable to samba4.

* server_password_change.d/univention-samba additionally now updates
  the secrets.tdb database with the new machine.secret.

* "machine password timeout" is disabled in samba3 smb.conf, to disable the
  automatic weekly password rotation built into Samba.
  (can be overridden by samba/machine_password_timeout).
  Samba4 currently does not seem to perform this rotation, but to be safe, the
  parameter is adjusted in samba4 smb.conf as well.

* changelog-3.1-1 updated.
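The pattern this comment describes, written out as an added example (not Univention's joinscript or its server_password_change.d hook): join with the password already in /etc/machine.secret, mirror later rotations into secrets.tdb, and switch off Samba's own weekly rotation. It assumes the file paths below and that net(8) accepts the machinepass= join option and `changesecretpw -f -i` reading the password from stdin; NET, SMB_CONF and MACHINE_SECRET_FILE are overridable so the functions can be exercised without a domain.

```shell
#!/bin/sh
# Added example, not UCS code. Assumed paths; all overridable from the environment.
MACHINE_SECRET_FILE="${MACHINE_SECRET_FILE:-/etc/machine.secret}"
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
NET="${NET:-net}"

# First line of the secret file; $(...) drops the trailing newline.
read_machine_secret() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    head -n 1 "$1"
}

# Join with the UCS machine password instead of a freshly generated one, so the
# password Samba stores in secrets.tdb equals the one the LDAP machine object has.
# As in the joinscript, the password travels on the command line (visible in ps
# for the duration of the join).
join_with_machine_secret() {
    case "$1" in ads|rpc) ;; *) echo "mode must be ads or rpc" >&2; return 1 ;; esac
    secret=$(read_machine_secret "$MACHINE_SECRET_FILE") || return 1
    "$NET" "$1" join machinepass="$secret"
}

# After server_password_change rotated /etc/machine.secret, push the new value
# into secrets.tdb; stdin keeps the password out of the process list.
# (assumes net changesecretpw -f -i, i.e. forced, password read from stdin)
sync_secrets_tdb() {
    secret=$(read_machine_secret "$MACHINE_SECRET_FILE") || return 1
    printf '%s\n' "$secret" | "$NET" changesecretpw -f -i
}

# Set "machine password timeout = 0" in [global]: drop any existing setting and
# add the disabled one right after the section header.
disable_samba_rotation() {
    conf="$1"; tmp="$conf.tmp.$$"
    awk '
        /^[ \t]*machine password timeout[ \t]*=/ { next }
        /^[ \t]*\[global\]/ { print; print "\tmachine password timeout = 0"; next }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}
```

Run `disable_samba_rotation "$SMB_CONF"` before the join and `sync_secrets_tdb` from the password-change hook, so a rotation on the UCS side is never lost between the file and secrets.tdb.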
Comment 3 Stefan Gohmann univentionstaff 2013-03-19 21:42:04 CET
Successfully tested:
New domain S4: OK

TODO:
Updated domain S4
New domain S3
Updated domain S3
Changelog
Comment 4 Stefan Gohmann univentionstaff 2013-03-20 08:13:21 CET
- Updated domain S4: OK
- New domain S3: OK
- Updated domain S3: OK
- Changelog: Failed

> The weekly Samba internal password rotation is now disabled

That's true, but the password is now rotated by the UCS scripts. Maybe you can write it more clearly?
Comment 5 Arvid Requate univentionstaff 2013-03-20 12:08:47 CET
Ok, changelog adjusted.
Comment 6 Stefan Gohmann univentionstaff 2013-03-20 12:10:01 CET
(In reply to comment #5)
> Ok, changelog adjusted.

OK
Comment 7 Stefan Gohmann univentionstaff 2013-03-25 19:57:26 CET
UCS 3.1-1 has been released: 
 http://download.univention.de/doc/release-notes-3.1-1_en.pdf
 http://download.univention.de/doc/release-notes-3.1-1.pdf

If this error occurs again, please use "Clone This Bug".
Comment 8 Arvid Requate univentionstaff 2013-04-17 11:35:05 CEST
*** Bug 23889 has been marked as a duplicate of this bug. ***