Univention Bugzilla – Bug 30539
net ads join should use the password from /etc/machine.secret
Last modified: 2013-04-17 11:35:05 CEST
In some cases the AD password of a member server and the LDAP password of the member server are not equal after the join. This is a timing problem in the S4 connector, see also Bug #18501. net ads join should use the password from the file machine.secret as machine password.
With Bug #30183 I'll also change the DC objects so that they set the sambaNTPassword during the password change. Thereby the password should also be used in any case, e.g. for "net rpc join".
* The univention-samba joinscript now calls "net (ads|rpc) join" with argument machinepass="$machine_secret". This uses the given password for the join and stores it in the secrets.tdb database.
* The Samba specific parts of server_password_change have been moved into server_password_change.d/univention-samba. They were not applicable to samba4.
* server_password_change.d/univention-samba additionally now updates the secrets.tdb database with the new machine.secret.
* "machine password timeout" is disabled in samba3 smb.conf, to disable the automatic weekly password rotation built into Samba (can be overridden by samba/machine_password_timeout). Samba4 currently does not seem to perform this rotation, but to be safe, the parameter is adjusted in samba4 smb.conf as well.
* changelog-3.1-1 updated.
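An added example, not part of the bug comments or of Univention's scripts: a small audit that reports the effective "machine password timeout" in an smb.conf, so an administrator can confirm Samba's own rotation is off and only machine.secret drives the password. The function names and the sample config are constructed; it assumes the setting sits under an explicit [global] header and that a value of 0 is what disables the rotation.

```shell
#!/bin/sh
# Added example: check whether Samba's built-in machine password rotation is off.
# Samba ignores case and embedded spaces in parameter names, so
# "Machine Password  Timeout" and "machinepasswordtimeout" are the same key.

# Print the effective [global] value; Samba's default is 604800 s (one week).
machine_pw_timeout() {
    awk '
        BEGIN { value = 604800; in_global = 0 }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global {
            eq = index($0, "=")
            if (eq == 0) next
            name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == "machinepasswordtimeout") value = val   # last one wins
        }
        END { print value }
    ' "$1"
}

# Succeeds only when the rotation is switched off (timeout of 0).
rotation_disabled() {
    [ "$(machine_pw_timeout "$1")" = "0" ]
}

# Constructed sample of a member-server smb.conf, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ads
    Machine Password  Timeout = 0
[homes]
    machine password timeout = 604800
EOF
if rotation_disabled "$sample"; then
    echo "OK: Samba rotation disabled, machine.secret stays authoritative"
else
    echo "WARN: Samba may rotate the password every $(machine_pw_timeout "$sample") s"
fi
rm -f "$sample"
```

A non-zero result here means Samba may change the machine password on its own and leave it out of step with machine.secret.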
Successfully tested:
New domain S4: OK

TODO:
Updated domain S4
New domain S3
Updated domain S3
Changelog
- Updated domain S4: OK
- New domain S3: OK
- Updated domain S3: OK
- Changelog: Failed

> The weekly Samba internal password rotation is now disabled

That's true, but the password is now rotated by the UCS scripts. Maybe you can write it more clearly?
Ok, changelog adjusted.
(In reply to comment #5)
> Ok, changelog adjusted.

OK
UCS 3.1-1 has been released:
http://download.univention.de/doc/release-notes-3.1-1_en.pdf
http://download.univention.de/doc/release-notes-3.1-1.pdf

If this error occurs again, please use "Clone This Bug".
*** Bug 23889 has been marked as a duplicate of this bug. ***