Bug 34208 - univention-run-join-scripts fails to read password with -dcpwd
Status: CLOSED INVALID
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
UCS 3.2
Other Linux
P5 normal
UCS 3.2-1-errata
Assigned To: Philipp Hahn
Lukas Walter
Reported: 2014-02-28 15:21 CET by Niko Wenselowski
Modified: 2014-04-07 15:40 CEST
Description Niko Wenselowski 2014-02-28 15:21:04 CET
I have some scripts to do an unattended setup of UCS machines. One of the things done there is to run univention-run-join-scripts if it detects I am setting up a slave. 
I always used the -dcpwd option to have this done unattended. Since UCS 3.2 this does fail. The same script does run without problems in UCS 3.0 and UCS 3.1. Manually running the script without -dcpwd and then entering the password does work.

Steps to reproduce:
1. Set up UCS master server
2. Set up UCS slave server
2.1 Try to run the join scripts with the password handed over in a file:
$ echo "secretDomainAdminPassword" > /tmp/domain_pwd.txt
$ univention-run-join-scripts -dcaccount Administrator -dcpwd /tmp/domain_pwd.txt

Expected behaviour: 
Slave runs the join scripts.

Experienced behaviour:
Script fails with message "Invalid credentials" even though they are correct.
Comment 1 Philipp Hahn univentionstaff 2014-04-03 12:35:49 CEST
(In reply to Niko Wenselowski from comment #0)
> I always used the -dcpwd option to have this done unattended. Since UCS 3.2
> this does fail.
...
> $ echo "secretDomainAdminPassword" > /tmp/domain_pwd.txt

Your file is terminated by a new-line, which some tools no longer like, for example "ldapsearch -y /tmp/domain_pwd.txt" uses the complete content of the file for binding. Most other UCS tools (udm, join, ...) now also have an option to read the password directly from a file and follow the same path to take the full content as-is.

Use »echo -n "secretDomainAdminPassword" > /tmp/domain_pwd.txt« (or printf) instead to generate the file.

FYI: The change regarding the terminating new-line was initiated by Bug #14186 for UCS-3.0-0, but the change was not announced in the release notes of 3.0-0.
It starts failing with 3.2 because of Bug #32005, which fixed several quoting problems with univention-run-join-scripts.
Bug #20611 will continue the work to get rid of password on the command-line.
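
An added example (not part of the original comment or of Univention's code) of the fix described above: it writes the password file with printf and owner-only permissions, and checks a file for a trailing newline or loose permissions before it is passed to -dcpwd. The function names and the temporary directory are assumptions made for the demonstration; the password is the sample value from the report.

```shell
#!/bin/sh
# Added example: create and validate a password file for tools that take the
# complete file content as the password (ldapsearch -y, -dcpwd as described).

# Write the password with no trailing newline, readable by the owner only.
write_pwfile() {  # usage: write_pwfile PATH PASSWORD
    ( umask 077 && printf '%s' "$2" > "$1" )
}

# Succeeds (exit 0) if the last byte of the file is a newline (0x0a).
has_trailing_newline() {
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Succeeds if group or others have any permission bit set on the file.
is_exposed() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Pre-flight check before handing the file to a join or LDAP tool.
check_pwfile() {
    rc=0
    if has_trailing_newline "$1"; then
        echo "$1: trailing newline would become part of the password" >&2
        rc=1
    fi
    if is_exposed "$1"; then
        echo "$1: accessible by group/others, tighten with chmod 600" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed demo: the failing form from the report next to the fixed one.
demo() {
    dir=$(mktemp -d) || return 1
    ( umask 022 && echo "secretDomainAdminPassword" > "$dir/bad.txt" )
    write_pwfile "$dir/good.txt" "secretDomainAdminPassword"
    if check_pwfile "$dir/bad.txt"; then bad=0; else bad=1; fi
    if check_pwfile "$dir/good.txt"; then good=0; else good=1; fi
    bad_len=$(wc -c < "$dir/bad.txt"); good_len=$(wc -c < "$dir/good.txt")
    rm -rf "$dir"
    echo "bad: rc=$bad bytes=$((bad_len)) / good: rc=$good bytes=$((good_len))"
}
demo
```

The one-byte difference in file size is the newline that ends up in the bind password and produces "Invalid credentials".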
Comment 2 Niko Wenselowski 2014-04-04 11:35:56 CEST
(In reply to Philipp Hahn from comment #1)

Hello Philipp,

thank you for your explanation.


> Use »echo -n "secretDomainAdminPassword" > /tmp/domain_pwd.txt« (or printf)
> instead to generate the file.

I am using this workaround now and it works fine.


Kind regards

Niko
Comment 3 Lukas Walter univentionstaff 2014-04-04 15:19:25 CEST
Reproduced the problem, but only because of the newline.

Verified invalid.
Comment 4 Stefan Gohmann univentionstaff 2014-04-07 15:40:07 CEST
OK, nothing to release.