Bug 53661 - After a server-password-change the univention-s4search does not work anymore.
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: Samba maintainers
Samba maintainers
:
Depends on:
Blocks:
Reported: 2021-08-16 11:48 CEST by Christina Scheinig
Modified: 2021-08-16 14:09 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021081221000287
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2021-08-16 11:48:02 CEST
After a server-password-change the univention-s4search does not work anymore. The machine.secret is now base64 encrypted in the secrets.ldb.

cat /etc/machine.secret; echo
:1n,*#JNFQi]KbkfjNI*

ldbsearch -H /var/lib/samba/private/secrets.ldb samaccountname=ucs1$ secret
secret:: OjFuLCojSk5GUWldS2JrZmpOSSo=

ldbsearch -H /var/lib/samba/private/secrets.ldb samaccountname=ucs1$ secret|ldapsearch-decode64
:1n,*#JNFQi]KbkfjNI*


univention-s4search cn=Administrator

Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to 'ldaps://ucs1.schein.de' with backend 'ldaps': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to ldaps://ucs1.schein.de - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>

-------------------------------------------------------------------------
eval "$(ucr shell)"; kinit --password-file=/etc/machine.secret "$hostname$"; kdestroy; kinit -t /etc/krb5.keytab "${hostname^^}$"; kdestroy

works fine, no output

A new server-password-change solves the issue; another machine.secret without ":" was set.
Comment 1 Florian Best univentionstaff 2021-08-16 12:37:13 CEST
This bug is tagged against UCS 4.4 - I assume this is correct?
Is this also the case in UCS 5.0?
Comment 2 Christina Scheinig univentionstaff 2021-08-16 13:29:00 CEST
I haven't checked this. But the customer's environment was 4.4-8 with errata 1020.
Comment 3 Arvid Requate univentionstaff 2021-08-16 14:09:58 CEST
Reproducible: That password breaks univention-s4search.

Moving the colon to the second character doesn't show the problem.
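The "secret::" line in the ldbsearch output of the description is the LDIF rule from RFC 2849: a value whose first byte is ':', '<' or a space, or which contains NUL, CR, LF or non-ASCII bytes, is not a SAFE-STRING and is printed base64-encoded behind a double colon. The following Python example is added here and is not part of the bug report, of UCS or of Samba; it implements that rule and its inverse, checks it against the exact value from the description, and shows why the secret with the colon in second position (comment 3) is printed as plain text. The trailing-space check is an assumption about Samba's ldb going beyond the RFC text.

```python
import base64
from typing import Tuple

# RFC 2849: SAFE-INIT-CHAR excludes NUL, LF, CR, SPACE, ':' and '<';
# SAFE-CHAR excludes NUL, LF and CR; both exclude bytes above 0x7F.
SAFE_INIT_EXCLUDED = {0x00, 0x0A, 0x0D, 0x20, 0x3A, 0x3C}
SAFE_EXCLUDED = {0x00, 0x0A, 0x0D}


def needs_base64(value: bytes) -> bool:
    """True if LDIF requires this attribute value to be written base64-encoded."""
    if not value:
        return False
    if value[0] in SAFE_INIT_EXCLUDED or value[0] > 0x7F:
        return True
    if any(b in SAFE_EXCLUDED or b > 0x7F for b in value):
        return True
    # Assumption: Samba's ldb additionally encodes values ending in a space.
    return value[-1] == 0x20


def ldif_line(attr: str, value: bytes) -> str:
    """Render one attribute line the way ldbsearch/ldapsearch print it."""
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    return f"{attr}: {value.decode('ascii')}"


def parse_ldif_line(line: str) -> Tuple[str, bytes]:
    """Inverse of ldif_line: accepts 'attr: value' and 'attr:: base64'.

    The 'attr:< URL' form of RFC 2849 is not handled here.
    """
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    if rest.startswith(":"):                     # "attr:: b64" form
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.lstrip(" ").encode("ascii")  # "attr: value" form


if __name__ == "__main__":
    reported = b":1n,*#JNFQi]KbkfjNI*"            # value from the report
    moved_colon = b"1:n,*#JNFQi]KbkfjNI*"         # constructed variant, colon second
    print(ldif_line("secret", reported))          # secret:: OjFuLCojSk5GUWldS2JrZmpOSSo=
    print(ldif_line("secret", moved_colon))       # secret: 1:n,*#JNFQi]KbkfjNI*
    print(parse_ldif_line("secret:: OjFuLCojSk5GUWldS2JrZmpOSSo=")[1] == reported)
```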