Attachment #10844 for bug #53182

View | Details | Raw Unified | Return to bug 53182
Collapse All | Expand All

Lines 183-186 custom_groupname() { Link Here

(-)a/base/univention-lib/shell/base.sh (+7 lines)
183	echo -n "${result:-$name}"	183	echo -n "${result:-$name}"
184	}	184	}
185		185
		186	#
		187	# Echo with timestamp
		188	#
		189	echowithtimestamp() {
		190	echo "[$(date '+%F %T.%N')] $@"
		191	}
		192
186	# vim:set sw=4 ts=4 noet:	193	# vim:set sw=4 ts=4 noet:




	exec 3>>/var/log/univention/server_password_change.log
fi

echowithtimestamp "Starting server password change" >&3
FAIL () { # log error message to log file and std-err, then fail
	msg=$(echowithtimestamp "$@")
	echo "$msg" >&3
	echo "$msg" >&2
	exit 1
}
try_ldap () { # try to connect LDAP server

# 2 -> empty
is_ucr_true server/password/change
if [ $? = 1 ]; then
	echowithtimestamp "Server password change is disabled by the UCR variable server/password/change" >&3
	exit 0
fi

[ -n "$server_role" ] ||
	FAIL "failed to change server password: empty config-registry variable server/role"
[ -n "$ldap_hostdn" ] ||
	FAIL "failed to change server password: empty config-registry variable ldap/hostdn"
[ -e "$MSECRET" ] ||
	FAIL "failed to change server password: $MSECRET not found"
[ -e "/var/lib/univention-directory-replication/failed.ldif" ] &&
	FAIL "failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists"

# Allow password change only if it is scheduled.
epoch_last_change="$(stat --format %Y "$MSECRET")"

seconds_last_change="$((epoch- epoch_last_change))"
days_last_change="$((seconds_last_change/60/60/24))"
if [ "$server_password_interval" -gt "$days_last_change" ]; then
	echowithtimestamp "No server password change scheduled for today, terminating without a change" >&3
	exit 0
fi

echowithtimestamp "Proceeding with regular server password change scheduled for today" >&3

# Try to use a trivial command just to check that LDAP server is reachable.
univention-ldapsearch -D "$ldap_hostdn" -y "$MSECRET" -s base 1.1 >/dev/null 2>&3 ||
	FAIL "failed to contact LDAP server: cannot connect with univention-ldapsearch"

old_pass="$(mktemp "$MSECRET.XXXXXXXX")"
new_pass="$(mktemp "$MSECRET.XXXXXXXX")"

# shellcheck disable=SC2015
create_machine_password >"$new_pass" &&
	[ -s "$new_pass" ] ||
	FAIL "failed to change server password: create_machine_password() returned an empty password"

if ! run_hooks prechange
then
	run_hooks nochange
	FAIL "run-parts failed during prechange, rolling back with nochange, server password unchanged"
fi

# check if we are in sync with the Primary Directory Node, if not then rollback with "nochange".

			read -r lid </var/lib/univention-directory-listener/notifier_id
			if [ -x "/usr/share/univention-directory-listener/get_notifier_id.py" ]; then
				nid=$(/usr/share/univention-directory-listener/get_notifier_id.py 2>&3) ||
					echowithtimestamp "Could not get notifier id from Primary Directory Node!" >&3
			fi
			[ "${lid:-0}" = "${nid:-1}" ] &&
					return 0
		fi
		echowithtimestamp "Pending listener transactions (lid=$lid < nid=$nid), waiting ..." >&3
		sleep 2
	done
	run_hooks nochange
	FAIL "Pending listener transactions timeout, rolling back with nochange, server password unchanged"
}
check_in_sync


# then rollback the previous run-parts operation. 
then
	run_hooks nochange
	FAIL "failed to change server password for $ldap_hostdn"
fi

# If the changed server password has really been set correctly, then we can already use it.

		change_password "$new_pass" "$old_pass"

		run_hooks nochange
		FAIL "resetting old server password for $ldap_hostdn, because access to Primary Directory Node LDAP did not work with the new password"
fi

# Now that we are sure the new password already works with Primary Directory Node LDAP,

# if samba-tool user setpassword fails, reset the old password.
then
	revert_password_change
	FAIL "Failed to set new password in samba, machine password set back to old password for $ldap_hostdn."
fi

# The password is changed on the Primary Directory Node now, but it is not clear if

		# changes that would only worsen the situation. Instead, try to rollback.
		# Reset the old password with UDM and give up.
		revert_password_change
		FAIL "Access to local LDAP did not work with the new password, machine password set back to old password for $ldap_hostdn."
fi

# At this point the server password has been changed.


run_hooks postchange

echowithtimestamp "done" >&3
exec 3<&-

exit 0

Line 1 Link Here

(-)a/doc/doc-common (-1 / +1 lines)
1	Subproject commit b774b248b0b8af18853a1d25c802fb1989cb5f44	1	Subproject commit 5dc4ea65f95535aa2b6986463cad9e90d158244c

Lines 6-11 src: univention-mail-postfix Link Here

(-)a/doc/errata/staging/univention-mail-postfix.yaml (-2 / +1 lines)
6	fix: 14.0.1-3A~5.0.0.202110081518	6	fix: 14.0.1-3A~5.0.0.202110081518
7	desc: \|	7	desc: \|
8	This update addresses the following issue:	8	This update addresses the following issue:
9	* Time-stamps were added to the logger output of the server password change	9	* Server password change now logs timestamps.
10	call.
11	bug: [53182]	10	bug: [53182]

Lines 6-10 src: univention-server Link Here

(-)a/doc/errata/staging/univention-server.yaml (-1 / +1 lines)
6	fix: 15.0.4-5A~5.0.0.202110081514	6	fix: 15.0.4-5A~5.0.0.202110081514
7	desc: \|	7	desc: \|
8	This update addresses the following issue:	8	This update addresses the following issue:
9	* Time-stamps were added to the logger output of the password change.	9	* Server password change now logs timestamps.
10	bug: [53182]	10	bug: [53182]

Lines 31-36 Link Here

(-)a/services/univention-samba4/server_password_change.d/univention-samba4 (-3 / +5 lines)
31		31
32	eval "$(univention-config-registry shell)"	32	eval "$(univention-config-registry shell)"
33		33
		34	. /usr/share/univention-lib/base.sh
		35
34	set_machine_secret() {	36	set_machine_secret() {
35	## 1. store password locally in secrets.ldb	37	## 1. store password locally in secrets.ldb
36	old_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${hostname}\$" msDS-KeyVersionNumber \| sed -n 's/msDS-KeyVersionNumber: $.*$/\1/p')	38	old_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${hostname}\$" msDS-KeyVersionNumber \| sed -n 's/msDS-KeyVersionNumber: $.*$/\1/p')
Lines 50-56 set_machine_secret() { Link Here
50	-	52	-
51	%EOF	53	%EOF
52	if [ "$?" -ne "0" ]; then	54	if [ "$?" -ne "0" ]; then
53	echo "ERROR: Storing new password in samba secrets.ldb failed."	55	echowithtimestamp "ERROR: Storing new password in samba secrets.ldb failed." \| logger -t "server-password-change"
54	install -m 0600 /etc/krb5.keytab.SAVE /etc/krb5.keytab	56	install -m 0600 /etc/krb5.keytab.SAVE /etc/krb5.keytab
55	exit 1	57	exit 1
56	fi	58	fi
Lines 64-71 if [ "$1" = "localchange" ]; then Link Here
64		66
65	## if samba-tool user setpassword fails, revert changes to secrets.ldb and krb5.keytab	67	## if samba-tool user setpassword fails, revert changes to secrets.ldb and krb5.keytab
66	if [ "$?" -ne "0" ]; then	68	if [ "$?" -ne "0" ]; then
67	echo "ERROR: Changing machine password in Samba failed."	69	echowithtimestamp "ERROR: Changing machine password in Samba failed." \| logger -t "server-password-change"
68	echo "INFO: Restoring secrets.ldb and krb5.keytab."	70	echowithtimestamp "INFO: Restoring secrets.ldb and krb5.keytab." \| logger -t "server-password-change"
69	old_password=$(tail -n 1 /etc/machine.secret.old \| sed -n 's/^[0-9]*: //p')	71	old_password=$(tail -n 1 /etc/machine.secret.old \| sed -n 's/^[0-9]*: //p')
70	ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF	72	ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
71	dn: flatname=${windows_domain},cn=Primary Domains	73	dn: flatname=${windows_domain},cn=Primary Domains

Return to bug 53182

Lines 49-58 else Link Here

(-)a/base/univention-server/server_password_change (-21 / +22 lines)
49	exec 3>>/var/log/univention/server_password_change.log	49	exec 3>>/var/log/univention/server_password_change.log
50	fi	50	fi
51		51
52	echo "($(date '+%F %T.%N')) Starting server password change" >&3	52	echowithtimestamp "Starting server password change" >&3
53	FAIL () { # log error message to log file and std-err, then fail	53	FAIL () { # log error message to log file and std-err, then fail
54	echo "$@" >&3	54	msg=$(echowithtimestamp "$@")
55	echo "$@" >&2	55	echo "$msg" >&3
		56	echo "$msg" >&2
56	exit 1	57	exit 1
57	}	58	}
58	try_ldap () { # try to connect LDAP server	59	try_ldap () { # try to connect LDAP server
Lines 91-108 restart_udl () { Link Here
91	# 2 -> empty	92	# 2 -> empty
92	is_ucr_true server/password/change	93	is_ucr_true server/password/change
93	if [ $? = 1 ]; then	94	if [ $? = 1 ]; then
94	echo "($(date '+%F %T.%N')) Server password change is disabled by the UCR variable server/password/change" >&3	95	echowithtimestamp "Server password change is disabled by the UCR variable server/password/change" >&3
95	exit 0	96	exit 0
96	fi	97	fi
97		98
98	[ -n "$server_role" ] \|\|	99	[ -n "$server_role" ] \|\|
99	FAIL "($(date '+%F %T.%N')) failed to change server password: empty config-registry variable server/role"	100	FAIL "failed to change server password: empty config-registry variable server/role"
100	[ -n "$ldap_hostdn" ] \|\|	101	[ -n "$ldap_hostdn" ] \|\|
101	FAIL "($(date '+%F %T.%N')) failed to change server password: empty config-registry variable ldap/hostdn"	102	FAIL "failed to change server password: empty config-registry variable ldap/hostdn"
102	[ -e "$MSECRET" ] \|\|	103	[ -e "$MSECRET" ] \|\|
103	FAIL "($(date '+%F %T.%N')) failed to change server password: $MSECRET not found"	104	FAIL "failed to change server password: $MSECRET not found"
104	[ -e "/var/lib/univention-directory-replication/failed.ldif" ] &&	105	[ -e "/var/lib/univention-directory-replication/failed.ldif" ] &&
105	FAIL "($(date '+%F %T.%N')) failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists"	106	FAIL "failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists"
106		107
107	# Allow password change only if it is scheduled.	108	# Allow password change only if it is scheduled.
108	epoch_last_change="$(stat --format %Y "$MSECRET")"	109	epoch_last_change="$(stat --format %Y "$MSECRET")"
Lines 110-124 epoch="$(date +%s)" Link Here
110	seconds_last_change="$((epoch- epoch_last_change))"	111	seconds_last_change="$((epoch- epoch_last_change))"
111	days_last_change="$((seconds_last_change/60/60/24))"	112	days_last_change="$((seconds_last_change/60/60/24))"
112	if [ "$server_password_interval" -gt "$days_last_change" ]; then	113	if [ "$server_password_interval" -gt "$days_last_change" ]; then
113	echo "($(date '+%F %T.%N')) No server password change scheduled for today, terminating without a change" >&3	114	echowithtimestamp "No server password change scheduled for today, terminating without a change" >&3
114	exit 0	115	exit 0
115	fi	116	fi
116		117
117	echo "($(date '+%F %T.%N')) Proceeding with regular server password change scheduled for today" >&3	118	echowithtimestamp "Proceeding with regular server password change scheduled for today" >&3
118		119
119	# Try to use a trivial command just to check that LDAP server is reachable.	120	# Try to use a trivial command just to check that LDAP server is reachable.
120	univention-ldapsearch -D "$ldap_hostdn" -y "$MSECRET" -s base 1.1 >/dev/null 2>&3 \|\|	121	univention-ldapsearch -D "$ldap_hostdn" -y "$MSECRET" -s base 1.1 >/dev/null 2>&3 \|\|
121	FAIL "($(date '+%F %T.%N')) failed to contact LDAP server: cannot connect with univention-ldapsearch"	122	FAIL "failed to contact LDAP server: cannot connect with univention-ldapsearch"
122		123
123	old_pass="$(mktemp "$MSECRET.XXXXXXXX")"	124	old_pass="$(mktemp "$MSECRET.XXXXXXXX")"
124	new_pass="$(mktemp "$MSECRET.XXXXXXXX")"	125	new_pass="$(mktemp "$MSECRET.XXXXXXXX")"
Lines 131-142 ln -f "$MSECRET" "$old_pass" Link Here
131	# shellcheck disable=SC2015	132	# shellcheck disable=SC2015
132	create_machine_password >"$new_pass" &&	133	create_machine_password >"$new_pass" &&
133	[ -s "$new_pass" ] \|\|	134	[ -s "$new_pass" ] \|\|
134	FAIL "($(date '+%F %T.%N')) failed to change server password: create_machine_password() returned an empty password"	135	FAIL "failed to change server password: create_machine_password() returned an empty password"
135		136
136	if ! run_hooks prechange	137	if ! run_hooks prechange
137	then	138	then
138	run_hooks nochange	139	run_hooks nochange
139	FAIL "($(date '+%F %T.%N')) run-parts failed during prechange, rolling back with nochange, server password unchanged"	140	FAIL "run-parts failed during prechange, rolling back with nochange, server password unchanged"
140	fi	141	fi
141		142
142	# check if we are in sync with the Primary Directory Node, if not then rollback with "nochange".	143	# check if we are in sync with the Primary Directory Node, if not then rollback with "nochange".
Lines 153-168 check_in_sync () { Link Here
153	read -r lid </var/lib/univention-directory-listener/notifier_id	154	read -r lid </var/lib/univention-directory-listener/notifier_id
154	if [ -x "/usr/share/univention-directory-listener/get_notifier_id.py" ]; then	155	if [ -x "/usr/share/univention-directory-listener/get_notifier_id.py" ]; then
155	nid=$(/usr/share/univention-directory-listener/get_notifier_id.py 2>&3) \|\|	156	nid=$(/usr/share/univention-directory-listener/get_notifier_id.py 2>&3) \|\|
156	echo "($(date '+%F %T.%N')) Could not get notifier id from Primary Directory Node!" >&3	157	echowithtimestamp "Could not get notifier id from Primary Directory Node!" >&3
157	fi	158	fi
158	[ "${lid:-0}" = "${nid:-1}" ] &&	159	[ "${lid:-0}" = "${nid:-1}" ] &&
159	return 0	160	return 0
160	fi	161	fi
161	echo " ($(date '+%F %T.%N')) Pending listener transactions (lid=$lid < nid=$nid), waiting ..." >&3	162	echowithtimestamp "Pending listener transactions (lid=$lid < nid=$nid), waiting ..." >&3
162	sleep 2	163	sleep 2
163	done	164	done
164	run_hooks nochange	165	run_hooks nochange
165	FAIL "($(date '+%F %T.%N')) Pending listener transactions timeout, rolling back with nochange, server password unchanged"	166	FAIL "Pending listener transactions timeout, rolling back with nochange, server password unchanged"
166	}	167	}
167	check_in_sync	168	check_in_sync
168		169
Lines 172-178 if ! change_password "$old_pass" "$new_pass" Link Here
172	# then rollback the previous run-parts operation.	173	# then rollback the previous run-parts operation.
173	then	174	then
174	run_hooks nochange	175	run_hooks nochange
175	FAIL "($(date '+%F %T.%N')) failed to change server password for $ldap_hostdn"	176	FAIL "failed to change server password for $ldap_hostdn"
176	fi	177	fi
177		178
178	# If the changed server password has really been set correctly, then we can already use it.	179	# If the changed server password has really been set correctly, then we can already use it.
Lines 187-193 then Link Here
187	change_password "$new_pass" "$old_pass"	188	change_password "$new_pass" "$old_pass"
188		189
189	run_hooks nochange	190	run_hooks nochange
190	FAIL "($(date '+%F %T.%N')) resetting old server password for $ldap_hostdn, because access to Primary Directory Node LDAP did not work with the new password"	191	FAIL "resetting old server password for $ldap_hostdn, because access to Primary Directory Node LDAP did not work with the new password"
191	fi	192	fi
192		193
193	# Now that we are sure the new password already works with Primary Directory Node LDAP,	194	# Now that we are sure the new password already works with Primary Directory Node LDAP,
Lines 221-227 if ! run_hooks localchange --regex '^univention-samba4' Link Here
221	# if samba-tool user setpassword fails, reset the old password.	222	# if samba-tool user setpassword fails, reset the old password.
222	then	223	then
223	revert_password_change	224	revert_password_change
224	FAIL "($(date '+%F %T.%N')) Failed to set new password in samba, machine password set back to old password for $ldap_hostdn."	225	FAIL "Failed to set new password in samba, machine password set back to old password for $ldap_hostdn."
225	fi	226	fi
226		227
227	# The password is changed on the Primary Directory Node now, but it is not clear if	228	# The password is changed on the Primary Directory Node now, but it is not clear if
Lines 234-240 then Link Here
234	# changes that would only worsen the situation. Instead, try to rollback.	235	# changes that would only worsen the situation. Instead, try to rollback.
235	# Reset the old password with UDM and give up.	236	# Reset the old password with UDM and give up.
236	revert_password_change	237	revert_password_change
237	FAIL "($(date '+%F %T.%N')) Access to local LDAP did not work with the new password, machine password set back to old password for $ldap_hostdn."	238	FAIL "Access to local LDAP did not work with the new password, machine password set back to old password for $ldap_hostdn."
238	fi	239	fi
239		240
240	# At this point the server password has been changed.	241	# At this point the server password has been changed.
Lines 252-258 esac Link Here
252		253
253	run_hooks postchange	254	run_hooks postchange
254		255
255	echo "($(date '+%F %T.%N')) done" >&3	256	echowithtimestamp "done" >&3
256	exec 3<&-	257	exec 3<&-
257		258
258	exit 0	259	exit 0

Lines 31-40 Link Here

(-)a/mail/univention-mail-postfix/usr/lib/univention-server/server_password_change.d/50univention-mail-server (-2 / +4 lines)
31		31
32	eval "$(univention-config-registry shell)"	32	eval "$(univention-config-registry shell)"
33		33
		34	. /usr/share/univention-lib/base.sh
		35
34	if [ "$1" = "prechange" ] ; then	36	if [ "$1" = "prechange" ] ; then
35	if /etc/init.d/postfix status \| grep -q "is running" ; then	37	if /etc/init.d/postfix status \| grep -q "is running" ; then
36	univention-config-registry set mail/postfix/stoppedbyserverpasswordchange=yes	38	univention-config-registry set mail/postfix/stoppedbyserverpasswordchange=yes
37	echo " ($(date '+%F %T.%N')) stopping postfix due to upcoming server password change" \| logger -t "server-password-change"	39	echowithtimestamp "stopping postfix due to upcoming server password change" \| logger -t "server-password-change"
38	/etc/init.d/postfix stop	40	/etc/init.d/postfix stop
39	fi	41	fi
40	fi	42	fi
Lines 46-52 if [ "$1" = "postchange" -o "$1" = "nochange" ] ; then Link Here
46	univention-config-registry commit /etc/postfix/ldap.*	48	univention-config-registry commit /etc/postfix/ldap.*
47	# start postfix only if it has been stopped by this script	49	# start postfix only if it has been stopped by this script
48	if [ "$mail_postfix_stoppedbyserverpasswordchange" = "yes" ] ; then	50	if [ "$mail_postfix_stoppedbyserverpasswordchange" = "yes" ] ; then
49	echo "($(date '+%F %T.%N')) starting postfix after server password change" \| logger -t "server-password-change"	51	echowithtimestamp "starting postfix after server password change" \| logger -t "server-password-change"
50	/etc/init.d/postfix start	52	/etc/init.d/postfix start
51	univention-config-registry unset mail/postfix/stoppedbyserverpasswordchange	53	univention-config-registry unset mail/postfix/stoppedbyserverpasswordchange
52	fi	54	fi