Univention Bugzilla – Attachment 10844 Details for
Bug 53182
Debugging of failed server_password_change not possible because timestamps are missing
[patch]
Bug53182QA.diff
Bug53182QA.diff (text/plain), 11.60 KB, created by
Arvid Requate
on 2021-10-15 14:21:20 CEST
Description:
Bug53182QA.diff
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2021-10-15 14:21:20 CEST
Size:
11.60 KB
patch
obsolete
>diff --git a/base/univention-lib/shell/base.sh b/base/univention-lib/shell/base.sh
>index 90c7478a02..52806fd7cc 100644
>--- a/base/univention-lib/shell/base.sh
>+++ b/base/univention-lib/shell/base.sh
>@@ -183,4 +183,11 @@ custom_groupname() {
> echo -n "${result:-$name}"
> }
> 
>+#
>+# Echo with timestamp
>+#
>+echowithtimestamp() {
>+ echo "[$(date '+%F %T.%N')] $@"
>+}
>+
> # vim:set sw=4 ts=4 noet:
>diff --git a/base/univention-server/server_password_change b/base/univention-server/server_password_change
>index 2a4f2a9b05..ccf10fee80 100755
>--- a/base/univention-server/server_password_change
>+++ b/base/univention-server/server_password_change
>@@ -49,10 +49,11 @@ else
> exec 3>>/var/log/univention/server_password_change.log
> fi
> 
>-echo "($(date '+%F %T.%N')) Starting server password change" >&3
>+echowithtimestamp "Starting server password change" >&3
> FAIL () { # log error message to log file and std-err, then fail
>- echo "$@" >&3
>- echo "$@" >&2
>+ msg=$(echowithtimestamp "$@")
>+ echo "$msg" >&3
>+ echo "$msg" >&2
> exit 1
> }
> try_ldap () { # try to connect LDAP server 
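Review bot: `echo "[$(date '+%F %T.%N')] $@"` mixes a string with `$@` (ShellCheck SC2145) and relies on `echo`, whose treatment of backslashes and a leading `-` differs between bash and dash, which matters for a function that lives in a library sourced by several scripts. The portable form is `printf '[%s] %s\n' "$(date '+%F %T.%N')" "$*"`. The header comment could also state the contract, e.g. `# Usage: echowithtimestamp MESSAGE... -- print MESSAGE prefixed with the current time (%F %T.%N) to stdout`.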
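Review bot: The new FAIL body changes the prefix of every line written to /var/log/univention/server_password_change.log from `(timestamp)` to `[timestamp]`, and the same format change is applied by the echowithtimestamp calls in the remaining hunks of this file; anything that parses that log (tests, log monitoring) should be checked, and this diff does not show such an adjustment. The diff also does not add a source line for base.sh to server_password_change, so `echowithtimestamp` presumably comes from an existing source of univention-lib in this script (is_ucr_true is already used at line 94) — worth confirming, since an undefined function would make FAIL exit without logging anything. Storing the message once in `msg` and writing it to both fd 3 and stderr is otherwise fine for this exit path.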
>@@ -91,18 +92,18 @@ restart_udl () {
> # 2 -> empty
> is_ucr_true server/password/change
> if [ $? = 1 ]; then
>- echo "($(date '+%F %T.%N')) Server password change is disabled by the UCR variable server/password/change" >&3
>+ echowithtimestamp "Server password change is disabled by the UCR variable server/password/change" >&3
> exit 0
> fi
> 
> [ -n "$server_role" ] ||
>- FAIL "($(date '+%F %T.%N')) failed to change server password: empty config-registry variable server/role"
>+ FAIL "failed to change server password: empty config-registry variable server/role"
> [ -n "$ldap_hostdn" ] ||
>- FAIL "($(date '+%F %T.%N')) failed to change server password: empty config-registry variable ldap/hostdn"
>+ FAIL "failed to change server password: empty config-registry variable ldap/hostdn"
> [ -e "$MSECRET" ] ||
>- FAIL "($(date '+%F %T.%N')) failed to change server password: $MSECRET not found"
>+ FAIL "failed to change server password: $MSECRET not found"
> [ -e "/var/lib/univention-directory-replication/failed.ldif" ] &&
>- FAIL "($(date '+%F %T.%N')) failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists"
>+ FAIL "failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists"
> 
> # Allow password change only if it is scheduled.
> epoch_last_change="$(stat --format %Y "$MSECRET")" 
>@@ -110,15 +111,15 @@ epoch="$(date +%s)"
> seconds_last_change="$((epoch- epoch_last_change))"
> days_last_change="$((seconds_last_change/60/60/24))"
> if [ "$server_password_interval" -gt "$days_last_change" ]; then
>- echo "($(date '+%F %T.%N')) No server password change scheduled for today, terminating without a change" >&3
>+ echowithtimestamp "No server password change scheduled for today, terminating without a change" >&3
> exit 0
> fi
> 
>-echo "($(date '+%F %T.%N')) Proceeding with regular server password change scheduled for today" >&3
>+echowithtimestamp "Proceeding with regular server password change scheduled for today" >&3
> 
> # Try to use a trivial command just to check that LDAP server is reachable.
> univention-ldapsearch -D "$ldap_hostdn" -y "$MSECRET" -s base 1.1 >/dev/null 2>&3 ||
>- FAIL "($(date '+%F %T.%N')) failed to contact LDAP server: cannot connect with univention-ldapsearch"
>+ FAIL "failed to contact LDAP server: cannot connect with univention-ldapsearch"
> 
> old_pass="$(mktemp "$MSECRET.XXXXXXXX")"
> new_pass="$(mktemp "$MSECRET.XXXXXXXX")"
>@@ -131,12 +132,12 @@ ln -f "$MSECRET" "$old_pass"
> # shellcheck disable=SC2015
> create_machine_password >"$new_pass" &&
> [ -s "$new_pass" ] ||
>- FAIL "($(date '+%F %T.%N')) failed to change server password: create_machine_password() returned an empty password"
>+ FAIL "failed to change server password: create_machine_password() returned an empty password"
> 
> if ! run_hooks prechange
> then
> run_hooks nochange
>- FAIL "($(date '+%F %T.%N')) run-parts failed during prechange, rolling back with nochange, server password unchanged"
>+ FAIL "run-parts failed during prechange, rolling back with nochange, server password unchanged"
> fi
> 
> # check if we are in sync with the Primary Directory Node, if not then rollback with "nochange". 
>@@ -153,16 +154,16 @@ check_in_sync () {
> read -r lid </var/lib/univention-directory-listener/notifier_id
> if [ -x "/usr/share/univention-directory-listener/get_notifier_id.py" ]; then
> nid=$(/usr/share/univention-directory-listener/get_notifier_id.py 2>&3) ||
>- echo "($(date '+%F %T.%N')) Could not get notifier id from Primary Directory Node!" >&3
>+ echowithtimestamp "Could not get notifier id from Primary Directory Node!" >&3
> fi
> [ "${lid:-0}" = "${nid:-1}" ] &&
> return 0
> fi
>- echo " ($(date '+%F %T.%N')) Pending listener transactions (lid=$lid < nid=$nid), waiting ..." >&3
>+ echowithtimestamp "Pending listener transactions (lid=$lid < nid=$nid), waiting ..." >&3
> sleep 2
> done
> run_hooks nochange
>- FAIL "($(date '+%F %T.%N')) Pending listener transactions timeout, rolling back with nochange, server password unchanged"
>+ FAIL "Pending listener transactions timeout, rolling back with nochange, server password unchanged"
> }
> check_in_sync
> 
>@@ -172,7 +173,7 @@ if ! change_password "$old_pass" "$new_pass"
> # then rollback the previous run-parts operation.
> then
> run_hooks nochange
>- FAIL "($(date '+%F %T.%N')) failed to change server password for $ldap_hostdn"
>+ FAIL "failed to change server password for $ldap_hostdn"
> fi
> 
> # If the changed server password has really been set correctly, then we can already use it.
>@@ -187,7 +188,7 @@ then
> change_password "$new_pass" "$old_pass"
> 
> run_hooks nochange
>- FAIL "($(date '+%F %T.%N')) resetting old server password for $ldap_hostdn, because access to Primary Directory Node LDAP did not work with the new password"
>+ FAIL "resetting old server password for $ldap_hostdn, because access to Primary Directory Node LDAP did not work with the new password"
> fi
> 
> # Now that we are sure the new password already works with Primary Directory Node LDAP, 
>@@ -221,7 +222,7 @@ if ! run_hooks localchange --regex '^univention-samba4'
> # if samba-tool user setpassword fails, reset the old password.
> then
> revert_password_change
>- FAIL "($(date '+%F %T.%N')) Failed to set new password in samba, machine password set back to old password for $ldap_hostdn."
>+ FAIL "Failed to set new password in samba, machine password set back to old password for $ldap_hostdn."
> fi
> 
> # The password is changed on the Primary Directory Node now, but it is not clear if
>@@ -234,7 +235,7 @@ then
> # changes that would only worsen the situation. Instead, try to rollback.
> # Reset the old password with UDM and give up.
> revert_password_change
>- FAIL "($(date '+%F %T.%N')) Access to local LDAP did not work with the new password, machine password set back to old password for $ldap_hostdn."
>+ FAIL "Access to local LDAP did not work with the new password, machine password set back to old password for $ldap_hostdn."
> fi
> 
> # At this point the server password has been changed.
>@@ -252,7 +253,7 @@ esac
> 
> run_hooks postchange
> 
>-echo "($(date '+%F %T.%N')) done" >&3
>+echowithtimestamp "done" >&3
> exec 3<&-
> 
> exit 0
>diff --git a/doc/doc-common b/doc/doc-common
>index b774b248b0..5dc4ea65f9 160000
>--- a/doc/doc-common
>+++ b/doc/doc-common
>@@ -1 +1 @@
>-Subproject commit b774b248b0b8af18853a1d25c802fb1989cb5f44
>+Subproject commit 5dc4ea65f95535aa2b6986463cad9e90d158244c
>diff --git a/doc/errata/staging/univention-mail-postfix.yaml b/doc/errata/staging/univention-mail-postfix.yaml
>index 6b64c777a5..5cabcf1a19 100644
>--- a/doc/errata/staging/univention-mail-postfix.yaml
>+++ b/doc/errata/staging/univention-mail-postfix.yaml
>@@ -6,6 +6,5 @@ src: univention-mail-postfix
> fix: 14.0.1-3A~5.0.0.202110081518
> desc: |
> This update addresses the following issue:
>- * Time-stamps were added to the logger output of the server password change
>- call.
>+ * Server password change now logs timestamps.
> bug: [53182] 
>diff --git a/doc/errata/staging/univention-server.yaml b/doc/errata/staging/univention-server.yaml
>index 141d39119f..971bdf879c 100644
>--- a/doc/errata/staging/univention-server.yaml
>+++ b/doc/errata/staging/univention-server.yaml
>@@ -6,5 +6,5 @@ src: univention-server
> fix: 15.0.4-5A~5.0.0.202110081514
> desc: |
> This update addresses the following issue:
>- * Time-stamps were added to the logger output of the password change.
>+ * Server password change now logs timestamps.
> bug: [53182]
>diff --git a/mail/univention-mail-postfix/usr/lib/univention-server/server_password_change.d/50univention-mail-server b/mail/univention-mail-postfix/usr/lib/univention-server/server_password_change.d/50univention-mail-server
>index efbb7babf9..23016ce558 100755
>--- a/mail/univention-mail-postfix/usr/lib/univention-server/server_password_change.d/50univention-mail-server
>+++ b/mail/univention-mail-postfix/usr/lib/univention-server/server_password_change.d/50univention-mail-server
>@@ -31,10 +31,12 @@
> 
> eval "$(univention-config-registry shell)"
> 
>+. /usr/share/univention-lib/base.sh
>+
> if [ "$1" = "prechange" ] ; then
> if /etc/init.d/postfix status | grep -q "is running" ; then
> univention-config-registry set mail/postfix/stoppedbyserverpasswordchange=yes
>- echo " ($(date '+%F %T.%N')) stopping postfix due to upcoming server password change" | logger -t "server-password-change"
>+ echowithtimestamp "stopping postfix due to upcoming server password change" | logger -t "server-password-change"
> /etc/init.d/postfix stop
> fi
> fi 
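Review bot: `. /usr/share/univention-lib/base.sh` is now sourced unconditionally by this hook, which makes the univention-mail-postfix hook depend at runtime on the package shipping base.sh; the diff shows no debian/control change for that, so the dependency should be verified (the same applies to the univention-samba4 hook in the next hunk set). If the file is missing, a non-interactive sh aborts at the dot command, so a prechange run would fail and server_password_change would roll back with nochange (as its prechange handling in the earlier hunk shows) rather than continue silently; that is the safer failure mode, but a short comment such as `# provides echowithtimestamp` above the source line would make the reason for the new dependency clear to the next reader.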
>@@ -46,7 +48,7 @@ if [ "$1" = "postchange" -o "$1" = "nochange" ] ; then
> univention-config-registry commit /etc/postfix/ldap.*
> # start postfix only if it has been stopped by this script
> if [ "$mail_postfix_stoppedbyserverpasswordchange" = "yes" ] ; then
>- echo "($(date '+%F %T.%N')) starting postfix after server password change" | logger -t "server-password-change"
>+ echowithtimestamp "starting postfix after server password change" | logger -t "server-password-change"
> /etc/init.d/postfix start
> univention-config-registry unset mail/postfix/stoppedbyserverpasswordchange
> fi
>diff --git a/services/univention-samba4/server_password_change.d/univention-samba4 b/services/univention-samba4/server_password_change.d/univention-samba4
>index 47832c3600..e0b94aa1df 100755
>--- a/services/univention-samba4/server_password_change.d/univention-samba4
>+++ b/services/univention-samba4/server_password_change.d/univention-samba4
>@@ -31,6 +31,8 @@
> 
> eval "$(univention-config-registry shell)"
> 
>+. /usr/share/univention-lib/base.sh
>+
> set_machine_secret() {
> ## 1. store password locally in secrets.ldb
> old_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${hostname}\$" msDS-KeyVersionNumber | sed -n 's/msDS-KeyVersionNumber: \(.*\)/\1/p')
>@@ -50,7 +52,7 @@ set_machine_secret() {
> -
> %EOF
> if [ "$?" -ne "0" ]; then
>- echo "ERROR: Storing new password in samba secrets.ldb failed."
>+ echowithtimestamp "ERROR: Storing new password in samba secrets.ldb failed." | logger -t "server-password-change"
> install -m 0600 /etc/krb5.keytab.SAVE /etc/krb5.keytab
> exit 1
> fi 
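Review bot: In the samba4 hunk at -50,7 the error message moves from the hook's stdout to syslog only (`| logger -t "server-password-change"`); if run_hooks in server_password_change forwarded hook output to the log file on fd 3 (run_hooks is not visible in this diff), this failure will no longer appear in /var/log/univention/server_password_change.log next to the FAIL line that the caller writes afterwards, which is exactly the correlation the bug asks for. The same applies to the two messages in the hunk at -64,8 on the following line. Syslog also stamps every record itself, so the `[timestamp]` prefix is duplicated there; if the message is meant for both sinks, keeping it on stdout as well, e.g. `echowithtimestamp "ERROR: ..." | tee /dev/stderr | logger -t "server-password-change"`, or documenting that syslog is the intended destination, would settle it. Note that the mail hook in the first hunk already used `| logger` before this change, so the behaviour change is specific to the samba4 hook.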
>@@ -64,8 +66,8 @@ if [ "$1" = "localchange" ]; then
> 
> ## if samba-tool user setpassword fails, revert changes to secrets.ldb and krb5.keytab
> if [ "$?" -ne "0" ]; then
>- echo "ERROR: Changing machine password in Samba failed."
>- echo "INFO: Restoring secrets.ldb and krb5.keytab."
>+ echowithtimestamp "ERROR: Changing machine password in Samba failed." | logger -t "server-password-change"
>+ echowithtimestamp "INFO: Restoring secrets.ldb and krb5.keytab." | logger -t "server-password-change"
> old_password=$(tail -n 1 /etc/machine.secret.old | sed -n 's/^[0-9]*: //p')
> ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
> dn: flatname=${windows_domain},cn=Primary Domains