Univention Bugzilla – Attachment 9989 Details for
Bug 49193
Check if the samba4 Password is changed properly, after a server-password-change
[patch]
1.diff
1.diff (text/plain), 4.72 KB, created by
Arvid Requate
on 2019-04-24 11:10:27 CEST
Description:
1.diff
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2019-04-24 11:10:27 CEST
Size:
4.72 KB
patch
obsolete
>diff --git a/base/univention-server/server_password_change b/base/univention-server/server_password_change
>index 99ea147498..362efee411 100755
>--- a/base/univention-server/server_password_change
>+++ b/base/univention-server/server_password_change
>@@ -178,10 +178,7 @@ echo -n "$new_password" >/etc/machine.secret
> chmod 600 /etc/machine.secret
> [ -e /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3
>
>-# change samba password locally
>-run-parts --verbose --arg localchange --regex '^univention-samba4' -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
>-# if samba-tool user setpassword fails, reset the old password.
>-if [ $? != 0 ]; then
>+revert_password_change() {
> # Reset to the old password with UDM
> /usr/sbin/univention-directory-manager "computers/$server_role" modify --binddn "$ldap_hostdn" --bindpwd "$new_password" --dn "$ldap_hostdn" --set password="$old_password" >&3 2>&3
>
>@@ -192,7 +189,14 @@ if [ $? != 0 ]; then
>
> # run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$')
> run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
>+}
>+
>+# change samba password locally
>+run-parts --verbose --arg localchange --regex '^univention-samba4' -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
>+# if samba-tool user setpassword fails, reset the old password.
>+if [ $? != 0 ]; then
> FAIL "resetting old server password for $ldap_hostdn, because samba could not set the new password locally."
>+ revert_password_change
> fi
>
> # The password is changed on the master now, but it is not clear if
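Review bot: `revert_password_change()` is introduced without a header comment although it relies entirely on the caller's globals (`$server_role`, `$ldap_hostdn`, `$new_password`, `$old_password`) and has no parameters or return value; its body runs past the end of this hunk. I would put above the definition: `# Roll back a failed server password change: reset the UDM password to $old_password (binding with $new_password), restore /etc/machine.secret from the .old copy, restart the listener and run the "nochange" hooks. Uses the script's globals.` The machine.secret and listener steps are not visible in this hunk, so confirm that wording against the full function body.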
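Review bot: In the `if [ $? != 0 ]` branch, `FAIL "resetting old server password ..."` now runs before `revert_password_change`, whereas the removed code did the UDM reset, machine.secret rollback and nochange hooks first and called FAIL last. If FAIL terminates the script — which its name and the "Reset the old password with UDM and give up" comment in the next hunk suggest — the rollback never runs and the host keeps a machine password that Samba could not set locally. Swap the two lines so the branch reads `revert_password_change` followed by `FAIL "resetting old server password for $ldap_hostdn, because samba could not set the new password locally."`. If FAIL only logs, a comment saying so is still needed, because the ordering reads as a bug.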
>@@ -213,17 +217,8 @@ do
> # been set with UDM but LDAP does't work with it. Do not continue with
> # changes that would only worsen the situation. Instead, try to rollback.
> # Reset the old password with UDM and give up.
>-
>- /usr/sbin/univention-directory-manager "computers/$server_role" modify --binddn "$ldap_hostdn" --bindpwd "$new_password" --dn "$ldap_hostdn" --set password="$old_password" >&3 2>&3
>-
>- # Rollback /etc/machine.secret and restart listener
>- awk '{pwd=$2}; END {printf("%s", pwd)}' /etc/machine.secret.old > /etc/machine.secret
>- chmod 600 /etc/machine.secret
>- [ -e /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3
>-
>- # run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$')
>- run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
> FAIL "resetting old server password for $ldap_hostdn, because access to local LDAP did not work with the new password"
>+ revert_password_change
> fi
> trial_counter=$(( trial_counter - 1))
> done
>diff --git a/services/univention-samba4/server_password_change.d/univention-samba4 b/services/univention-samba4/server_password_change.d/univention-samba4
>index 0d69c744ea..9745fe5e44 100755
>--- a/services/univention-samba4/server_password_change.d/univention-samba4
>+++ b/services/univention-samba4/server_password_change.d/univention-samba4
>@@ -36,6 +36,9 @@ set_machine_secret() {
> old_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${hostname}\$" msDS-KeyVersionNumber | sed -n 's/msDS-KeyVersionNumber: \(.*\)/\1/p')
> new_kvno=$(($old_kvno + 1))
>
>+ ## Backup /etc/krb5.keytab to avoid key duplication in case a revert is necessary
>+ install -m 0600 /etc/krb5.keytab /etc/krb5.keytab.SAVE
>+
> ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
> dn: flatname=${windows_domain},cn=Primary Domains
> changetype: modify
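Review bot: The same ordering problem appears in this rollback branch: `revert_password_change` is added after `FAIL "... access to local LDAP did not work with the new password"`, while the deleted lines above show the UDM reset, machine.secret restore, listener restart and nochange hooks used to run before FAIL. If FAIL exits, as "give up" in the retained comment suggests, the host stays in exactly the half-changed state this branch exists to undo. Move `revert_password_change` onto the line before the FAIL call. The enclosing `while` loop begins outside the hunk.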
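Review bot: The new `install -m 0600 /etc/krb5.keytab /etc/krb5.keytab.SAVE` leaves a second copy of the host's Kerberos keys on disk, and nothing in this patch removes it on the success path, so the pre-rotation keys stay readable in /etc/krb5.keytab.SAVE after every password change. Its exit status is also unchecked: if the copy fails, the restore added later runs against a missing or stale file without anyone noticing. I would write `install -m 0600 /etc/krb5.keytab /etc/krb5.keytab.SAVE || exit 1` and remove the .SAVE file once `samba-tool user setpassword` has succeeded (or via a `trap ... EXIT`), with a comment on why the copy exists. Whether the keytab is rewritten by the secrets.ldb change or by setpassword is not visible here; `set_machine_secret` continues past the hunk.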
>@@ -46,6 +49,10 @@ set_machine_secret() {
> msDS-KeyVersionNumber: $new_kvno
> -
> %EOF
>+ if [ "$?" -ne "0" ]; then
>+ install -m 0600 /etc/krb5.keytab.SAVE /etc/krb5.keytab
>+ exit 1
>+ fi
>
> ## 2. replace random machine secret in SAM with /etc/machine.secret
> samba-tool user setpassword "${hostname}\$" --newpassword="$(cat /etc/machine.secret)"
>@@ -54,22 +61,24 @@ set_machine_secret() {
> if [ "$1" = "localchange" ]; then
> set_machine_secret
>
>- ## if samba-tool user setpassword fails, revert changes to secrets.ldb
>+ ## if samba-tool user setpassword fails, revert changes to secrets.ldb and krb5.keytab
> if [ "$?" -ne "0" ]; then
>+ old_password=$(tail -n 1 /etc/machine.secret.old | sed -n 's/^[0-9]*: //p')
> ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
> dn: flatname=${windows_domain},cn=Primary Domains
> changetype: modify
> replace: secret
>- secret: $(cat /etc/machine.secret.old | tail -n 1 | sed 's/[0-9]*: //g')
>+ secret: $old_password
> -
> replace: msDS-KeyVersionNumber
> msDS-KeyVersionNumber: $old_kvno
> -
> %EOF
>- test -x /etc/init.d/samba && /etc/init.d/samba restart
>+
>+ install -m 0600 /etc/krb5.keytab.SAVE /etc/krb5.keytab
>+
> exit 1
> fi
>
> test -x /etc/init.d/samba && /etc/init.d/samba restart
> fi
>-
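Review bot: The new failure branch after the `ldbmodify` heredoc restores the keytab and exits without any diagnostic, so a failed secrets.ldb update reaches the caller only as a bare non-zero status from run-parts. Add `echo "ldbmodify on secrets.ldb failed, keeping old machine secret" >&2` before the `exit 1`. Note also that `exit 1` inside `set_machine_secret` ends the hook script instead of returning to the `localchange` caller, which skips the secrets.ldb revert there; that is only safe if ldbmodify leaves secrets.ldb untouched on failure, which this hunk cannot show.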
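Review bot: `old_password=$(tail -n 1 /etc/machine.secret.old | sed -n 's/^[0-9]*: //p')` prints nothing when the last line lacks the `NNN: ` prefix, whereas the replaced `sed 's/[0-9]*: //g'` passed the line through unchanged; with an empty `$old_password` the LDIF below writes `secret: ` and stores an empty machine secret in secrets.ldb, which is worse than the failure being handled. Guard it: `[ -n "$old_password" ] || { echo "cannot read old machine secret from /etc/machine.secret.old" >&2; exit 1; }`. The `test -x /etc/init.d/samba && /etc/init.d/samba restart` on this revert path was dropped in favour of the keytab restore; if samba may already have loaded the interim secret, a restart could still be needed, so a comment explaining why it is no longer required would help.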