diff --git a/base/univention-lib/shell/base.sh b/base/univention-lib/shell/base.sh
index 90c7478a02..52806fd7cc 100644
--- a/base/univention-lib/shell/base.sh
+++ b/base/univention-lib/shell/base.sh
@@ -183,4 +183,11 @@ custom_groupname() {
 echo -n "${result:-$name}"
 }
+#
+# Echo with timestamp
+#
+echowithtimestamp() {
+ echo "[$(date '+%F %T.%N')] $@"
+}
+
 # vim:set sw=4 ts=4 noet:
diff --git a/base/univention-server/server_password_change b/base/univention-server/server_password_change
index 2a4f2a9b05..ccf10fee80 100755
--- a/base/univention-server/server_password_change
+++ b/base/univention-server/server_password_change
@@ -49,10 +49,11 @@ else
 exec 3>>/var/log/univention/server_password_change.log
 fi
-echo "($(date '+%F %T.%N')) Starting server password change" >&3
+echowithtimestamp "Starting server password change" >&3
 FAIL () { # log error message to log file and std-err, then fail
- echo "$@" >&3
- echo "$@" >&2
+ msg=$(echowithtimestamp "$@")
+ echo "$msg" >&3
+ echo "$msg" >&2
 exit 1
 }
 try_ldap () { # try to connect LDAP server
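Review bot: echowithtimestamp builds its output with `$@` inside a double-quoted string and hands it to echo, so a message that starts with -n or -e is consumed as an echo option and ShellCheck reports SC2145 on that line; `printf '[%s] %s\n' "$(date '+%F %T.%N')" "$*"` prints the same line for every caller in this commit (with default IFS) without either issue. The header comment "Echo with timestamp" does not say what is printed or where; `# Print all arguments as one line on stdout, prefixed with "[YYYY-MM-DD HH:MM:SS.NNNNNNNNN]" (GNU date %N).` would. The neighbouring helper custom_groupname is snake_case, so echo_with_timestamp would follow the file's convention, though renaming now touches every caller in this commit.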
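Review bot: FAIL now stamps the message once into msg and writes it to both fd 3 and stderr; that looks deliberate, since two echowithtimestamp calls would stamp the log file and stderr differently, but nothing in the function says so — add `# stamp once so the log file and stderr carry the identical timestamp` above the msg= line. echowithtimestamp must already be in scope here: the hook scripts in this commit gain `. /usr/share/univention-lib/base.sh` while this script does not, so presumably base.sh is sourced earlier in the file, outside this hunk — worth confirming. The `echo "$msg"` lines keep echo's option handling for a message beginning with a dash; `printf '%s\n' "$msg"` avoids that.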
@@ -91,18 +92,18 @@ restart_udl () {
 # 2 -> empty
 is_ucr_true server/password/change
 if [ $? = 1 ]; then
- echo "($(date '+%F %T.%N')) Server password change is disabled by the UCR variable server/password/change" >&3
+ echowithtimestamp "Server password change is disabled by the UCR variable server/password/change" >&3
 exit 0
 fi
 [ -n "$server_role" ] ||
- FAIL "($(date '+%F %T.%N')) failed to change server password: empty config-registry variable server/role"
+ FAIL "failed to change server password: empty config-registry variable server/role"
 [ -n "$ldap_hostdn" ] ||
- FAIL "($(date '+%F %T.%N')) failed to change server password: empty config-registry variable ldap/hostdn"
+ FAIL "failed to change server password: empty config-registry variable ldap/hostdn"
 [ -e "$MSECRET" ] ||
- FAIL "($(date '+%F %T.%N')) failed to change server password: $MSECRET not found"
+ FAIL "failed to change server password: $MSECRET not found"
 [ -e "/var/lib/univention-directory-replication/failed.ldif" ] &&
- FAIL "($(date '+%F %T.%N')) failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists"
+ FAIL "failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists"
 # Allow password change only if it is scheduled.
 epoch_last_change="$(stat --format %Y "$MSECRET")"
@@ -110,15 +111,15 @@ epoch="$(date +%s)"
 seconds_last_change="$((epoch- epoch_last_change))"
 days_last_change="$((seconds_last_change/60/60/24))"
 if [ "$server_password_interval" -gt "$days_last_change" ]; then
- echo "($(date '+%F %T.%N')) No server password change scheduled for today, terminating without a change" >&3
+ echowithtimestamp "No server password change scheduled for today, terminating without a change" >&3
 exit 0
 fi
-echo "($(date '+%F %T.%N')) Proceeding with regular server password change scheduled for today" >&3
+echowithtimestamp "Proceeding with regular server password change scheduled for today" >&3
 # Try to use a trivial command just to check that LDAP server is reachable.
 univention-ldapsearch -D "$ldap_hostdn" -y "$MSECRET" -s base 1.1 >/dev/null 2>&3 ||
- FAIL "($(date '+%F %T.%N')) failed to contact LDAP server: cannot connect with univention-ldapsearch"
+ FAIL "failed to contact LDAP server: cannot connect with univention-ldapsearch"
 old_pass="$(mktemp "$MSECRET.XXXXXXXX")"
 new_pass="$(mktemp "$MSECRET.XXXXXXXX")"
@@ -131,12 +132,12 @@ ln -f "$MSECRET" "$old_pass"
 # shellcheck disable=SC2015
 create_machine_password >"$new_pass" && [ -s "$new_pass" ] ||
- FAIL "($(date '+%F %T.%N')) failed to change server password: create_machine_password() returned an empty password"
+ FAIL "failed to change server password: create_machine_password() returned an empty password"
 if ! run_hooks prechange
 then
 run_hooks nochange
- FAIL "($(date '+%F %T.%N')) run-parts failed during prechange, rolling back with nochange, server password unchanged"
+ FAIL "run-parts failed during prechange, rolling back with nochange, server password unchanged"
 fi
 # check if we are in sync with the Primary Directory Node, if not then rollback with "nochange".
@@ -153,16 +154,16 @@ check_in_sync () {
 read -r lid &3) ||
- echo "($(date '+%F %T.%N')) Could not get notifier id from Primary Directory Node!" >&3
+ echowithtimestamp "Could not get notifier id from Primary Directory Node!" >&3
 fi
 [ "${lid:-0}" = "${nid:-1}" ] && return 0
 fi
- echo " ($(date '+%F %T.%N')) Pending listener transactions (lid=$lid < nid=$nid), waiting ..." >&3
+ echowithtimestamp "Pending listener transactions (lid=$lid < nid=$nid), waiting ..." >&3
 sleep 2
 done
 run_hooks nochange
- FAIL "($(date '+%F %T.%N')) Pending listener transactions timeout, rolling back with nochange, server password unchanged"
+ FAIL "Pending listener transactions timeout, rolling back with nochange, server password unchanged"
 }
 check_in_sync
@@ -172,7 +173,7 @@ if ! change_password "$old_pass" "$new_pass"
 # then rollback the previous run-parts operation.
 then
 run_hooks nochange
- FAIL "($(date '+%F %T.%N')) failed to change server password for $ldap_hostdn"
+ FAIL "failed to change server password for $ldap_hostdn"
 fi
 # If the changed server password has really been set correctly, then we can already use it.
@@ -187,7 +188,7 @@ then
 change_password "$new_pass" "$old_pass"
 run_hooks nochange
- FAIL "($(date '+%F %T.%N')) resetting old server password for $ldap_hostdn, because access to Primary Directory Node LDAP did not work with the new password"
+ FAIL "resetting old server password for $ldap_hostdn, because access to Primary Directory Node LDAP did not work with the new password"
 fi
 # Now that we are sure the new password already works with Primary Directory Node LDAP,
@@ -221,7 +222,7 @@ if ! run_hooks localchange --regex '^univention-samba4'
 # if samba-tool user setpassword fails, reset the old password.
 then
 revert_password_change
- FAIL "($(date '+%F %T.%N')) Failed to set new password in samba, machine password set back to old password for $ldap_hostdn."
+ FAIL "Failed to set new password in samba, machine password set back to old password for $ldap_hostdn."
 fi
 # The password is changed on the Primary Directory Node now, but it is not clear if
@@ -234,7 +235,7 @@ then
 # changes that would only worsen the situation. Instead, try to rollback.
 # Reset the old password with UDM and give up.
 revert_password_change
- FAIL "($(date '+%F %T.%N')) Access to local LDAP did not work with the new password, machine password set back to old password for $ldap_hostdn."
+ FAIL "Access to local LDAP did not work with the new password, machine password set back to old password for $ldap_hostdn."
 fi
 # At this point the server password has been changed.
@@ -252,7 +253,7 @@ esac
 run_hooks postchange
-echo "($(date '+%F %T.%N')) done" >&3
+echowithtimestamp "done" >&3
 exec 3<&-
 exit 0
diff --git a/doc/doc-common b/doc/doc-common
index b774b248b0..5dc4ea65f9 160000
--- a/doc/doc-common
+++ b/doc/doc-common
@@ -1 +1 @@
-Subproject commit b774b248b0b8af18853a1d25c802fb1989cb5f44
+Subproject commit 5dc4ea65f95535aa2b6986463cad9e90d158244c
diff --git a/doc/errata/staging/univention-mail-postfix.yaml b/doc/errata/staging/univention-mail-postfix.yaml
index 6b64c777a5..5cabcf1a19 100644
--- a/doc/errata/staging/univention-mail-postfix.yaml
+++ b/doc/errata/staging/univention-mail-postfix.yaml
@@ -6,6 +6,5 @@ src: univention-mail-postfix
 fix: 14.0.1-3A~5.0.0.202110081518
 desc: |
 This update addresses the following issue:
- * Time-stamps were added to the logger output of the server password change
- call.
+ * Server password change now logs timestamps.
 bug: [53182]
diff --git a/doc/errata/staging/univention-server.yaml b/doc/errata/staging/univention-server.yaml
index 141d39119f..971bdf879c 100644
--- a/doc/errata/staging/univention-server.yaml
+++ b/doc/errata/staging/univention-server.yaml
@@ -6,5 +6,5 @@ src: univention-server
 fix: 15.0.4-5A~5.0.0.202110081514
 desc: |
 This update addresses the following issue:
- * Time-stamps were added to the logger output of the password change.
+ * Server password change now logs timestamps.
 bug: [53182]
diff --git a/mail/univention-mail-postfix/usr/lib/univention-server/server_password_change.d/50univention-mail-server b/mail/univention-mail-postfix/usr/lib/univention-server/server_password_change.d/50univention-mail-server
index efbb7babf9..23016ce558 100755
--- a/mail/univention-mail-postfix/usr/lib/univention-server/server_password_change.d/50univention-mail-server
+++ b/mail/univention-mail-postfix/usr/lib/univention-server/server_password_change.d/50univention-mail-server
@@ -31,10 +31,12 @@
 eval "$(univention-config-registry shell)"
+. /usr/share/univention-lib/base.sh
+
 if [ "$1" = "prechange" ] ; then
 if /etc/init.d/postfix status | grep -q "is running" ; then
 univention-config-registry set mail/postfix/stoppedbyserverpasswordchange=yes
- echo " ($(date '+%F %T.%N')) stopping postfix due to upcoming server password change" | logger -t "server-password-change"
+ echowithtimestamp "stopping postfix due to upcoming server password change" | logger -t "server-password-change"
 /etc/init.d/postfix stop
 fi
 fi
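Review bot: The hook now relies on a univention-lib whose base.sh defines echowithtimestamp, and because the call's stdout is piped into logger the pipeline's exit status is logger's; with an older base.sh installed the shell prints "command not found" on stderr and the log entry is silently lost while postfix is still stopped and restarted. A versioned dependency of univention-mail-postfix on the univention-lib version that ships echowithtimestamp would close that gap; debian/control is not part of this diff, so this may already be handled elsewhere. The same applies to the univention-samba4 hook in the next file, which sources base.sh the same way. logger prefixes every line with syslog's own timestamp, so each message now carries two; a short comment on the source line, `# base.sh: echowithtimestamp (sub-second timestamp in front of the syslog one)`, would tell the next reader this is intended.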
@@ -46,7 +48,7 @@ if [ "$1" = "postchange" -o "$1" = "nochange" ] ; then
 univention-config-registry commit /etc/postfix/ldap.*
 # start postfix only if it has been stopped by this script
 if [ "$mail_postfix_stoppedbyserverpasswordchange" = "yes" ] ; then
- echo "($(date '+%F %T.%N')) starting postfix after server password change" | logger -t "server-password-change"
+ echowithtimestamp "starting postfix after server password change" | logger -t "server-password-change"
 /etc/init.d/postfix start
 univention-config-registry unset mail/postfix/stoppedbyserverpasswordchange
 fi
diff --git a/services/univention-samba4/server_password_change.d/univention-samba4 b/services/univention-samba4/server_password_change.d/univention-samba4
index 47832c3600..e0b94aa1df 100755
--- a/services/univention-samba4/server_password_change.d/univention-samba4
+++ b/services/univention-samba4/server_password_change.d/univention-samba4
@@ -31,6 +31,8 @@
 eval "$(univention-config-registry shell)"
+. /usr/share/univention-lib/base.sh
+
 set_machine_secret() {
 ## 1. store password locally in secrets.ldb
 old_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${hostname}\$" msDS-KeyVersionNumber | sed -n 's/msDS-KeyVersionNumber: \(.*\)/\1/p')
@@ -50,7 +52,7 @@ set_machine_secret() {
 -
 %EOF
 if [ "$?" -ne "0" ]; then
- echo "ERROR: Storing new password in samba secrets.ldb failed."
+ echowithtimestamp "ERROR: Storing new password in samba secrets.ldb failed." | logger -t "server-password-change"
 install -m 0600 /etc/krb5.keytab.SAVE /etc/krb5.keytab
 exit 1
 fi
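Review bot: The ERROR line in set_machine_secret used to go to the hook's stdout and now goes to syslog only; if run_hooks in server_password_change forwards hook output into /var/log/univention/server_password_change.log (not visible in this diff), the reason for the failure no longer sits next to the FAIL line the main script writes afterwards. `logger -s -t "server-password-change"` sends the message to stderr as well as syslog, which keeps it in whatever stream the caller captures. set_machine_secret begins before this hunk, and the same consideration applies to the two ERROR/INFO lines changed in the localchange branch further down this file.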
@@ -64,8 +66,8 @@ if [ "$1" = "localchange" ]; then
 ## if samba-tool user setpassword fails, revert changes to secrets.ldb and krb5.keytab
 if [ "$?" -ne "0" ]; then
- echo "ERROR: Changing machine password in Samba failed."
- echo "INFO: Restoring secrets.ldb and krb5.keytab."
+ echowithtimestamp "ERROR: Changing machine password in Samba failed." | logger -t "server-password-change"
+ echowithtimestamp "INFO: Restoring secrets.ldb and krb5.keytab." | logger -t "server-password-change"
 old_password=$(tail -n 1 /etc/machine.secret.old | sed -n 's/^[0-9]*: //p')
 ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
 dn: flatname=${windows_domain},cn=Primary Domains