Attachment #10844 for bug #53182

View | Details | Raw Unified | Return to bug 53182
Collapse All | Expand All

(-)a/base/univention-lib/shell/base.sh (+7 lines)

Lines 183-186 custom_groupname() {	Link Here

183

	echo -n "${result:-$name}"

183

	echo -n "${result:-$name}"

184

185

186

187

# Echo with timestamp

188

189

echowithtimestamp() {

190

	echo "[$(date '+%F %T.%N')] $@"

191

192

186

# vim:set sw=4 ts=4 noet:

193

# vim:set sw=4 ts=4 noet:




	exec 3>>/var/log/univention/server_password_change.log
fi

echowithtimestamp "Starting server password change" >&3
FAIL () { # log error message to log file and std-err, then fail
	msg=$(echowithtimestamp "$@")
	echo "$msg" >&3
	echo "$msg" >&2
	exit 1
}
try_ldap () { # try to connect LDAP server

# 2 -> empty
is_ucr_true server/password/change
if [ $? = 1 ]; then
	echowithtimestamp "Server password change is disabled by the UCR variable server/password/change" >&3
	exit 0
fi

[ -n "$server_role" ] ||
	FAIL "failed to change server password: empty config-registry variable server/role"
[ -n "$ldap_hostdn" ] ||
	FAIL "failed to change server password: empty config-registry variable ldap/hostdn"
[ -e "$MSECRET" ] ||
	FAIL "failed to change server password: $MSECRET not found"
[ -e "/var/lib/univention-directory-replication/failed.ldif" ] &&
	FAIL "failed to change server password: /var/lib/univention-directory-replication/failed.ldif exists"

# Allow password change only if it is scheduled.
epoch_last_change="$(stat --format %Y "$MSECRET")"

seconds_last_change="$((epoch- epoch_last_change))"
days_last_change="$((seconds_last_change/60/60/24))"
if [ "$server_password_interval" -gt "$days_last_change" ]; then
	echowithtimestamp "No server password change scheduled for today, terminating without a change" >&3
	exit 0
fi

echowithtimestamp "Proceeding with regular server password change scheduled for today" >&3

# Try to use a trivial command just to check that LDAP server is reachable.
univention-ldapsearch -D "$ldap_hostdn" -y "$MSECRET" -s base 1.1 >/dev/null 2>&3 ||
	FAIL "failed to contact LDAP server: cannot connect with univention-ldapsearch"

old_pass="$(mktemp "$MSECRET.XXXXXXXX")"
new_pass="$(mktemp "$MSECRET.XXXXXXXX")"

# shellcheck disable=SC2015
create_machine_password >"$new_pass" &&
	[ -s "$new_pass" ] ||
	FAIL "failed to change server password: create_machine_password() returned an empty password"

if ! run_hooks prechange
then
	run_hooks nochange
	FAIL "run-parts failed during prechange, rolling back with nochange, server password unchanged"
fi

# check if we are in sync with the Primary Directory Node, if not then rollback with "nochange".

			read -r lid </var/lib/univention-directory-listener/notifier_id
			if [ -x "/usr/share/univention-directory-listener/get_notifier_id.py" ]; then
				nid=$(/usr/share/univention-directory-listener/get_notifier_id.py 2>&3) ||
					echowithtimestamp "Could not get notifier id from Primary Directory Node!" >&3
			fi
			[ "${lid:-0}" = "${nid:-1}" ] &&
					return 0
		fi
		echowithtimestamp "Pending listener transactions (lid=$lid < nid=$nid), waiting ..." >&3
		sleep 2
	done
	run_hooks nochange
	FAIL "Pending listener transactions timeout, rolling back with nochange, server password unchanged"
}
check_in_sync


# then rollback the previous run-parts operation. 
then
	run_hooks nochange
	FAIL "failed to change server password for $ldap_hostdn"
fi

# If the changed server password has really been set correctly, then we can already use it.

		change_password "$new_pass" "$old_pass"

		run_hooks nochange
		FAIL "resetting old server password for $ldap_hostdn, because access to Primary Directory Node LDAP did not work with the new password"
fi

# Now that we are sure the new password already works with Primary Directory Node LDAP,

# if samba-tool user setpassword fails, reset the old password.
then
	revert_password_change
	FAIL "Failed to set new password in samba, machine password set back to old password for $ldap_hostdn."
fi

# The password is changed on the Primary Directory Node now, but it is not clear if

		# changes that would only worsen the situation. Instead, try to rollback.
		# Reset the old password with UDM and give up.
		revert_password_change
		FAIL "Access to local LDAP did not work with the new password, machine password set back to old password for $ldap_hostdn."
fi

# At this point the server password has been changed.


run_hooks postchange

echowithtimestamp "done" >&3
exec 3<&-

exit 0

(-)a/doc/doc-common (-1 / +1 lines)

Line 1	Link Here

Subproject commit b774b248b0b8af18853a1d25c802fb1989cb5f44

Subproject commit 5dc4ea65f95535aa2b6986463cad9e90d158244c

(-)a/doc/errata/staging/univention-mail-postfix.yaml (-2 / +1 lines)

Lines 6-11 src: univention-mail-postfix	Link Here

fix: 14.0.1-3A~5.0.0.202110081518

fix: 14.0.1-3A~5.0.0.202110081518

desc: |

desc: |

 This update addresses the following issue:

 This update addresses the following issue:

 * Time-stamps were added to the logger output of the server password change

 * Server password change now logs timestamps.

   call.

bug: [53182]

bug: [53182]

(-)a/doc/errata/staging/univention-server.yaml (-1 / +1 lines)

Lines 6-10 src: univention-server	Link Here

fix: 15.0.4-5A~5.0.0.202110081514

fix: 15.0.4-5A~5.0.0.202110081514

desc: |

desc: |

 This update addresses the following issue:

 This update addresses the following issue:

 * Time-stamps were added to the logger output of the password change.

 * Server password change now logs timestamps.

bug: [53182]

bug: [53182]

(-)a/mail/univention-mail-postfix/usr/lib/univention-server/server_password_change.d/50univention-mail-server (-2 / +4 lines)

Lines 31-40	Link Here

eval "$(univention-config-registry shell)"

eval "$(univention-config-registry shell)"

. /usr/share/univention-lib/base.sh

if [ "$1" = "prechange" ] ; then

if [ "$1" = "prechange" ] ; then

	if /etc/init.d/postfix status | grep -q "is running" ; then

	if /etc/init.d/postfix status | grep -q "is running" ; then

		univention-config-registry set mail/postfix/stoppedbyserverpasswordchange=yes

		univention-config-registry set mail/postfix/stoppedbyserverpasswordchange=yes

		echo " ($(date '+%F %T.%N')) stopping postfix due to upcoming server password change" | logger -t "server-password-change"

		echowithtimestamp "stopping postfix due to upcoming server password change" | logger -t "server-password-change"

		/etc/init.d/postfix stop

		/etc/init.d/postfix stop

fi

fi

fi

fi

Lines 46-52 if [ "$1" = "postchange" -o "$1" = "nochange" ] ; then	Link Here

	univention-config-registry commit /etc/postfix/ldap.*

	univention-config-registry commit /etc/postfix/ldap.*

	# start postfix only if it has been stopped by this script

	# start postfix only if it has been stopped by this script

	if [ "$mail_postfix_stoppedbyserverpasswordchange" = "yes" ] ; then

	if [ "$mail_postfix_stoppedbyserverpasswordchange" = "yes" ] ; then

		echo "($(date '+%F %T.%N')) starting postfix after server password change" | logger -t "server-password-change"

		echowithtimestamp "starting postfix after server password change" | logger -t "server-password-change"

		/etc/init.d/postfix start

		/etc/init.d/postfix start

		univention-config-registry unset mail/postfix/stoppedbyserverpasswordchange

		univention-config-registry unset mail/postfix/stoppedbyserverpasswordchange

fi

fi

(-)a/services/univention-samba4/server_password_change.d/univention-samba4 (-3 / +5 lines)

Lines 31-36	Link Here

eval "$(univention-config-registry shell)"

eval "$(univention-config-registry shell)"

. /usr/share/univention-lib/base.sh

set_machine_secret() {

set_machine_secret() {

	## 1. store password locally in secrets.ldb

	## 1. store password locally in secrets.ldb

	old_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${hostname}\$" msDS-KeyVersionNumber | sed -n 's/msDS-KeyVersionNumber: \(.*\)/\1/p')

	old_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${hostname}\$" msDS-KeyVersionNumber | sed -n 's/msDS-KeyVersionNumber: \(.*\)/\1/p')

Lines 50-56 set_machine_secret() {	Link Here

	%EOF

	%EOF

	if [ "$?" -ne "0" ]; then

	if [ "$?" -ne "0" ]; then

		echo "ERROR: Storing new password in samba secrets.ldb failed."

		echowithtimestamp "ERROR: Storing new password in samba secrets.ldb failed." | logger -t "server-password-change"

		install -m 0600 /etc/krb5.keytab.SAVE /etc/krb5.keytab

		install -m 0600 /etc/krb5.keytab.SAVE /etc/krb5.keytab

		exit 1

		exit 1

fi

fi

Lines 64-71 if [ "$1" = "localchange" ]; then	Link Here

	## if samba-tool user setpassword fails, revert changes to secrets.ldb and krb5.keytab

	## if samba-tool user setpassword fails, revert changes to secrets.ldb and krb5.keytab

	if [ "$?" -ne "0" ]; then

	if [ "$?" -ne "0" ]; then

		echo "ERROR: Changing machine password in Samba failed."

		echowithtimestamp "ERROR: Changing machine password in Samba failed." | logger -t "server-password-change"

		echo "INFO: Restoring secrets.ldb and krb5.keytab."

		echowithtimestamp "INFO: Restoring secrets.ldb and krb5.keytab." | logger -t "server-password-change"

		old_password=$(tail -n 1 /etc/machine.secret.old | sed -n 's/^[0-9]*: //p')

		old_password=$(tail -n 1 /etc/machine.secret.old | sed -n 's/^[0-9]*: //p')

		ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF

		ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF

		dn: flatname=${windows_domain},cn=Primary Domains

		dn: flatname=${windows_domain},cn=Primary Domains

Return to bug 53182