chmod 600 /etc/machine.secret

chmod 600 /etc/machine.secret

[ -e /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3

[ -e /etc/init.d/univention-directory-listener ] && invoke-rc.d univention-directory-listener restart >&3

	# Reset to the old password with UDM

	# Reset to the old password with UDM

	/usr/sbin/univention-directory-manager "computers/$server_role" modify --binddn "$ldap_hostdn" --bindpwd "$new_password" --dn "$ldap_hostdn" --set password="$old_password" >&3 2>&3

	/usr/sbin/univention-directory-manager "computers/$server_role" modify --binddn "$ldap_hostdn" --bindpwd "$new_password" --dn "$ldap_hostdn" --set password="$old_password" >&3 2>&3

	# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$')

	# run hook scripts for "nochange" (which are named '^[A-Za-z0-9_-]+$')

	run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3

	run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3

	FAIL "resetting old server password for $ldap_hostdn, because samba could not set the new password locally."

	FAIL "resetting old server password for $ldap_hostdn, because samba could not set the new password locally."

fi

fi

# The password is changed on the master now, but it is not clear if

# The password is changed on the master now, but it is not clear if

		# been set with UDM but LDAP does't work with it. Do not continue with

		# been set with UDM but LDAP does't work with it. Do not continue with

		# changes that would only worsen the situation. Instead, try to rollback.

		# changes that would only worsen the situation. Instead, try to rollback.

		# Reset the old password with UDM and give up.

		# Reset the old password with UDM and give up.

		FAIL "resetting old server password for $ldap_hostdn, because access to local LDAP did not work with the new password"

		FAIL "resetting old server password for $ldap_hostdn, because access to local LDAP did not work with the new password"

	fi

	fi

	trial_counter=$(( trial_counter - 1))

	trial_counter=$(( trial_counter - 1))

done

done

	old_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${hostname}\$" msDS-KeyVersionNumber | sed -n 's/msDS-KeyVersionNumber: \(.*\)/\1/p')

	old_kvno=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${hostname}\$" msDS-KeyVersionNumber | sed -n 's/msDS-KeyVersionNumber: \(.*\)/\1/p')

	new_kvno=$(($old_kvno + 1))

	new_kvno=$(($old_kvno + 1))

	ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF

	ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF

	dn: flatname=${windows_domain},cn=Primary Domains

	dn: flatname=${windows_domain},cn=Primary Domains

	changetype: modify

	changetype: modify

	msDS-KeyVersionNumber: $new_kvno

	msDS-KeyVersionNumber: $new_kvno

	-

	-

	%EOF

	%EOF

	## 2. replace random machine secret in SAM with /etc/machine.secret

	## 2. replace random machine secret in SAM with /etc/machine.secret

	samba-tool user setpassword "${hostname}\$" --newpassword="$(cat /etc/machine.secret)"

	samba-tool user setpassword "${hostname}\$" --newpassword="$(cat /etc/machine.secret)"

if [ "$1" = "localchange" ]; then

if [ "$1" = "localchange" ]; then

	set_machine_secret

	set_machine_secret

	if [ "$?" -ne "0" ]; then

	if [ "$?" -ne "0" ]; then

		ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF

		ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF

		dn: flatname=${windows_domain},cn=Primary Domains

		dn: flatname=${windows_domain},cn=Primary Domains

		changetype: modify

		changetype: modify

		replace: secret

		replace: secret

		-

		-

		replace: msDS-KeyVersionNumber

		replace: msDS-KeyVersionNumber

		msDS-KeyVersionNumber: $old_kvno

		msDS-KeyVersionNumber: $old_kvno

		-

		-

		%EOF

		%EOF

		exit 1

		exit 1

	fi

	fi

	test -x /etc/init.d/samba && /etc/init.d/samba restart

	test -x /etc/init.d/samba && /etc/init.d/samba restart

fi

fi