Univention Bugzilla – Bug 30621
winbind on memberserver fails to access idmap LDAP backend after password rotation.
Last modified: 2013-11-19 06:42:17 CET
+++ This bug was initially created as a clone of Bug #30170 +++

(In reply to comment #11)
> Please reopen this bug. I updated the server to errata60 and after a reboot I
> had to use 'smbpasswd -w $(</etc/machine.secret)' again to make idmap work.
We should check it with 3.1-1.
Two questions:

1. Is the UCR variable samba/user on the UCS memberserver the same as ldap/hostdn (it should be)? Practically speaking, calling 'smbpasswd -w' should not make a difference for two reasons:
   * In this case server_password_change calls 'smbpasswd -w' (and restarts winbind after that).
   * This command sets the LDAP access credentials for the passdb backend (man smbpasswd), which is only used when LDAP is configured as passdb backend, which is not the case unless samba/memberserver/passdb/ldap is set to 'yes'.

2. So, is samba/memberserver/passdb/ldap set?

The password for the idmap backend should be set in server_password_change using:

  net idmap secret '*' "$(</etc/machine.secret)"
  /etc/init.d/samba restart
  sleep 3
  /etc/init.d/winbind restart
Well, all I can say is that I get the error when I reboot the VM and it is fixed as soon as I do the smbpasswd incarnation and restart winbind :)

  root@vp-s11:~# ucr get samba/user
  cn=vp-s11,cn=memberserver,cn=computers,dc=doa,dc=example,dc=net
  root@vp-s11:~# ucr get ldap/hostdn
  cn=vp-s11,cn=memberserver,cn=computers,dc=doa,dc=example,dc=net
  root@vp-s11:~# ucr get samba/memberserver/passdb/ldap
  root@vp-s11:~#
BTW: The password rotation has happened already weeks ago. It looks like the password isn't propagated from /etc/machine.secret to the proper store (whichever that is) on boot. Why it isn't committed to disk and doesn't stick around on a reboot in the first place I have no clue. Doesn't the smbpasswd also set the PAM LDAP credentials? I can't really recall how I debugged this in the first place but I faintly remember that I wasn't able to log in via SSH as a domain user as long as the password wasn't set. Or something.
I tried to collect the server data via univention-support-info and ran into bug 30630. Looks like it generated something anyway which I uploaded as upload_RJHwYo.bz2
> BTW: The password rotation has happened already weeks ago. It looks like the
> password isn't propagated from /etc/machine.secret to the proper store
> (whichever that is) on boot. Why it isn't committed to disk and stick around
> on a reboot in the first place I have no clue.

Bug 30539 should fix this, we should check this specific Bug again later.

> Doesn't the smbpasswd also set the PAM LDAP credentials?

"smbpasswd -w" stores a given password as cleartext in secrets.tdb for samba. Later, in case samba has passdb backend "ldapsam" configured, it uses this password to bind to the ldap server. UCS memberservers do not directly use any passdb backend by default (but use a winbind DC connection instead) unless explicitly configured via UCR "samba/memberserver/passdb/ldap".
The issues reported and discussed here probably have been caused by Bug 31289 and should be fixed now by the errata update for that bug. Please reopen this bug in case the issues discussed here still persist.

*** This bug has been marked as a duplicate of bug 31289 ***
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2. As such, this bug is moved to the new target milestone.
Please reopen, this was never fixed by bug 31289 which isn't really related since this happens after a reboot.

This just happened again on the same customer machine: The machine password got rotated and the file server failed. I still have to verify but I'm pretty sure the password was rotated on 2013-06-17:

  [2013/06/17 01:01:08.495636, 0] lib/smbldap.c:1225(smbldap_connect_system)
    failed to bind to server ldap://vp-s01.doa.example.net:7389 with dn="cn=vp-s11,cn=memberserver,cn=computers,dc=doa,dc=example,dc=net" Error: Invalid credentials (unknown)

  $ ls -l /etc/machine.secret
  -rw------- 1 root root 8 Jun 17 01:00 /etc/machine.secret

Even after a reboot the problem persists. I just did the well-known 'smbpasswd -w $(</etc/machine.secret)' and have to verify that this fixed the issue.

  $ univention-upgrade --check
  Starting univention-upgrade. Current UCS version is 3.1-1 errata112
  Checking for local repository: skipped
  Checking for release updates: none
  Checking for package updates: found
  Please rerun command without --check argument to install.
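The following is an added monitoring example, not code from this bug report or from Univention: it scans a winbind/samba log for the idmap LDAP bind failure quoted in this comment and reports whether it was logged after the last rotation of /etc/machine.secret, which is the symptom discussed in this thread (the new password never reached secrets.tdb). The winbind log path and the use of GNU date(1) are assumptions; the sample log lines are constructed from the message quoted above.

```shell
# Added example (not from the bug report): detect an idmap LDAP bind failure
# that postdates the last rotation of /etc/machine.secret.
# Assumptions: GNU date(1) (Debian-based UCS) and the log path in the demo.

# Constructed sample in Samba's two-line log format (header line, then the
# indented message), using the timestamps and DN quoted in the report plus
# one unrelated line.
SAMPLE_LOG='[2013/06/17 01:01:08.495636, 0] lib/smbldap.c:1225(smbldap_connect_system)
  failed to bind to server ldap://vp-s01.doa.example.net:7389 with dn="cn=vp-s11,cn=memberserver,cn=computers,dc=doa,dc=example,dc=net" Error: Invalid credentials (unknown)
[2013/06/17 01:05:00.000000, 3] winbindd/winbindd.c:0(main)
  winbindd started'

# Print "YYYY/MM/DD HH:MM:SS" for every idmap bind failure in the log read
# from stdin. Works for the two-line format and for a message folded onto
# its header line (as it appears in the bug report).
idmap_bind_failures() {
    awk '
        /failed to bind to server/ && /Invalid credentials/ {
            if ($0 ~ /^\[/) ts = substr($1, 2) " " substr($2, 1, 8)
            if (ts != "") { print ts; ts = "" }
            next
        }
        /^\[/ { ts = substr($1, 2) " " substr($2, 1, 8) }
    '
}

# Exit 0 when any failure on stdin is later than $1 (same "YYYY/MM/DD HH:MM:SS"
# form). Both strings sort lexicographically, so no date parsing is needed.
failure_after_rotation() {
    idmap_bind_failures | awk -v rot="$1" 'BEGIN { rc = 1 } ($0 > rot) { rc = 0 } END { exit rc }'
}

# Rotation time of the machine secret, taken from the file mtime (GNU date -r).
secret_rotation_time() {
    date -r "${1:-/etc/machine.secret}" '+%Y/%m/%d %H:%M:%S'
}

# Demonstration on the sample: machine.secret was rewritten at 01:00 (its mtime
# in the report) and the bind failure is logged a minute later, so the hint is
# printed. On a live system use: failure_after_rotation "$(secret_rotation_time)" < /var/log/samba/log.winbindd
if printf '%s\n' "$SAMPLE_LOG" | failure_after_rotation '2013/06/17 01:00:00'; then
    echo 'idmap backend still binds with the old password; resync as described in this bug:'
    echo '  net idmap secret "*" "$(</etc/machine.secret)"; /etc/init.d/samba restart; /etc/init.d/winbind restart'
fi
```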
Cloned as bug 31774.
OK, this issue will be checked via Bug #31774.

*** This bug has been marked as a duplicate of bug 31774 ***
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".