Univention Bugzilla – Bug 31649
Joinscript fails to create dns-service account as Samba4 rejects simplistic password
Last modified: 2013-06-19 14:34:59 CEST
The joinscript 98univention-samba4-dns failed in one project environment to create the dns-service account because Samba4 rejected a simplistic password (it contained only characters, IIRC). We should ensure that the password is complex enough, as we do e.g. in setup-s4.sh. Maybe later this can be solved generically via Bug 31281.
This happened again in UCS@school 3.1R2 tests. The impact is more severe in UCS@school since local user creation is disabled later:

=========================================================================
RUNNING 96univention-samba4slavepdc.inst
Waiting for RID Pool replication: done.
ERROR(ldb): Failed to add user 'dns-slave32':  - 0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!
EXITCODE=0
[...]
RUNNING 98univention-samba4-dns.inst
Waiting for RID Pool replication: done.
univention_samaccountname_ldap_check: ldb_add of user and group object is disabled
[...]
RUNNING 98univention-samba4slavepdc-dns.inst
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
=========================================================================
The good news is, that we just need to fix create_spn_account.sh in univention-samba4, and we don't need to fix 96univention-samba4slavepdc.inst or any other UCS@school specific package.
The script now uses the generate_random_password python function from samba, which assures that Microsoft/Samba password complexity criteria are met.

* To test repeatedly with UCS, the machine should be reverted. Otherwise the following commands might be useful:
======================================================================
eval "$(ucr shell)"
udm users/user delete --dn "uid=dns-$hostname,cn=users,$ldap_base"
sed -i '/^univention-samba4-dns/d' /var/univention-join/status
univention-run-join-scripts
ldbsearch -H /var/lib/samba/private/secrets.ldb \
  "samaccountname=dns-$hostname" secret | sed -n 's/^secret: //p' \
  | kinit --password-file=STDIN "dns-$hostname" && echo ok
======================================================================

* To test repeatedly with a UCS@school Samba4 Slave PDC, it's better to revert master+slave. Otherwise the following two commands must be used in addition to the above, to "unjoin" also libunivention-ldb-modules:
======================================================================
eval "$(ucr shell)"
/usr/share/univention-samba4/scripts/register_ldb_module.py \
  -H /var/lib/samba/private/sam.ldb --ignore-exists \
  --remove $samba4_ldb_sam_module_prepend
sed -i '/^libunivention-ldb-modules/d' /var/univention-join/status
======================================================================

Advisory: 2013-06-10-univention-samba4.yaml

The fix has not been merged into ucs_3.2-0 because Bug 31281 addresses this problem more generally.
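The complexity rule that check_password_restrictions enforced against the all-letter password above is Microsoft's "password must meet complexity requirements" policy: the password has to draw on at least three of the character classes upper case, lower case, digit and non-alphanumeric (Windows and Samba count other Unicode letters as a further class, which this example leaves out). The following is an added illustration written for this page; it is not Samba's generate_random_password nor any code from univention-samba4. It implements the 3-of-4 check with a minimum length (7 is the Active Directory default for minPwdLength; the real check uses the domain's value) and a generator from the standard secrets module that retries until a candidate passes, which is the property the fixed create_spn_account.sh now relies on.

```python
import secrets
import string

# Character classes of the Microsoft complexity rule (ASCII only here).
# A password must contain characters from at least MIN_CLASSES of them.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
MIN_CLASSES = 3

# Specials used when *generating* passwords: a subset chosen to be harmless
# when the value passes through shell scripts and ldb tools, as the
# dns-<host> secret does in the join script. The *check* still accepts any
# punctuation as the "special" class.
GENERATOR_SPECIALS = "!#%+,-./:=@_"


def classes_present(password):
    """Return the set of class names that occur in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_complexity(password, min_length=7):
    """True if the password is long enough and uses >= 3 of the 4 classes.

    min_length=7 mirrors the Active Directory default for minPwdLength;
    a domain may configure a larger value (assumption for this example).
    """
    if len(password) < min_length:
        return False
    return len(classes_present(password)) >= MIN_CLASSES


def generate_password(length=24, max_tries=100):
    """Draw random passwords until one satisfies meets_complexity().

    For length 24 the first candidate almost always passes; the loop exists
    so that a caller never receives a password the directory would reject,
    which is exactly the failure mode of the original join script.
    """
    alphabet = (string.ascii_uppercase + string.ascii_lowercase
                + string.digits + GENERATOR_SPECIALS)
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity(candidate):
            return candidate
    raise RuntimeError("no compliant password after %d tries" % max_tries)


if __name__ == "__main__":
    # The kind of value that triggered 0000052D in the log above: letters only.
    print("letters only ->", meets_complexity("abcdefghijklmnop"))
    print("generated    ->", generate_password())
```

Feeding a generated value to `kinit --password-file=STDIN` or `ldbsearch` as in the test commands above works without extra quoting because of the restricted special-character set; if you widen GENERATOR_SPECIALS to all of string.punctuation, quote the value wherever it reaches a shell.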
I've added a test case: /usr/share/ucs-test/51_samba4/53create_spn_account

3.1-1: OK
YAML: OK
3.2: OK, through Bug #31281
Changelog: Failed: not found
(In reply to Stefan Gohmann from comment #4) > Changelog: Failed: not found Is not necessary.
Verified
http://errata.univention.de/ucs/3.1/129.html