Bug 35467 - AD Member Mode: server password change
AD Member Mode: server password change
Product: UCS
Classification: Unclassified
Component: Samba
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-2-errata
Assigned To: Felix Botner
Arvid Requate
Depends on:
  Show dependency treegraph
Reported: 2014-07-25 10:11 CEST by Felix Botner
Modified: 2014-08-07 17:45 CEST (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2014-07-25 10:11:52 CEST
After a server_password_change kinit with the machine account and /etc/machine.secret is no longer possible.

We need to set the new password also on the windows AD. The only method i found is "net ads password", but this needs a administrator username/password.

Maybe we should disable server_password_change in Member Mode for now.
Comment 1 Felix Botner univentionstaff 2014-07-25 10:25:28 CEST
We already set "machine password timeout = 0", so no machine password change in samba.

I added server/password/change=false for Member Mode and unset server/password/change for non Member Mode.
Comment 2 Arvid Requate univentionstaff 2014-07-28 10:39:41 CEST
We should add the following line into server_password_change.d/univention-samba:

  net ads password -P "${hostname^^}\$" "$(cat /etc/machine.secret)"

This needs to be done before storing the new password in secrets.tdb.

With the following commands everything worked:

cat <<%EOF >/usr/lib/univention-server/server_password_change.d/univention-presamba

net ads password -P 'MASTER70$' "$(cat /etc/machine.secret)"
chmod 755 /usr/lib/univention-server/server_password_change.d/univention-presamba


net ads keytab create -P

After that I can grab a ticket for the machine account and use it for an GSSAPI-authenticated LDAP connection to the AD-Server:

kinit --password-file=/etc/machine.secret 'MASTER70$'
ldapsearch -Y GSSAPI -h <my-ad-server> \
     samaccountname=<myhostname>\$ msds-keyversionnumber
Comment 3 Felix Botner univentionstaff 2014-07-28 15:54:56 CEST
added "net ads password" to server_password_change.d/univention-samba postchange for member mode, also added a prechange to check time diff between local and ad server in member mode. If the time diff is too bit (> 180s) to password change is aborted.

 * 2014-07-16-univention-samba.yaml
 * 2014-07-23-univention-lib.yaml
Comment 4 Arvid Requate univentionstaff 2014-07-31 18:34:35 CEST
Apart from Bug 35520 Comment 5 this works.
Comment 5 Arvid Requate univentionstaff 2014-08-04 13:29:00 CEST
Ok, works. Advisory Ok.
Comment 6 Janek Walkenhorst univentionstaff 2014-08-07 17:45:16 CEST
Comment 7 Janek Walkenhorst univentionstaff 2014-08-07 17:45:46 CEST