Univention Bugzilla – Bug 35467
AD Member Mode: server password change
Last modified: 2014-08-07 17:45:46 CEST
After a server_password_change, kinit with the machine account and /etc/machine.secret is no longer possible. We need to set the new password also on the Windows AD. The only method I found is "net ads password", but this needs an administrator username/password. Maybe we should disable server_password_change in Member Mode for now.
We already set "machine password timeout = 0", so no machine password change in samba. I added server/password/change=false for Member Mode and unset server/password/change for non Member Mode.
We should add the following line into server_password_change.d/univention-samba:

net ads password -P "${hostname^^}\$" "$(cat /etc/machine.secret)"

This needs to be done before storing the new password in secrets.tdb. With the following commands everything worked:
=======================================================================
cat <<'%EOF' >/usr/lib/univention-server/server_password_change.d/univention-presamba
#!/bin/sh
# quoted heredoc delimiter: $(cat ...) is expanded when the hook runs, not when the file is written
net ads password -P 'MASTER70$' "$(cat /etc/machine.secret)"
%EOF
chmod 755 /usr/lib/univention-server/server_password_change.d/univention-presamba
/usr/lib/univention-server/server_password_change
net ads keytab create -P
=======================================================================
After that I can grab a ticket for the machine account and use it for a GSSAPI-authenticated LDAP connection to the AD server:
kinit --password-file=/etc/machine.secret 'MASTER70$'
ldapsearch -Y GSSAPI -h <my-ad-server> \
    samaccountname=<myhostname>\$ msds-keyversionnumber
Added "net ads password" to server_password_change.d/univention-samba postchange for member mode, also added a prechange to check the time diff between local and AD server in member mode. If the time diff is too big (> 180s) the password change is aborted.
YAML:
* 2014-07-16-univention-samba.yaml
* 2014-07-23-univention-lib.yaml
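As an added example (not Univention's own hook code), a single server_password_change.d script combining the two pieces described in the comments above: a prechange step that aborts when the clock skew to the AD DC exceeds 180 s, and a postchange step that pushes the new machine password to AD with net ads password and rebuilds the keytab. It assumes the hook receives "prechange" or "postchange" as its first argument, that the AD DC name is in the UCR variable ad/server/fqdn, and that the output of net time -S can be parsed by GNU date -d.

```shell
#!/bin/sh
# Added example hook for /usr/lib/univention-server/server_password_change.d/
# (not Univention's code). Assumption: the phase name is passed as $1.

MAX_SKEW=180                 # seconds; the limit named in the bug comment
SECRET=/etc/machine.secret

# master70 -> 'MASTER70$' : sAMAccountName of the machine account in AD.
machine_account() {
    printf '%s$' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Returns 0 when |local - remote| <= MAX_SKEW, 1 otherwise.
# Takes epoch seconds so the check can be exercised without a DC.
skew_ok() {
    delta=$(( $1 - $2 ))
    [ "$delta" -lt 0 ] && delta=$(( -delta ))
    [ "$delta" -le "$MAX_SKEW" ]
}

# Epoch seconds of the DC clock; assumes GNU date can parse `net time` output.
dc_time() {
    date -d "$(net time -S "$1")" +%s
}

case "$1" in
prechange)
    dc=$(ucr get ad/server/fqdn)   # UCR variable name is an assumption
    if ! skew_ok "$(date +%s)" "$(dc_time "$dc")"; then
        echo "clock skew to $dc exceeds ${MAX_SKEW}s, aborting password change" >&2
        exit 1
    fi
    ;;
postchange)
    acct=$(machine_account "$(hostname)")
    # Push the new password to AD using the machine credentials (-P),
    # then rebuild the keytab so kinit with the machine account works again.
    net ads password -P "$acct" "$(cat "$SECRET")" || exit 1
    net ads keytab create -P || exit 1
    ;;
esac
```

Invoked without a phase argument the script does nothing, so it can be sourced or linted safely.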
Apart from Bug 35520 Comment 5 this works.
Ok, works. Advisory Ok.
http://errata.univention.de/ucs/3.2/164.html
http://errata.univention.de/ucs/3.2/165.html