Univention Bugzilla – Bug 35858
Check machine password
Last modified: 2018-02-02 07:48:35 CET
We should add a system diagnostic plugin which checks the machine password. If the account is not valid, it should be possible to reset the password.
Created attachment 8871
35858-diagnostic-machine-password-420.tar

The attached patches implement an auth check `check_server_password.py` using the /etc/machine.secret against the local/master LDAP. In case of failure, a repair option is presented.

Additionally this checks the UCR variables server/password/change and server/password/interval and gives the user the option to unset server/password/change and reset server/password/interval=21 if server/password/change=no or server/password/interval<1.

To fix the broken machine password, the active UMC session is leveraged to acquire a writable connection to the master LDAP. The content of /etc/machine.secret is written to the password field of the corresponding computer object. If /etc/machine.secret is empty, a new password is generated. Afterwards the script `server_password_change` is executed.

Access to the active UMC session required a slight rework of existing check plugins: the UMC instance passes a self-reference to the check plugins.
Committed in r81605 - r81606 (advisory r81649).
(In reply to Lukas Oyen from comment #2)
> Committed in r81605 - r81606 (advisory r81649).

Committed in r81597-r81599, sorry.
Created attachment 9145
fix_server_password.patch

The fixing part failed because the interval UCR variable was not successfully set to -1. Just this awkward handler_set behaviour. The attached patch fixes this. Also, the /etc/machine.secret should not get stripped (uldap does this, which is bad enough).
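An added example (not part of the attached patches or of UCS code) of the two checks these comments describe: flagging server/password/change=no or server/password/interval<1, and reading /etc/machine.secret without stripping it. The dict standing in for the UCR registry, the function names and the false spellings other than "no" are assumptions.

```python
SECRET_PATH = "/etc/machine.secret"  # path named in the report
DEFAULT_INTERVAL = 21                # value the repair option resets to
# Assumption: spellings other than "no" that also count as false.
FALSE_VALUES = {"no", "false", "0", "off", "disabled"}


def rotation_problems(ucr):
    """Return the rotation variables the check would flag.

    `ucr` is a plain dict standing in for the UCR registry (assumption).
    """
    problems = []
    change = ucr.get("server/password/change")
    if change is not None and change.strip().lower() in FALSE_VALUES:
        problems.append("server/password/change")
    raw = ucr.get("server/password/interval")
    if raw is not None:
        try:
            interval = int(raw)
        except ValueError:
            interval = 0  # non-numeric value is treated as invalid (assumption)
        if interval < 1:
            problems.append("server/password/interval")
    return problems


def planned_fix(ucr):
    """Map each flagged variable to the repair described in the report."""
    fix = {}
    for key in rotation_problems(ucr):
        # None means "unset the variable"; the interval goes back to 21.
        fix[key] = None if key.endswith("/change") else str(DEFAULT_INTERVAL)
    return fix


def read_secret(path=SECRET_PATH):
    """Read the machine secret as raw bytes, without stripping whitespace.

    Returns (secret, is_empty); an empty file is the case in which the
    repair generates a new password.
    """
    with open(path, "rb") as fd:
        secret = fd.read()
    return secret, len(secret) == 0


if __name__ == "__main__":
    sample = {"server/password/change": "no", "server/password/interval": "0"}  # constructed
    print(planned_fix(sample))
```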
Can we also put this test up in the result list somehow (i.e. run it first)? If the machine.secret fails a lot of other tests fail too, which makes it unlikely that the customer will recognize this as the possible cause of all problems (and find the fix button).

And there is a final observation here from my tests: At some point during debugging I got this traceback (line numbers may be different due to printf style debugging..), but I currently don't know how to trigger this code path again. Maybe it's just an artifact of my bogus test method:

====================================================================
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 263, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_server_password.py", line 69, in fix_machine_password
    restore_machine_password(role, umc_instance.get_user_ldap_connection())
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_server_password.py", line 134, in restore_machine_password
    udm_modules.init(ldap_connection, position, computers)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 120, in init
    univention.admin.ucr_overwrite_properties(module, lo)
  File "/usr/lib/pymodules/python2.7/univention/admin/__init__.py", line 60, in ucr_overwrite_properties
    ucr_prefix = ucr_property_prefix % module.module
AttributeError: 'NoneType' object has no attribute 'module'
====================================================================

Maybe something like modules.update() or modules.init(...) is missing for restore_machine_password to succeed?
(In reply to Arvid Requate from comment #5) See also Bug #45284.
(In reply to Arvid Requate from comment #5)
> Can we also put this test up in the result list somehow (i.e. run it first)?
> If the machine.secret fails a lot of other tests fail too, which makes it
> unlikely that the customer will recognize this as the possible cause of all
> problems (and find the fix button).

All Diagnostic modules are now ordered. The JS Grid sorts by criticality and plugin name. A wrong /etc/machine.secret now results in a `Critical` error to actually show it at the top:

4.2-1: r82621-r82623, YAML: r82626
4.2-2: r82630-r82632, YAML: r82635
ok, nice!
<http://errata.software-univention.de/ucs/4.2/166.html>