Bug 35858 - Check machine password
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.2-2-errata
Assigned To: Lukas Oyen
Arvid Requate
Reported: 2014-09-10 08:28 CEST by Stefan Gohmann
Modified: 2018-02-02 07:48 CET

See Also:
What kind of report is it?: Feature Request
oyen: Patch_Available+

35858-diagnostic-machine-password-420.tar (30.00 KB, application/x-tar)
2017-05-22 18:07 CEST, Lukas Oyen
fix_server_password.patch (1.06 KB, patch)
2017-08-24 22:43 CEST, Arvid Requate

Description Stefan Gohmann univentionstaff 2014-09-10 08:28:36 CEST
We should add a system diagnostic plugin which checks the machine password. If the account is not valid, it should be possible to reset the password.
Comment 1 Lukas Oyen univentionstaff 2017-05-22 18:07:16 CEST
Created attachment 8871

The attached patches implement an auth check `check_server_password.py` using the /etc/machine.secret against the local/master LDAP. In case of failure, a repair option is presented.

Additionally this checks the UCR variables server/password/change and server/password/interval and gives the user the option to unset server/password/change and reset server/password/interval=21 if server/password/change=no or server/password/interval<1.

To fix the broken machine password, the active UMC session is leveraged to acquire a writable connection to the master LDAP. The content of /etc/machine.secret is written to the password field of the corresponding computer object. If /etc/machine.secret is empty, a new password is generated. Afterwards the script `server_password_change` is executed.

Access to the active UMC session required a slight rework of existing check plugins: the UMC instance passes a self-reference to the check plugins.
Comment 2 Lukas Oyen univentionstaff 2017-08-01 16:19:59 CEST
Committed in r81605 - r81606 (advisory r81649).
Comment 3 Lukas Oyen univentionstaff 2017-08-01 16:22:42 CEST
(In reply to Lukas Oyen from comment #2)
> Committed in r81605 - r81606 (advisory r81649).

Committed in r81597-r81599, sorry.
Comment 4 Arvid Requate univentionstaff 2017-08-24 22:43:10 CEST
Created attachment 9145

The fixing part failed because the interval UCR variable was not successfully set to -1. Just this awkward handler_set behaviour. The attached patch fixes this. Also, the /etc/machine.secret should not get stripped (uldap does this, which is bad enough).
Comment 5 Arvid Requate univentionstaff 2017-08-24 22:50:27 CEST
Can we also put this test up in the result list somehow (i.e. run it first)? If the machine.secret fails a lot of other tests fail too, which makes it unlikely that the customer will recognize this as the possible cause of all problems (and find the fix button).

And there is a final observation here from my tests: At some point during debugging I got this traceback (line numbers may be different due to printf style debugging..), but I currently don't know how to trigger this code path again. Maybe it's just an artifact of my bogus test method:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 263, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_server_password.py", line 69, in fix_machine_password
    restore_machine_password(role, umc_instance.get_user_ldap_connection())
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_server_password.py", line 134, in restore_machine_password
    udm_modules.init(ldap_connection, position, computers)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 120, in init
    univention.admin.ucr_overwrite_properties(module, lo)
  File "/usr/lib/pymodules/python2.7/univention/admin/__init__.py", line 60, in ucr_overwrite_properties
    ucr_prefix = ucr_property_prefix % module.module
AttributeError: 'NoneType' object has no attribute 'module'

Maybe something like modules.update() or modules.init(...) is missing for restore_machine_password to succeed?
Comment 6 Florian Best univentionstaff 2017-08-29 14:45:50 CEST
(In reply to Arvid Requate from comment #5)
See also Bug #45284.
Comment 7 Lukas Oyen univentionstaff 2017-09-04 15:53:22 CEST
(In reply to Arvid Requate from comment #5)
> Can we also put this test up in the result list somehow (i.e. run it first)?
> If the machine.secret fails a lot of other tests fail too, which makes it
> unlikely that the customer will recognize this as the possible cause of all
> problems (and find the fix button).

All Diagnostic modules are now ordered. The JS Grid sorts by criticality and plugin name. A wrong /etc/machine.secret now results in a `Critical` error to actually show it at the top:

4.2-1: r82621-r82623, YAML: r82626
4.2-2: r82630-r82632, YAML: r82635
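The following is an added example, not the code of the UCS diagnostic plugin or of any attachment in this bug. It sketches the two checks comment 1 describes (a simple bind as the host object with the byte-for-byte content of /etc/machine.secret, plus the server/password/change and server/password/interval UCR checks with their repair hints) and the result ordering comment 7 describes (critical findings first, then by name). The function names (check_machine_secret, check_ucr_rotation, run_diagnostic), the sample DN and passwords, and the use of a plain dict in place of the Univention Config Registry are all assumptions made for the example; the only real library call is the optional python-ldap bind in ldap_bind_ok. One caveat a practitioner should keep in mind is built in: an LDAP simple bind with an empty password is an anonymous bind and "succeeds", so an empty machine.secret must be reported before any bind is attempted.

```python
"""Added example: minimal machine-password diagnostic modelled on comments 1 and 7.
Not the UCS plugin's code; names and sample data are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Optional

# Comment 1: the repair resets server/password/interval to 21 when it is unset or < 1.
DEFAULT_INTERVAL = 21
# Comment 7: results are ordered by criticality, lower rank shown first.
SEVERITY_RANK = {"critical": 0, "warning": 1, "ok": 2}


@dataclass
class Finding:
    name: str
    severity: str              # one of SEVERITY_RANK
    message: str
    fix: Optional[str] = None  # repair hint; the real plugin offers a button instead


def read_machine_secret(path: str = "/etc/machine.secret") -> bytes:
    """Read the machine password byte-for-byte. Comment 4 warns against stripping
    it, so there is deliberately no rstrip() here."""
    with open(path, "rb") as fh:
        return fh.read()


def check_ucr_rotation(ucr: dict) -> list:
    """Comment 1's UCR checks. `ucr` is a dict stand-in for the Univention Config
    Registry (assumption: values are strings, as UCR stores them)."""
    findings = []
    change = ucr.get("server/password/change")
    if change is not None and change.strip().lower() == "no":
        findings.append(Finding("server/password/change", "warning",
                                "automatic machine password rotation is disabled "
                                "(server/password/change=no)",
                                fix="ucr unset server/password/change"))
    interval = ucr.get("server/password/interval")
    if interval is not None:
        try:
            bad = int(interval) < 1
        except ValueError:
            bad = True
        if bad:
            findings.append(Finding("server/password/interval", "warning",
                                    "server/password/interval=%r is not a positive "
                                    "number of days" % interval,
                                    fix="ucr set server/password/interval=%d" % DEFAULT_INTERVAL))
    return findings


def check_machine_secret(machine_dn: str, secret: bytes,
                         bind: Callable[[str, bytes], bool]) -> Finding:
    """Comment 1's auth check: bind as the host object with /etc/machine.secret.
    `bind` is injected so the check runs against a real server (ldap_bind_ok) or a
    fake in tests. An empty secret is rejected before binding: an LDAP simple bind
    with an empty password is anonymous and would look like success."""
    if not secret:
        return Finding("machine.secret", "critical", "/etc/machine.secret is empty",
                       fix="generate a new password and write it to the host object")
    if not bind(machine_dn, secret):
        return Finding("machine.secret", "critical",
                       "LDAP bind as %s with /etc/machine.secret failed" % machine_dn,
                       fix="write /etc/machine.secret to the host object's password "
                           "and run server_password_change")
    return Finding("machine.secret", "ok", "machine password accepted by LDAP")


def ldap_bind_ok(uri: str) -> Callable[[str, bytes], bool]:
    """Bind callable backed by python-ldap (imported lazily so this module loads
    without it). Assumes `uri` points at the local or master LDAP over TLS."""
    def _bind(dn: str, secret: bytes) -> bool:
        import ldap  # python-ldap
        conn = ldap.initialize(uri)
        try:
            conn.simple_bind_s(dn, secret.decode("utf-8"))
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        finally:
            conn.unbind_s()
    return _bind


def run_diagnostic(machine_dn: str, secret: bytes,
                   bind: Callable[[str, bytes], bool], ucr: dict) -> list:
    """Run all checks and order them as comment 7 describes: by criticality, then
    by name, so a broken machine.secret lands at the top of the list."""
    findings = [check_machine_secret(machine_dn, secret, bind)] + check_ucr_rotation(ucr)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.name))


if __name__ == "__main__":
    # Constructed sample: the host's stored password no longer matches the local
    # secret, and rotation has been switched off with a zero interval.
    dn = "cn=member01,cn=computers,dc=example,dc=com"
    directory = {dn: b"s3cret"}          # fake server-side password store
    fake_bind = lambda who, pw: directory.get(who) == pw
    ucr = {"server/password/change": "no", "server/password/interval": "0"}
    for f in run_diagnostic(dn, b"old-s3cret", fake_bind, ucr):
        print(f.severity.upper(), f.name, "-", f.message, "(fix: %s)" % f.fix if f.fix else "")
```

Against a real UCS host the bind callable would be `ldap_bind_ok("ldaps://master.example.com")` and the secret `read_machine_secret()`; everything else stays as above. Swapping the fake for the real bind is the only change, which is what makes the severity and ordering logic testable offline.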
Comment 8 Arvid Requate univentionstaff 2017-09-07 14:45:40 CEST
ok, nice!
Comment 9 Erik Damrose univentionstaff 2017-09-20 15:03:33 CEST