Bug 36285 - Joining into AD domain hangs if Admin password is expired
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.0
Other Linux
P5 normal
Assigned To: Samba maintainers
Reported: 2014-10-23 17:36 CEST by Dirk Wiesenthal
Modified: 2019-01-03 07:16 CET

What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057
requate: Patch_Available+


Attachments
kerberos_auth.py (304 bytes, text/plain)
2014-10-23 18:04 CEST, Arvid Requate
check_for_expired_password.patch (1.54 KB, patch)
2015-01-05 16:37 CET, Arvid Requate

Description Dirk Wiesenthal univentionstaff 2014-10-23 17:36:22 CEST
Seen in System setup: The password is accepted by the connection check, but when it comes to actually joining, the join script hangs forever with:

  net ads join -UAdministrator

Turned out the password for the Administrator was expired and Kerberos waited for some user interaction.

No idea whether there are more reasons why the script may hang, maybe one should implement a timeout? Or one may try to find out whether the password is expired?
Comment 1 Arvid Requate univentionstaff 2014-10-23 18:04:25 CEST
Created attachment 6211
kerberos_auth.py

We should either do a simple kinit first like

  kinit Administrator && echo ok

or implement something similar in python, see simple example script attached.
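
One way to combine the pre-check and the timeout raised above, as an added example that is not part of the original comments and is not the attached kerberos_auth.py. The names `preflight_auth`, `fake_kinit` and `demo` and the marker strings are assumptions, and the stand-in commands are constructed so the block runs without a KDC; in real use `cmd` would be a kinit invocation that accepts the password on standard input.

```python
import subprocess
import sys

# Constructed markers; real wording depends on the Kerberos implementation and locale.
EXPIRED_MARKERS = ("password expired", "password has expired")

def preflight_auth(cmd, password, timeout=15):
    """Run a credential check without a terminal; return ok/expired/failed/timeout."""
    try:
        proc = subprocess.run(
            cmd,
            input=password + "\n",    # one line only, then EOF: no answer to a second prompt
            capture_output=True,
            text=True,
            timeout=timeout,          # the child is killed when this elapses
            start_new_session=True,   # no controlling terminal to prompt on
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    output = (proc.stdout + proc.stderr).lower()
    if any(marker in output for marker in EXPIRED_MARKERS):
        return "expired"
    return "ok" if proc.returncode == 0 else "failed"

def fake_kinit(script):
    """Constructed stand-in for kinit so the example runs without a KDC."""
    return [sys.executable, "-c", script]

def demo():
    read_pw = "import sys, time; sys.stdin.readline(); "
    return {
        "valid": preflight_auth(fake_kinit(read_pw + "sys.exit(0)"), "secret"),
        "wrong": preflight_auth(fake_kinit(
            read_pw + "sys.exit('Password incorrect')"), "secret"),
        # Prints the notice, then asks for a new password and gets EOF.
        "expired": preflight_auth(fake_kinit(
            read_pw + "print('Password has expired'); "
            "sys.exit(0 if sys.stdin.readline() else 1)"), "secret"),
        # Waits on something that never arrives, like the hung join.
        "hang": preflight_auth(fake_kinit(read_pw + "time.sleep(30)"), "secret", timeout=1),
    }

if __name__ == "__main__":
    print(demo())
```

A join script would only proceed to `net ads join` on "ok" and report "expired" or "timeout" to the user instead of blocking.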
Comment 2 Arvid Requate univentionstaff 2014-12-15 11:55:54 CET
This would fit ideally with Bug 37243.
Comment 3 Arvid Requate univentionstaff 2015-01-05 16:37:32 CET
Created attachment 6569
check_for_expired_password.patch
Comment 4 Stefan Gohmann univentionstaff 2019-01-03 07:16:28 CET
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.