Univention Bugzilla – Bug 53062
Server password change can cause ppolicy lockout
Last modified: 2023-04-17 12:11:05 CEST
In a customer environment a server password change caused several ppolicy lockouts, but not every time. I now found that univention-dhcp is not stopped in the pre script. Actually there is a host in the customer network that is not configured and dhcp has no pool for it, so there are several requests per minute. As dhcp is only restarted after the server password change, the lockout of the machine account already happened during the password change. But even after a restart of univention-dhcp the lockout took place. I'm not sure, but I read that a restart does not reload the dhcp config and read the secret from the file again. So, from my understanding, it must be a stop and a start. I changed /usr/lib/univention-server/server_password_change.d/univention-dhcp in pre from "nothing to be done..." to systemctl stop univention-dhcp, and nochange and post to systemctl start univention-dhcp; the server password change then worked without lockout.
It looks like nscd also locks out the machine if prechange is not changed to stop the daemon. It happened in my test environment two times this evening, but not every time, so it is not 100% reproducible. The problem seems to be that if the daemons are not stopped (samba cannot be stopped as far as I know), they will use the old password during the change and can lock out the machine.
See the discussion at Univention Help: https://help.univention.com/t/server-password-change-on-dc-master-fails-reproducible/21289/8
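The hook shape the reporter describes (stop the DHCP daemon before the machine password changes, start it again afterwards, and verify that it is really down before the change proceeds) as an added example. This is not the UCS package's own `server_password_change.d/univention-dhcp` script; it assumes the hook is called with one argument naming the phase (`prechange`, `nochange` or `postchange`), which is not stated on the bug page, and the timeout value is chosen here for illustration.

```shell
#!/bin/sh
# Added example, not the UCS package's own hook script: a
# server_password_change.d hook that stops univention-dhcp before the
# machine password is changed and starts it again afterwards, so the
# daemon never authenticates with the old secret mid-change (which is
# what triggered the ppolicy lockouts in the report).
#
# Assumption (not stated on the bug page): the hook receives one
# argument naming the phase, "prechange", "nochange" or "postchange".

# Map a phase to the service action the report asks for. Returning the
# decision as text keeps it testable without touching systemd.
dhcp_hook_action() {
    case "$1" in
        prechange)  echo stop ;;   # daemon must be down before the change
        nochange)   echo start ;;  # change failed: bring it back, old secret still valid
        postchange) echo start ;;  # change succeeded: a fresh start reads the new secret
        *)          echo none ;;   # unknown phase: do nothing
    esac
}

# After "stop", confirm the unit is really inactive before returning,
# because a daemon still shutting down could send one more request
# with the old password. Timeout (seconds) is an assumed value.
wait_until_inactive() {
    unit=$1
    timeout=${2:-15}
    while [ "$timeout" -gt 0 ]; do
        if ! systemctl is-active --quiet "$unit"; then
            return 0
        fi
        sleep 1
        timeout=$((timeout - 1))
    done
    echo "warning: $unit still active after stop; aborting phase" >&2
    return 1
}

# Run the action against the real unit. "start"/"stop" rather than
# "restart", since the report says a restart did not pick up the secret.
apply_dhcp_hook() {
    action=$(dhcp_hook_action "$1")
    case "$action" in
        stop)
            systemctl stop univention-dhcp
            wait_until_inactive univention-dhcp
            ;;
        start)
            systemctl start univention-dhcp
            ;;
        none)
            :
            ;;
    esac
}

# Only dispatch when invoked as a hook with a phase argument.
if [ "$#" -gt 0 ]; then
    apply_dhcp_hook "$1"
fi
```

The same pattern applies to the nscd hook mentioned in the second comment; services that cannot be stopped around the change (the report names samba) need a different mitigation, which the page does not specify.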