Univention Bugzilla – Bug 53661
After a server-password-change the univention-s4search does not work anymore.
Last modified: 2021-08-16 14:09:58 CEST
After a server-password-change the univention-s4search does not work anymore.
The machine.secret is now base64 encrypted in the secrets.ldb.

cat /etc/machine.secret; echo
:1n,*#JNFQi]KbkfjNI*

ldbsearch -H /var/lib/samba/private/secrets.ldb samaccountname=ucs1$ secret
secret:: OjFuLCojSk5GUWldS2JrZmpOSSo=

ldbsearch -H /var/lib/samba/private/secrets.ldb samaccountname=ucs1$ secret|ldapsearch-decode64
:1n,*#JNFQi]KbkfjNI*

univention-s4search cn=Administrator
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to 'ldaps://ucs1.schein.de' with backend 'ldaps': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to ldaps://ucs1.schein.de - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>

-------------------------------------------------------------------------

eval "$(ucr shell)"; kinit --password-file=/etc/machine.secret "$hostname$"; kdestroy; kinit -t /etc/krb5.keytab "${hostname^^}$"; kdestroy

works fine, no output

A new Server-password-change solves the issue, another machine.secret without ":" was set.
This bug is tagged against UCS 4.4 - I assume this is correct? Is this also the case in UCS 5.0?
I haven't checked this. But the customer's environment was 4.4-8 with errata 1020.
Reproducible: That password breaks univention-s4search. Moving the colon to the second character doesn't show the problem.
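Added example, not part of the bug report and not Univention's code: LDIF (RFC 2849) writes a value that begins with ":", a space or "<" as "attr:: <base64>", which matches the "secret::" line above and the observation that a colon in second position is harmless. The sketch contrasts a reader that only expects "attr: value" with one that handles both forms; the helper names and the second sample are constructed, and whether univention-s4search reads the secret this way is an assumption the report does not confirm.

```shell
# Sample LDIF records. The first secret is the value from this report,
# the second is a constructed variant with the colon in second position.
SAMPLE_B64='dn: cn=constructed
secret:: OjFuLCojSk5GUWldS2JrZmpOSSo='
SAMPLE_PLAIN='dn: cn=constructed
secret: 1:n,*#JNFQi]KbkfjNI*'

# naive_attr ATTR: hypothetical reader that only knows "attr: value".
# It prints nothing for the base64 form, so a caller ends up with an
# empty password and the bind fails with invalid credentials.
naive_attr() {
    sed -n "s/^$1: //p"
}

# ldif_attr ATTR: hypothetical reader that accepts both LDIF value forms.
# Reads LDIF on stdin, prints the decoded value of the first ATTR line,
# returns 1 if ATTR is absent. Folded (continuation) lines are not handled.
# Assumes GNU coreutils base64.
ldif_attr() {
    _attr="$1"
    while IFS= read -r _line; do
        case "$_line" in
            "${_attr}:: "*)
                # Base64 form: strip the prefix and decode.
                printf '%s' "${_line#"${_attr}:: "}" | base64 -d
                return 0 ;;
            "${_attr}: "*)
                # Plain form: the value is literal.
                printf '%s' "${_line#"${_attr}: "}"
                return 0 ;;
        esac
    done
    return 1
}

# Demo: the naive reader loses the leading-colon secret, ldif_attr keeps it.
echo "naive, base64 form : [$(printf '%s\n' "$SAMPLE_B64" | naive_attr secret)]"
echo "robust, base64 form: [$(printf '%s\n' "$SAMPLE_B64" | ldif_attr secret)]"
echo "naive, plain form  : [$(printf '%s\n' "$SAMPLE_PLAIN" | naive_attr secret)]"
```
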