Univention Bugzilla – Bug 54390
Server password change doesn't work in AD membermode
Last modified: 2023-04-24 15:09:06 CEST
In our automatic tests the server password change in AD member mode doesn't work any more, neither on UCS 5 nor on UCS 4. We don't know for how long this has been happening; at least for two months, the test history does not go back that far. The password change fails while trying to set the password on the AD via the "net ads password" command, due to a timeout trying to contact the AD. We can see in the logs:

    Password change failed: Cannot contact any KDC for requested realm

Changing the password works with samba-tool user password -P --newpassword='xxx' or kpasswd though. The net tool seems to have become incompatible; whether it's due to a change in the tool or in AD is unclear. We should change the command to samba-tool.

We should also consider changing the order of commands there. Right now, the whole password change in UCS happens before the password is changed in AD. In AD member mode it should be the other way around in my opinion, because the AD is the leading system. The password change should also check if the password change in AD was successful, and only then change the secrets.tdb accordingly.

TL;DR: Setting the server password via "net ads" does not work in AD member mode any more. We should change the command to samba-tool.
Can you please provide a patch which I can implement on the customers' servers? I think I have two customers running into this issue, every 21 days.

    import subprocess
    import univention.lib.admember

    # change password on ad in member mode
    if samba_role == 'memberserver' and univention.lib.admember.is_localhost_in_admember_mode(ucr=ucr):
        cmd = ['/usr/bin/net', 'ads', 'password', '-P']
        cmd.append('%s$' % ucr.get('hostname', '').upper())  # machine account HOSTNAME$
        cmd.append('%s' % machine_password)
        process = subprocess.Popen(cmd)
        process.wait()  # return code is not checked here
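An added illustration, not the bug's patch nor Univention's code, of the ordering proposed in the description: set the password in AD with samba-tool as shown in the report, check the result, and only then touch the local secret. The function names, the `secrets` dict standing in for secrets.tdb and the injectable `run` parameter are assumptions made for this example.

```python
import subprocess
from typing import Callable, Dict, List

# Constructed example: AD is the leading system in member mode, so the
# machine password is changed there first; the local copy follows only
# when AD accepted the change. Helper names are hypothetical.


def build_samba_tool_cmd(hostname: str, new_password: str) -> List[str]:
    """samba-tool invocation as shown in the report: the machine account
    is '<HOSTNAME>$', authenticated with the current machine password (-P)."""
    account = '%s$' % hostname.upper()
    # Caveat: --newpassword places the secret in argv, where local users can
    # read it from the process table while samba-tool runs.
    return ['/usr/bin/samba-tool', 'user', 'password', '-P',
            '-U', account, '--newpassword=%s' % new_password]


def rotate_machine_password(hostname: str, new_password: str,
                            secrets: Dict[str, str],
                            run: Callable[..., object] = subprocess.run) -> bool:
    """Change the password in AD, then locally.

    Returns True only when both steps succeeded. On an AD failure (timeout,
    "Cannot contact any KDC", NT_STATUS_ACCESS_DENIED, ...) nothing local is
    modified, so the host never keeps a secrets.tdb that AD does not know.
    """
    result = run(build_samba_tool_cmd(hostname, new_password),
                 capture_output=True, text=True)
    if result.returncode != 0:
        return False  # AD did not accept the new password: abort, keep old secret
    # AD accepted the change; only now update the local copy (stand-in for
    # writing secrets.tdb / machine.secret).
    secrets['machine_password'] = new_password
    return True


if __name__ == '__main__':
    # Real invocation; requires samba-tool and a joined member server.
    ok = rotate_machine_password('ucs', 'constructed-example-pw', {})
    print('AD-first rotation succeeded' if ok else 'AD rejected the change')
```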
A workaround would be to deactivate the password change on the customer system.
I set the password in AD via kpasswd. After that, a server password change was done again. After that, the new password did not work in AD, and neither did the password set before by kpasswd, only the one before that.
(In reply to Erik Damrose from comment #2)
> A workaround would be to deactivate the password change on the customer
> system.

Yes, but the customers will only know that after the password change failed, they opened a support ticket, and support repaired the system. So preventing this from happening would be more important!
I tried the patch in one of the environments, and on the command line, and it fails. Even when I changed the password in AD with kpasswd, the server password change with the patched script failed.

    root@UCS:~# samba-tool user password --newpassword=urGXkp9aagprqeWt8lxp -U UCS$ -P
    ERROR: Failed to change password : (-1073741790, "Connection to SAMR pipe of PDC of domain 'BUGGS' failed: NT_STATUS_ACCESS_DENIED")
Packages built. Server password change in AD member mode has been moved to the univention-ad-connector package to avoid problems on systems that don't have univention-samba installed. (See: https://forge.univention.org/bugzilla/show_bug.cgi?id=55582)
Packages built. Server password change in AD member mode has been moved to the univention-ad-connector package to avoid problems on systems that don't have univention-samba installed. See: https://forge.univention.org/bugzilla/show_bug.cgi?id=55582

Package: univention-samba
Version: 14.0.8-4A~5.0.0.202302171430
Branch: ucs_5.0-0
Scope: errata5.0-3

Package: univention-ad-connector
Version: 14.0.13-3A~5.0.0.202302171446
Branch: ucs_5.0-0
Scope: errata5.0-3

univention-samba.yaml
  60d45599a872 | Bug #54390: update advisory
univention-samba (14.0.8-4)
  85f88e3e1308 | Bug #54390: Move server password change in ad membermode out of univention-samba
univention-ad-connector.yaml
  60d45599a872 | Bug #54390: update advisory
  85f88e3e1308 | Bug #54390: Move server password change in ad membermode out of univention-samba
univention-ad-connector (14.0.13-3)
  85f88e3e1308 | Bug #54390: Move server password change in ad membermode out of univention-samba
ucs-test (10.0.10-2)
  85f88e3e1308 | Bug #54390: Move server password change in ad membermode out of univention-samba
<https://errata.software-univention.de/#/?erratum=5.0x587> <https://errata.software-univention.de/#/?erratum=5.0x588>
*** Bug 55582 has been marked as a duplicate of this bug. ***