Bug 55873 - AD-Member: univention-samba joinscript doesn't store machine secret for samba idmap and ldap access
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba
UCS 5.0
Other Linux
: P5 normal (vote)
: ---
Assigned To: Samba maintainers
Samba maintainers
https://git.knut.univention.de/univen...
:
Depends on:
Blocks:
Reported: 2023-03-13 14:38 CET by Arvid Requate
Modified: 2024-02-12 08:45 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.114
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2023030721000686, 2024020721000168
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Arvid Requate univentionstaff 2023-03-13 14:38:38 CET
In AD-Member mode, the joinscript of univention-samba doesn't store the machine secret for samba idmap and ldap access. Support re-ran the joinscript, but it didn't update the password stored in `secrets.tdb`.

Note: This resulted in `WBC_ERR_DOMAIN_NOT_FOUND` messages when accessing file shares or when running `wbinfo --sid-to-uid=<Well-Known-SID-of-Administrator>`. Due to the invalid LDAP password, the "winbindd: idmap child" failed to initialize the default idmap backend and then apparently also skipped initialization of idmap_nss for the domain.
Comment 1 Christina Scheinig univentionstaff 2024-02-07 12:12:56 CET
Now this occurred after server-password-change and therefore after running 26univention-samba.inst

========================
Stopping winbind (via systemctl): winbind.service.
Setting samba/user
Not updating samba/user/pwdfile
Multifile: /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Setting stored password for "cn=ucs-fs02,cn=memberserver,cn=computers,dc=uni,dc=schein,dc=intranet" in secrets.tdb
New SMB password:Failed to read new password!
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Stopping smbd (via systemctl): smbd.service.
Stopping nmbd (via systemctl): nmbd.service.
Starting nmbd (via systemctl): nmbd.service.
Starting smbd (via systemctl): smbd.service.
Object modified: cn=ucs-fs02,cn=memberserver,cn=computers,dc=uni,dc=schein,dc=intranet
Failed to join domain: failed to lookup DC info for domain 'UNI.SCHEIN.INTRANET' over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.
Failed to join domain: failed to find DC for domain UNI - A domain controller for this domain was not found.
Failed to join domain: failed to find DC for domain UNI - A domain controller for this domain was not found.
ERROR: Failed to join via net ads join. Please check your Samba DCs and your DNS and WINS configuration.
EXITCODE=1

==============================
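The joinscript output quoted above shows the pattern that makes this bug hard to spot: the `secrets.tdb` update fails ("Failed to read new password!"), the idmap secret step still reports "Secret stored", and only the later `net ads join` surfaces the bad credentials. The following POSIX shell snippet is an added example, not part of this bug report or of the univention-samba package: it scans a captured joinscript log for exactly these markers and names the first failed step, so an operator re-running the joinscript after a password change can tell a secret-storage failure apart from a plain DC/DNS lookup problem. The two sample logs are constructed here (the failing one abridged from comment 1, the clean one invented with an assumed `EXITCODE=0` trailer); the function names and the stage labels are this example's own.

```shell
#!/bin/sh
# Added example: classify a univention-samba joinscript log by the failure
# signatures seen in this bug. Not code from the bug report or the package.

# Constructed sample logs (temporary files, removed on exit).
SAMPLE_LOG=$(mktemp)
CLEAN_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$CLEAN_LOG"' EXIT

# Failing run, abridged from the output quoted in comment 1.
cat > "$SAMPLE_LOG" <<'EOF'
Setting stored password for "cn=ucs-fs02,cn=memberserver,cn=computers,dc=uni,dc=schein,dc=intranet" in secrets.tdb
New SMB password:Failed to read new password!
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Failed to join domain: failed to lookup DC info for domain 'UNI.SCHEIN.INTRANET' over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.
ERROR: Failed to join via net ads join. Please check your Samba DCs and your DNS and WINS configuration.
EXITCODE=1
EOF

# Constructed clean run (assumed shape; the EXITCODE=0 line is invented).
cat > "$CLEAN_LOG" <<'EOF'
Setting stored password for "cn=ucs-fs02,cn=memberserver,cn=computers,dc=uni,dc=schein,dc=intranet" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
EXITCODE=0
EOF

# joinscript_failure_stage LOGFILE
# Prints the first step that failed: secret-store, net-ads-join, unknown, or ok.
joinscript_failure_stage() {
    log="$1"
    if grep -qF 'Failed to read new password!' "$log"; then
        # The password never reached secrets.tdb; everything after runs on
        # stale credentials even though "Secret stored" is printed later.
        echo "secret-store"
    elif grep -qF 'Failed to join via net ads join' "$log"; then
        echo "net-ads-join"
    elif grep -qF 'EXITCODE=' "$log" && ! grep -qF 'EXITCODE=0' "$log"; then
        echo "unknown"
    else
        echo "ok"
    fi
}

# check_joinscript_log LOGFILE
# Human-readable verdict; returns 0 when the log is clean, 1 otherwise.
check_joinscript_log() {
    stage=$(joinscript_failure_stage "$1")
    case "$stage" in
        ok)
            echo "joinscript log clean"
            return 0
            ;;
        secret-store)
            echo "FAIL: machine password for the computer DN was not stored in secrets.tdb;"
            echo "      idmap/LDAP access and 'net ads join' will fail with bad credentials"
            ;;
        net-ads-join)
            echo "FAIL: net ads join failed; secrets were stored, check DCs, DNS and WINS"
            ;;
        *)
            echo "FAIL: joinscript exited non-zero at an unrecognised step"
            ;;
    esac
    return 1
}

# Usage: run the check over both constructed logs.
check_joinscript_log "$SAMPLE_LOG" || echo "(sample log reproduces the bug)"
check_joinscript_log "$CLEAN_LOG"
```

The ordering of the checks is deliberate: the `net ads join` error is a downstream symptom of the missing secret, so the script reports the secret-storage failure first rather than sending an operator off to debug DNS and WINS as the final error message suggests.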