Univention Bugzilla – Bug 55940
Regression: Server password change doesn't work in AD membermode
Last modified: 2023-06-13 05:39:36 CEST
+++ This bug was initially created as a clone of Bug #54390 +++

In our automatic tests the server password change in AD membermode doesn't work any more, neither on UCS5 nor on UCS4. We don't know how long this has been happening, at least for two months. The test history does not go back that far.

The password change fails trying to set the password on the AD via the "net ads password" command due to a timeout trying to contact the AD. We can see in the logs:

    Password change failed: Cannot contact any KDC for requested realm

Changing the password works with

    samba-tool user password -P --newpassword='xxx'

or kpasswd though. The net tool seems to have become incompatible; whether it's due to a change in the tool or in AD is unclear. We should change the command to samba-tool.

We should also consider changing the order of commands there. Right now, the whole password change in UCS happens before the password is changed in AD. In AD membermode it should be the other way around in my opinion, because the AD is the leading system. The password change should also check if the password change in AD was successful, and only then change the secrets.tdb accordingly.

TL;DR: Setting the server password via "net ads" does not work in AD membermode any more. We should change the command to samba-tool.
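The ordering argued for in the comment above (change the password in AD first, confirm AD accepts it, and only then replace the local secret) as an added POSIX sh example. This is not Univention's code and not the script shipped in univention-ad-connector; the function name `rotate_machine_password` and the two hook commands `AD_SET_PW_CMD` / `AD_CHECK_PW_CMD` are assumptions made here so the control flow can be exercised without a real domain. In a deployment the hooks would wrap samba-tool or a Kerberos bind, as the comment suggests.

```shell
#!/bin/sh
# Added example (not Univention's code): fail-safe ordering for a machine
# password rotation against AD as the leading system. AD is changed first and
# verified; the local secret is replaced only after that, keeping the previous
# value as <secret>.old so a failed rotation can still be diagnosed or undone.
#
# Hypothetical hooks (assumptions for this example, not real project settings):
#   AD_SET_PW_CMD   - reads the new password from stdin; exits 0 if AD stored it
#   AD_CHECK_PW_CMD - reads a password from stdin; exits 0 if AD accepts it
# Passwords are passed over stdin rather than as arguments so they do not show
# up in the process list.

rotate_machine_password() {
    secret_file=$1
    new_pw=$2

    # 1. Change the password in AD, the leading system. Nothing local is
    #    touched if this fails, so the old credential keeps working.
    if ! printf '%s' "$new_pw" | "$AD_SET_PW_CMD"; then
        echo "rotate: AD rejected the password change, local secret untouched" >&2
        return 1
    fi

    # 2. Independently verify the new credential against AD before committing.
    if ! printf '%s' "$new_pw" | "$AD_CHECK_PW_CMD"; then
        echo "rotate: AD does not accept the new password, local secret untouched" >&2
        return 2
    fi

    # 3. Commit locally: keep the old secret, write the new one with mode 0600
    #    and rename it into place so readers never see a half-written file.
    [ -f "$secret_file" ] && cp -p "$secret_file" "$secret_file.old"
    ( umask 077; printf '%s\n' "$new_pw" > "$secret_file.tmp" ) || return 3
    mv "$secret_file.tmp" "$secret_file" || return 3
    return 0
}

# Usage in a real deployment (hooks are site-specific wrappers):
#   AD_SET_PW_CMD=/path/to/set-hook AD_CHECK_PW_CMD=/path/to/check-hook \
#     rotate_machine_password /etc/machine.secret "$new_password"
```

The return codes distinguish "AD never changed" (1) from "AD changed but the verification failed" (2), which is the case an operator most needs to know about, because AD and the local secret may then disagree and the `.old` copy is what gets the host back in.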
We have another problem now. Normal server password change on the server with the ad connector package works. But we moved the critical "ad member server password" part from univention-samba to univention-ad-connector. As we also support additional (samba) servers in the member mode scenario, which only have univention-samba installed, this "ad member server password" part is now missing there and the server password change is incomplete, e.g. access to smb shares no longer works after the password change.

Workaround:

    /usr/bin/samba-tool user password --newpassword=$(password from rrI0YKAHeIPVYg109wHv) -U "$(hostname)\$%$(old password from /etc/machine.secret.old)"
added workaround to scenarios/ad-membermode/autotest-223-admember-w2k12-german-slave.cfg, please remove after bug is fixed
*** Bug 56012 has been marked as a duplicate of this bug. ***
git log --grep "Bug #55940":

    453c8bc368 | move univention-admember to univention-role-server-common
    46b8992762 | Silence univention-admember script non-admember systems
    06f3140362 | Remove test workaround
    097ad26ee7 | Advisory update
scope: ucs_5.0-0-errata5.0-3
src: univention-ad-connector
fix: 14.0.13-6A~5.0.0.202305021129

scope: ucs_5.0-0-errata5.0-3
src: univention-ad-connector
fix: 15.0.7-3A~5.0.0.202305021145

OK - member mode script moved to univention-server
OK - password changed ad member mode (on slave, without univention-samba)
OK - yaml
<https://errata.software-univention.de/#/?erratum=5.0x676> <https://errata.software-univention.de/#/?erratum=5.0x677>
*** Bug 56138 has been marked as a duplicate of this bug. ***