Bug 56138 - Server password change doesn't work in AD membermode on UCS Memberserver
Status: CLOSED DUPLICATE of bug 55940
Product: UCS
Classification: Unclassified
Component: Samba
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Depends on:
Blocks:
Reported: 2023-06-12 17:16 CEST by Stefan Gohmann
Modified: 2023-07-07 13:09 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2023052221000251
Bug group (optional):
Max CVSS v3 score:


Description Stefan Gohmann univentionstaff 2023-06-12 17:16:22 CEST
Similar to Bug #54390

I had to run the password change via kpasswd on a UCS memberserver as it is described here:

https://help.univention.com/t/problem-shares-and-ad-connector-are-not-working-anymore/20185

root@server:~# wbinfo -t
checking the trust secret for domain DOMAIN via RPC calls failed
wbcCheckTrustCredentials(DOMAIN): error code was NT_STATUS_LOGON_FAILURE (0xc000006d)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
root@server:~# tail -1  /etc/machine.secret.old
2306110102: XXXX1
root@server:~# kinit server$
server$@DOMAIN.LOCAL's Password:
root@server:~# cat /etc/machine.secret;echo
XXX2
root@server:~# kpasswd server$
server$@DOMAIN.LOCAL's Password:
New password for server$@DOMAIN.LOCAL:
Verify password - New password for server$@DOMAIN.LOCAL:
Success
root@server:~# wbinfo -t
checking the trust secret for domain DOMAIN via RPC calls succeeded
root@server:~# univention-app info
UCS: 5.0-3 errata664
Installed: dhcp-server=12.0 pkgdb=11.0 samba-memberserver=4.16
Upgradable: 
root@server:~#

Server password change logfile:
------------------------------------------------------------------------------
[2023-06-11 01:02:17.369117647] Proceeding with regular server password change scheduled for today
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-postgresql-password prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba prechange
[2023-06-11 01:02:18.181871449] Performing LDAP modification, set new password ..
Object modified: cn=server,cn=memberserver,cn=computers,dc=domain,dc=local
[2023-06-11 01:02:18.734701153] .. done
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server postchange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.virtual_mailbox
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.external_aliases
Multifile: /etc/postfix/ldap.virtualdomains
Multifile: /etc/postfix/ldap.virtualwithcanonical
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary postchange
b6a42fec-3905-4544-a65d-d80b06cca012
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp postchange
[2023-06-11 01:02:22.945138427] reload or restart isc-dhcp-server.service after server password change
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap postchange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd postchange
Restarting nscd (via systemctl): nscd.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-postgresql-password postchange
File: /etc/postgresql/pam_ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba postchange
machine password stored successfully in secrets.tdb
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Setting stored password for "cn=server,cn=memberserver,cn=computers,dc=domain,dc=local" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Stopping smbd (via systemctl): smbd.service.
Stopping nmbd (via systemctl): nmbd.service.
Starting nmbd (via systemctl): nmbd.service.
Starting smbd (via systemctl): smbd.service.
Restarting winbind (via systemctl): winbind.service.
[2023-06-11 01:02:30.519473818] done
[2023-06-12 01:00:22.742630826] Starting server password change
------------------------------------------------------------------------------
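The log above shows run-parts invoking each hook in server_password_change.d twice, once with "prechange" and once with "postchange", and the report opens with `wbinfo -t` as the check that tells a healthy trust secret apart from a broken one. The following is an added example, not a Univention hook or anything from the page: a hook-style script that, in the postchange phase, runs the trust check and classifies its output using the exact message fragments seen in the report (`via RPC calls succeeded`, `via RPC calls failed`, `NT_STATUS_LOGON_FAILURE`, `WBC_ERR_AUTH_ERROR`), so a silently failed rotation is logged instead of being noticed only when shares stop working. The `WBINFO_CMD` override is a hypothetical knob added so the logic can be exercised without a Samba installation; in a real deployment the default `wbinfo -t` is used.

```shell
#!/bin/sh
# Added example (not Univention's own hook code): a server_password_change.d-style
# hook that verifies the Samba machine-account trust after the password rotation.
# run-parts calls each hook with "prechange" or "postchange", as in the log above.
# WBINFO_CMD is a hypothetical override (defaults to "wbinfo -t") used to test
# the classification logic offline with constructed output.

# Classify `wbinfo -t` output. Return codes: 0 = trust ok, 1 = trust broken,
# 2 = output not recognised. The matched fragments are the ones shown in the report.
classify_trust_output() {
    case "$1" in
        *"via RPC calls succeeded"*)
            return 0 ;;
        *"via RPC calls failed"*|*NT_STATUS_LOGON_FAILURE*|*WBC_ERR_AUTH_ERROR*)
            return 1 ;;
        *)
            return 2 ;;
    esac
}

# Run the trust check and classify what it printed (stderr included, since
# wbinfo reports the failure details there).
check_trust() {
    out=$(${WBINFO_CMD:-wbinfo -t} 2>&1)
    classify_trust_output "$out"
}

# Hook entry point. Only the postchange phase has something to verify:
# by then /etc/machine.secret and secrets.tdb hold the new password.
hook_main() {
    case "$1" in
        prechange)
            return 0 ;;
        postchange)
            if check_trust; then
                echo "trust secret verified after server password change"
                return 0
            fi
            echo "WARNING: trust secret check failed after server password change;" \
                 "the previous secret is kept in /etc/machine.secret.old" >&2
            return 1 ;;
        *)
            echo "usage: $0 prechange|postchange" >&2
            return 2 ;;
    esac
}

# Dispatch when executed as a hook; with no argument the functions are only defined.
[ $# -eq 0 ] || hook_main "$1"
```

Returning non-zero from the postchange phase does not by itself undo the rotation; its value is that the failure lands in the server password change log at the moment it happens, next to the run-parts lines, rather than surfacing later as an opaque NT_STATUS_LOGON_FAILURE.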
Comment 1 Felix Botner univentionstaff 2023-06-12 22:13:32 CEST
With errata 676 univention-role-server-common (15.0.7-3A~5.0.0.202305021145) installs /usr/lib/univention-server/server_password_change.d/univention-admember to change the machine password with "samba-tool" in AD member mode (https://errata.software-univention.de/#/?version=5.0-x&package=univention-server).

So I would say WorksForMe.

Is this enough or should we wait for the customer to confirm that it works (after the update)?
Comment 2 Stefan Gohmann univentionstaff 2023-06-13 05:39:36 CEST
(In reply to Felix Botner from comment #1)
> With errata 676 univention-role-server-common (15.0.7-3A~5.0.0.202305021145)
> installs
> /usr/lib/univention-server/server_password_change.d/univention-admember to
> change the machine password with "samba-tool" on a ad member mode
> (https://errata.software-univention.de/#/?version=5.0-x&package=univention-
> server).
> 
> So i would say WorksForMe.
> 
> Is this enough or should we wait for the customer to confirm that it works
> (after the update)?

No, we can close it as duplicate. Thanks!

*** This bug has been marked as a duplicate of bug 55940 ***