Univention Bugzilla – Bug 56138
Server password change doesn't work in AD membermode on UCS Memberserver
Last modified: 2023-07-07 13:09:40 CEST
Similar to Bug #54390 I had to run the password change via kpasswd on a UCS memberserver as it is described here:
https://help.univention.com/t/problem-shares-and-ad-connector-are-not-working-anymore/20185

root@server:~# wbinfo -t
checking the trust secret for domain DOMAIN via RPC calls failed
wbcCheckTrustCredentials(DOMAIN): error code was NT_STATUS_LOGON_FAILURE (0xc000006d)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
root@server:~# tail -1 /etc/machine.secret.old
2306110102: XXXX1
root@server:~# kinit server$
server$@DOMAIN.LOCAL's Password:
root@server:~# cat /etc/machine.secret;echo
XXX2
root@server:~# kpasswd server$
server$@DOMAIN.LOCAL's Password:
New password for server$@DOMAIN.LOCAL:
Verify password - New password for server$@DOMAIN.LOCAL:
Success
root@server:~# wbinfo -t
checking the trust secret for domain DOMAIN via RPC calls succeeded
root@server:~# univention-app info
UCS: 5.0-3 errata664
Installed: dhcp-server=12.0 pkgdb=11.0 samba-memberserver=4.16
Upgradable:
root@server:~#

Server password change logfile:
------------------------------------------------------------------------------
[2023-06-11 01:02:17.369117647] Proceeding with regular server password change scheduled for today
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-postgresql-password prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba prechange
[2023-06-11 01:02:18.181871449] Performing LDAP modification, set new password ..
Object modified: cn=server,cn=memberserver,cn=computers,dc=domain,dc=local
[2023-06-11 01:02:18.734701153] .. done
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server postchange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.virtual_mailbox
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.external_aliases
Multifile: /etc/postfix/ldap.virtualdomains
Multifile: /etc/postfix/ldap.virtualwithcanonical
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary postchange
b6a42fec-3905-4544-a65d-d80b06cca012
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp postchange
[2023-06-11 01:02:22.945138427] reload or restart isc-dhcp-server.service after server password change
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap postchange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd postchange
Restarting nscd (via systemctl): nscd.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-postgresql-password postchange
File: /etc/postgresql/pam_ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba postchange
machine password stored successfully in secrets.tdb
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Setting stored password for "cn=server,cn=memberserver,cn=computers,dc=domain,dc=local" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Stopping smbd (via systemctl): smbd.service.
Stopping nmbd (via systemctl): nmbd.service.
Starting nmbd (via systemctl): nmbd.service.
Starting smbd (via systemctl): smbd.service.
Restarting winbind (via systemctl): winbind.service.
[2023-06-11 01:02:30.519473818] done
[2023-06-12 01:00:22.742630826] Starting server password change
------------------------------------------------------------------------------

With errata 676 univention-role-server-common (15.0.7-3A~5.0.0.202305021145) installs /usr/lib/univention-server/server_password_change.d/univention-admember to change the machine password with "samba-tool" in AD member mode (https://errata.software-univention.de/#/?version=5.0-x&package=univention-server).

So I would say WorksForMe.

Is this enough or should we wait for the customer to confirm that it works (after the update)?

(In reply to Felix Botner from comment #1)
> With errata 676 univention-role-server-common (15.0.7-3A~5.0.0.202305021145)
> installs
> /usr/lib/univention-server/server_password_change.d/univention-admember to
> change the machine password with "samba-tool" in AD member mode
> (https://errata.software-univention.de/#/?version=5.0-x&package=univention-server).
>
> So I would say WorksForMe.
>
> Is this enough or should we wait for the customer to confirm that it works
> (after the update)?

No, we can close it as duplicate. Thanks!

*** This bug has been marked as a duplicate of bug 55940 ***
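
Added example, not code from this bug report or from Univention: a shell check that reads a server password change log in the format quoted in the report and tells whether the univention-admember hook named in comment #1 ran in the most recent rotation. The sample log is constructed, and it is an assumption that run-parts logs the new hook with the same "run-parts: executing" line as the other hooks.

```shell
#!/bin/bash
# Added example (not Univention code): audit a server password change log.
HOOK_DIR=/usr/lib/univention-server/server_password_change.d  # as in the quoted log

# Print "<phase> <hook>" for each hook executed in the most recent run.
# A run starts at a "Proceeding with regular server password change" line.
last_run_hooks() {
    awk -v dir="$HOOK_DIR/" '
        /Proceeding with regular server password change/ { n = 0 }
        $1 == "run-parts:" && $2 == "executing" && index($3, dir) == 1 {
            hooks[n++] = $4 " " substr($3, length(dir) + 1)
        }
        END { for (i = 0; i < n; i++) print hooks[i] }' "$1"
}

# Succeed if hook $2 ran (in any phase) during the most recent run in log $1.
hook_ran() {
    last_run_hooks "$1" | awk -v h="$2" '$2 == h { found = 1 } END { exit !found }'
}

# Comment #1 names univention-admember as the hook that changes the machine
# password with samba-tool in AD member mode; warn when the last run lacks it.
audit_log() {
    if hook_ran "$1" univention-admember; then
        echo "OK: univention-admember ran in the last rotation"
    else
        echo "WARN: univention-admember did not run; check the trust with 'wbinfo -t'"
        return 1
    fi
}

# Constructed sample data: one rotation with the given hooks in both phases.
sample_run() {  # $1 = timestamp, remaining arguments = hook names
    ts=$1; shift
    echo "[$ts] Proceeding with regular server password change scheduled for today"
    for phase in prechange postchange; do
        for hook in "$@"; do echo "run-parts: executing $HOOK_DIR/$hook $phase"; done
    done
    echo "[$ts] done"
}

# "before" mirrors the report (no admember hook); "after" appends a later,
# constructed run that includes it.
sample_log() {
    sample_run "2023-06-11 01:02:17" univention-nscd univention-samba
    [ "$1" = after ] && sample_run "2023-07-02 01:02:17" univention-admember univention-nscd univention-samba
    return 0
}

log=$(mktemp); sample_log before > "$log"; audit_log "$log" || true; rm -f "$log"
```

On a real member server, pass the path of the server password change log to audit_log and confirm the result with wbinfo -t, as in the report.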