Univention Bugzilla – Full Text Bug Listing

Summary: | AD Member Mode: server password change | |
---|---|---|---
Product: | UCS | Reporter: | Felix Botner <botner>
Component: | Samba | Assignee: | Felix Botner <botner>
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate>
Severity: | normal | |
Priority: | P5 | CC: | gohmann, walkenhorst
Version: | UCS 3.2 | |
Target Milestone: | UCS 3.2-2-errata | |
Hardware: | Other | |
OS: | Linux | |
What kind of report is it?: | --- | What type of bug is this?: | ---
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | ---
User Pain: | | Enterprise Customer affected?: |
School Customer affected?: | | ISV affected?: |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: |
Ticket number: | | Bug group (optional): |
Max CVSS v3 score: | | |
Description
Felix Botner
2014-07-25 10:11:52 CEST

We already set "machine password timeout = 0", so no machine password change in samba. I added server/password/change=false for Member Mode and unset server/password/change for non Member Mode.

We should add the following line into server_password_change.d/univention-samba:

net ads password -P "${hostname^^}\$" "$(cat /etc/machine.secret)"

This needs to be done before storing the new password in secrets.tdb. With the following commands everything worked:

=======================================================================
cat <<'%EOF' >/usr/lib/univention-server/server_password_change.d/univention-presamba
#!/bin/sh
net ads password -P 'MASTER70$' "$(cat /etc/machine.secret)"
%EOF
chmod 755 /usr/lib/univention-server/server_password_change.d/univention-presamba
/usr/lib/univention-server/server_password_change
net ads keytab create -P
=======================================================================

After that I can grab a ticket for the machine account and use it for a GSSAPI-authenticated LDAP connection to the AD-Server:

kinit --password-file=/etc/machine.secret 'MASTER70$'
ldapsearch -Y GSSAPI -h <my-ad-server> samaccountname=<myhostname>\$ msds-keyversionnumber

Added "net ads password" to server_password_change.d/univention-samba postchange for member mode, also added a prechange to check time diff between local and ad server in member mode. If the time diff is too big (> 180s) the password change is aborted.

YAML:
* 2014-07-16-univention-samba.yaml
* 2014-07-23-univention-lib.yaml

Apart from Bug 35520 Comment 5 this works.

Ok, works.

Advisory Ok.
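The two pieces the bug describes, a prechange clock-skew check that aborts the rotation above 180 s and a postchange step that pushes the new secret to AD with the machine account and refreshes the keytab, fit into one hook script. The following is an added example written for this page; it is not the univention-samba package's own hook. It assumes that server_password_change invokes each hook as `hook prechange` before and `hook postchange` after rewriting /etc/machine.secret, that a non-zero prechange exit aborts the rotation, that the AD DC's clock can be read with `net time -S` and parsed by GNU `date -d`, and it uses a placeholder `AD_SERVER` instead of the UCR variable a real deployment would read. `${hostname^^}` is replaced by `tr` so the script stays POSIX sh.

```shell
#!/bin/sh
# Hypothetical server_password_change.d hook (added example, not the
# univention-samba package's own script). Assumptions: server_password_change
# runs "hook prechange" before and "hook postchange" after it rotates
# /etc/machine.secret, and a failing prechange aborts the rotation.

MAX_SKEW_SECONDS=180                                  # the 180 s limit from the bug
AD_SERVER="${AD_SERVER:-ad-server.example.invalid}"   # placeholder; read from UCR in practice
MACHINE_SECRET=/etc/machine.secret

# Absolute difference between two epoch timestamps, printed to stdout.
time_skew() {
    if [ "$1" -ge "$2" ]; then
        echo $(( $1 - $2 ))
    else
        echo $(( $2 - $1 ))
    fi
}

# Exit status 0 when |local - remote| <= max (all in seconds), 1 otherwise.
check_time_skew() {
    [ "$(time_skew "$1" "$2")" -le "$3" ]
}

# AD machine account name: upper-cased hostname followed by '$'.
# tr replaces bash's ${var^^} so the hook stays POSIX sh.
machine_account_name() {
    printf '%s$' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Current time on the AD DC as epoch seconds. Reading the DC clock with
# "net time -S" and parsing it with GNU "date -d" is an assumption here.
ad_server_epoch() {
    dc_time=$(net time -S "$1") || return 1
    [ -n "$dc_time" ] || return 1
    date -d "$dc_time" +%s
}

# prechange: refuse to rotate the password while the clocks disagree, since
# Kerberos (and therefore the machine-account authentication below) would fail.
prechange() {
    local_epoch=$(date +%s)
    if ! remote_epoch=$(ad_server_epoch "$AD_SERVER"); then
        echo "cannot read time from $AD_SERVER, aborting password change" >&2
        return 1
    fi
    if ! check_time_skew "$local_epoch" "$remote_epoch" "$MAX_SKEW_SECONDS"; then
        echo "clock skew to $AD_SERVER exceeds ${MAX_SKEW_SECONDS}s, aborting password change" >&2
        return 1
    fi
}

# postchange: push the freshly rotated secret to AD, authenticating with the
# machine account (-P), then rebuild the keytab so GSSAPI keeps working.
postchange() {
    net ads password -P "$(machine_account_name "$(hostname)")" "$(cat "$MACHINE_SECRET")" || return 1
    net ads keytab create -P
}

case "${1:-}" in
    prechange)  prechange ;;
    postchange) postchange ;;
    *)          : ;;    # any other invocation (or sourcing for tests) is a no-op
esac
```

Running the script with `prechange` and checking its exit status shows whether the rotation would proceed; `check_time_skew` takes plain epoch values, so it can be exercised without a domain controller.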
We already set "machine password timeout = 0", so no machine password change in samba. I added server/password/change=false for Member Mode and unset server/password/change for non Member Mode. We should add the following line into server_password_change.d/univention-samba: net ads password -P "${hostname^^}\$" "$(cat /etc/machine.secret)" This needs to be done before storing the new password in secrets.tdb. With the following commands everything worked: ======================================================================= cat <<%EOF >/usr/lib/univention-server/server_password_change.d/univention-presamba #!/bin/sh net ads password -P 'MASTER70$' "$(cat /etc/machine.secret)" %EOF chmod 755 /usr/lib/univention-server/server_password_change.d/univention-presamba /usr/lib/univention-server/server_password_change net ads keytab create -P ======================================================================= After that I can grab a ticket for the machine account and use it for an GSSAPI-authenticated LDAP connection to the AD-Server: kinit --password-file=/etc/machine.secret 'MASTER70$' ldapsearch -Y GSSAPI -h <my-ad-server> \ samaccountname=<myhostname>\$ msds-keyversionnumber added "net ads password" to server_password_change.d/univention-samba postchange for member mode, also added a prechange to check time diff between local and ad server in member mode. If the time diff is too bit (> 180s) to password change is aborted. YAML: * 2014-07-16-univention-samba.yaml * 2014-07-23-univention-lib.yaml Apart from Bug 35520 Comment 5 this works. Ok, works. Advisory Ok. |