Bug 35467

Summary: AD Member Mode: server password change
Product: UCS
Reporter: Felix Botner <botner>
Component: Samba
Assignee: Felix Botner <botner>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: gohmann, walkenhorst
Version: UCS 3.2
Target Milestone: UCS 3.2-2-errata
Hardware: Other
OS: Linux

Description Felix Botner univentionstaff 2014-07-25 10:11:52 CEST
After a server_password_change, kinit with the machine account and /etc/machine.secret is no longer possible.

We need to set the new password also on the Windows AD. The only method I found is "net ads password", but this needs an administrator username/password.

Maybe we should disable server_password_change in Member Mode for now.
Comment 1 Felix Botner univentionstaff 2014-07-25 10:25:28 CEST
We already set "machine password timeout = 0", so no machine password change in samba.

I added server/password/change=false for Member Mode and unset server/password/change for non Member Mode.
Comment 2 Arvid Requate univentionstaff 2014-07-28 10:39:41 CEST
We should add the following line into server_password_change.d/univention-samba:

  net ads password -P "${hostname^^}\$" "$(cat /etc/machine.secret)"

This needs to be done before storing the new password in secrets.tdb.

With the following commands everything worked:

=======================================================================
cat <<'%EOF' >/usr/lib/univention-server/server_password_change.d/univention-presamba
#!/bin/sh

net ads password -P 'MASTER70$' "$(cat /etc/machine.secret)"
%EOF
chmod 755 /usr/lib/univention-server/server_password_change.d/univention-presamba

/usr/lib/univention-server/server_password_change

net ads keytab create -P
=======================================================================

After that I can grab a ticket for the machine account and use it for a GSSAPI-authenticated LDAP connection to the AD server:

kinit --password-file=/etc/machine.secret 'MASTER70$'
ldapsearch -Y GSSAPI -h <my-ad-server> \
     samaccountname=<myhostname>\$ msds-keyversionnumber
Comment 3 Felix Botner univentionstaff 2014-07-28 15:54:56 CEST
Added "net ads password" to server_password_change.d/univention-samba postchange for member mode; also added a prechange to check the time diff between the local and AD server in member mode. If the time diff is too big (> 180s), the password change is aborted.

YAML:  
 * 2014-07-16-univention-samba.yaml
 * 2014-07-23-univention-lib.yaml
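As an added illustration of the prechange check described in Comment 3 (this is example code, not the hook shipped in univention-samba): a prechange hook for server_password_change.d that aborts the rotation when the local clock and the AD DC clock differ by more than 180 seconds. The skew test is a separate function so it can be checked without a DC. The environment variable AD_SERVER, the use of "net time -S" to read the DC's clock and GNU "date -d" to parse its output are assumptions made here, not details from the bug report.

```shell
#!/bin/sh
# Added example, not Univention's own hook: prechange hook for
# /usr/lib/univention-server/server_password_change.d/ that refuses to
# rotate the machine password when the local clock and the AD DC clock
# differ by more than MAX_SKEW seconds. Kerberos rejects requests with a
# large clock skew, so rotating with a skewed clock would leave the host
# unable to authenticate afterwards.
# Assumptions (not from the bug report): the hook runs without arguments,
# the DC name comes from the environment variable AD_SERVER, and the DC's
# clock is read with "net time -S <dc>", whose output GNU "date -d" parses.

MAX_SKEW=180   # seconds; the threshold named in the bug report

# skew_ok LOCAL_EPOCH REMOTE_EPOCH [MAX]
# Returns 0 when |LOCAL - REMOTE| <= MAX (default MAX_SKEW), 1 otherwise.
skew_ok() {
    local_t=$1
    remote_t=$2
    max=${3:-$MAX_SKEW}
    diff=$((local_t - remote_t))
    if [ "$diff" -lt 0 ]; then
        diff=$((0 - diff))
    fi
    [ "$diff" -le "$max" ]
}

# remote_epoch DC
# Prints the DC's clock as epoch seconds; returns 1 if it cannot be read.
remote_epoch() {
    dc_time=$(net time -S "$1" 2>/dev/null) || return 1
    date -d "$dc_time" +%s 2>/dev/null
}

# prechange_check DC
# Exit status 0 lets server_password_change continue; non-zero aborts it.
prechange_check() {
    dc=$1
    now=$(date +%s)
    if ! dc_now=$(remote_epoch "$dc"); then
        echo "prechange: cannot read clock of $dc, aborting password change" >&2
        return 1
    fi
    if ! skew_ok "$now" "$dc_now"; then
        echo "prechange: clock skew between this host and $dc exceeds ${MAX_SKEW}s, aborting" >&2
        return 1
    fi
    return 0
}

# Only run the live check when AD_SERVER is set (hook invocation);
# the functions above can be sourced and exercised without a DC.
if [ -n "${AD_SERVER:-}" ]; then
    prechange_check "$AD_SERVER"
fi
```

Install it the same way Comment 2 installs the presamba hook (copy into server_password_change.d/, chmod 755) with a name that sorts before the univention-samba postchange step, and export AD_SERVER to the DC's name in the environment the hook runs in. A failure to reach the DC is treated the same as excessive skew: the rotation is aborted rather than left half done.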
Comment 4 Arvid Requate univentionstaff 2014-07-31 18:34:35 CEST
Apart from Bug 35520 Comment 5 this works.
Comment 5 Arvid Requate univentionstaff 2014-08-04 13:29:00 CEST
Ok, works. Advisory Ok.
Comment 6 Janek Walkenhorst univentionstaff 2014-08-07 17:45:16 CEST
http://errata.univention.de/ucs/3.2/164.html
Comment 7 Janek Walkenhorst univentionstaff 2014-08-07 17:45:46 CEST
http://errata.univention.de/ucs/3.2/165.html