Univention Bugzilla – Full Text Bug Listing |
Summary: | sambaPwdLastSet not updated after machine password rotation | ||
---|---|---|---|
Product: | UCS | Reporter: | Timo Denissen <denissen> |
Component: | UMC - Computers | Assignee: | Stefan Gohmann <gohmann> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | normal | ||
Priority: | P5 | CC: | best, gohmann, grandjean, requate |
Version: | UCS 4.1 | ||
Target Milestone: | UCS 4.1-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.091 | Enterprise Customer affected?: | |
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 41573, 41516, 41517 |
Description
Timo Denissen
2016-05-27 09:33:50 CEST
To clarify
> When logging in to a Samba share on the memberserver using smbclient
The access is made with the machine account.
Thanks for reporting this. The regression fixes of Bug 41196 might change the behaviour but I haven't checked that yet.

Stefan just reproduced it with UCS 3.2-8 latest errata (Samba 2:4.3.7)

Take UCS 3.2 with Samba 2:4.1.0 (i.e. without latest errata) and set a very restrictive sambaMaxPwdAge in the sambaDomain object. After that you directly get this for a memberserver:

root@member392:~# smbclient "//$ldap_master/netlogon" -U"$hostname$"%"$(</etc/machine.secret)" -
session setup failed: NT_STATUS_PASSWORD_EXPIRED

but wbinfo still works in this situation:

root@master391:~# wbinfo -t
checking the trust secret for domain DEADLOCK39 via RPC calls succeeded

But if you update (master AND member) to latest errata (e.g. 433) you get this:

root@member392:~# wbinfo -t
checking the trust secret for domain DEADLOCK39 via RPC calls failed
wbcCheckTrustCredentials(DEADLOCK39): error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

I tested in UCS 4.0-0-e4 (Samba 4.2.3) and it was a bit different: the smbclient still worked but the wbinfo -t gave the same error after shortening the sambaMaxPwdAge.

It might be part of these winbind changes:
* https://www.samba.org/samba/history/samba-4.2.0.html

I think we should change the UDM modules for the computer objects so that the attribute sambaPwdLastSet is set to the current date.

(In reply to Stefan Gohmann from comment #4)
> I think we should change the UDM modules for the computer objects so that
> the attribute sambaPwdLastSet is set to the current date.

done: r70053
YAML: r70054

Manual tests were successful, waiting for Jenkins:
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-2/job/AutotestJoin/44/

(In reply to Stefan Gohmann from comment #5)
> Manual tests were successful, waiting for Jenkins:
> http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-2/job/
> AutotestJoin/44/

Tests were successful.

* Code review: Ok
* Update via /usr/lib/univention-server/server_password_change - Ok
* Initial join of Memberserver: Ok
* Advisory: Ok
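
Added example, not part of the bug report or of Univention's code: an audit check for the condition discussed in this bug, listing machine accounts whose sambaPwdLastSet plus the domain's sambaMaxPwdAge already lies in the past. It assumes both attributes are in seconds (sambaPwdLastSet as a Unix timestamp), as described in samba.schema; the LDIF sample, DNs and function names are constructed for illustration.

```python
import time

# Constructed sample: one sambaDomain object and two machine accounts.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=test
objectClass: sambaDomain
sambaMaxPwdAge: 86400

dn: cn=member1,cn=memberserver,cn=computers,dc=example,dc=test
uid: member1$
sambaPwdLastSet: 1464334430

dn: cn=member2,cn=memberserver,cn=computers,dc=example,dc=test
uid: member2$
sambaPwdLastSet: 1464500000
"""

def parse_ldif(text):
    """Parse simple LDIF (unwrapped lines, single-valued attributes) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                key, _, value = line.partition(": ")
                entry[key] = value
        entries.append(entry)
    return entries

def stale_machine_accounts(ldif_text, now=None):
    """Return uids of machine accounts whose password age exceeds sambaMaxPwdAge."""
    now = time.time() if now is None else now
    entries = parse_ldif(ldif_text)
    max_age = -1
    for e in entries:
        if "sambaMaxPwdAge" in e:
            max_age = int(e["sambaMaxPwdAge"])
    if max_age < 0:  # -1 is the schema default: passwords never expire
        return []
    stale = []
    for e in entries:
        uid = e.get("uid", "")
        # Machine accounts carry a trailing "$" in their uid.
        if uid.endswith("$") and "sambaPwdLastSet" in e:
            if int(e["sambaPwdLastSet"]) + max_age < now:
                stale.append(uid)
    return stale

if __name__ == "__main__":
    print(stale_machine_accounts(SAMPLE_LDIF, now=1464520000))
```

An account that appears in this list right after a successful run of server_password_change is the symptom this bug describes: the secret was rotated but sambaPwdLastSet was not updated.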