Bug 41517

Summary: sambaPwdLastSet not updated after machine password rotation
Product: UCS Reporter: Stefan Gohmann <gohmann>
Component: UMC - ComputersAssignee: Stefan Gohmann <gohmann>
Status: CLOSED FIXED QA Contact: Arvid Requate <requate>
Severity: normal    
Priority: P5 CC: best, denissen, gohmann, grandjean, klaeser, requate
Version: UCS 3.2   
Target Milestone: UCS 3.2-8-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: Bug Report What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091 Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 41367    
Bug Blocks:    

Description Stefan Gohmann univentionstaff 2016-06-09 20:08:46 CEST 
Backport to UCS 3.2

+++ This bug was initially created as a clone of Bug #41367 +++

Running a Samba/NT environment with Samba version 2:4.3.7-1.827.201604141315, we experienced some strange behaviours after some time.

Running a DC Slave as Server role: ROLE_DOMAIN_PDC and memberservers as Server role: ROLE_DOMAIN_MEMBER, when the memberserver has its password rotation every 21 days, it seems to do everything as intended:

run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba postchange
machine password stored successfully in secrets.tdb
Setting stored password for "<memberserver dn>" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Stopping Samba daemons: nmbd smbd.
Starting Samba daemons: nmbd smbd.
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.

Looking at the LDAP attributes userPassword and sambaNTPassword, they changed, but sambaPwdLastSet is set not to the time the password was changed!

What now happes is that after the Samba password expiry time in sambaDomainName, attribute sambaMaxPwdAge, the memberservers cannot connect to the PDC again, getting the following possible error messages:

Nagios CRITICAL: wbinfo failed: wbcCheckTrustCredentials(<NT DOMAIN NAME>): error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233):failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR:Could not check secret:checking the trust secret for domain <NT DOMAIN NAME> via RPC calls failed

When logging in to a Samba share on the memberserver using smbclient, the following error message comes up: NT_STATUS_NO_LOGON_SERVERS

Looking at the log.smbd on the PDC, the following error message comes up:
[2016/05/26 15:40:08.687318,  0] ../source3/rpc_server/srv_pipe.c:1197(api_pipe_alter_context)
  Auth step returned an error (NT_STATUS_PASSWORD_EXPIRED)

Long story short: when the server password is changed, the Samba password "last set" value for servers providing Samba shares is not updated. As soon as "sambaPwdLastSet" from the memberserver) plus "sambaMaxPwdAge" are in the past, winbind refuses to work. Prior to the update to Samba 4.3 due to the badlock-update, everything worked fine.
Comment 1 Stefan Gohmann univentionstaff 2016-06-10 07:54:46 CEST 
Fixed with r70057 and r70058

YAML r70061

Waiting for UCS 4.1-2-errata test results (Bug #41367)
Comment 2 Arvid Requate univentionstaff 2016-06-14 18:29:04 CEST 
* Code review: Ok
* Update via /usr/lib/univention-server/server_password_change - Ok
* Advisory: Ok
Comment 3 Janek Walkenhorst univentionstaff 2016-06-15 11:43:00 CEST 
<http://errata.software-univention.de/ucs/3.2/434.html>