Univention Bugzilla – Bug 34828
Provision failed due to password complexity criteria
Last modified: 2019-05-15 14:52:11 CEST
Happened during the installation tests from Philipp (DC Master with Samba 4). From join.log:

Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - 0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 401, in run
    use_rfc2307=use_rfc2307, skip_sysvolacl=False)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 2155, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 1757, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 1436, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/lib/python2.6/dist-packages/samba/provision/common.py", line 50, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/lib/python2.6/dist-packages/samba/__init__.py", line 224, in add_ldif
    self.add(msg, controls)

This is a little bit strange because we use "pwgen -1 -s -c -n 16" for the password generation, at least for the Administrator. Maybe the KRBTGTPASS is generated in a different way?
There are AD-specific complexity criteria; maybe pwgen doesn't always conform to those. Somewhere in Samba there is a generator routine that should be used.
Happened again on Jenkins. The criteria are defined in: https://github.com/samba-team/samba/blob/v4-7-stable/lib/util/genrand_util.c#L62

The pwgen command in setup-s4.sh can generate a password with only uppercase letters and numbers. Such a password does not meet the criteria. Possible patch:

$(pwgen -1 -s -c -n 16) -> $(pwgen -1 -s -c -n 12)$(pwgen -1 -s -A -n 12)

With 100 tries it took an average of 5306 calls to pwgen to generate a password that fails Samba's password criteria.
Join script error:

ERROR: Administrator password does not meet the default quality standards
ERROR: Samba4 provision failed, exiting
/usr/share/univention-samba4/scripts/setup-s4.sh
Notes: relevant code: setup-s4.sh -> run_samba_domain_provision()

The problem does not seem to be the machine.secret. I hardcoded
--machinepass="12345678" -> No problem
--adminpass="12345678" -> Error

At least to me it looks like adminpass is not the same as the machine.secret.
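An added example (not from this bug report, and not code from setup-s4.sh or Samba) that re-implements in POSIX sh the class-counting rule from Samba's check_password_quality() in lib/util/genrand_util.c, which the comments above reference: a password must contain characters from at least 3 of the classes lower, upper, digit, other. It shows why an uppercase-plus-digits pwgen output (or the "12345678" adminpass tried above) is rejected, and a generator that retries until a candidate passes, so a script does not have to depend on pwgen's -c/-n flags. The function names are my own; non-ASCII bytes are lumped into the "other" class here, which is a simplification of Samba's separate unicode count.

```shell
#!/bin/sh
# Added example, modelled on Samba's check_password_quality() (genrand_util.c):
# a password is acceptable when it uses at least 3 of 4 character classes.
LC_ALL=C
export LC_ALL

# Returns 0 (true) if $1 meets the 3-of-4 class rule, 1 otherwise.
meets_ad_complexity() {
    n=0
    case $1 in *[a-z]*)        n=$((n + 1)) ;; esac   # lower
    case $1 in *[A-Z]*)        n=$((n + 1)) ;; esac   # upper
    case $1 in *[0-9]*)        n=$((n + 1)) ;; esac   # digit
    case $1 in *[!A-Za-z0-9]*) n=$((n + 1)) ;; esac   # other (incl. non-ASCII bytes)
    [ "$n" -ge 3 ]
}

# Draws random candidates of length $1 (default 16) from /dev/urandom and
# prints the first one that passes the check, so callers never hand Samba
# a password it will refuse. (Hypothetical helper, not part of setup-s4.sh.)
gen_ad_password() {
    len=${1:-16}
    while :; do
        candidate=$(tr -dc 'A-Za-z0-9_-' </dev/urandom | head -c "$len")
        if meets_ad_complexity "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

# Demonstration: the failure mode from the bug (upper + digits only) vs. a fix.
for pw in 'ABCDEF1234567890' '12345678' 'aBcDeF1234567890'; do
    if meets_ad_complexity "$pw"; then
        echo "$pw: ok"
    else
        echo "$pw: does not meet the complexity criteria"
    fi
done
gen_ad_password 16
```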
Created attachment 9842: 1.patch

man pwgen: -n: "at least one number", so your idea could result in 24 digits, theoretically. The attached patch may fix this.
Created attachment 9843: adminpass.patch

Yes, Jürn, you may be right that the random password given to the --adminpass option is too weak. I guess we could just drop the option from the script, as Samba generates a random one itself in that case.
I tested and merged the patch above.
Verified:
* Change review
* Functional test
* Advisory

I also checked what happened if the /etc/machine.secret is very simple: On my plain UCS 4.4 test VM I've adjusted server-password-change to set "univention". After that I've run "univention-app install samba4", and everything worked. So Samba doesn't bail out if /etc/machine.secret accidentally doesn't match AD-specific password complexity criteria.
<http://errata.software-univention.de/ucs/4.4/106.html>