I want to share my experience with AD Connector regarding a specific problem: the “Server Password Change” mechanism when the UCS server is in “AD Member Mode”.
It happened that the password of the machine account in AD could not be changed (caused by improper network setup at customer’s site). This left us with a weird state:
- the new password was recorded in /etc/machine.secret
- the machine account in AD kept the old password
This, in turn, caused the AD connector to fail with the error message every 30 seconds:
--- connect failed, failure was: --- Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/univention/connector/ad/main.py", line 302, in main connect() File "/usr/lib/python2.7/dist-packages/univention/connector/ad/main.py", line 190, in connect baseConfig['%s/ad/listener/dir' % CONFIGBASENAME] File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 842, in __init__ self.open_ad() File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1038, in open_ad self.get_kerberos_ticket() File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1016, in get_kerberos_ticket raise kerberosAuthenticationFailed('The following command failed: "%s" (%s): %s' % (string.join(cmd_block), p1.returncode, stdout)) kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret hostname$" (1): kinit: Password incorrect
One might think, ‘simply write the old password into /etc/machine.secret, and all will be ok’ but then we would have to re-invoke all the handlers in /usr/lib/univention-server/server_password_change.d with the right preconditions – better we avoid this: it’s too easy to confuse these scripts and leave the system with more inconsistencies than those we already have.