Bareos: (unwanted) monthly re-generation of client passwords of a UCS domain member

#1

Hi forum,

Since the Bareos update to version 16.2.5 (App Center version), we regularly see a monthly (triggered on the 1st of every month) re-generation of client passwords in
/etc/bareos/autogenerated/clients/$CLIENT-HOST.include
which clearly leads to failed backup runs due to authentication errors. The client in this case is a Win 2012 R2 instance which acts as a (UCS) domain member (type: Windows Workstation/Server).
Any ideas why and which (script) re-generates the password in /etc/bareos/autogenerated/clients/$CLIENT-HOST.include of this Bareos host?

BTW: We reorganized to the new Bareos config style I described in this post.

THX in advance & best regards,
Robert


#2

The files /etc/bareos/autogenerated/clients/$CLIENT-HOST.include are generated by /usr/lib/univention-directory-listener/system/univention-bareos.py. It is called by UCS as soon as an LDAP object is changed.

I verified that a call of

univention-directory-listener-ctrl resync bareos

indeed recreates the passwords in the *.include files.

However, I have no idea why something like this should be called periodically on your system.

Have you got a cron job running for resynchronisation? Or do you change your LDAP objects periodically?

Anyhow, I created a bug report at https://bugs.bareos.org/view.php?id=850
However, I’m not sure when it will be fixed.

regards,
Jörg


#3

Hi Jörg,

thx for your reply.

I did not manually create any cron job on this host, nor change any LDAP objects (manually). The affected Win 2012 R2 instance, which acts as a (UCS) domain member, was never re-joined or anything else.

But today I noticed some error log entries regarding a not fully removed ‘maildisclaimer’ app, like:

13.10.17 16:14:27.173  DEBUG_INIT
13.10.17 16:14:27.485  ADMIN       ( ERROR   ) : admin.syntax.import_syntax_files: loading /usr/lib/pymodules/python2.7/univention/admin/syntax.d/maildisclaimer_syntax.py failed
13.10.17 16:14:27.487  ADMIN       ( ERROR   ) : admin.syntax.import_syntax_files: TRACEBACK:
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/admin/syntax.py", line 80, in import_syntax_files
    exec fd in sys.modules[__name__].__dict__
  File "/usr/lib/pymodules/python2.7/univention/admin/syntax.d/maildisclaimer_syntax.py", line 5, in <module>
    from bitbone.config import MDConfigReader
ImportError: No module named bitbone.config

in many different log files under /var/log/univention/*.log.
I’m not sure, but the uninstallation time of this app could coincide with the first occurrence of this issue.
No idea if this is the reason, but for now I deleted the affected maildisclaimer Python scripts manually and will watch and wait.

THX & regards,
Robert


#4

Just for the record: Because the issue hit us again on Nov 1st, I (temporarily) renamed and hid the corresponding script
/usr/lib/univention-directory-listener/system/univention-bareos.py

regards,
Robert


#5

Just a small fix. Discovered passwords were previously stored in /etc/bareos/autogenerated/fd-secrets/.

So change, in /usr/lib/univention-directory-listener/system/univention-bareos.py,
function CreateClientPassword (line 128) to:

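import os
import random
import string

# PATH_PREFIX is expected to be defined in the surrounding script.

def createClientSecret(client_name):
    # Reuse the stored secret if one exists, so that a listener run
    # does not change the client's password.
    path=PATH_PREFIX+'/fd-secrets/'+client_name
    if os.path.isfile(path):
        with open(path,'r') as f:
            password=f.read()[:40]
    else:
        # No stored secret yet: generate 40 characters and persist them.
        char_set = string.ascii_uppercase + string.digits + string.ascii_lowercase
        password=''.join(random.sample(char_set*40,40))
        with open(path,'w') as f:
            f.write(password)
    return password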

So the password is stored in fd-secrets/ and retrieved from there if the file exists.

Best
Tobias
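
A hardened variant of the store-and-reuse idea from the post above, as an added example (it is not the poster's patch and not code from univention-bareos.py): the secret comes from the OS CSPRNG, the file is created exclusively with owner-only permissions, and the client name is checked before it is used as a file name. The function names, the `secrets_dir` parameter and the sample client name are assumptions made for illustration.

```python
import errno
import os
import random
import string
import tempfile

SECRET_LEN = 40
CHARSET = string.ascii_letters + string.digits
_rng = random.SystemRandom()  # draws from the OS CSPRNG


def get_or_create_client_secret(secrets_dir, client_name):
    """Return the stored secret for client_name, creating it once if absent."""
    # Client names come from the directory; reject anything that is not a
    # plain file name so it cannot escape secrets_dir.
    if client_name in ("", ".", "..") or os.path.basename(client_name) != client_name:
        raise ValueError("unsafe client name: %r" % (client_name,))
    path = os.path.join(secrets_dir, client_name)
    try:
        # O_EXCL: exactly one caller creates the file. 0o600: owner-only access.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError as exc:
        if exc.errno != errno.EEXIST:
            raise
        with open(path, "r") as f:  # already stored: reuse, never regenerate
            secret = f.read()
        if len(secret) != SECRET_LEN:
            raise RuntimeError("stored secret for %s is truncated" % client_name)
        return secret
    secret = "".join(_rng.choice(CHARSET) for _ in range(SECRET_LEN))
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    return secret


def simulate_resync(client_names, runs=3):
    """Constructed demo: every simulated resync run must see the same secrets."""
    secrets_dir = tempfile.mkdtemp(prefix="fd-secrets-")
    results = [
        {n: get_or_create_client_secret(secrets_dir, n) for n in client_names}
        for _ in range(runs)
    ]
    modes = {n: os.stat(os.path.join(secrets_dir, n)).st_mode & 0o777 for n in client_names}
    return results, modes


if __name__ == "__main__":
    results, modes = simulate_resync(["win2012r2.example.test"])  # constructed name
    print(results[0] == results[-1], {n: oct(m) for n, m in modes.items()})
```

A stored file that is not exactly 40 characters long is treated as an error here rather than silently regenerated, since regenerating is what breaks client authentication.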


#6

Just FYI: This issue still exists with the current Bareos AppCenter version 17.2.6 from July 2018, so after updating we’ll have to fix this manually again 🙁

regards,
Robert