Failed to change server password

Hello!

For a few days now - more precisely, since applying THIS guide - we have had the following problem:

Starting server password change (Thu Jul 30 01:03:12 CEST 2020)
Proceeding with regular server password change scheduled for today
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/70kopano prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-directory-manager-rest prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 prechange
Permission denied.
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server nochange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.external_aliases
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.virtualwithcanonical
Multifile: /etc/postfix/ldap.virtual_mailbox
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
run-parts: executing /usr/lib/univention-server/server_password_change.d/70kopano nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary nochange
SOMEUUID
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-directory-manager-rest nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap nochange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 nochange
failed to change server password for cn=someUCS,cn=dc,cn=computers,dc=DOMAIN,dc=local

Similar to: Server password change problem

I can’t get any further at this point, because I don’t know which permissions I should compare and which password change I can/should do manually - the system is operational and I don’t want to risk a failure due to failed logins.

Can someone help me with this, please?

Best regards,
TP

Hi, I can confirm this issue.

EDIT: The error message “Permission denied.” can be produced only in the script /usr/lib/univention-server/server_password_change.d/univention-samba4 or in the main script /usr/lib/univention-server/server_password_change itself.

Running “/usr/lib/univention-server/server_password_change.d/univention-samba4 prechange” should do nothing except for the eval statement. So I would guess the error occurs in the main script:

run-parts --verbose --arg prechange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
# If ANY of the scripts fails while doing "prechange", then rollback with "nochange".
if [ $? != 0 ]; then
        # Use run-parts without --exit-on-error; go through all scripts.
        run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
        FAIL "run-parts failed during prechange, rolling back with nochange, server password unchanged"
fi

But I don’t see any reason why the run-parts should produce the error message “Permission denied.”

1 Like

I think you can have a look here: https://forge.univention.org/bugzilla/show_bug.cgi?id=51676

It has something to do with the ppolicy setting in LDAP. I didn’t apply the patch and am waiting for an erratum?!

Best,
Bernd

2 Likes

The fix in comment 22 works:

eval "$(ucr shell)"; echo -e "dn: cn=default,cn=ppolicy,cn=univention,$ldap_base\nchangetype: modify\nreplace: pwdAllowUserChange\npwdAllowUserChange: TRUE" \
    | ldapmodify -D "cn=admin,$ldap_base" -y /etc/ldap.secret
2 Likes
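
A read-only check for the setting that the fix above changes, as an added example that is not part of the original thread: it reads the cn=default ppolicy entry as LDIF and reports whether accounts may change their own password, treating an absent pwdAllowUserChange as TRUE (the ppolicy default). The function names, the dc=example,dc=local sample entry and the ldapsearch options other than -D and -y are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): inspect pwdAllowUserChange
# before and after applying the ldapmodify fix from the thread.

# Reads one ppolicy entry as LDIF on stdin, prints "allowed" or "denied".
ppolicy_self_change() {
    awk '
        function handle(line,    v) {
            # LDAP attribute names are case-insensitive.
            if (tolower(line) !~ /^pwdallowuserchange:/) return
            v = line
            sub(/^[^:]*:[ ]*/, "", v)     # drop "name:" and leading blanks
            sub(/[ \r]+$/, "", v)         # drop trailing blanks / CR
            val = toupper(v)
        }
        # LDIF folds long lines: a continuation line starts with one space.
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") handle(buf); buf = $0 }
        END {
            if (buf != "") handle(buf)
            # Attribute absent => ppolicy default TRUE => change allowed.
            result = (val == "FALSE") ? "denied" : "allowed"
            print result
        }
    '
}

# Live query on a UCS system, binding the same way as the fix in the thread.
# Assumption: ldapsearch accepts the same -D/-y bind options as ldapmodify there.
check_ucs_ppolicy() {
    eval "$(ucr shell)"
    ldapsearch -LLL -D "cn=admin,$ldap_base" -y /etc/ldap.secret \
        -b "cn=default,cn=ppolicy,cn=univention,$ldap_base" -s base \
        pwdAllowUserChange | ppolicy_self_change
}

# Constructed sample entry (not taken from any system in the thread).
printf '%s\n' \
    'dn: cn=default,cn=ppolicy,cn=univention,dc=example,dc=local' \
    'pwdAllowUserChange: FALSE' | ppolicy_self_change
```

On a UCS host, check_ucs_ppolicy printing "denied" corresponds to the state in which the server password change in this thread failed with "Permission denied."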

Hello,

many thanks!

The "dn: cn=default,cn=ppolicy,cn=univention," part must be adapted to the respective domain (instead of “cn=univention”), or is it the same for all installations?

Best regards,
TP

It’s the same on all installations.

1 Like

OK,
I’ve tried it - let’s see if it helps!

You can run the script manually:

/usr/lib/univention-server/server_password_change
1 Like

Output is good:

Starting server password change (Do 30. Jul 15:55:09 CEST 2020)
Proceeding with regular server password change scheduled for today
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/70kopano prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-directory-manager-rest prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 prechange
Object modified: cn=someUCS,cn=dc,cn=computers,dc=DOMAIN,dc=local
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 localchange
--> Modified 1 records successfully
--> Changed password OK
Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
Stopping smbd (via systemctl): smbd.service.
Stopping nmbd (via systemctl): nmbd.service.
Starting nmbd (via systemctl): nmbd.service.
Starting smbd (via systemctl): smbd.service.
Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server postchange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.external_aliases
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.virtualwithcanonical
Multifile: /etc/postfix/ldap.virtual_mailbox
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
run-parts: executing /usr/lib/univention-server/server_password_change.d/70kopano postchange
Setting kopano/cfg/ldap/ldap_bind_passwd
Module: kopano-cfg
dpkg-query: Kein Paket gefunden, das auf kopano4ucs-multiserver passt
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary postchange
~someUUID~
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind postchange
run-parts: /usr/lib/univention-server/server_password_change.d/univention-bind exited with return code 1
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-directory-manager-rest postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap postchange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd postchange
Restarting nscd (via systemctl): nscd.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
--> done (Do 30. Jul 15:55:49 CEST 2020)

Thanks again!

Maybe a Mod could mark the answer from @SirTux?

Best regards,
TP