Hello!
For a few days now, more precisely since applying THIS guide, we have had the following problem:
Starting server password change (Thu Jul 30 01:03:12 CEST 2020)
Proceeding with regular server password change scheduled for today
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/70kopano prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-directory-manager-rest prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 prechange
Permission denied.
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server nochange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.external_aliases
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.virtualwithcanonical
Multifile: /etc/postfix/ldap.virtual_mailbox
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
run-parts: executing /usr/lib/univention-server/server_password_change.d/70kopano nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary nochange
SOMEUUID
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-directory-manager-rest nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap nochange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 nochange
failed to change server password for cn=someUCS,cn=dc,cn=computers,dc=DOMAIN,dc=local
Similar to: Server password change problem
I can’t get any further at this point, because I don’t know which permissions I should compare and which password change I can/should do manually - the system is operational and I don’t want to risk a failure due to failed logins.
Can someone help me with this, please?
Best regards,
TP
SirTux
July 30, 2020, 9:11am
2
Hi, I can confirm this issue.
EDIT: The error message “Permission denied.” can be produced only in the script /usr/lib/univention-server/server_password_change.d/univention-samba4 or in the main script /usr/lib/univention-server/server_password_change itself.
Running “/usr/lib/univention-server/server_password_change.d/univention-samba4 prechange” should do nothing except for the eval statement. So I would guess the error occurs in the main script:
run-parts --verbose --arg prechange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
# If ANY of the scripts fails while doing "prechange", then rollback with "nochange".
if [ $? != 0 ]; then
# Use run-parts without --exit-on-error; go through all scripts.
run-parts --verbose --arg nochange -- /usr/lib/univention-server/server_password_change.d >&3 2>&3
FAIL "run-parts failed during prechange, rolling back with nochange, server password unchanged"
fi
But I don’t see any reason why the run-parts should produce the error message “Permission denied.”
1 Like
I think you can have a look here: https://forge.univention.org/bugzilla/show_bug.cgi?id=51676
It has something to do with the ppolicy-setting in LDAP. I didn’t apply the patch and wait for an errata?!
Best,
Bernd
2 Likes
SirTux
July 30, 2020, 11:53am
4
The fix in comment 22 works:
eval "$(ucr shell)"; echo -e "dn: cn=default,cn=ppolicy,cn=univention,$ldap_base\nchangetype: modify\nreplace: pwdAllowUserChange\npwdAllowUserChange: TRUE" \
| ldapmodify -D "cn=admin,$ldap_base" -y /etc/ldap.secret
3 Likes
Hello,
many thanks!
The "dn: cn=default,cn=ppolicy,cn=univention," part must be adapted to the respective domain (instead of “cn=univention”), or is it the same for all installations?
Best regards,
TP
SirTux
July 30, 2020, 1:02pm
6
It’s the same on all installations.
1 Like
SirTux:
eval "$(ucr shell)"; echo -e "dn: cn=default,cn=ppolicy,cn=univention,$ldap_base\nchangetype: modify\nreplace: pwdAllowUserChange\npwdAllowUserChange: TRUE" \
| ldapmodify -D "cn=admin,$ldap_base" -y /etc/ldap.secret
OK,
I’ve tried - let’s see if it helps!
SirTux
July 30, 2020, 1:20pm
8
You can run the script manually:
/usr/lib/univention-server/server_password_change
1 Like
Output is good:
Starting server password change (Do 30. Jul 15:55:09 CEST 2020)
Proceeding with regular server password change scheduled for today
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/70kopano prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-directory-manager-rest prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 prechange
Object modified: cn=someUCS,cn=dc,cn=computers,dc=DOMAIN,dc=local
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 localchange
--> Modified 1 records successfully
--> Changed password OK
Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
Stopping smbd (via systemctl): smbd.service.
Stopping nmbd (via systemctl): nmbd.service.
Starting nmbd (via systemctl): nmbd.service.
Starting smbd (via systemctl): smbd.service.
Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server postchange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.external_aliases
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.virtualwithcanonical
Multifile: /etc/postfix/ldap.virtual_mailbox
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
run-parts: executing /usr/lib/univention-server/server_password_change.d/70kopano postchange
Setting kopano/cfg/ldap/ldap_bind_passwd
Module: kopano-cfg
dpkg-query: Kein Paket gefunden, das auf kopano4ucs-multiserver passt
run-parts: executing /usr/lib/univention-server/server_password_change.d/portal-server-password-rotate postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-admin-diary postchange
~someUUID~
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind postchange
run-parts: /usr/lib/univention-server/server_password_change.d/univention-bind exited with return code 1
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-dhcp postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-directory-manager-rest postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap postchange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd postchange
Restarting nscd (via systemctl): nscd.service.
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector postchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
--> done (Do 30. Jul 15:55:49 CEST 2020)
Thanks again!
Maybe a Mod could mark the answer from @SirTux ?
Best regards,
TP
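The two runs posted in this thread differ in which run-parts phases appear: prechange followed by a nochange rollback in the failed run, prechange/localchange/postchange ending in "--> done" in the good one. The following is an added example, not part of the thread and not Univention code: a small classifier that reads one run's output and reports whether the machine password was rotated, rolled back, or left incomplete, and which hooks exited non-zero. The function name and the abbreviated sample logs are constructed for illustration from the lines quoted above.

```shell
#!/bin/sh
# Added example, not Univention code. Sample logs are constructed from the thread.

classify_pwchange_run() {
    # stdin: output of one server_password_change run.
    # stdout: status=<ok|rolled-back|incomplete> dn=<dn|-> errors=<n> nonzero=<hook:phase,...|->
    awk '
        /^run-parts: executing / { phase = $4; seen[phase] = 1; next }
        /^run-parts: .* exited with return code / {
            n = split($2, p, "/")          # hook name = last path component
            nonzero = nonzero (nonzero ? "," : "") p[n] ":" phase
            next
        }
        /^Permission denied\.$/ { errors++; next }
        /^failed to change server password for / { failed = 1; dn = $NF; next }
        /^Object modified: / { dn = $NF; next }
        /^--> done / { finished = 1 }
        END {
            # Any nochange phase means the main script rolled back after prechange.
            if (failed || seen["nochange"]) status = "rolled-back"
            else if (finished && seen["postchange"]) status = "ok"
            else status = "incomplete"
            printf "status=%s dn=%s errors=%d nonzero=%s\n",
                status, (dn ? dn : "-"), errors, (nonzero ? nonzero : "-")
        }'
}

D=/usr/lib/univention-server/server_password_change.d

sample_failed_run() {   # constructed, abbreviated from the first log in the thread
cat <<EOF
run-parts: executing $D/univention-samba4 prechange
Permission denied.
run-parts: executing $D/univention-samba4 nochange
failed to change server password for cn=someUCS,cn=dc,cn=computers,dc=DOMAIN,dc=local
EOF
}

sample_good_run() {     # constructed, abbreviated from the last log in the thread
cat <<EOF
run-parts: executing $D/univention-samba4 prechange
Object modified: cn=someUCS,cn=dc,cn=computers,dc=DOMAIN,dc=local
run-parts: executing $D/univention-bind postchange
run-parts: $D/univention-bind exited with return code 1
run-parts: executing $D/univention-samba4 postchange
--> done (Do 30. Jul 15:55:49 CEST 2020)
EOF
}
```

Pipe a saved run into `classify_pwchange_run` to get the one-line summary; a `rolled-back` status means the old machine password is still in effect.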