Hi,
Two weeks ago I started getting an error from the cron that executes this script -> /usr/lib/univention-server/server_password_change. I took a look at the logfile /var/log/univention/server_password_change and found the following error messages:
Stopping Postfix Mail Transport Agent: postfix.
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-postgresql-password prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-self-service prechange
Permission denied.
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server nochange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.virtualwithcanonical
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
Starting Postfix Mail Transport Agent: postfix.
Unsetting mail/postfix/stoppedbyserverpasswordchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap nochange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-postgresql-password nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-self-service nochange
failed to change server password for cn=masterdc01,cn=dc,cn=computers,dc=idicat,dc=net
Then, I tried to manually trigger the server password change by doing this:
univention-config-registry set server/password/interval=-1
/usr/lib/univention-server/server_password_change
univention-config-registry set server/password/interval=21
This returned the same errors, and from that execution on I started getting authentication errors from different scripts (ldap_bind errors). The latest error I got was from this cron -> [ -x /usr/lib/univention-pam/ldap-group-to-file.py ] && /usr/lib/univention-pam/ldap-group-to-file.py --check_member (ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}). When that error happens, I can't even perform a univention-ldapsearch.
I tried changing the password from udm with:
udm computers/domaincontroller_master modify --set password="$(cat /etc/machine.secret)" --dn "cn=masterdc01,cn=dc,cn=computers,$(ucr get ldap/base)" --binddn="cn=admin,$(ucr get ldap/base)" --bindpwd="$(cat /etc/ldap.secret)"
And once I do it, it works. But after approximately 15 min, it gives the same error again. Is there anything that can mess up the passwords?
Thanks,
Cristina.