Server password change problem

ucs-4-1

#1

Hi,

Two weeks ago I started getting an error from the cron that executes this script -> /usr/lib/univention-server/server_password_change. I took a look at the logfile /var/log/univention/server_password_change and found the following error messages:

Stopping Postfix Mail Transport Agent: postfix.
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-postgresql-password prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 prechange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-self-service prechange
Permission denied.
run-parts: executing /usr/lib/univention-server/server_password_change.d/50univention-mail-server nochange
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/ldap.virtualwithcanonical
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
Starting Postfix Mail Transport Agent: postfix.
Unsetting mail/postfix/stoppedbyserverpasswordchange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-bind nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-libnss-ldap nochange
File: /etc/libnss-ldap.conf
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-nscd nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-postgresql-password nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-s4-connector nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 nochange
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-self-service nochange
failed to change server password for cn=masterdc01,cn=dc,cn=computers,dc=idicat,dc=net

Then, I tried to manually trigger the server password change by doing this:

univention-config-registry set server/password/interval=-1
/usr/lib/univention-server/server_password_change
univention-config-registry set server/password/interval=21

This returned the same errors and from that execution on, I started getting authentication errors from different scripts (ldap_bind errors). The latest error I got was from this cron -> [ -x /usr/lib/univention-pam/ldap-group-to-file.py ] && /usr/lib/univention-pam/ldap-group-to-file.py --check_member (ldap.INVALID_CREDENTIALS: {‘desc’: ‘Invalid credentials’}). When that error happens, I can’t even perform an univention-ldapsearch.

I tried changing the password from udm with:

udm computers/domaincontroller_master modify --set password="cat /etc/machine.secret" --dn “cn=masterdc01,cn=dc,cn=computers,ucr get ldap/base” --binddn=“cn=admin,ucr get ldap/base” --bindpwd="cat /etc/ldap.secret"

And once i do it, it works. But after aproximately 15min, it gives the same error again. Is there anything that can mess up with the passwords?

Thanks,

Cristina.


#2

Hi Cristina,

I’m not aware of anything else but the server password change routine that can mess up with the passwords. And setting the content of /etc/machine.secret as password via udm (just as you did) should acutally resolve the problem.

I’m not sure if I understand this part correctly:

What works and what gives you which error? :slight_smile: I do have some assumptioms, but I want to be sure (the ldap-group-to-file.py cronjob runs every 15 minutes, if I recall correctly).


#3

I am not sure if the error in the log is not just a cosmetic one. In case the quoted “permission denied” and the subsequent call of “univention-self-service” later is the only error I’d first check the permissions of this script and if this is correct just look what the script is about to do and check the permissions of the /etc/*secret files referred .