diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py index 0622a89d4d..a441f52451 100644 --- a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py +++ b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py @@ -668,11 +668,6 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru object = s4connector._object_mapping(key, ucs_object, 'ucs') s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['objectSid', 'pwdLastSet']) - if s4connector.isInCreationList(object['dn']): - s4connector.removeFromCreationList(object['dn']) - ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Synchronisation of password has been canceled. Object was just created.") - return - pwdLastSet = None if 'pwdLastSet' in s4_object_attributes: pwdLastSet = long(s4_object_attributes['pwdLastSet'][0]) 
@@ -683,11 +678,35 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru # if s4_object_attributes.has_key('objectSid'): # rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1]) + ### get current Samba/AD attribute values filter_expr = format_escaped('(objectSid={0!e})', objectSid) res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd']) s4_search_attributes = res[0][1] - + msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0] + supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0] + + ### get current OpenLDAP attribute values + ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaPwdMustChange', 'sambaPwdLastSet', 'sambaNTPassword', 'sambaLMPassword', 'krb5PrincipalName', 'krb5Key', 'krb5KeyVersionNumber', 'userPassword', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd', 'univentionService']) + krb5Principal = ucs_object_attributes.get('krb5PrincipalName', [''])[0] + krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] + krb5Key_ucs = ucs_object_attributes.get('krb5Key', []) + + ### First handle the KeyVersionNumber, even if the user was just created + modlist = [] + if krb5Principal: + if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber): + modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber)) + + if s4connector.isInCreationList(object['dn']): + s4connector.removeFromCreationList(object['dn']) + ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: Synchronisation of password has been canceled. 
Object was just created.") + if len(modlist) > 0: + # ud.debug(ud.LDAP, ud.PROCESS, 'password_sync_s4_to_ucs: Only synchronizing KeyVersionNumber.') + ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: modlist: %s" % modlist) + s4connector.lo.lo.modify(ucs_object['dn'], modlist) + return + if unicodePwd_attr: ntPwd = binascii.b2a_hex(unicodePwd_attr).upper() @@ -696,15 +715,9 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru if dBCSPwd: lmPwd = binascii.b2a_hex(dBCSPwd).upper() - supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] - msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0] - ntPwd_ucs = '' lmPwd_ucs = '' - krb5Principal = '' userPassword = '' - modlist = [] - ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaPwdMustChange', 'sambaPwdLastSet', 'sambaNTPassword', 'sambaLMPassword', 'krb5PrincipalName', 'krb5Key', 'krb5KeyVersionNumber', 'userPassword', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd', 'univentionService']) services = ucs_object_attributes.get('univentionService', []) if 'S4 SlavePDC' in services: @@ -715,8 +728,6 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru ntPwd_ucs = ucs_object_attributes['sambaNTPassword'][0] if 'sambaLMPassword' in ucs_object_attributes: lmPwd_ucs = ucs_object_attributes['sambaLMPassword'][0] - if 'krb5PrincipalName' in ucs_object_attributes: - krb5Principal = ucs_object_attributes['krb5PrincipalName'][0] if 'userPassword' in ucs_object_attributes: userPassword = ucs_object_attributes['userPassword'][0] sambaPwdLastSet = None 
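Review bot: `int(krb5KeyVersionNumber)` in the new early comparison raises TypeError when the UCS object carries krb5PrincipalName but no krb5KeyVersionNumber, because the lookup defaults to `[None]`; the expression itself is not new, but it now runs ahead of the creation-list check, so a freshly created object without that attribute aborts the sync instead of being skipped as before. A guard such as `if krb5KeyVersionNumber is None or int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber):` keeps the branch total, assuming a modlist tuple whose old value is None is treated as an add by `lo.lo.modify` — confirm against the uldap helper. The creation-list branch writes only the KeyVersionNumber to OpenLDAP while the matching krb5Key values are not written here, so the two attributes can presumably disagree until a later sync; if that is intended, the commented-out PROCESS debug line should either become the live message or be dropped, and `if len(modlist) > 0:` reads better as `if modlist:`. The `"password_sync_s4_to_ucs: modlist: %s" % modlist` log is harmless while the list holds only version numbers, but logging `[m[0] for m in modlist]` would keep key material out of the log if this branch ever grows. password_sync_s4_to_ucs begins before this hunk and continues past it.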
@@ -727,9 +738,7 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru if 'sambaPwdMustChange' in ucs_object_attributes: sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0] ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange) - krb5Key_ucs = ucs_object_attributes.get('krb5Key', []) userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0] - krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0] pwd_changed = False if ntPwd != ntPwd_ucs: @@ -744,10 +753,7 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru if krb5Principal: # decoding of Samba4 supplementalCredentials krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber)) - modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new)) - if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber): - modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber)) # Append modification as well to modlist, to apply in one transaction if modifyUserPassword: