Univention Bugzilla – Bug 32322
Missing SID mapping compare function
Last modified: 2014-03-19 17:43:17 CET
The SID mapping uses the normal lowercase compare function. The comparison is always false. The result is a modreplace in S4 which costs a lot of time in an environment with 30.000 users.
A compare function has been added: Code: r43496 Changelog: r43497
Code: + r43499 + r43500 + r43502 + r43503
added some debug stuff in s4connector/s4/__init__.py and s4connector/__init__.py
...

OK - SID Changed in UCS:
------------------------
-> udm users/user modify --dn uid=test1,dc=hans,dc=de --set sambaRID=1111
-> connector-s4.log
sync from ucs: [ user] [ modify] cn=test1,dc=hans,dc=de
attr objectSid
ucs value ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00&3S\xd3Z\xf4\xee\x93V\xde\xe8 M\x01\x00\x00']
s4 value ['S-1-5-21-3545445158-2481910874-552132182-222']
values not equal
modlist [(2, 'objectSid', ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00&3S\xd3Z\xf4\xee\x93V\xde\xe8 M\x01\x00\x00'])]
-> univention-ldapsearch uid=test1 | grep sambaSID && univention-s4search cn=test1 | grep Sid
sambaSID: S-1-5-21-3545445158-2481910874-552132182-333
objectSid: S-1-5-21-3545445158-2481910874-552132182-333

OK - displayName changed in UCS, SID not changed:
-------------------------------------------------
-> udm users/user modify --dn uid=test1,dc=hans,dc=de --set displayName=name
-> connector-s4.log
sync from ucs: [ user] [ modify] cn=test1,dc=hans,dc=de
attr objectSid
ucs value ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00&3S\xd3Z\xf4\xee\x93V\xde\xe8 M\x01\x00\x00']
s4 value ['S-1-5-21-3545445158-2481910874-552132182-333']
values equal
modlist []

OK - displayName changed S4, SID not changed:
---------------------------------------------
-> ldbedit test1 (displayName)
-> connector-s4.log
sync to ucs: [ user] [ modify] uid=test1,dc=hans,dc=de
attr sambaRID
ucs value 333
s4 value 333
equal
attr displayName
ucs value nameS44
s4 value nameS444
not equal
-> univention-ldapsearch uid=test1 | grep displayName && univention-s4search cn=test1 | grep displayName
displayName: nameS444
displayName: nameS444

OK - New user in S4:
--------------------
-> samba-tool user create test3 univention123AA
-> connector-s4.log
sync to ucs: [ user] [ add] uid=test3,cn=users,dc=hans,dc=de
attr sambaRID
ucs value None
s4 value 1113
not equal
attr username
ucs value None
s4 value test3
not equal

OK - SID changed in S4:
-----------------------
-> changed "/usr/share/univention-s4-connector/sync_krbtgt" to modify S4 sid
...
def sync_password( self ):
    modlist=[]
    from samba.dcerpc import security
    from samba.ndr import ndr_pack, ndr_unpack
    sid = "S-1-5-21-3545445158-2481910874-552132182-555"
    # pack the SID string into its binary NDR form
    sidValue = ndr_pack(security.dom_sid('%s' % sid))
    attr = "objectSid"
    modlist.append((ldap.MOD_REPLACE, attr, sidValue))
    dn = "CN=test1,DC=hans,DC=de"
    # send the provision control along with the modify request
    LDB_CONTROL_PROVISION_OID = '1.3.6.1.4.1.7165.4.3.16'
    controls = [ LDAPControl(LDB_CONTROL_PROVISION_OID,criticality=0) ]
    self.lo_s4.lo.modify_ext_s(dn, modlist, serverctrls=controls)
...
-> connector-s4.log
sync to ucs: [ user] [ modify] uid=test1,dc=hans,dc=de
attr sambaRID
ucs value 333
s4 value 555
not equal
-> univention-s4search cn=test1 | grep -i objectSid && univention-ldapsearch uid=test1 | grep sambaSID
objectSid: S-1-5-21-3545445158-2481910874-552132182-555
sambaSID: S-1-5-21-3545445158-2481910874-552132182-555

OK - Changelog
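The mismatch described in this report, as an added Python 3 example (not the code from r43496 or the connector's own functions; every function name here is hypothetical): in the log above the UCS side of the objectSid comparison is the binary SID and the S4 side is the string form, so a lowercase compare never matches, while a compare that decodes both sides to the S-1-... form does. The sample values are the ones shown in the connector-s4.log excerpt above.

```python
import struct

def sid_to_string(raw):
    """Decode a binary (NDR-packed) SID into its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("binary SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def normalize_sid(value):
    """Accept binary or string representation, return the string form."""
    if isinstance(value, bytes):
        if value[:2].upper() == b"S-":               # string SID delivered as bytes
            return value.decode("ascii").upper()
        return sid_to_string(value)
    return value.upper()

def lowercase_compare(a, b):
    """Stand-in for a generic case-insensitive value compare (hypothetical)."""
    return [v.lower() for v in a] == [v.lower() for v in b]

def compare_sid_lists(a, b):
    """Compare two attribute value lists by decoded SID, not by raw bytes."""
    try:
        return sorted(map(normalize_sid, a)) == sorted(map(normalize_sid, b))
    except ValueError:
        return False  # malformed SID: report a difference instead of hiding it

# Values copied from the connector-s4.log excerpt on this page.
UCS_VALUE = [b"\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00&3S\xd3Z\xf4\xee\x93V\xde\xe8 M\x01\x00\x00"]
S4_EQUAL = ["S-1-5-21-3545445158-2481910874-552132182-333"]
S4_DIFFERENT = ["S-1-5-21-3545445158-2481910874-552132182-222"]

if __name__ == "__main__":
    print(lowercase_compare(UCS_VALUE, S4_EQUAL))      # generic compare
    print(compare_sid_lists(UCS_VALUE, S4_EQUAL))      # SID-aware compare
    print(compare_sid_lists(UCS_VALUE, S4_DIFFERENT))  # a real SID change
```

With a compare of this kind an unchanged SID yields an empty modlist, so only a real SID change triggers the replace operation in S4.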
UCS 3.2 has been released: http://docs.univention.de/release-notes-3.2-en.html http://docs.univention.de/release-notes-3.2-de.html If this error occurs again, please use "Clone This Bug".
*** Bug 27264 has been marked as a duplicate of this bug. ***