Univention Bugzilla – Bug 40876
create_spn_account.sh allows special characters
Last modified: 2020-07-03 20:55:32 CEST
Created attachment 7526 [details] Patch file Hello everybody, I figured out, that the create_spn_account.sh script, which is located in /usr/share/univention-samba4/scripts/, allows you to use special characters while useing the paramter "--samaccoutname", for e.g. "--samaccountname imap/srv.my.dom". This shouldn't be allowed because otherwise this will result in multiple errors within the Univention Smaba 4 Connector. Replicable in the log file /var/log/univention/connector-s4.log, for e.g.: 04.03.2016 08:34:18,290 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=imap/srv.my.dom,CN=Users,DC=my,DC=dom 04.03.2016 08:34:18,297 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=imap/srv.my.dom,cn=users,dc=my,dc=dom 04.03.2016 08:34:18,449 LDAP (ERROR ): InvalidSyntax: User name: Username must only contain numbers, letters and dots, and may not be 'admin'! (uid=imap/srv.my.dom,cn=users,dc=my,dc=dom) 04.03.2016 08:34:23,547 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=srv2.my.dom,cn=users,dc=my,dc=dom 04.03.2016 08:34:23,697 LDAP (WARNING): __set_values: The attributes for lastname have not been removed as it represents a mandatory attribute This errors will show up again and again as long as the user isn't deleted. The user can be deleted in samba with the following command: samba-tool user delete imap/srv.my.dom I wrote a patch, eventually you will be able to integrate this in further releases, applicable with this command: patch -p0 < spn_no_special_characters.patch Best regards Stefan Elser P.S.: I've also created a forum entry (german) a few days ago: http://forum.univention.de/viewtopic.php?f=48&t=5175
Created attachment 8218 [details] connector-s4.log I can confirm this. Easily reproducable with: > /usr/share/univention-samba4/scripts/create_spn_account.sh \ > --samaccountname "test/test" \ > --serviceprincipalname 'TEST/ucs01.int.example.org' \ > --privatekeytab test.keytab "create_spn_account.sh" should not allow special characters for "--samaccountname". Since the S4-Connector refuses to sync the object (because the S4-Connector DOES a syntax check), the SPN is only available in Samba and the UMC cannot be used to delete it. Just in case, I attached a log file with one attempt with connector/debug/level at default value and one attempt with connector/debug/level='4' BTW this should be adapted, too: > Note: samba-tool user add is deprecated. Please use samba-tool user create for the same function.
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.