Bug 49590 - ADC Traceback in password_sync_ucs: "TypeError: Odd-length string" / Hash UCS: NO PASSWORDXXXXXX
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.4
Other Linux
P5 normal
UCS 4.4-8-errata
Assigned To: Arvid Requate
Florian Best
Depends on:
Blocks: 53757
Reported: 2019-06-04 10:18 CEST by Christian Völker
Modified: 2021-09-15 18:07 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019042421000374, 2019110721000375, 2021020921000259, 2020121821000706
Bug group (optional):
Max CVSS v3 score:

Comment 1 Florian Best univentionstaff 2019-06-04 13:23:34 CEST
Patch?

diff --git a/services/univention-ad-connector/modules/univention/connector/ad/password.py b/services/univention-ad-connector/modules/univention/connector/ad/password.py
index 7a97f986e4..044890edee 100644
--- a/services/univention-ad-connector/modules/univention/connector/ad/password.py
+++ b/services/univention-ad-connector/modules/univention/connector/ad/password.py
@@ -245,6 +245,7 @@ def password_sync_ucs(connector, key, object):

        if pwd in ['NO PASSWORDXXXXXX', 'NO PASSWORD*********************']:
                ud.debug(ud.LDAP, ud.PROCESS, "The sambaNTPassword hash is set to %s. Skip the synchronisation of this hash to AD." % pwd)
+               return

        res = connector.lo_ad.lo.search_s(univention.connector.ad.compatible_modstring(object['dn']), ldap.SCOPE_BASE, '(objectClass=*)', ['pwdLastSet', 'objectSid'])
        pwdLastSet = None
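Review bot: the `in [...]` test directly above the added `return` matches only two exact placeholder literals, so a placeholder with a different number of padding characters is not caught and still reaches the code below this block. Consider skipping whenever `pwd` is not a 32-character hex string (the length of a hex-encoded NT hash) instead of enumerating literals. The bare `return` also leaves `password_sync_ucs` before the `pwdLastSet` lookup shown in the trailing context, so it is worth confirming that nothing later in the function still needs to run for these accounts.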
Comment 2 Arvid Requate univentionstaff 2019-06-19 14:54:01 CEST
This happened after upgrade from 4.2 (?) to 4.4 (see Ticket 2019042421000374)
Comment 3 Christian Völker univentionstaff 2019-06-26 09:13:20 CEST
Is there the possibility to have a workaround? I.e. by re-setting the user's password in AD? Or modifying users through udm?
Comment 4 Arvid Requate univentionstaff 2019-06-26 13:48:44 CEST
Both should work.
Comment 5 Nico Stöckigt univentionstaff 2019-11-11 17:32:44 CET
Changing the Password via Win 10 will lead to this situation. Re-/Changing the password has no effect.

UCS 4.4-1 as member in MS/AD
Comment 6 Dirk Schnick univentionstaff 2021-02-12 19:47:59 CET
Another Customer (Partner) complains about the missing patch. Find details in ticket 2021020921000259 and corresponding.
Comment 9 Arvid Requate univentionstaff 2021-08-31 19:11:25 CEST
Ticket 2020121821000706 reported other peculiarities:

- Some customer had: NO PASSWORDXXXXXXX  (Note: 7xX !?)
- In UCS: /usr/share/univention-heimdal/kerberos_now:     if not attrs['sambaNTPassword'][0] == "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX":
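The placeholder variants listed in this comment show why matching exact literals is fragile. The following is an added example, not the connector's code or the committed fix: it validates the format of a sambaNTPassword value instead, on the assumption that the hash is hex-decoded with `binascii.unhexlify`, which is where an "Odd-length string" error originates. All function names are hypothetical.

```python
import binascii
import re

# An NT hash is 16 bytes, stored hex-encoded as exactly 32 characters.
NT_HASH_RE = re.compile(r"[0-9A-Fa-f]{32}")

# Constructed sample list: the four placeholders quoted in this bug report
# plus one constructed, well-formed hex value.
SAMPLES = [
    "NO PASSWORDXXXXXX",
    "NO PASSWORD*********************",
    "NO PASSWORDXXXXXXX",
    "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX",
    "0123456789ABCDEF0123456789ABCDEF",
]


def decode_nt_hash(value):
    """Return the 16 raw hash bytes, or None if the value must not be synced."""
    if not isinstance(value, str) or NT_HASH_RE.fullmatch(value) is None:
        return None
    return binascii.unhexlify(value)


def in_sentinel_list(value):
    """Exact-match check against the two literals from the patch in comment 1."""
    return value in ("NO PASSWORDXXXXXX", "NO PASSWORD*********************")


def raw_decode_error(value):
    """Message raised when the value is hex-decoded without any validation.

    Python 2 raised TypeError here; Python 3 raises binascii.Error.
    """
    try:
        binascii.unhexlify(value)
    except (binascii.Error, TypeError) as exc:
        return str(exc)
    return None


def missed_by_sentinel_list(values):
    """Invalid values that an exact-match list lets through to decoding."""
    return [v for v in values
            if decode_nt_hash(v) is None and not in_sentinel_list(v)]


if __name__ == "__main__":
    for v in SAMPLES:
        action = "sync" if decode_nt_hash(v) is not None else "skip"
        print("%-34r %-5s raw decode: %s" % (v, action, raw_decode_error(v)))
    print("missed by literal list:", missed_by_sentinel_list(SAMPLES))
```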
Comment 10 Arvid Requate univentionstaff 2021-09-07 13:01:40 CEST
8805e3f590 | Skip sambaNTPassword sync if invalid
4356de7313 | Advisory
Comment 11 Florian Best univentionstaff 2021-09-08 17:50:22 CEST
OK: skipping of various invalid password values
OK: advisory
OK: Code review & comments