Bug 53298 - Administrator cannot authenticate on DC Backup after updating the primary DN to UCS-5
Status: CLOSED WORKSFORME
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 5.0
Other Linux
: P1 critical
: UCS 5.0
Assigned To: Arvid Requate
Florian Best
: interim-7
Depends on:
Blocks:
Reported: 2021-05-20 22:30 CEST by Arvid Requate
Modified: 2021-05-25 15:59 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Arvid Requate univentionstaff 2021-05-20 22:30:04 CEST
After the update of a UCS Samba/AD primary directory node to UCS 5, the Administrator cannot authenticate on the DC Backup:

root@ucs5-dc-primary:~# kinit Administrator
Administrator@TEST.DOM's Password: 
root@ucs5-dc-primary:~#   ## OK


root@ucs4-dc-backup:~# kinit Administrator
Administrator@TEST.DOM's Password: 
kinit: Password incorrect


This also blocks progressing with the update of the DC Backup in case Apps need to be uninstalled via univention-app remove, which requires authenticating as Administrator.
Comment 1 Arvid Requate univentionstaff 2021-05-20 22:46:38 CEST
root@ucs4-dc-backup:~# ldapsearch -ZZ -h ucs4-dc-backup -p 7389 \
      -D uid=Administrator,cn=users,dc=test,dc=dom -W
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)

root@ucs4-dc-backup:~# ldapsearch -ZZ -h ucs5-dc-primary -p 7389 \
      -D uid=Administrator,cn=users,dc=test,dc=dom -W
Enter LDAP Password: 
### Works
Comment 2 Arvid Requate univentionstaff 2021-05-20 22:58:19 CEST
Something is fishy about LDAP replication:

root@ucs4-dc-backup:~# /usr/lib/nagios/plugins/check_univention_replication 
OK: replication complete (nid=461932 lid=461932)

but the attributes (in particular password hashes) differ between Primary and Backup:

32d31
< objectClass: automount
< objectClass: maildisclaimer
< maildisclaimerTemplate: 0
< univentionMailUserQuota: 0
< sambaPwdLastSet: 1621496919
---
> sambaPwdLastSet: 1483532178
77c74
< shadowLastChange: 18767
---
> shadowLastChange: 17170
28c28
< krb5PasswordEnd: 20400719000000Z
< krb5KeyVersionNumber: 36
---
> krb5PasswordEnd: 20360305000000Z
> krb5KeyVersionNumber: 35
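The situation in comment 2 (check_univention_replication reports nid == lid while the credential attributes of the Administrator entry differ between Primary and Backup) can be checked mechanically. The following Python is an added example, not code from the bug report or from UCS; it assumes the two entries were exported beforehand with ldapsearch against the primary and the backup as in comment 1, and the sample dumps are constructed from the values quoted above.

```python
import re
from collections import defaultdict

# Attributes whose divergence explains "kinit: Password incorrect" on the Backup
# even though check_univention_replication reports nid == lid.
CREDENTIAL_ATTRS = ("krb5KeyVersionNumber", "krb5PasswordEnd", "sambaPwdLastSet",
                    "shadowLastChange", "userPassword", "krb5Key", "sambaNTPassword")

def parse_ldif(text):
    """Parse one LDIF entry into {attr: sorted values}. Folded lines (leading
    space) are joined; base64 values ('attr:: ...') are compared still encoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = defaultdict(list)
    for line in logical:
        m = re.match(r"^([A-Za-z][\w;-]*):(:?) ?(.*)$", line)
        if m:
            entry[m.group(1)].append(m.group(3))
    return {k: sorted(v) for k, v in entry.items()}

def credential_drift(primary_ldif, backup_ldif):
    """Return {attr: (primary_values, backup_values)} for every credential
    attribute that differs; an empty dict means the entry is in sync."""
    p, b = parse_ldif(primary_ldif), parse_ldif(backup_ldif)
    return {a: (p.get(a, []), b.get(a, []))
            for a in CREDENTIAL_ATTRS if p.get(a, []) != b.get(a, [])}

# Constructed sample dumps, modelled on the values quoted in comment 2.
PRIMARY = """dn: uid=Administrator,cn=users,dc=test,dc=dom
krb5KeyVersionNumber: 36
krb5PasswordEnd: 20400719000000Z
sambaPwdLastSet: 1621496919
shadowLastChange: 18767
"""
BACKUP = """dn: uid=Administrator,cn=users,dc=test,dc=dom
krb5KeyVersionNumber: 35
krb5PasswordEnd: 20360305000000Z
sambaPwdLastSet: 1483532178
shadowLastChange: 17170
"""

if __name__ == "__main__":
    for attr, (pv, bv) in credential_drift(PRIMARY, BACKUP).items():
        print(f"{attr}: primary={pv} backup={bv}")
```

A non-empty result for a user that cannot bind on the Backup points at a stale replicated entry, which is what univention-replicate-one repaired in comment 3.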
Comment 3 Arvid Requate univentionstaff 2021-05-20 23:03:08 CEST
univention-replicate-one --dn uid=Administrator,dc=test,dc=dom

fixed the issue. I guess it's a problem of the cloned test env.
Comment 4 Florian Best univentionstaff 2021-05-21 17:08:07 CEST
(In reply to Arvid Requate from comment #3)
> univention-replicate-one --dn uid=Administrator,dc=test,dc=dom
> 
> fixed the issue. I guess it's a problem of the cloned test env.

OK: during the clone Administrator was not replicated due to DNS issues.
Comment 5 Florian Best univentionstaff 2021-05-25 15:59:38 CEST
UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".