Bug 32522 - Endless sync of the new school DC password
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Samba 4 - Slave PDC
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 3.1 R2 Errata
Assigned To: Stefan Gohmann
QA Contact: Felix Botner
Reported: 2013-09-09 06:58 CEST by Stefan Gohmann
Modified: 2013-10-07 20:17 CEST (History)
Description Stefan Gohmann univentionstaff 2013-09-09 06:58:21 CEST
Seen in a customer environment with Samba 4 on the school DCs and the DC master.

The password of the school DC was changed by the password change scripts. The password change script changed the password in S4 on the school DC and in OpenLDAP on the master. The OpenLDAP password was synced back to the school DC and the password between OpenLDAP and S4 on the school DC was in sync.

Currently we do not sync the password from UCS OpenLDAP into S4. From modules/univention/s4connector/s4/password.py in function password_sync_ucs_to_s4:
    services=res[0][1].get('univentionService', [])
    if 'Samba 4' in services:
        ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: %s is a S4 server, skip password sync" % ucs_object['dn'])
        return

Since the connector did not change the password from UCS to S4, S4 has the old password. Thus, when the connector changed other attributes of the school DC object, the old password was synced back from S4 to OpenLDAP.

Workaround is to ignore the S4 school DCs:
 ucr set connector/s4/mapping/dc/ignorelist="schooldc1,schooldc2,..."
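To make the loop described above concrete, here is an added model of the connector's decision logic (it is not univention-s4-connector code). It keeps the school DC object in three dicts standing for the master's OpenLDAP, the central S4 and the school DC's S4, uses constructed attribute values, and takes the service name "S4 SlavePDC" from Comment 4 as the value the connector later ignores.

```python
# Added model of the sync loop from the bug description; this is NOT the
# univention-s4-connector code, only the decision logic it describes.
# Each "directory" holds the single school DC object as attribute -> value.
def new_environment():
    obj = {"univentionService": ["Samba 4", "S4 SlavePDC"],
           "description": "school dc", "password": "old-secret"}  # constructed values
    # master OpenLDAP, central S4 on the master, S4 on the school DC
    return {"ucs": dict(obj), "s4_central": dict(obj), "s4_school": dict(obj)}

def ignored(obj, ignore_services):
    """Connector-side check for the fix from Comment 2: skip the object entirely."""
    return any(s in obj["univentionService"] for s in ignore_services)

def sync_ucs_to_s4(env, ignore_services=()):
    ucs, s4 = env["ucs"], env["s4_central"]
    if ignored(ucs, ignore_services):
        return
    s4["description"] = ucs["description"]
    if "Samba 4" in ucs["univentionService"]:
        return  # the skip quoted from password_sync_ucs_to_s4: S4 keeps the old password
    s4["password"] = ucs["password"]

def sync_s4_to_ucs(env, ignore_services=()):
    ucs, s4 = env["ucs"], env["s4_central"]
    if ignored(ucs, ignore_services):
        return
    ucs["description"] = s4["description"]
    ucs["password"] = s4["password"]  # the stale password travels back to OpenLDAP

def server_password_change(env, new_pw):
    """Password change script: S4 on the school DC and OpenLDAP on the master."""
    env["s4_school"]["password"] = new_pw
    env["ucs"]["password"] = new_pw

def simulate(ignore_services=()):
    """One password change followed by an unrelated attribute change on the S4 side.
    Returns True when master OpenLDAP and the school DC's S4 still agree."""
    env = new_environment()
    server_password_change(env, "new-secret")
    sync_ucs_to_s4(env, ignore_services)
    # some other attribute of the school DC object is modified in the central S4
    env["s4_central"]["description"] = "school dc, room 12"
    sync_s4_to_ucs(env, ignore_services)
    return env["ucs"]["password"] == env["s4_school"]["password"]

if __name__ == "__main__":
    print("passwords in sync without ignoring the object:", simulate())  # False
    print("passwords in sync with 'S4 SlavePDC' ignored:",
          simulate(ignore_services=("S4 SlavePDC",)))  # True
```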
Comment 1 Stefan Gohmann univentionstaff 2013-09-09 16:26:01 CEST
The slave pdc package should add a server password change script which changes the password in the central S4 before the password is changed via UDM. 

The school slave can check for other S4 or S4 Connector systems in this way:
 univention-ldapsearch '(univentionService=S4 Connector)' dn -LLL

If the server finds more than just itself, the password should be changed, preferably on the S4 Connector host.
Comment 2 Stefan Gohmann univentionstaff 2013-09-25 17:13:37 CEST
I've checked this issue a little bit more. The problem is the first join of the school DC, because at that point the slave is a standard S4 slave, not a school DC. So it is joined and the password of the slave is set.

I changed the slavepdc join script so that it sets the password to the current password, but I don't have credentials to do that at a later point because S4 does not allow the password change as a server.

So, roll back. I'll add a univentionService for the slave PDCs and the connector will ignore these objects.
Comment 3 Stefan Gohmann univentionstaff 2013-09-26 06:54:57 CEST
S4 Connector bug to ignore these objects: Bug #32690

Code UCS@school: r44470
Changelog UCS@school: r44471

Code UCS@school 3.2: r44472
Changelog UCS@school 3.2: I think it is not necessary.
Comment 4 Felix Botner univentionstaff 2013-09-26 10:35:18 CEST
OK - ucsschool-3.1-R2, 96univention-samba4slavepdc adds service "S4 SlavePDC"
OK - Changelog

OK - ucs-school-3.2
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2013-10-07 20:17:55 CEST
UCS@school 3.1 R2-2 has been released:
http://download.univention.de/doc/release-notes-ucsschool-3.1-rev2-2.pdf

If this error occurs again, please use "Clone This Bug".