Bug 35092 - UCS in Active Directory domain - kinit overlay module
UCS in Active Directory domain - kinit overlay module
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 3.2
Other Linux
: P5 enhancement (vote)
: UCS 3.2-2-errata
Assigned To: Stefan Gohmann
Felix Botner
Depends on:
Blocks: 34091
  Show dependency treegraph
Reported: 2014-06-11 08:19 CEST by Stefan Gohmann
Modified: 2014-07-14 10:50 CEST (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2014-06-11 08:19:02 CEST
An overlay module is needed which performs a kinit against an AD based kerberos server. See

+++ This bug was initially created as a clone of Bug #34091 +++

It should be possible to run UCS as part of an Active Directory domain. In this case UCS must not provide Kerberos, DNS or Samba domain controller functionality.

The synchronization of users, groups and computers will be done through the UCS AD connector. A password synchronization is not necessary, we will add an overlay module for OpenLDAP which uses the AD Kerberos as password verification backend for simple LDAP bind.

The UCS system should able to provide Samba shares.

Synchronized objects should be marked as synced (objectsuniventionObjectFlag: synced). In the default read mode of the connector it should not be possible to modify the synchronized attributes. The UDM modules property extension should be extended, for example "readonly_when_synced: True", default is False. Furthermore the object creation via UMC should display a warning that this object will not synchronized to AD.
Comment 1 Stefan Gohmann univentionstaff 2014-07-07 08:17:53 CEST
New overlay module has been added.

Code: r13196 + r13197

YAML: r51414
Comment 2 Felix Botner univentionstaff 2014-07-08 12:15:46 CEST
OK - tested against a local samba4

-> univention-ldapsearch uid=test1 userPassword | ldapsearch-decode64 
dn: uid=test1,dc=w2k12,dc=test
userPassword: {KINIT}

->  ldapsearch -D uid=test1,dc=w2k12,dc=test -w univention uid=test1 uid
dn: uid=test1,dc=w2k12,dc=test
uid: test1

-> ldapsearch -D uid=test1,dc=w2k12,dc=test -w univentiona uid=test1 uid
ldap_bind: Invalid credentials (49)

samba4 stopped
-> ldapsearch -D uid=test1,dc=w2k12,dc=test -w univention uid=test1
ldap_bind: Invalid credentials (49)
Jul  8 12:13:41 master slapd[18513]: conn=1082 op=0: pwd_scheme_kinit: krb5_get_init_creds_password: unable to reach any KDC in realm W2K12.TEST

If "Change password on next login" is activated, login is not possible.

Comment 3 Moritz Muehlenhoff univentionstaff 2014-07-14 10:50:00 CEST