Bug 35501 - listener module "well-known-sid-name-mapping" needs to recognize SID changes.
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: PAM
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.2-2-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on: 35346
Blocks: 34091
Reported: 2014-07-28 18:24 CEST by Arvid Requate
Modified: 2014-08-07 17:49 CEST (History)
Description Arvid Requate univentionstaff 2014-07-28 18:24:11 CEST
In AD member mode, the AD-Connector may create objects in OpenLDAP with non-English names which have Well Known SIDs in Active Directory.

In OpenLDAP the AD-Connector creates them with unspecific SIDs, so the Listener module "well-known-sid-name-mapping" does not recognize them. That's ok.

When AD takeover is run in such a case, then the SIDs of OpenLDAP objects which correspond to Well Known SIDs in Active Directory are rewritten to the Well Known SIDs.

The listener module "well-known-sid-name-mapping" needs to be adjusted to recognize when e.g. the SID of the "Gast" object is modified into a Well Known SID.


+++ This bug was initially created as a clone of Bug #35346 +++

It should be possible to take over the AD domain at a later point.
Comment 1 Arvid Requate univentionstaff 2014-07-28 18:47:55 CEST
The listener module has been adjusted.

Advisory: 2014-07-28-univention-pam.yaml
Comment 2 Felix Botner univentionstaff 2014-08-01 11:07:41 CEST
-> univention-ldapsearch cn=Dom*nenc* sambaSID -LLL | ldapsearch-decode64 
dn: cn=Domänencomputer,cn=users,dc=w2k12,dc=test
sambaSID: S-1-5-21-3746100450-113509357-4236447858-11023
dn: cn=Domänencontroller,cn=users,dc=w2k12,dc=test
sambaSID: S-1-5-21-3746100450-113509357-4236447858-11025

-> ucr search groups/default
groups/default/domainadmins: Domänen-Admins
groups/default/domainguests: Domänen-Gäste
groups/default/domainusers: Domänen-Benutzer
groups/default/printoperators: Printer-Admins

-> udm groups/group modify --dn "cn=Domänencomputer,cn=users,dc=w2k12,dc=test" \
   --set sambaRID=515

-> udm groups/group modify --dn "cn=Domänencontroller,cn=users,dc=w2k12,dc=test" \
   --set sambaRID=516

-> ucr search groups/default
groups/default/domaincomputers: Domänencomputer
groups/default/domaincontrollers: Domänencontroller
groups/default/domainadmins: Domänen-Admins
groups/default/domainguests: Domänen-Gäste
groups/default/domainusers: Domänen-Benutzer
groups/default/printoperators: Printer-Admins

and the other way:

-> udm groups/group modify --dn "cn=Domänencomputer,cn=users,dc=w2k12,dc=test" \
   --set name=domcomp

-> udm groups/group modify --dn \
  "cn=Domänencontroller,cn=users,dc=w2k12,dc=test" --set name=domcontr

-> ucr get groups/default/domaincomputers 
domcomp
-> ucr get groups/default/domaincontrollers 
domcontr

OK - YAML
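The two cases verified above (a group gaining a Well Known RID such as 515/516, and a group with a Well Known SID being renamed) as an added example of the decision a listener modify handler has to make; this is illustrative code, not the univention-pam module itself. The RID-to-variable table takes 515 and 516 from the test log; 512 to 514 are the standard domain RIDs and are an assumption here, as is the `handle(dn, new, old)` shape, which mirrors the UCS listener API but returns the UCR operations instead of executing them.

```python
import re

# RID -> UCR variable. 515/516 come from the bug's test log; 512-514 are the
# standard Domain Admins/Users/Guests RIDs and are assumed for this example.
RID_TO_UCR_VAR = {
    512: "groups/default/domainadmins",
    513: "groups/default/domainusers",
    514: "groups/default/domainguests",
    515: "groups/default/domaincomputers",
    516: "groups/default/domaincontrollers",
}

# Domain SID: S-1-5-21-<3 sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def well_known_var(sid):
    """Return the UCR variable for a domain SID with a Well Known RID, else None."""
    m = DOMAIN_SID_RE.match(sid or "")
    if not m:
        return None
    return RID_TO_UCR_VAR.get(int(m.group(1)))


def first(attrs, name):
    """First value of an LDAP attribute from a listener attribute dict (or None)."""
    values = (attrs or {}).get(name, [])
    return values[0] if values else None


def handle(dn, new, old):
    """Mimic a listener handler: return [('set'|'unset', ucr_var, value), ...]."""
    ops = []
    old_var = well_known_var(first(old, "sambaSID"))
    new_var = well_known_var(first(new, "sambaSID"))
    new_name = first(new, "cn")
    # Object lost its Well Known SID, or was deleted (new is None): drop mapping.
    if old_var and old_var != new_var:
        ops.append(("unset", old_var, None))
    # Object now carries a Well Known SID: (re)publish its current name. This
    # covers both a SID rewritten to a Well Known one and a plain rename.
    if new_var and (new_var != old_var or new_name != first(old, "cn")):
        ops.append(("set", new_var, new_name))
    return ops
```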
Comment 3 Janek Walkenhorst univentionstaff 2014-08-07 17:49:12 CEST
http://errata.univention.de/ucs/3.2/173.html