Bug 37596 – Takeover fails when sAMAccountName is missing for well known SID

Bug 37596 - Takeover fails when sAMAccountName is missing for well known SID


Summary:	Takeover fails when sAMAccountName is missing for well known SID

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	AD Takeover
Version:	UCS 4.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.0-1-errata
Assigned To:	Arvid Requate
QA Contact:	Stefan Gohmann

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2015-01-23 10:02 CET by Jan Christoph Ebersbach
Modified:	2015-03-25 16:38 CET (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
ForeignSecurityPrincipals.patch (748 bytes, patch) 2015-01-23 13:31 CET, Arvid Requate	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jan Christoph Ebersbach

2015-01-23 10:02:36 CET

The following call in takeover.py causes the takeover process to die immediately:
ad_object_name = obj.get("sAMAccountName", [None])[0]

This LDAP object caused the problems:
dn: CN=S-1-5-1,CN=ForeignSecurityPrincipals,DC=xxxx,DC=local
objectClass: top
objectClass: foreignSecurityPrincipal
cn: S-1-5-1
instanceType: 4
whenCreated: 20080722231217.0Z
whenChanged: 20080722231217.0Z
uSNCreated: 7153
uSNChanged: 7153
showInAdvancedViewOnly: TRUE
name: S-1-5-1
objectGUID: xxxxxxxxxxxxxxxx
objectSid: S-1-5-1
objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=xxxx,DC=local
memberOf: CN=Users,CN=Builtin,DC=RDCL,DC=local
distinguishedName: CN=S-1-5-1,CN=ForeignSecurityPrincipals,DC=xxxx,DC=local

Comment 1 Jan Christoph Ebersbach

2015-01-23 10:31:25 CET

The corresponding ticket is #2015012221000631.

Comment 2 Arvid Requate

2015-01-23 13:31:59 CET

Created attachment 6628 [details]
ForeignSecurityPrincipals.patch

Interesting, usually that account is not in the domain partition:

dn: CN=Dialup,CN=WellKnown Security Principals,CN=Configuration,DC=ar40i1,DC=qa

So we should adjust the search filter, see proposed patch.

Comment 3 Arvid Requate

2015-03-18 22:12:55 CET

The package has been built in errata4.0-1 with the patch.

Advisory: 2015-03-17-univention-management-console-module-adtakeover.yaml

Comment 4 Stefan Gohmann

2015-03-19 09:39:19 CET

YAML: OK

Code review: OK

Tests: OK

Comment 5 Janek Walkenhorst

2015-03-25 16:38:56 CET

<http://errata.univention.de/ucs/4.0/132.html>