Bug 40055 - adtakeover: Unable to parse search expression
adtakeover: Unable to parse search expression
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Takeover
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.4-0-errata
Assigned To: Fathan Vidjaja
Arvid Requate
:
: 45693 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-20 15:30 CET by Florian Best
Modified: 2019-05-08 13:26 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017103121000085
Bug group (optional): Error handling, External feedback
Max CVSS v3 score:
best: Patch_Available+


Attachments
patch (25.71 KB, patch)
2017-08-09 17:16 CEST, Florian Best
Details | Diff
qa-feedback.patch (1.89 KB, patch)
2019-04-11 16:42 CEST, Arvid Requate
Details | Diff
florian-feedback.diff (1.06 KB, patch)
2019-04-18 13:58 CEST, Arvid Requate
Details | Diff
patch (975 bytes, patch)
2019-04-30 11:44 CEST, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2015-11-20 15:30:02 CET
We received the following traceback, 4.1-0 errata1 (Vahr).

Die Ausführung des Kommandos 'connect' ist fehlgeschlagen:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 60, in _background
    result = func(self, request)
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 102, in connect
    return takeover.count_domain_objects_on_server(ip, username, password, self.progress)
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 244, in count_domain_objects_on_server
    ad.authenticate(username, password)
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 674, in authenticate
    self.domain_info['ad_os'] = self.operatingSystem(self.domain_info["ad_netbios_name"])
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 685, in operatingSystem
    attrs=["operatingSystem", "operatingSystemVersion", "operatingSystemServicePack"])
LdbError: (1, 'Unable to parse search expression')


Remark:
Migration von Resara Server
Comment 1 Florian Best univentionstaff 2017-08-09 17:16:59 CEST
Created attachment 9110 [details]
patch

Attached patch fixes all broken LDAP filters and DN operations.
Comment 2 Florian Best univentionstaff 2017-11-11 12:23:50 CET
*** Bug 45693 has been marked as a duplicate of this bug. ***
Comment 3 Florian Best univentionstaff 2017-11-29 16:16:00 CET
This happens when the PDC name of the Active Directory server contains any of the chars \x00 ( ) * \.
Comment 4 Stefan Gohmann univentionstaff 2019-01-03 07:21:06 CET
This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Comment 5 Fathan Vidjaja univentionstaff 2019-03-13 11:14:40 CET
I applied the patch in my own branch:
https://git.knut.univention.de/univention/ucs/commit/7e2c46777e7306f0d9070513a77c5ba0d3dafff5
Comment 6 Fathan Vidjaja univentionstaff 2019-03-13 13:03:01 CET
Added deleted changes from patched script and tested the script with takeover.
Comment 7 Arvid Requate univentionstaff 2019-04-11 16:42:34 CEST
Created attachment 9966 [details]
qa-feedback.patch

I think you changed something about the wait timeouts. The attached patch would revert these changes. In the past we had to increase the timeouts to the current values (Bug #46105, commit abec520531).

Otherwise the changes look ok.
Comment 8 Fathan Vidjaja univentionstaff 2019-04-16 12:52:04 CEST
Applied patch in commit:
https://git.knut.univention.de/univention/ucs/commit/2a6cee8ca255fc856681ad394634a34d36b11d41
Comment 9 Arvid Requate univentionstaff 2019-04-16 16:41:56 CEST
please check 7e2c46777e7 again, there is at least one other location where something strange happened:

arequate@braeda:~/git/ucs on fathan/40055 [?$]
$ git show 7e2c46777e7 | grep group.modify
-                       group.modify()
+                       return group.modify()
Comment 10 Fathan Vidjaja univentionstaff 2019-04-18 12:27:23 CEST
Patch merged in master.
Comment 11 Arvid Requate univentionstaff 2019-04-18 13:58:12 CEST
Created attachment 9984 [details]
florian-feedback.diff

Sorry, I misread the patch series: Florian just pointed out to me that the attached modification is actually intended and required. It's also in the original patch by Florian. Please apply this patch, import and build the patches, update the version number in the advisory. Sorry for the confusion!
Comment 12 Fathan Vidjaja univentionstaff 2019-04-18 15:43:36 CEST
I applied the changes and update in version number.
Comment 13 Florian Best univentionstaff 2019-04-18 15:59:31 CEST
I imported the package in our buildsystem and build it. Adjusted the YAML file accordingly.

univention-management-console-module-adtakeover.yaml
c7eab7a85be6 | YAML Bug #40055
d14ad045d21a | Bug #40055 : version added in YAML for
1092d50f9358 | YAML Bug #40055

univention-management-console-module-adtakeover (6.0.1-3)
62df59bc7a9c | Bug #40055 : last correction
ae1bfe9fac7c | Bug #40055: applied patch for changing timeouts
d08f2fe58bbd | Bug #40055: added previous deleted changes(primary interfaces etc.)
09c0ebaf1182 | Bug #40055 : applying patch given from bugzilla

univention-management-console-module-adtakeover (6.0.1-4)
4492cfb488f8 | Bug #40055: patched version cleanup
0648b011f48b | Bug #40055: applied patch from bug ticket
1092d50f9358 | YAML Bug #40055
2725b2f067ff | Bug #40055: Version Bump
Comment 14 Florian Best univentionstaff 2019-04-18 16:06:45 CEST
REOPEN: There is a undefined variable / missing import.
takeover.py|2493 col 17 error| undefined name 'string' [F821]

This is because on hunk of the patch was not taken:
https://forge.univention.org/bugzilla/attachment.cgi?id=9110&action=diff#a/management/univention-management-console-module-adtakeover/umc/python/adtakeover/takeover.py_sec33
Comment 15 Fathan Vidjaja univentionstaff 2019-04-25 12:26:21 CEST
I added the missing python imports and imported the package into our build system and build it. Changed the YAML accordingly.
https://git.knut.univention.de/univention/ucs/commit/aad0b88fbdf0344da14ebf959a09256f66a2dd67
Comment 16 Fathan Vidjaja univentionstaff 2019-04-25 13:34:28 CEST
I changed the script to the last missing changes from the patch and build it in our build system:
https://git.knut.univention.de/univention/ucs/commit/ea5a28efa1b7c7a839bbab2785586607f49b25ea
https://git.knut.univention.de/univention/ucs/commit/dec3fe191b109382aba1c92441515c93ac97c563
Comment 17 Fathan Vidjaja univentionstaff 2019-04-25 13:48:01 CEST
Patch is now imported and built in the version 6.0.1-6A~4.4.0.201904251341 univention-management-console-module-adtakeover.
Comment 18 Felix Botner univentionstaff 2019-04-30 11:23:47 CEST
The ad takeover tests fail,

Problem is

+ univention-check-join-status
[ucs] 2019-04-29T20:42:52.927629	Warning: 'univention-samba4-dns' is not configured.
[ucs] 2019-04-29T20:42:52.928821	Error: Not all install files configured: 1 missing
[ucs] 2019-04-29T20:42:52.928903	+ test 1 -eq 0
[ucs] 2019-04-29T20:42:52.928903	+ sleep 10
[ucs] 2019-04-29T20:43:02.930437	+ for i in $(seq 1 3)
[ucs] 2019-04-29T20:43:02.930437	+ univention-check-join-status
[ucs] 2019-04-29T20:43:03.754818	Warning: 'univention-samba4-dns' is not configured.
[ucs] 2019-04-29T20:43:03.765102	Error: Not all install files configured: 1 missing
[ucs] 2019-04-29T20:43:03.765207	+ test 1 -eq 0
[ucs] 2019-04-29T20:43:03.765207	+ sleep 10
[ucs] 2019-04-29T20:43:13.766811	+ for i in $(seq 1 3)
[ucs] 2019-04-29T20:43:13.766811	+ univention-check-join-status
[ucs] 2019-04-29T20:43:14.675717	Warning: 'univention-samba4-dns' is not configured.
[ucs] 2019-04-29T20:43:14.677706	Error: Not all install files configured: 1 missing
[ucs] 2019-04-29T20:43:14.678086	+ test 1 -eq 0
[ucs] 2019-04-29T20:43:14.678086	+ sleep 10


2019-04-29 20:42:23.678705942+02:00 (in joinscript_init)
Waiting for RID Pool replication: done.
E: Insufficient information: The following properties are missing:
primaryGroup
ERROR: could not create user account dns-ucs-adto
**************************************************************
* ERROR: Failed to create DNS spn account.                   *
*        Please check the samba and the s4-connector logfile.*
**************************************************************

The system can't create new users because the Domain Users has been renamed, but the default/settings object is not modified

-> univention-ldapsearch -b  cn=default,cn=univention,dc=adtakeover,dc=local -LLL univentionDefaultGroup
dn: cn=default,cn=univention,dc=adtakeover,dc=local
univentionDefaultGroup: cn=Domain Users,cn=groups,dc=adtakeover,dc=local

-> univention-ldapsearch  -LLL cn=Domain\ Users
-> univention-ldapsearch  -LLL cn=Domänen-Benutzer dn
dn:: Y249RG9tw6RuZW4tQmVudXR6ZXIsY249Z3JvdXBzLGRjPWFkdGFrZW92ZXIsZGM9bG9jYWw=


so the GroupRenameHandler in umc/python/adtakeover/takeover.py is broken, it should rename the group and update the group settings
Comment 19 Florian Best univentionstaff 2019-04-30 11:31:19 CEST
The problem is in UDM:

# udm groups/group modify --dn 'cn=Domain Users,cn=groups,dc=school,dc=local' --set name='Domain Users Benutzer'
Object modified: cn=Domain Users,cn=groups,dc=school,dc=local

It returns the old dn, while it is expected that it returns the new dn.
"return group.modify()"
Comment 20 Florian Best univentionstaff 2019-04-30 11:44:44 CEST
Created attachment 9998 [details]
patch

Maybe for now, we should fix it here instead of fixing UDM. For UDM there is somewhere a bugzilla entry, which I don't find atm.
Comment 21 Florian Best univentionstaff 2019-04-30 11:52:17 CEST
It's Bug #41694 which caused this. A patch is also available there.
Comment 22 Arvid Requate univentionstaff 2019-04-30 19:51:55 CEST
You have committed the patch as cc88f53e5b but the changelog entry was missing and thus the package cannot have been imported and built. Then some other developer came and commited other stuff, updated the changelog and built the package. So, your patch has silently made it into the binary that will be tested in tonights CI run. If that works, we can close the bug on thursday.
Comment 23 Fathan Vidjaja univentionstaff 2019-05-02 14:25:16 CEST
Takeover-test in Jenkins ran without errors.
Comment 24 Arvid Requate univentionstaff 2019-05-06 15:06:19 CEST
Ok
Comment 25 Arvid Requate univentionstaff 2019-05-08 13:26:15 CEST
<http://errata.software-univention.de/ucs/4.4/85.html>