Univention Bugzilla – Bug 40155
Sync of (computer) accounts without krb5Principal, krb5KDCEntry, shadowAccount objectClass
Last modified: 2017-10-16 07:41:45 CEST
2015112421000359 2015120221000148

Two "old" customers reported computer accounts without objectClass krb5Principal, krb5KDCEntry, shadowAccount in OpenLDAP. As those accounts are rather old, the suggestion is that they have been joined into the NT domain (via Samba) and have not been kerberized for some reason. While this is not an issue in the first place (because the accounts do have the appropriate object classes in AD after migration and therefore work correctly), it will break the trust relationship in scenarios where the s4-connector gets resynced, like backup2master. The connector then removes (or re-creates?) the Kerberos attributes in AD (as they don't exist in OpenLDAP). In the current case, the connector shows a reject for affected clients (during initialization) because it can't write shadowLastChange back to OpenLDAP:

OBJECT_CLASS_VIOLATION: {'info': "attribute 'shadowLastChange' not allowed", 'desc': 'Object class violation'}

Could we "simply" copy the relevant attributes from AD to OpenLDAP if they don't exist there (plus appending the needed object classes, of course)?
*** Bug 39400 has been marked as a duplicate of this bug. ***
Instead of trying to fix it in the connector and changing the objectClasses of these accounts automatically, I would rather create an SDB article with a script which modifies the entries.
I've added an article: https://help.univention.com/t/computer-is-not-synchronized-due-to-object-class-violation/6814 The article is currently unlisted and should be listed once it has been verified.
OK, added a "broken" Windows host account:

-> service univention-s4-connector stop
-> ldapadd

# win2, four.two
dn: cn=win2,dc=four,dc=two
univentionServerRole: windows_client
displayName: win2
cn: win2
loginShell: /bin/false
univentionObjectType: computers/windows
uidNumber: 2088
sambaAcctFlags: [W ]
sn: win2
homeDirectory: /dev/null
uid: win2$
gidNumber: 1005
sambaPrimaryGroupSID: S-1-5-21-3006362628-2186033213-1690935345-11011
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: top
objectClass: univentionHost
objectClass: univentionObject
objectClass: univentionWindows
sambaSID: S-1-5-21-3006362628-2186033213-1690935345-1113

Got the S4 reject:

): failed in post_con_modify_functions
02.10.2017 17:11:09,240 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1600, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 831, in password_sync_s4_to_ucs_no_userpassword
    password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=False)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 823, in password_sync_s4_to_ucs
    s4connector.lo.lo.modify(ucs_object['dn'], modlist)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 475, in modify
    self.modify_ext_s(dn, ml, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 516, in modify_ext_s
    rtype, rdata, rmsgid, resp_ctrls = self.lo.result3(msgid)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
OBJECT_CLASS_VIOLATION: {'info': "attribute 'shadowLastChange' not allowed", 'desc': 'Object class violation'}

Executed the script mentioned in https://help.univention.com/t/computer-is-not-synchronized-due-to-object-class-violation/6814:

-> python /tmp/kerberize_from_samba4.py
Username: Administrator
Password:
Can not find required account attributes in AD for 'cn=win1,dc=four,dc=two'...
Adding Kerberos key for 'cn=win2,dc=four,dc=two'... done

-> sync OK now
-> no reject
-> OpenLDAP object fixed:

# win2, four.two
dn: cn=win2,dc=four,dc=two
univentionServerRole: windows_client
displayName: win2
cn: win2
loginShell: /bin/false
univentionObjectType: computers/windows
uidNumber: 2088
sambaAcctFlags: [W ]
sn: win2
homeDirectory: /dev/null
uid: win2$
gidNumber: 1005
sambaPrimaryGroupSID: S-1-5-21-3006362628-2186033213-1690935345-11011
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: top
objectClass: univentionHost
objectClass: univentionObject
objectClass: univentionWindows
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: shadowAccount
sambaSID: S-1-5-21-3006362628-2186033213-1690935345-1113
krb5PrincipalName: win2$@FOUR.TWO
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KDCFlags: 126
krb5Key:: MB2hGzAZoAMCARehEgQQyqEjnUTaft+Sa8459cZdDw==
krb5Key:: MFOhKzApoAMCARKhIgQgJS90jyoqkp9b+grfquu2xV5cj/TTBJm9XOt5udDun12iJDAioAMCAQOhGwQZRk9VUi5UV09ob3N0d2luMi5mb3VyLnR3bw==
krb5Key:: MEOhGzAZoAMCARGhEgQQhXuaxmYATtq5P0eodgmTkqIkMCKgAwIBA6EbBBlGT1VSLlRXT2hvc3R3aW4yLmZvdXIudHdv
krb5Key:: MDuhEzARoAMCAQOhCgQI+wJ1vNnTLB+iJDAioAMCAQOhGwQZRk9VUi5UV09ob3N0d2luMi5mb3VyLnR3bw==
krb5Key:: MDuhEzARoAMCAQGhCgQI+wJ1vNnTLB+iJDAioAMCAQOhGwQZRk9VUi5UV09ob3N0d2luMi5mb3VyLnR3bw==
userPassword:: e0s1S0VZfQ==
sambaNTPassword: CAA1239D44DA7EDF926BCE39F5C65D0F
krb5KeyVersionNumber: 4
shadowLastChange: 17441
sambaPwdLastSet: 1506957366

I have "listed" the article.
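Added example (not part of the bug report and not Univention's kerberize_from_samba4.py): an audit that reads an OpenLDAP LDIF export and reports computer accounts that lack the krb5Principal, krb5KDCEntry and shadowAccount object classes, plus the attributes the S4 connector would be refused when writing back to such an entry. The sample LDIF is constructed, modelled on the win2 entries above, with a placeholder krb5Key; the attribute-to-class mapping assumes the Heimdal hdb schema (krb5*) and RFC 2307 shadowAccount (shadowLastChange). It only detects; the Kerberos keys themselves still have to be taken from Samba 4 as the SDB article's script does.

```python
"""Audit an LDIF export for un-kerberized computer accounts (added example)."""
import base64

REQUIRED_CLASSES = ("krb5Principal", "krb5KDCEntry", "shadowAccount")

# Auxiliary class that permits each attribute the connector writes back.
# Writing one of these to an entry lacking the class is the
# OBJECT_CLASS_VIOLATION reject quoted in the report (assumed schema mapping).
ATTRIBUTE_CLASS = {
    "krb5PrincipalName": "krb5Principal",
    "krb5KeyVersionNumber": "krb5KDCEntry",
    "krb5Key": "krb5KDCEntry",
    "krb5KDCFlags": "krb5KDCEntry",
    "krb5MaxLife": "krb5KDCEntry",
    "krb5MaxRenew": "krb5KDCEntry",
    "shadowLastChange": "shadowAccount",
}

# Constructed sample: win2 is un-kerberized (as in the report), win3 is a
# kerberized account with a placeholder key folded over two LDIF lines.
SAMPLE_LDIF = """\
# win2, four.two
dn: cn=win2,dc=four,dc=two
uid: win2$
univentionObjectType: computers/windows
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: univentionWindows

# win3, four.two
dn: cn=win3,dc=four,dc=two
uid: win3$
univentionObjectType: computers/windows
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: univentionWindows
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: shadowAccount
krb5PrincipalName: win3$@FOUR.TWO
krb5KeyVersionNumber: 1
krb5Key:: Y29uc3RydWN0
 ZWQta2V5
shadowLastChange: 17441
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), skips
    comments, decodes 'attr:: base64' values to bytes, keeps others as str.
    Returns a list of entries, each a dict of lower-cased attribute -> values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # LDIF folding: join continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def object_classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def is_computer_account(entry):
    """UCS computer accounts carry univentionObjectType computers/* and uid 'name$'."""
    return (any(t.startswith("computers/") for t in entry.get("univentionobjecttype", []))
            or any(u.endswith("$") for u in entry.get("uid", [])))


def missing_classes(entry):
    present = object_classes(entry)
    return [c for c in REQUIRED_CLASSES if c.lower() not in present]


def blocked_attributes(entry):
    """Attributes the connector writes back that this entry's classes do not allow."""
    present = object_classes(entry)
    return sorted(a for a, cls in ATTRIBUTE_CLASS.items() if cls.lower() not in present)


def audit(text):
    """Map DN -> missing object classes for every affected computer account."""
    findings = {}
    for entry in parse_ldif(text):
        if is_computer_account(entry) and missing_classes(entry):
            findings[entry["dn"][0]] = missing_classes(entry)
    return findings


if __name__ == "__main__":
    entries = {e["dn"][0]: e for e in parse_ldif(SAMPLE_LDIF)}
    for dn, missing in audit(SAMPLE_LDIF).items():
        print("%s lacks %s" % (dn, ", ".join(missing)))
        print("  connector cannot write: %s" % ", ".join(blocked_attributes(entries[dn])))
```

Run against a real export (`ldapsearch -LLL ... > export.ldif`, then `audit(open("export.ldif").read())`) the findings list is the set of hosts that will reject on the next connector resync; an empty `blocked_attributes` result for an entry means the write-back the traceback above shows would be accepted by the schema.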
OK, thanks. Issue can be closed.