Bug 40745 - replace windows password service with python samba drsuapi.DsGetNCChangesRequest8/samr.SetUserInfo
replace windows password service with python samba drsuapi.DsGetNCChangesRequ...
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector - Windows password service
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1-1-errata
Assigned To: Stefan Gohmann
Arvid Requate
:
: 40732 40756 (view as bug list)
Depends on:
Blocks: 41220 41247 41632
  Show dependency treegraph
 
Reported: 2016-02-22 15:12 CET by Felix Botner
Modified: 2016-09-21 20:34 CEST (History)
6 users (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
get-ad-nthash.py (5.21 KB, text/x-python)
2016-02-22 15:13 CET, Felix Botner
Details
set-ad-password.py (2.84 KB, text/x-python)
2016-02-22 15:13 CET, Felix Botner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2016-02-22 15:12:57 CET
Here two python scripts for setting/getting the nt hash on/from a windows ad server.
Maybe as replacement for our password service:

NT get: uses drsuapi.DsGetNCChangesRequest8() - https://msdn.microsoft.com/en-us/library/dd207691.aspx

NT set: samr.SetUserInfo - https://msdn.microsoft.com/en-us/library/cc245793.aspx
Comment 1 Felix Botner univentionstaff 2016-02-22 15:13:20 CET
Created attachment 7493 [details]
get-ad-nthash.py
Comment 2 Felix Botner univentionstaff 2016-02-22 15:13:35 CET
Created attachment 7494 [details]
set-ad-password.py
Comment 3 Felix Botner univentionstaff 2016-03-14 10:28:40 CET
Better use NT4 Account name without domain part when looking for user dn:

req = drsuapi.DsNameRequest1()
names = drsuapi.DsNameString()
names.str = user
req.format_offered = drsuapi.DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT_NAME_SANS_DOMAIN
req.format_desired = drsuapi.DRSUAPI_DS_NAME_FORMAT_FQDN_1779
req.count = 1
req.names = [names]
i, o = drs.DsCrackNames(drsuapi_handle, 1, req)
user_dn = o.array[0].result_name
Comment 4 Stefan Gohmann univentionstaff 2016-03-16 08:28:02 CET
A test case has been added: 55_adconnector/050sync_password_sync (r68120).
Comment 5 Stefan Gohmann univentionstaff 2016-03-16 09:31:59 CET
I've integrated the patches from Felix into the AD Connector and the synchronization works as expected: r68121

I've also removed the old Windows daemon and adjusted the UMC module: r68122 + r68124 + r68126 + r68127

The following steps need to be done:
 - YAML file
 - Tests with the wizard in AD member and ad connector setups
 - Jenkins tests
 - Tests with thousands of users

The documentation can be adjusted after the release.
Comment 6 Stefan Gohmann univentionstaff 2016-03-17 08:16:02 CET
(In reply to Stefan Gohmann from comment #5)
> I've integrated the patches from Felix into the AD Connector and the
> synchronization works as expected: r68121
> 
> I've also removed the old Windows daemon and adjusted the UMC module: r68122
> + r68124 + r68126 + r68127

+ r68159

> The following steps need to be done:
>  - YAML file

univention-ad-connector.yaml (r68157 + r68158 + r68160)

>  - Tests with the wizard in AD member and ad connector setups
Done

>  - Jenkins tests
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-1/job/ADConnectorMultiEnv/13/

>  - Tests with thousands of users

My tests were successful.

> The documentation can be adjusted after the release.Bug #40911
Comment 7 Stefan Gohmann univentionstaff 2016-03-17 09:57:15 CET
This happened in my test environment:

08.03.2016 21:57:34,680 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=genuser-001198,cn=users,dc=deadlock12,dc=intranet
08.03.2016 21:57:34,682 LDAP        (WARNING): __set_values: The attributes for lastname have not been removed as it represents a mandatory attribute
08.03.2016 21:57:35,123 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
08.03.2016 21:57:35,123 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1281, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1135, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 351, in create
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 725, in _create
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 2061, in _ldap_modlist
  File "/usr/lib/pymodules/python2.7/univention/admin/password.py", line 52, in crypt
IOError: [Errno 24] Too many open files: '/dev/urandom'
Comment 8 Stefan Gohmann univentionstaff 2016-03-20 11:14:14 CET
(In reply to Stefan Gohmann from comment #7)
> IOError: [Errno 24] Too many open files: '/dev/urandom'

Should be fixed with r68202:
* Create only one drs and samr connection per connector instance
  instead of creating a connection for every password sync (Bug #40745)
Comment 9 Felix Botner univentionstaff 2016-04-27 17:29:57 CEST
I always get "Failed to get Password-Hash from AD" after creating a user in UCS (syncmode write), the password is correct though

(PROCESS): sync from ucs: [          user] [       add] cn=test6,DC=w2k12r2,DC=test    
(ERROR  ): password_sync_ucs: Failed to get Password-Hash from AD 
(ERROR  ): password_sync_ucs: Hash AD and Hash UCS differ
(ERROR  ): res None, CAA1239D44DA7EDF926BCE39F5C65D0F
(ERROR  ): pwd_set True
(ERROR  ): pwd_ad None
(ERROR  ): password_sync_ucs: Failed to sync Password from AD 
(PROCESS): sync from ucs: [         group] [    modify] cn=domänen-benutzer,cn=users,DC=w2k12r2,DC=test
(PROCESS): sync from ucs: [          user] [    modify] cn=test6,DC=w2k12r2,DC=test 

-> smbclient  //10.200.7.140/sysvol -U test6%univention -c exit
Domain=[W2K12R2] OS=[Windows Server 2012 R2 Standard 9600] Server=[Windows Server 2012 R2 Standard 6.3]


Problem seems to be 
 if not pwd_set or pwd_ad:
in password_sync_ucs()

If a user is created in AD (via the connector) get_password_from_ad() returns None, this is stored in pwd_ad

 pwd_ad = get_password_from_ad(

If the UCS password and the AD password don't macht, we set the password
 
 if not pwd == pwd_ad:
   pwd_set = True
   res = set_password_in_ad(connector, object['...

Now pwd_set is True and pwd_ad is None and

 if not pwd_set or pwd_ad:
 ...
 else:
   ud.debug(ud.LDAP, ud.ERROR, "password_sync_ucs: Failed to sync Password from AD ")

Maybe it is just a wrong log message, but please check if this "if not pwd_set or pwd_ad:" block is necessary when creating users in UCS.
Comment 10 Stefan Gohmann univentionstaff 2016-04-29 06:23:15 CEST
(In reply to Felix Botner from comment #9)
> Maybe it is just a wrong log message, but please check if this "if not
> pwd_set or pwd_ad:" block is necessary when creating users in UCS.

The connector is currently unable to decide whether the user was just created. For me the block looks right and I've removed the message: r69007

* In case the user was just created in AD, the connector can't read a
  password hash for the new user in AD. An irritating debug message
  has been removed for this case (Bug #40745)
Comment 11 Arvid Requate univentionstaff 2016-05-04 15:46:43 CEST
Ok, works, advisory ok.
Comment 12 Janek Walkenhorst univentionstaff 2016-05-04 18:15:44 CEST
<http://errata.software-univention.de/ucs/4.1/173.html>
Comment 13 Stefan Gohmann univentionstaff 2016-06-06 09:24:58 CEST
*** Bug 40756 has been marked as a duplicate of this bug. ***
Comment 14 Stefan Gohmann univentionstaff 2016-06-06 09:25:01 CEST
*** Bug 40732 has been marked as a duplicate of this bug. ***