Univention Bugzilla – Bug 41407
Schooladmins can no longer alter password of computers
Last modified: 2016-09-29 17:24:03 CEST
It looks like the school admins no longer have access to the sambaNTPassword attributes of computer accounts. This was an undocumented and untested feature: in the past, schooladmins were able to (re)join (Windows) computers into the UCS@school domain.

From my point of view, I would remove this feature since this permission would allow schooladmins to reset a schoolserver password and use the schoolserver's machine account for further actions in LDAP with more privileges.

http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20%28R2%29%20Singleserver/lastCompletedBuild/SambaVersion=s3/testReport/90_ucsschool/75_ldap_acls_admins/test/

Traceback (most recent call last):
  File "75_ldap_acls_admins", line 74, in <module>
    main()
  File "75_ldap_acls_admins", line 63, in main
    acl.assert_computers(computers_dns[0], 'write')
  File "/usr/share/ucs-test/90_ucsschool/essential/acl.py", line 389, in assert_computers
    self.assert_acl(computer_dn, access, attrs)
  File "/usr/share/ucs-test/90_ucsschool/essential/acl.py", line 159, in assert_acl
    raise FailAcl('Access (%s) by (%s) to (%s) not expected %r' % (access, self.auth_dn, target_dn, result))
essential.acl.FailAcl: Access (write) by (uid=kyqwsg5otq,cn=admins,cn=users,ou=j9ytoov96m,dc=autotest200,dc=local) to (cn=x6o6fw3ffn,cn=computers,ou=j9ytoov96m,dc=autotest200,dc=local) not expected 'write access to sambaNTPassword: DENIED'
@Jan Christoph, Stefan: are there any objections?
(In reply to Sönke Schwardt-Krummrich from comment #1)
> @Jan Christoph, Stefan: are there any objections?

Discussed this question with Jan Christoph and Stefan: no objections.

ucs-test-ucsschool (3.0.5-38):
r69770 | Bug #41407: removed ACL test for sambaNTPassword from 75_ldap_acls_admins
I added a YAML entry - please have a look at it.
UCS@school 4.1 R2 has been released: http://docs.software-univention.de/release-notes-ucsschool-4.1R2v1-de.pdf If this error occurs again, please use "Clone This Bug".