Bug 41407 - Schooladmins can no longer alter password of computers
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: ucs-test
Version: UCS@school 4.1 R2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.1 R2
Assigned To: Sönke Schwardt-Krummrich
QA Contact: Florian Best
Reported: 2016-06-01 15:25 CEST by Sönke Schwardt-Krummrich
Modified: 2016-09-29 17:24 CEST
What kind of report is it?: Development Internal
Description Sönke Schwardt-Krummrich univentionstaff 2016-06-01 15:25:36 CEST
It looks like the school admins no longer have access to sambaNTPassword attributes of computer accounts. This was an undocumented and untested feature: in the past, schooladmins were able to (re)join (Windows) computers into the UCS@school domain.
From my point of view, I would remove this feature since this permission would allow schooladmins to reset a schoolserver password and use the schoolserver's machine account for further actions in LDAP with more privileges.

http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20%28R2%29%20Singleserver/lastCompletedBuild/SambaVersion=s3/testReport/90_ucsschool/75_ldap_acls_admins/test/

Traceback (most recent call last):
  File "75_ldap_acls_admins", line 74, in <module>
    main()
  File "75_ldap_acls_admins", line 63, in main
    acl.assert_computers(computers_dns[0], 'write')
  File "/usr/share/ucs-test/90_ucsschool/essential/acl.py", line 389, in assert_computers
    self.assert_acl(computer_dn, access, attrs)
  File "/usr/share/ucs-test/90_ucsschool/essential/acl.py", line 159, in assert_acl
    raise FailAcl('Access (%s) by (%s) to (%s) not expected %r' % (access, self.auth_dn, target_dn, result))
essential.acl.FailAcl: Access (write) by (uid=kyqwsg5otq,cn=admins,cn=users,ou=j9ytoov96m,dc=autotest200,dc=local) to (cn=x6o6fw3ffn,cn=computers,ou=j9ytoov96m,dc=autotest200,dc=local) not expected 'write access to sambaNTPassword: DENIED'
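A regression check for the risk described above, as an added example that is not part of the original report or of ucs-test: it reads result lines in the format shown in the FailAcl message and flags any case where a school admin DN may write a credential attribute of a computer object. The sample DNs, the attributes other than sambaNTPassword and all function names are assumptions made for illustration.

```python
import re

# Attributes holding machine-account credentials. sambaNTPassword is the one
# named in this report; the other two are assumptions about what else to cover.
CREDENTIAL_ATTRS = {"sambantpassword", "userpassword", "krb5key"}

# Result line format as it appears in the FailAcl message above.
RESULT_RE = re.compile(r"^(\w+) access to ([\w;-]+): (ALLOWED|DENIED)$")


def parse_results(output):
    """Return {(access, attr_lowercase): allowed} for every result line."""
    results = {}
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            access, attr, verdict = m.groups()
            results[(access, attr.lower())] = verdict == "ALLOWED"
    return results


def is_school_admin(dn):
    # School admins sit under cn=admins,cn=users,ou=<school> in the DN above.
    return ",cn=admins,cn=users,ou=" in dn.lower()


def is_computer(dn):
    return ",cn=computers," in dn.lower()


def find_violations(checks):
    """checks: iterable of (auth_dn, target_dn, output); returns offenders."""
    violations = []
    for auth_dn, target_dn, output in checks:
        if not (is_school_admin(auth_dn) and is_computer(target_dn)):
            continue
        for (access, attr), allowed in sorted(parse_results(output).items()):
            if access == "write" and attr in CREDENTIAL_ATTRS and allowed:
                violations.append((auth_dn, target_dn, attr))
    return violations


# Constructed sample data (not taken from a real directory).
ADMIN = "uid=admin1,cn=admins,cn=users,ou=school1,dc=example,dc=local"
PC = "cn=pc01,cn=computers,ou=school1,dc=example,dc=local"
SAMPLE = [
    (ADMIN, PC, "write access to sambaNTPassword: DENIED\nwrite access to description: ALLOWED"),
    (ADMIN, PC, "write access to userPassword: ALLOWED\nread access to sambaNTPassword: ALLOWED"),
]
```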
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2016-06-01 15:27:30 CEST
@Jan Christoph, Stefan: are there any objections?
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2016-06-03 11:22:20 CEST
(In reply to Sönke Schwardt-Krummrich from comment #1)
> @Jan Christoph, Stefan: are there any objections?

Discussed this question with Jan Christoph and Stefan: no objections.

ucs-test-ucsschool (3.0.5-38):
r69770 | Bug #41407: removed ACL test for sambaNTPassword from 75_ldap_acls_admins
Comment 3 Florian Best univentionstaff 2016-06-13 13:44:39 CEST
I added a YAML entry - please have a look at it.
Comment 4 Florian Best univentionstaff 2016-06-28 18:24:59 CEST
UCS@school 4.1 R2 has been released:
http://docs.software-univention.de/release-notes-ucsschool-4.1R2v1-de.pdf

If this error occurs again, please use "Clone This Bug".