Univention Bugzilla – Bug 43524
with installed Samba4 the user option "samba" and "krb5Principal" is useless without POSIX but there is no hint about it
Last modified: 2019-01-03 07:23:57 CET
With installed Samba4 you can set "samba" and "krb5Principal" and expect to create an "AD-user only" but the match filter of the s4 connector says: match_filter='(&(|(&(objectClass=posixAccount)(objectClass=krb5Principal))(objectClass=user))(!(objectClass=univentionHost)))', So this user will not synced if the option POSIX is not activated as well. This should be hinted at in the UMC. Otherwise it is possible to misunderstand the option.
The filter contains objectClass=user which afaik does not even exists?!
(In reply to Florian Best from comment #1) > The filter contains objectClass=user which afaik does not even exists?! The filter is also used for the AD side and objectClass=user is used in AD.
This applies also to non-Samba user in UCS (users without the samba option). The connector syncs these users to Samba although i would expect them not to be synced, why else have a samba option. Ans this is not just a cosmetic issue, but the connector can't handle openLDAP users without the samba option. Set "changed password on next login" on a non-Samba user in UMC -> /var/log/univention/connector-s4.log 02.06.2017 11:05:35,259 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=nosamba,cn=users,dc=w2k12,dc=test ^[[A^[[A02.06.2017 11:06:01,525 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=nosamba,cn=users,DC=w2k12,DC=test 02.06.2017 11:06:02,627 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=nosamba,cn=users,dc=w2k12,dc=test 02.06.2017 11:06:02,655 LDAP (ERROR ): failed in post_con_modify_functions 02.06.2017 11:06:02,666 LDAP (ERROR ): Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1509, in sync_to_ucs f(self, property_type, object) File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 823, in password_sync_s4_to_ucs s4connector.lo.lo.modify(ucs_object['dn'], modlist) File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 471, in modify self.modify_s(dn, ml) File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 497, in modify_s self.lo.modify_ext_s(dn, ml) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 912, in modify_ext_s return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s return func(self,*args,**kwargs) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 336, in modify_ext_s resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3 resp_ctrl_classes=resp_ctrl_classes File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4 ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call result = func(*args,**kwargs) OBJECT_CLASS_VIOLATION: {'info': "attribute 'sambaNTPassword' not allowed", 'desc': 'Object class violation'}
If this (comment 3) gets fixed, the xfail-Flag can be removed from the ucs-test line added in: ucs-test (7.0.21-33): r80010 | Bug #43524: add failing condition
Still an issue with the reworked users in UCS 4.3?
This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.