Bug 48142 - Samba 4.9.x - connector password change
Samba 4.9.x - connector password change
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.4
Other Linux
: P5 enhancement (vote)
: UCS 4.4
Assigned To: Arvid Requate
Felix Botner
:
Depends on:
Blocks: 48084
  Show dependency treegraph
 
Reported: 2018-11-13 13:16 CET by Felix Botner
Modified: 2019-07-23 07:38 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
password.py.patch (2.12 KB, patch)
2018-11-13 13:32 CET, Felix Botner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2018-11-13 13:16:18 CET
+++ This bug was initially created as a clone of Bug #48084 +++

-> udm users/user modify --dn uid=Administrator,cn=users,dc=sambatest,dc=local --set password=univention

-> univention-s4connector-list-rejected 

UCS rejected

    1:   UCS DN: uid=Administrator,cn=users,dc=sambatest,dc=local
          S4 DN: cn=administrator,cn=users,DC=sambatest,DC=local
         Filename: /var/lib/univention-connector/s4/1542110904.178630

connector.log:

13.11.2018 13:10:46,518 LDAP        (INFO   ): calculate_supplementalCredentials: building Primary:Kerberos-Newer-Keys blob
13.11.2018 13:10:46,518 LDAP        (INFO   ): calculate_supplementalCredentials: building Primary:Kerberos blob
13.11.2018 13:10:46,519 LDAP        (INFO   ): password_sync_ucs_to_s4: pwdLastSet in modlist: 131865845040000000
13.11.2018 13:10:46,519 LDAP        (INFO   ): password_sync_ucs_to_s4: modlist: [(1, 'unicodePwd', '\xdaJ\xaf\x8e\xfe\x0f\xd0\x97\x88KW\xef\xa09\xcd\x84'), (0, 'unicodePwd', '\xca\xa1#\x9dD\xda~\xdf\x92k\xce9\xf5\xc6]\x0f'), (1, 'supplementalCredentials', '\x00\x00\x00\x00X\x08\x00\x00\x00\x00\x00\x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00P\x00\x04\x006\x00\xe0\x01\x01\x00P\x00r\x00i\x00m\x00a\x00r\x00y\x00:\x00K\x00e\x00r\x00b\x00e\x00r\x00o\x00s\x00-\x00N\x00e\x00w\x00e\x00r\x00-\x00K\x00e\x00y\x00s\x000400000004000000000000003800380078000000001000000000000000000000001000001200000020000000B00000000000000000000000001000001100000010000000D00000000000000000000000001000000300000008000000E00000000000000000000000001000000100000008000000E8000000530041004D004200410054004500530054002E004C004F00430041004C00410064006D0069006E006900730074007200610074006F007200AEB95C4FA6B8A08BACEE7AF153E641D62093DA2E24D4A3F2943E6B3B9DF2D3C90EB61A8E3FC9C81E53665F25AE3FFC6ECBDC204FAEBF988CCBDC204FAEBF988C \x00(\x01\x01\x00P\x00r\x00i\x00m\x00a\x00r\x00y\x00:\x00K\x00e\x00r\x00b\x00e\x00r\x00o\x00s\x000300000002000000380038004C0000000000000000000000030000000800000084000000000000000000000001000000080000008C0000000000000000000000000000000000000000000000530041004D004200410054004500530054002E004C004F00430041004C00410064006D0069006E006900730074007200610074006F007200CBDC204FAEBF988CCBDC204FAEBF988C\x10\x00\x90\x00\x02\x00P\x00a\x00c\x00k\x00a\x00g\x00e\x00s\x004B00650072006200650072006F0073002D004E0065007700650072002D004B0065007900730000004B00650072006200650072006F00730000005700440069006700650073007400\x1e\x00\xc0\x03\x01\x00P\x00r\x00i\x00m\x00a\x00r\x00y\x00:\x00W\x00D\x00i\x00g\x00e\x00s\x00t\x003100011D0000000000000000000000007B9CF26B744BD4EE4B0CA3665EB1A5EFC26B8847E3A0138B602E903BAFB3B32072F760E5AED8367CD0F2A9A61A7604137B9CF26B744BD4EE4B0CA3665EB1A5EF89A9688CE342C1DDDBAB5A95777AA9437BE6F638C59035C8102467FE23E9F3A348AB349E4AACC96210C8027523465DD15EEA3B7D84A6242A2F1E2DCDED83D75279A581B2D7C4212F6ECD5DBA1FFCFCD1333106DB7282BF22C80336ABAC6C3E6938697D56217B6A7E926B34DAE4BD275F5EEA3B7D84A6242A2F1E2DCDED83D752D63BF7934EFD7A7CB58BA8769234A987065219696F03ED349BB2B7B0C171ED851C91378A242C44851DBC57F8FFBFE193C2AC18195507D5BAB1F531932609646F9929639EB76AE151EE9ECECD1EF79A8E21FFBD5B43760AAA2D996CE2E87C749C2904CBEB333C726E9F506B277DBB2C154A52F7FB01CB88544DA8A54BE55E8E885DF59C4FC26B3D86F17030657150ACEA768D7F5956D08B7AE9B049ED47F2CFC814CB177893CB28E200179062C6B56009BBD1AFF30BAD6D222FC3DBB502BDD5D9AAA3E03B7405786A6910E89DF6076A154E320342ECC6F7FC71AA6CEFB7C88125D9695D015596FB42E1157010E3E8A8BF45BA9076B65BB2E61D1372603E1AC9F4EB4967C118C76001E015E5E40A8031F8\x00'), (0, 'supplementalCredentials', '\x00\x00\x00\x00\x04\x06\x00\x00\x00\x00\x00\x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00P\x00\x03\x006\x00 \x03\x01\x00P\x00r\x00i\x00m\x00a\x00r\x00y\x00:\x00K\x00e\x00r\x00b\x00e\x00r\x00o\x00s\x00-\x00N\x00e\x00w\x00e\x00r\x00-\x00K\x00e\x00y\x00s\x0004000000040000000400000038003800d800000000000000000000000000000000000000120000002000000010010000000000000000000000000000110000001000000030010000000000000000000000000000030000000800000040010000000000000000000000000000010000000800000048010000000000000000000000100000120000002000000050010000000000000000000000100000110000001000000070010000000000000000000000100000030000000800000080010000000000000000000000100000010000000800000088010000530041004d004200410054004500530054002e004c004f00430041004c00410064006d0069006e006900730074007200610074006f00720086fc37ad73891d59b3cdd69b57da1796a1c977fce19084495c3bcaae039634702c9e4aba0841829759e79157ba06ecdd45f4d6fb027a0e9b45f4d6fb027a0e9baeb95c4fa6b8a08bacee7af153e641d62093da2e24d4a3f2943e6b3b9df2d3c90eb61a8e3fc9c81e53665f25ae3ffc6ecbdc204faebf988ccbdc204faebf988c\x10\x00p\x00\x02\x00P\x00a\x00c\x00k\x00a\x00g\x00e\x00s\x004B00650072006200650072006F0073002D004E0065007700650072002D004B0065007900730000004B00650072006200650072006F007300 \x00\x98\x01\x01\x00P\x00r\x00i\x00m\x00a\x00r\x00y\x00:\x00K\x00e\x00r\x00b\x00e\x00r\x00o\x00s\x000300000002000200380038007400000000000000000000000300000008000000ac00000000000000000000000100000008000000b400000000000000000000000300000008000000bc00000000000000000000000100000008000000c40000000000000000000000000000000000000000000000530041004d004200410054004500530054002e004c004f00430041004c00410064006d0069006e006900730074007200610074006f00720045f4d6fb027a0e9b45f4d6fb027a0e9bcbdc204faebf988ccbdc204faebf988c\x00'), (2, 'pwdLastSet', '131865845040000000'), (2, 'badPwdCount', '0'), (2, 'badPasswordTime', '0'), (2, 'lockoutTime', '0')] 
13.11.2018 13:10:46,528 LDAP        (WARNING): sync failed, saved as rejected 
        /var/lib/univention-connector/s4/1542110904.178630 
13.11.2018 13:10:46,530 LDAP        (WARNING): Traceback (most recent call last): 
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 909, in __sync_file_from_ucs 
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))): 
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2750, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 652, in password_sync_ucs_to_s4
    s4connector.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), modlist, serverctrls=[ctrl_bypass_password_hash])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_ATTRIBUTE: {'info': "attribute 'unicodePwd': no matching attribute value while deleting attribute on 'CN=Administrator,CN=Users,DC=sambatest,DC=local'", 'desc': 'No such attribute'}
Comment 1 Felix Botner univentionstaff 2018-11-13 13:32:37 CET
Created attachment 9741 [details]
password.py.patch

this works for me
Comment 2 Arvid Requate univentionstaff 2018-11-13 16:32:26 CET
Yes, the S4-Connector did a naive DELETE of the old and ADD of the new hashes, but this DELETE/ADD has a special semantics in Active Directory: https://ldapwiki.com/wiki/Passwords%20Using%20LDIF
Since we don't have clear text passwords, we cannot use the DELETE/ADD, and should use MODIFY instead (i.e. administrative password reset).

Patch committed to branch arequate/samba-4.9, package built in release-scope ucs_4.3-0-samba-4.9 (version 12.0.2-38A~4.3.0.201811131626).
Comment 3 Felix Botner univentionstaff 2018-12-17 12:02:51 CET
please merge to 4.4
Comment 4 Arvid Requate univentionstaff 2018-12-17 19:26:48 CET
Merged and rebuilt, changelog-4.4.0.xml adjusted.
Comment 5 Felix Botner univentionstaff 2018-12-20 13:31:32 CET
OK - merged
OK - connector
OK - changelog
Comment 6 Florian Best univentionstaff 2019-03-12 13:40:41 CET
UCS 4.4 has been released:
 https://docs.software-univention.de/release-notes-4.4-0-en.html
 https://docs.software-univention.de/release-notes-4.4-0-de.html

If this error occurs again, please use "Clone This Bug".