Univention Bugzilla – Bug 48142
Samba 4.9.x - connector password change
Last modified: 2019-07-23 07:38:10 CEST
+++ This bug was initially created as a clone of Bug #48084 +++

-> udm users/user modify --dn uid=Administrator,cn=users,dc=sambatest,dc=local --set password=univention

-> univention-s4connector-list-rejected

UCS rejected

    1:    UCS DN: uid=Administrator,cn=users,dc=sambatest,dc=local
          S4 DN: cn=administrator,cn=users,DC=sambatest,DC=local
          Filename: /var/lib/univention-connector/s4/1542110904.178630

connector.log:

13.11.2018 13:10:46,518 LDAP (INFO ): calculate_supplementalCredentials: building Primary:Kerberos-Newer-Keys blob
13.11.2018 13:10:46,518 LDAP (INFO ): calculate_supplementalCredentials: building Primary:Kerberos blob
13.11.2018 13:10:46,519 LDAP (INFO ): password_sync_ucs_to_s4: pwdLastSet in modlist: 131865845040000000
13.11.2018 13:10:46,519 LDAP (INFO ): password_sync_ucs_to_s4: modlist: [(1, 'unicodePwd', '\xdaJ\xaf\x8e\xfe\x0f\xd0\x97\x88KW\xef\xa09\xcd\x84'), (0, 'unicodePwd', '\xca\xa1#\x9dD\xda~\xdf\x92k\xce9\xf5\xc6]\x0f'), (1, 'supplementalCredentials', '[binary blob omitted]'), (0, 'supplementalCredentials', '[binary blob omitted]'), (2, 'pwdLastSet', '131865845040000000'), (2, 'badPwdCount', '0'), (2, 'badPasswordTime', '0'), (2, 'lockoutTime', '0')]
13.11.2018 13:10:46,528 LDAP (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1542110904.178630
13.11.2018 13:10:46,530 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 909, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2750, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 652, in password_sync_ucs_to_s4
    s4connector.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), modlist, serverctrls=[ctrl_bypass_password_hash])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_ATTRIBUTE: {'info': "attribute 'unicodePwd': no matching attribute value while deleting attribute on 'CN=Administrator,CN=Users,DC=sambatest,DC=local'", 'desc': 'No such attribute'}
Created attachment 9741
password.py.patch

this works for me
Yes, the S4-Connector did a naive DELETE of the old and ADD of the new hashes, but this DELETE/ADD has special semantics in Active Directory:
https://ldapwiki.com/wiki/Passwords%20Using%20LDIF

Since we don't have clear text passwords, we cannot use the DELETE/ADD, and should use MODIFY instead (i.e. administrative password reset).

Patch committed to branch arequate/samba-4.9, package built in release-scope ucs_4.3-0-samba-4.9 (version 12.0.2-38A~4.3.0.201811131626).
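Added illustration of the rejected sync in the log above and of the DELETE/ADD versus MODIFY distinction in this comment; it is not the attached password.py.patch and not Univention's code. It is a simplified offline model of LDAP value matching, and `apply_modlist`, `to_reset_modlist` and the sample hash values are hypothetical names and constructed data; the mod_op numbers are the ones visible in the logged modlist.

```python
# LDAP mod_op codes as used by python-ldap and seen in the logged modlist.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# Attributes the connector writes as pre-computed hashes (names from the log).
HASH_ATTRS = {"unicodePwd", "supplementalCredentials"}


class NoSuchAttribute(Exception):
    """Stand-in for ldap.NO_SUCH_ATTRIBUTE in this offline model."""


def apply_modlist(entry, modlist):
    """Apply a modlist to a dict entry with LDAP value-matching semantics."""
    result = {k: list(v) for k, v in entry.items()}
    for op, attr, value in modlist:
        values = result.setdefault(attr, [])
        if op == MOD_DELETE:
            # Deleting a specific value fails unless that exact value is stored.
            if value not in values:
                raise NoSuchAttribute(
                    "attribute '%s': no matching attribute value while deleting" % attr)
            values.remove(value)
        elif op == MOD_ADD:
            values.append(value)
        elif op == MOD_REPLACE:
            result[attr] = [value]
    return result


def to_reset_modlist(modlist):
    """Turn DELETE old / ADD new on hash attributes into one REPLACE of the new value."""
    out = []
    for op, attr, value in modlist:
        if attr in HASH_ATTRS and op == MOD_DELETE:
            continue  # the old hash is not needed for an administrative reset
        if attr in HASH_ATTRS and op == MOD_ADD:
            op = MOD_REPLACE
        out.append((op, attr, value))
    return out


# Constructed sample: the hash stored on the S4 side differs from the "old"
# hash the connector sends, which is the condition the traceback reports.
S4_ENTRY = {"unicodePwd": [b"hash-stored-in-s4"], "pwdLastSet": ["0"]}
NAIVE = [(MOD_DELETE, "unicodePwd", b"hash-ucs-thinks-is-old"),
         (MOD_ADD, "unicodePwd", b"hash-new"),
         (MOD_REPLACE, "pwdLastSet", "131865845040000000")]
```

`apply_modlist(S4_ENTRY, NAIVE)` raises `NoSuchAttribute`, while `apply_modlist(S4_ENTRY, to_reset_modlist(NAIVE))` succeeds regardless of what hash was stored before.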
please merge to 4.4
Merged and rebuilt, changelog-4.4.0.xml adjusted.
OK - merged
OK - connector
OK - changelog
UCS 4.4 has been released:

https://docs.software-univention.de/release-notes-4.4-0-en.html
https://docs.software-univention.de/release-notes-4.4-0-de.html

If this error occurs again, please use "Clone This Bug".