Bug 48421 – new module "unique_object_sids" prevents modification of objectSid in samba

Bug 48421 - new module "unique_object_sids" prevents modification of objectSid in samba


Summary:	new module "unique_object_sids" prevents modification of objectSid in samba

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	S4 Connector
Version:	UCS 4.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.4
Assigned To:	Felix Botner
QA Contact:	Arvid Requate

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-01-03 14:24 CET by Felix Botner
Modified:	2019-05-15 13:35 CEST (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2019-01-03 14:24:39 CET

which is bad for UCS@school

Traceback (most recent call last):
  File "<string>", line 9, in <module>
  File "ldap_glue_s4.py", line 161, in set_attribute_with_provision_ctrl
    [(ldap.MOD_REPLACE, key, value)], serverctrls=ctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.UNWILLING_TO_PERFORM: {'info': '00002035: Modify of CN=grp1,DC=w2k12,DC=test rejected, as it is modifying an objectSID\n', 'desc': 'Server is unwilling to

Comment 1 Felix Botner

2019-01-03 14:32:13 CET

samba commit 4d5da6c7

Comment 2 Felix Botner

2019-01-03 17:39:06 CET

Until a better idea, we expose the control DSDB_CONTROL_REPLICATED_UPDATE_OID (which bypasses unique_object_sids test) in samba and use it in the connector and the tests for samba modifications.

This could lead to sid duplicates (e.g re-join of samba dc's in the school central environment).

Comment 3 Felix Botner

2019-01-03 17:41:06 CET

samba (4.9.3-1A~4.4.0.20190103163) - 
  added 93_expose_control_replicated_update_oid.quilt


5713c6a590bb1724e8c38a87f6dd0bdf9a2aecc5 - 
  added DSDB_CONTROL_REPLICATED_UPDATE_OID control to ucs-test and connector

Comment 4 Arvid Requate

2019-01-28 14:33:53 CET

Ok, it works.

Comment 5 Florian Best

2019-03-11 14:32:42 CET

There is no changelog entry in changelog-4.4-0.xml.

Comment 6 Florian Best

2019-03-12 13:41:06 CET

UCS 4.4 has been released:
 https://docs.software-univention.de/release-notes-4.4-0-en.html
 https://docs.software-univention.de/release-notes-4.4-0-de.html

If this error occurs again, please use "Clone This Bug".