Bug 49649 - sync_to_ucs: Password sync for machine accounts fails silently
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-0-errata
Assigned To: Arvid Requate
QA Contact: Florian Best
Duplicates: 45416
Reported: 2019-06-13 18:09 CEST by Arvid Requate
Modified: 2019-08-08 12:19 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.137
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2019060521000496
Bug group (optional):
Max CVSS v3 score:

Description Arvid Requate univentionstaff 2019-06-13 18:09:13 CEST
Currently the password sync for machine accounts fails silently, because the password.py tries to use UDM module 'users/user' and that doesn't work any longer.

===========================================================================
13.06.2019 17:17:36.865 LDAP        (PROCESS): sync to ucs:   [windowscomputer] [    modify] cn=foo,ou=computers,dc=bar,dc=net
[...]
13.06.2019 17:17:36.940 LDAP        (INFO   ): get_object: got object: CN=FOO,OU=Computers,DC=bar,DC=net
13.06.2019 17:17:36.941 LDAP        (INFO   ): encode_s4_object: attrib objectGUID ignored during encoding
13.06.2019 17:17:36.941 LDAP        (INFO   ): samaccount_dn_mapping: premapped S4 object found
13.06.2019 17:17:36.941 LDAP        (INFO   ): samaccount_dn_mapping: check newdn for key olddn: None
13.06.2019 17:17:36.942 LDAP        (INFO   ): password_sync_s4_to_ucs: pwdLastSet from S4: 132025752399355870 ({'pwdLastSet': ['132025752399355870'], 'objectSid': ['\x01\x05\x00\x00\x00\x00\x00\x01\x02\x00\x00\x00\x059\x93\xd0D\x99$\x1b\x05O[\x8d\x80\x0e\x00\x00']})
13.06.2019 17:17:36.943 LDAP        (INFO   ): password_sync_s4_to_ucs: sambaPwdLastSet: 1458730459
13.06.2019 17:17:36.944 LDAP        (INFO   ): calculate_krb5key: parsing Primary:Kerberos-Newer-Keys blob
13.06.2019 17:17:36.944 LDAP        (INFO   ): calculate_krb5key: ctr4.key.keytype: 18
13.06.2019 17:17:36.944 LDAP        (INFO   ): calculate_krb5key: ctr4.key.keytype: 17
13.06.2019 17:17:36.944 LDAP        (INFO   ): calculate_krb5key: ctr4.key.keytype: 3
13.06.2019 17:17:36.944 LDAP        (INFO   ): calculate_krb5key: ctr4.key.keytype: 1
13.06.2019 17:17:36.944 LDAP        (INFO   ): calculate_krb5key: parsing Primary:Kerberos blob
13.06.2019 17:17:36.944 LDAP        (INFO   ): calculate_krb5key: parsing Packages blob
13.06.2019 17:17:36.945 LDAP        (INFO   ): calculate_krb5key: parsing Primary:WDigest blob
13.06.2019 17:17:36.945 LDAP        (ALL    ): password_sync_s4_to_ucs: updating shadowLastChange
13.06.2019 17:17:36.945 LDAP        (ERROR  ): get_ucs_object: could not identify UDM object type: cn=foo,ou=computers,dc=bar,dc=net
13.06.2019 17:17:36.945 LDAP        (PROCESS): get_ucs_object: using default: users/user
13.06.2019 17:17:36.947 LDAP        (INFO   ): get_ucs_object: object search failed: cn=foo,ou=computers,dc=bar,dc=net
13.06.2019 17:17:36.948 LDAP        (WARNING): get_ucs_object: failure was: 
        
13.06.2019 17:17:36.949 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 999, in get_ucs_object
    ucs_object = univention.admin.objects.get(module, co=None, lo=self.lo, position='', dn=searchdn)
  File "/usr/lib/pymodules/python2.7/univention/admin/objects.py", line 113, in get
    return module.object(co, lo, position, dn, superordinate=superordinate, attributes=attributes)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1243, in __init__
    univention.admin.handlers.simpleLdap.__init__(self, co, lo, position, dn, superordinate, attributes=attributes)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 232, in __init__
    raise univention.admin.uexceptions.wrongObjectType('%s is not recognized as %s.' % (self.dn, self.module))
wrongObjectType: cn=foo,ou=computers,dc=bar,dc=net is not recognized as users/user.

13.06.2019 17:17:36.950 LDAP        (ERROR  ): password_sync_s4_to_ucs: couldn't get user-object from UCS
13.06.2019 17:17:36.950 LDAP        (INFO   ): Call post_ucs_modify_functions: <function password_sync_s4_to_ucs_no_userpassword at 0x7f7d2ed18320> (done)
13.06.2019 17:17:36.950 LDAP        (INFO   ): Call post_ucs_modify_functions: <function checkAndConvertToMacOSX at 0x7f7d0a9a78c0>
===========================================================================
Comment 1 Arvid Requate univentionstaff 2019-06-13 18:14:16 CEST
7e35f8aa14 | Fix traceback password sync_to_ucs for machine accounts
434a0e8251 | Advisory
Comment 2 Florian Best univentionstaff 2019-06-13 18:15:06 CEST
Regression since: Bug #48390
Comment 3 Florian Best univentionstaff 2019-06-13 18:31:27 CEST
OK: problem reproduced
$ udm computers/linux modify --dn cn=jxipxyjynw,l=school,l=dev --set password=foobar123
07.06.2019 13:57:24.941 LDAP        (PROCESS): sync from ucs: [            dc] [    modify] CN=jxipxyjynw,DC=school,DC=dev
07.06.2019 13:57:26.499 LDAP        (PROCESS): sync to ucs:   [            dc] [    modify] cn=jxipxyjynw,l=school,l=dev
07.06.2019 13:57:26.517 LDAP        (ERROR  ): get_ucs_object: could not identify UDM object type: cn=jxipxyjynw,l=school,l=dev
07.06.2019 13:57:26.517 LDAP        (PROCESS): get_ucs_object: using default: users/user
07.06.2019 13:57:26.519 LDAP        (WARNING): get_ucs_object: failure was:

07.06.2019 13:57:26.520 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 999, in get_ucs_object
    ucs_object = univention.admin.objects.get(module, co=None, lo=self.lo, position='', dn=searchdn)
  File "/usr/lib/pymodules/python2.7/univention/admin/objects.py", line 113, in get
    return module.object(co, lo, position, dn, superordinate=superordinate, attributes=attributes)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1243, in __init__
    univention.admin.handlers.simpleLdap.__init__(self, co, lo, position, dn, superordinate, attributes=attributes)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 232, in __init__
    raise univention.admin.uexceptions.wrongObjectType('%s is not recognized as %s.' % (self.dn, self.module))
wrongObjectType: cn=jxipxyjynw,l=school,l=dev is not recognized as users/user.

07.06.2019 13:57:26.520 LDAP        (ERROR  ): password_sync_s4_to_ucs: couldn't get user-object from UCS

OK: fixed
07.06.2019 14:05:17.153 LDAP        (PROCESS): sync from ucs: [            dc] [    modify] cn=jxipxyjynw,DC=school,DC=dev
07.06.2019 14:05:18.797 LDAP        (PROCESS): sync to ucs:   [            dc] [    modify] cn=jxipxyjynw,l=school,l=dev
07.06.2019 14:05:25.389 LDAP        (PROCESS): sync from ucs: [            dc] [    modify] cn=jxipxyjynw,DC=school,DC=dev

OK: pwdLastSet is changed afterwards (univention-s4search doesn't find the password attribute)
~OK: YAML

Some student could write a test case...
Comment 4 Arvid Requate univentionstaff 2019-06-19 15:52:45 CEST
<http://errata.software-univention.de/ucs/4.4/155.html>
Comment 5 Florian Best univentionstaff 2019-08-08 12:19:10 CEST
*** Bug 45416 has been marked as a duplicate of this bug. ***
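
A detection sketch for the failure signature in the log excerpts above, added here as an example and not taken from the UCS code base: it scans S4 connector log text for a `sync to ucs` operation where `get_ucs_object` cannot identify the UDM type and `password_sync_s4_to_ucs` then gives up. The function name and the sample log (abridged from this report) are assumptions of the example.

```python
import re

# Sample input: abridged from the log excerpts in this report (failing run, then the fixed run).
SAMPLE_LOG = """\
13.06.2019 17:17:36.865 LDAP        (PROCESS): sync to ucs:   [windowscomputer] [    modify] cn=foo,ou=computers,dc=bar,dc=net
13.06.2019 17:17:36.945 LDAP        (ERROR  ): get_ucs_object: could not identify UDM object type: cn=foo,ou=computers,dc=bar,dc=net
13.06.2019 17:17:36.945 LDAP        (PROCESS): get_ucs_object: using default: users/user
13.06.2019 17:17:36.949 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 999, in get_ucs_object
wrongObjectType: cn=foo,ou=computers,dc=bar,dc=net is not recognized as users/user.
13.06.2019 17:17:36.950 LDAP        (ERROR  ): password_sync_s4_to_ucs: couldn't get user-object from UCS
07.06.2019 14:05:18.797 LDAP        (PROCESS): sync to ucs:   [            dc] [    modify] cn=jxipxyjynw,l=school,l=dev
07.06.2019 14:05:25.389 LDAP        (PROCESS): sync from ucs: [            dc] [    modify] cn=jxipxyjynw,DC=school,DC=dev
"""

# "<date> <time> <facility> (<LEVEL>): <message>"; traceback continuation lines do not match.
LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+)\s+\(\s*(\w+)\s*\): (.*)$")
# "sync to ucs:   [<object type>] [<operation>] <dn>"
SYNC = re.compile(r"^sync to ucs:\s+\[\s*([^\]]*?)\s*\] \[\s*(\w+)\s*\] (.+)$")
UNKNOWN = "get_ucs_object: could not identify UDM object type: "
FAILED = "password_sync_s4_to_ucs: couldn't get user-object from UCS"


def find_silent_password_sync_failures(log_text):
    """Return one finding per object whose S4 -> UCS password sync was dropped."""
    findings = []
    current = None     # (object type, dn) of the sync-to-UCS operation in progress
    fell_back = False  # UDM type lookup failed for that same dn
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, _facility, level, msg = m.groups()
        s = SYNC.match(msg)
        if s:
            current, fell_back = (s.group(1), s.group(3).strip()), False
        elif msg.startswith("sync from ucs:"):
            current, fell_back = None, False
        elif level == "ERROR" and msg.startswith(UNKNOWN) and current:
            fell_back = msg[len(UNKNOWN):].strip().lower() == current[1].lower()
        elif level == "ERROR" and msg.startswith(FAILED) and fell_back:
            findings.append({"time": ts, "type": current[0], "dn": current[1]})
            fell_back = False
    return findings


if __name__ == "__main__":
    for f in find_silent_password_sync_failures(SAMPLE_LOG):
        print("%(time)s password sync dropped for [%(type)s] %(dn)s" % f)
```

Requiring both the type-lookup error and the give-up error for the same DN keeps the match tied to this bug rather than to any unrelated `password_sync_s4_to_ucs` failure.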