Univention Bugzilla – Bug 49697
users/user: Invalid value in sambaBadPasswordTime causes traceback
Last modified: 2020-04-22 15:30:28 CEST
In a support case, users were converted during the UCS 4.2 -> 4.3 update; some users contained a unix timestamp in the LDAP attribute sambaBadPasswordTime. UDM users/user expects a windows filetime (from code comment). udm and ad connector crash with:

# udm users/user list
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 218, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 408, in doit
    out = _doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 977, in _doit
    for object in univention.admin.modules.lookup(module, co, lo, scope='sub', superordinate=superordinate, base=position.getDn(), filter=filter):
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 920, in lookup
    tmpres = module.lookup(co, lo, filter, base=base, superordinate=superordinate, scope=scope, unique=unique, required=required, timeout=timeout, sizelimit=sizelimit)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1719, in lookup
    result.append(cls(co, lo, None, dn=dn, superordinate=superordinate, attributes=attrs))
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1243, in __init__
    univention.admin.handlers.simpleLdap.__init__(self, co, lo, position, dn, superordinate, attributes=attributes)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 235, in __init__
    oldinfo = self.mapping.unmapValues(self.oldattr)
  File "/usr/lib/pymodules/python2.7/univention/admin/mapping.py", line 530, in unmapValues
    info = mapDict(self, oldattr)
  File "/usr/lib/pymodules/python2.7/univention/admin/mapping.py", line 586, in mapDict
    v = mapping.unmapValue(key, value)
  File "/usr/lib/pymodules/python2.7/univention/admin/mapping.py", line 524, in unmapValue
    return unmap_value(value) if unmap_value else value
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1154, in unmapWindowsFiletime
    return time.strftime('%Y%m%d%H%M%SZ', time.gmtime(unixtime))
ValueError: year out of range

To reproduce:

# cat modify.ldif
dn: uid=univention,cn=users,dc=mydomain,dc=intranet
changetype: modify
replace: sambaBadPasswordTime
sambaBadPasswordTime: 1532325946
Is it known what/who wrote the wrong value into it? Is our UCS 4.3 users migration script broken?
*** Bug 49703 has been marked as a duplicate of this bug. ***
Additional tracebacks caused by this in Bug 49703
See also a similar Bug #47170.
The wrong value additionally causes rejects when trying to sync to AD. UMC displays the traceback of udm, too. The customer wants to update its production system, which is hindered by this issue, as it is not clear where the wrong value comes from.
A workaround was posted at the initial support ticket - set the sambaBadPasswordTime to 0 via ldapmodify. Does the value reappear after setting it to 0?
At least it is better to fix the issue before it happens... Because otherwise all affected users will be rejected by the AD connector. Of course it can be fixed afterwards, when it happens, by a script that uses udm to set all affected users. But there might be important users affected in a production environment where we do not want to have issues... In the test environment there had been 59 rejects for users with this issue; there had been no issue before. Should we check the value before upgrading from UCS 4.2-5? Somehow I doubt it is wrong...
Got it. The attribute has been set somehow with or before UCS 4.2.x by whatever tool. UCS 4.2.x did not use this attribute.
The customer added some users, and now udm users/user list and the UMC does not work anymore. The users cannot be deleted via udm.
(In reply to Christina Scheinig from comment #9)
> The customer added some users, and now udm users/user list and the UMC does
> not work anymore. The users cannot be deleted via udm.

NEEDMOREINFO
I had a quick look at the referenced ticket. Please make sure this is the correct bug. The ticket has an ldif from a user object with sambaBadPasswordTime=0.
At the ticket, the traceback is about an invalid value in shadowLastChange.
(In reply to Erik Damrose from comment #10)
> (In reply to Christina Scheinig from comment #9)
> > The customer added some users, and now udm users/user list and the UMC does
> > not work anymore. The users cannot be deleted via udm.
>
> NEEDMOREINFO
> I had a quick look at the referenced ticket. Please make sure this is the
> correct bug. The ticket has an ldif from a user object with
> sambaBadPasswordTime=0.
>
> At the ticket, the traceback is about an invalid value in shadowLastChange.

I think this is not the same issue as mentioned in this bug. The customer does not have the ad-connector installed. I found an old ticket, where he had trouble with some old ldap attributes about 1 year ago. I change the bug status to new again.
(In reply to Erik Damrose from comment #6)
> A workaround was posted at the initial support ticket - set the
> sambaBadPasswordTime to 0 via ldapmodify. Does the value reappear after
> setting it to 0?

In Ticket 2020032321000357 there is now more information on how to reproduce this issue in the customer environment. The traceback reappears after a certain time, so the workaround does not help for long.
If I understand the ticket correctly, repeated login failures due to a wrong password cause the user to get locked, and the timestamp is then written to LDAP.

net use \\server\share /user:testuser wrongpassword
Systemfehler 86 aufgetreten.
Das angegebene Netzwerkkennwort ist falsch.

net use \\server\share /user:testuser wrongpassword
Systemfehler 1909 aufgetreten.
Das angesprochene Konto ist momentan gesperrt und kann nicht für die Anmeldung verwendet werden.

ldapsearch for the user object shows:
modifiersName: cn=server,cn=dc,cn=computers,dc=ldap,dc=base
modifyTimestamp: 20200327131114Z
entryDN: uid=b95144,cn=users,dc=ldap,dc=base
sambaBadPasswordTime 1585314674
The attribute also causes a reject in the s4connector (and ad-connector), as the customer reported.

01.04.2020 16:27:16.367 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1585750985.393725
01.04.2020 16:27:16.368 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 891, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2610, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 111, in disable_user_from_ucs
    return s4connector.disable_user_from_ucs(key, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 1983, in disable_user_from_ucs
    ucs_admin_object = univention.admin.objects.get(self.modules[object_key], co='', lo=self.lo, position='', dn=object_ucs['dn'])
  File "/usr/lib/python2.7/dist-packages/univention/admin/objects.py", line 108, in get
    obj = univention.admin.modules.lookup(module.module, co, lo, base=dn, superordinate=superordinate, scope='base', unique=True, required=True)[0]
  File "/usr/lib/python2.7/dist-packages/univention/admin/modules.py", line 916, in lookup
    tmpres = module.lookup(co, lo, filter, base=base, superordinate=superordinate, scope=scope, unique=unique, required=required, timeout=timeout, sizelimit=sizelimit)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1741, in lookup
    result.append(cls(co, lo, None, dn=dn, superordinate=superordinate, attributes=attrs))
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1280, in __init__
    univention.admin.handlers.simpleLdap.__init__(self, co, lo, position, dn, superordinate, attributes=attributes)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 241, in __init__
    oldinfo = self.mapping.unmapValues(self.oldattr)
  File "/usr/lib/python2.7/dist-packages/univention/admin/mapping.py", line 531, in unmapValues
    info = mapDict(self, oldattr)
  File "/usr/lib/python2.7/dist-packages/univention/admin/mapping.py", line 587, in mapDict
    v = mapping.unmapValue(key, value)
  File "/usr/lib/python2.7/dist-packages/univention/admin/mapping.py", line 525, in unmapValue
    return unmap_value(value) if unmap_value else value
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1186, in unmapWindowsFiletime
    return time.strftime('%Y%m%d%H%M%SZ', time.gmtime(unixtime))
ValueError: year out of range
Repairing with this fix: ------------------------------------------------------------------------------ --- /usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py +++ /usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py 
@@ -1178,12 +1178,6 @@ def mapWindowsFiletime(old): def unmapWindowsFiletime(old): - if old and old[0]: - if old[0] == "0": - return old[0] - d = long(116444736000000000) # difference between 1601 and 1970 - unixtime = (int(old[0]) - d) / 10000000 - return time.strftime('%Y%m%d%H%M%SZ', time.gmtime(unixtime)) return '' ------------------------------------------------------------------------------ the Reject changes to: 01.04.2020 16:32:48.085 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=ahenrich,cn=users,DC=schein,DC=ig 01.04.2020 16:32:48.119 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1585750985.393725 01.04.2020 16:32:48.120 LDAP (WARNING): Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 891, in __sync_file_from_ucs if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))): File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2610, in sync_from_ucs f(self, property_type, object) File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 111, in disable_user_from_ucs return s4connector.disable_user_from_ucs(key, object) File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 1983, in disable_user_from_ucs ucs_admin_object = univention.admin.objects.get(self.modules[object_key], co='', lo=self.lo, position='', dn=object_ucs['dn']) File "/usr/lib/python2.7/dist-packages/univention/admin/objects.py", line 108, in get obj = univention.admin.modules.lookup(module.module, co, lo, base=dn, superordinate=superordinate, scope='base', unique=True, required=True)[0] File "/usr/lib/python2.7/dist-packages/univention/admin/modules.py", line 916, in lookup tmpres = module.lookup(co, lo, filter, base=base, 
superordinate=superordinate, scope=scope, unique=unique, required=required, timeout=timeout, sizelimit=sizelimit) File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1741, in lookup result.append(cls(co, lo, None, dn=dn, superordinate=superordinate, attributes=attrs)) File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1280, in __init__ samba='sambaSamAccount', File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 241, in __init__ oldinfo = self.mapping.unmapValues(self.oldattr) File "/usr/lib/python2.7/dist-packages/univention/admin/mapping.py", line 531, in unmapValues info = mapDict(self, oldattr) File "/usr/lib/python2.7/dist-packages/univention/admin/mapping.py", line 587, in mapDict v = mapping.unmapValue(key, value) File "/usr/lib/python2.7/dist-packages/univention/admin/mapping.py", line 525, in unmapValue return unmap_value(value) if unmap_value else value File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1186, in unmapWindowsFiletime mapping.register('uidNumber', 'uidNumber', None, univention.admin.mapping.ListToString) ValueError: year out of range ------------------------------------------------------------------------------
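Review bot: the hunk at @@ -1178 deletes the whole body of unmapWindowsFiletime and returns '' unconditionally, which drops valid Windows filetime values together with the bad unix-epoch ones, so every user's lockout time would read as empty; fine as a diagnostic patch, but the real fix should keep the conversion and only special-case values below 116444736000000000 (or catch the ValueError) and treat them as seconds since 1970. Also, the traceback shown after the patch still reports line 1186 in unmapWindowsFiletime but prints unrelated source text there (`mapping.register('uidNumber', ...` and `samba='sambaSamAccount',` at line 1280), which means the s4connector process was still running the old loaded module and needs to be restarted before the edited file is exercised at all.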
(In reply to Erik Damrose from comment #13)
> If i understand the ticket correctly, repeated login failures due to a wrong
> password cause the user to get locked, and the timestamp is then written to
> LDAP.
>
> net use \\server\share /user:testuser wrongpassword
> Systemfehler 86 aufgetreten.
> Das angegebene Netzwerkkennwort ist falsch.
>
> net use \\server\share /user:testuser wrongpassword
> Systemfehler 1909 aufgetreten.
> Das angesprochene Konto ist momentan gesperrt und kann nicht für die
> Anmeldung verwendet werden.
>
> ldapsearch for the user object shows:
> modifiersName: cn=server,cn=dc,cn=computers,dc=ldap,dc=base
> modifyTimestamp: 20200327131114Z
> entryDN: uid=b95144,cn=users,dc=ldap,dc=base
> sambaBadPasswordTime 1585314674

Yes, this seems to be the issue. But this is not caused by a stupid user. The user changes his password and the replication takes too long, so that the login for the share still uses the old password.
The Unix-Timestamps are written by Samba3. It is not reproducible in a Samba4 environment (other than setting the value manually by ldapmodify). We "could" patch Samba3 in this case, but I went with patching udm so that if an exception occurs, it treats the timestamp as a Unix-Timestamp.

Successful build
Package: univention-directory-manager-modules
Version: 14.0.15-1ubuntu1A~4.4.0.202004161241
Branch: ucs_4.4-0
Scope: errata4.4-4

5282a1e145 Bug #49697: Fix yaml
7e12c795ce Bug #49697: yaml
8d0fcc0600 Bug #49697: version bump
5cedd7f2dd Bug #49697: Let udm calculate locked time if sambaBadPasswordTime is in unixepoch
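As an added illustration of the two encodings discussed in this bug (not Univention's code and not the errata fix itself), the Python 3 sketch below accepts sambaBadPasswordTime either as a Windows FILETIME or as the Samba3-style Unix timestamp and never raises, and it also provides the pre-upgrade check asked for in comment #7; the function names and the python-ldap-shaped input are assumptions.

```python
from datetime import datetime, timedelta, timezone

# 100-ns ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch):
# the constant unmapWindowsFiletime subtracts before calling gmtime().
FILETIME_EPOCH_DIFF = 116444736000000000
UDM_TIME_FORMAT = '%Y%m%d%H%M%SZ'  # format UDM produces for the property
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def is_unix_epoch_value(raw):
    """True if a sambaBadPasswordTime value is a Samba3-style Unix timestamp: a
    FILETIME after 1970 is >= FILETIME_EPOCH_DIFF (~1.2e17), Unix time is ~1e9."""
    try:
        value = int(raw)  # int() accepts both str and bytes
    except (TypeError, ValueError):
        return False
    return 0 < value < FILETIME_EPOCH_DIFF


def unmap_bad_password_time(old):
    """Hypothetical unmapWindowsFiletime replacement; 'old' is the list of raw LDAP
    values as UDM passes it. Returns '' for empty/unparseable input instead of
    raising (which aborts the whole users/user lookup) and '0' for 'not locked'."""
    if not old or not old[0]:
        return ''
    try:
        value = int(old[0])
    except ValueError:
        return ''
    if value == 0:
        return '0'  # Samba's "never locked" marker, kept verbatim by UDM
    if value < 0:
        return ''
    if value >= FILETIME_EPOCH_DIFF:
        seconds = (value - FILETIME_EPOCH_DIFF) // 10000000  # FILETIME -> seconds
    else:
        seconds = value  # Samba3 wrote seconds since 1970 directly
    try:
        return (UNIX_EPOCH + timedelta(seconds=seconds)).strftime(UDM_TIME_FORMAT)
    except OverflowError:  # absurdly large value, e.g. a corrupted attribute
        return ''


def find_affected_users(entries):
    """Pre-upgrade check: DNs whose sambaBadPasswordTime is Unix-epoch encoded.
    'entries' are (dn, attrs) pairs in python-ldap search_s shape (assumed)."""
    return [dn for dn, attrs in entries
            if any(is_unix_epoch_value(v) for v in attrs.get('sambaBadPasswordTime', []))]
```

Running find_affected_users over an ldapsearch of the users container before the update gives the list of objects that the old unmapWindowsFiletime would trip over.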
I can confirm that the fix works as expected and prevents the UDM from crashing. There was also a new debug message introduced, which would help in the unlikely case of a future bug regression. => VERIFIED
<http://errata.software-univention.de/ucs/4.4/537.html>