Bug 49905 - Unable to change or remove dBCSPwd
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.4
Other Linux
: P5 normal
: UCS 4.4-1-errata
Assigned To: Arvid Requate
Daniel Tröder
Depends on:
Blocks:
Reported: 2019-07-23 07:00 CEST by Stefan Gohmann
Modified: 2019-08-22 15:30 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019071921000299
Bug group (optional):
Max CVSS v3 score:


Attachments
bug49905-dBCSPwd.patch (1.51 KB, patch)
2019-07-23 07:22 CEST, Stefan Gohmann

Description Stefan Gohmann univentionstaff 2019-07-23 07:00:56 CEST
Similar to Bug #48142

Since Samba 4.9 the S4 connector is no longer allowed to delete the dBCSPwd attribute.

This happens in two scenarios:

1. The S4 connector makes a delete and add if the value should be changed. This can be changed by using REPLACE.

2. If the LM hash was removed in OpenLDAP the S4 connector tries to delete the value in Samba 4 which is not allowed.

The traceback for scenario 2:

22.07.2019 15:01:45.470 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 910, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2754, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/password.py", line 656, in password_sync_ucs_to_s4
    s4connector.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), modlist, serverctrls=[ctrl_bypass_password_hash])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_ATTRIBUTE: {'info': "attribute 'dBCSPwd': no matching attribute value while deleting attribute on 'CN=FOO,CN=Users,DC=BASE'", 'desc': 'No such attribute'}
Comment 1 Stefan Gohmann univentionstaff 2019-07-23 07:22:36 CEST
Created attachment 10130
bug49905-dBCSPwd.patch
Comment 2 Stefan Gohmann univentionstaff 2019-07-23 07:32:37 CEST
Patch is available in stefan/bug49905-dBCSPwd

Github link:
https://github.com/univention/univention-corporate-server/commit/618d7b2a2e675282c36c585ec284e36addf3fc3a

Branch tests:
http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-1/view/Branch%20Tests/job/branch%20test%20samba%20s4-connector/2/


Steps to reproduce:

$ ucr set password/samba/lmhash=yes
$ udm users/user create --set username=test --set lastname=Test --set password=univention
Object created: uid=test,dc=deadlock44,dc=intranet

### Scenario 1
$ udm users/user modify --dn "uid=test,dc=deadlock44,dc=intranet" --set password=q1w2e3r4

### Scenario 2
$ cat remove-lmhash.ldif
dn: uid=test,dc=deadlock44,dc=intranet
changetype: modify
delete: sambaLMPassword
$ ldapmodify -x -D cn=admin,$ldap_base -y /etc/ldap.secret -f remove-lmhash.ldif
Comment 3 Stefan Gohmann univentionstaff 2019-07-23 07:32:50 CEST
Install patch on local system:

wget https://forge.univention.org/bugzilla/attachment.cgi?id=10130 -O /tmp/bug49905-dBCSPwd.patch 

patch -p7 -d /usr/lib/python2.7/dist-packages/univention/s4connector/s4/ </tmp/bug49905-dBCSPwd.patch
Comment 4 Stefan Gohmann univentionstaff 2019-07-23 07:42:01 CEST
The impact is that the user passwords for these users are no longer synchronized, which is in most scenarios critical.
Comment 5 Christina Scheinig univentionstaff 2019-07-23 11:04:46 CEST
The attached patch works for the customer.
Comment 6 Arvid Requate univentionstaff 2019-08-05 21:27:42 CEST
0c7b41c6cc | commit cherrypicked from branch stefan/bug49905-dBCSPwd
be2963b32e | Advisory
Comment 7 Arvid Requate univentionstaff 2019-08-13 13:18:09 CEST
a68fe1c38f | ucs-test case 52_s4connector/162sync_lm_hash
Comment 8 Arvid Requate univentionstaff 2019-08-14 12:38:01 CEST
I checked again in the customer environment, and I think that case 2 of the original bug report has a different cause. I can remove that exact dBCSPwd attribute in Samba, on that exact server, on that exact user that had the traceback in the connector-s4.log. Looking at the exact error message again:

NO_SUCH_ATTRIBUTE: {'info': "attribute 'dBCSPwd': no matching attribute value while deleting attribute on 'CN=FOO,CN=Users,DC=BASE'", 'desc': 'No such attribute'}

Suggests to me that 

master# udm users/user create --set username=user1 --set lastname=l1 \
                              --set password=univention
master# sleep 10
master# ldbmodify -H /var/lib/samba/private/sam.ldb \
   --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 <<%EOF
dn: CN=user1,CN=Users,DC=domain,DC=net
changetype: modify
add: dBCSPwd
dBCSPwd: pOBxg6wjlKaUTi30iaiA5A==
%EOF
And now:

master# ldbmodify -H /var/lib/samba/private/sam.ldb \
   --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 <<%EOF
dn: CN=user1,CN=Users,DC=domain,DC=net
changetype: modify
delete: dBCSPwd
dBCSPwd: wrong
%EOF
ERR: (No such attribute) "attribute 'dBCSPwd': no matching attribute value while deleting attribute on 'CN=user1,CN=Users,DC=domain,DC=net'" on DN CN=user1,CN=Users,DC=domain,DC=net at block before line 4
Modify failed after processing 0 records

That's pretty much the same error message as in the connector-s4.log.

And in fact, I can 

master# ldbmodify -H /var/lib/samba/private/sam.ldb \
   --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 <<%EOF
dn: CN=user1,CN=Users,DC=domain,DC=net
changetype: modify
delete: dBCSPwd
##  dBCSPwd: don't do it wrong
%EOF
Modified 1 records successfully
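Added example, not code from the S4 connector or from the attached patch: a small offline simulation of the ldb delete semantics shown with ldbmodify in Comment 8, together with the two modlist shapes from the description's scenarios (delete-then-add versus REPLACE, and a value-less delete when the LM hash was removed in OpenLDAP). The hash values and the `old_modlist`/`new_modlist` helpers are constructed for illustration; the MOD_* constants fall back to python-ldap's numeric values when the module is not installed.

```python
# Added illustration, not code from the S4 connector or the patch. Constants
# fall back to python-ldap's numeric values when the module is not installed.
try:
    from ldap import MOD_ADD, MOD_DELETE, MOD_REPLACE
except ImportError:
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


class NoSuchAttribute(Exception):
    """Stand-in for ldap.NO_SUCH_ATTRIBUTE in this simulation."""


def apply_modlist(entry, modlist):
    """Apply a python-ldap style modlist to {attr: [values]}, following the
    rule Comment 8 demonstrates with ldbmodify: a delete that names a value
    fails unless exactly that value is stored, while a delete without values
    removes the whole attribute."""
    entry = {k: list(v) for k, v in entry.items()}
    for op, attr, values in modlist:
        if op == MOD_DELETE:
            if values is None:             # "delete: dBCSPwd" with no value line
                entry.pop(attr, None)
                continue
            for value in values:           # "delete: dBCSPwd" + "dBCSPwd: <value>"
                if value not in entry.get(attr, []):
                    raise NoSuchAttribute(
                        "attribute %r: no matching attribute value while deleting" % attr)
                entry[attr].remove(value)
            if not entry[attr]:
                del entry[attr]
        elif op == MOD_ADD:
            entry.setdefault(attr, []).extend(values)
        elif op == MOD_REPLACE:
            entry[attr] = list(values)
    return entry


def old_modlist(assumed_old_hash, new_hash):
    """Delete-then-add shape from scenario 1 (assumed shape; it fails when the
    stored dBCSPwd is not the value the sender believes it is)."""
    return [(MOD_DELETE, 'dBCSPwd', [assumed_old_hash]),
            (MOD_ADD, 'dBCSPwd', [new_hash])]


def new_modlist(new_hash):
    """REPLACE on change; value-less delete when the LM hash was removed
    in OpenLDAP (scenario 2). No stored value needs to be known."""
    if new_hash is None:
        return [(MOD_DELETE, 'dBCSPwd', None)]
    return [(MOD_REPLACE, 'dBCSPwd', [new_hash])]
```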
Comment 9 Arvid Requate univentionstaff 2019-08-14 12:38:41 CEST
e5a6763814 | Fix dBCSPwd removal
7dc0200498 | Advisory update
Comment 10 Daniel Tröder univentionstaff 2019-08-21 10:55:18 CEST
OK: code change
OK: test succeeds
OK: advisory
Comment 11 Arvid Requate univentionstaff 2019-08-22 15:30:10 CEST
<http://errata.software-univention.de/ucs/4.4/239.html>