Univention Bugzilla – Bug 49905
Unable to change or remove dBCSPwd
Last modified: 2019-08-22 15:30:10 CEST
Similar to Bug #48142. Since Samba 4.9 the S4 connector is no longer allowed to delete the dBCSPwd attribute. This happens in two scenarios:

1. The S4 connector makes a delete and add if the value should be changed. This can be changed by using REPLACE.
2. If the LM hash was removed in OpenLDAP, the S4 connector tries to delete the value in Samba 4, which is not allowed.

The traceback for scenario 2:

22.07.2019 15:01:45.470 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 910, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/__init__.py", line 2754, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/s4/password.py", line 656, in password_sync_ucs_to_s4
    s4connector.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), modlist, serverctrls=[ctrl_bypass_password_hash])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_ATTRIBUTE: {'info': "attribute 'dBCSPwd': no matching attribute value while deleting attribute on 'CN=FOO,CN=Users,DC=BASE'", 'desc': 'No such attribute'}
Created attachment 10130: bug49905-dBCSPwd.patch
Patch is available in stefan/bug49905-dBCSPwd
Github link: https://github.com/univention/univention-corporate-server/commit/618d7b2a2e675282c36c585ec284e36addf3fc3a
Branch tests: http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-1/view/Branch%20Tests/job/branch%20test%20samba%20s4-connector/2/

Steps to reproduce:

$ ucr set password/samba/lmhash=yes
$ udm users/user create --set username=test --set lastname=Test --set password=univention
Object created: uid=test,dc=deadlock44,dc=intranet

### Scenario 1
$ udm users/user modify --dn "uid=test,dc=deadlock44,dc=intranet" --set password=q1w2e3r4

### Scenario 2
$ cat remove-lmhash.ldif
dn: uid=test,dc=deadlock44,dc=intranet
changetype: modify
delete: sambaLMPassword
$ ldapmodify -x -D cn=admin,$ldap_base -y /etc/ldap.secret -f remove-lmhash.ldif
Install patch on local system:

wget https://forge.univention.org/bugzilla/attachment.cgi?id=10130 -O /tmp/bug49905-dBCSPwd.patch
patch -p7 -d /usr/lib/python2.7/dist-packages/univention/s4connector/s4/ </tmp/bug49905-dBCSPwd.patch
The impact is that the user passwords for these users are no longer synchronized, which in most scenarios is critical.
The attached patch works for the customer.
0c7b41c6cc | commit cherrypicked from branch stefan/bug49905-dBCSPwd
be2963b32e | Advisory
a68fe1c38f | ucs-test case 52_s4connector/162sync_lm_hash
I checked again in the customer environment, and I think that case 2 of the original bug report has a different cause. I can remove that exact dBCSPwd attribute in Samba, on that exact server, on that exact user that had the traceback in the connector-s4.log.

Looking at the exact error message again:

NO_SUCH_ATTRIBUTE: {'info': "attribute 'dBCSPwd': no matching attribute value while deleting attribute on 'CN=FOO,CN=Users,DC=BASE'", 'desc': 'No such attribute'}

Suggests to me that

master# udm users/user create --set username=user1 --set lastname=l1 \
    --set password=univention
master# sleep 10
master# ldbmodify -H /var/lib/samba/private/sam.ldb \
    --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 <<%EOF
dn: CN=user1,CN=Users,DC=domain,DC=net
changetype: modify
add: dBCSPwd
dBCSPwd: pOBxg6wjlKaUTi30iaiA5A==
%EOF

And now:

master# ldbmodify -H /var/lib/samba/private/sam.ldb \
    --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 <<%EOF
dn: CN=user1,CN=Users,DC=domain,DC=net
changetype: modify
delete: dBCSPwd
dBCSPwd: wrong
%EOF
ERR: (No such attribute) "attribute 'dBCSPwd': no matching attribute value while deleting attribute on 'CN=user1,CN=Users,DC=domain,DC=net'" on DN CN=user1,CN=Users,DC=domain,DC=net at block before line 4
Modify failed after processing 0 records

That's pretty much the same error message as in the connector-s4.log. And in fact, I can

master# ldbmodify -H /var/lib/samba/private/sam.ldb \
    --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 <<%EOF
dn: CN=user1,CN=Users,DC=domain,DC=net
changetype: modify
delete: dBCSPwd
## dBCSPwd: don't do it wrong
%EOF
Modified 1 records successfully
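The two points made in this thread (use a single REPLACE when the LM hash changes, and delete the attribute as a whole rather than naming a value when the hash was removed in OpenLDAP) can be shown with a small modlist builder and an in-memory stand-in for the directory. This is an added example, not code from the UCS S4 connector or from Samba: the `MOD_*` constants mirror python-ldap's numeric values so that the block runs without python-ldap installed, `lm_hash_modlist`, `apply_modlist` and `NoSuchAttribute` are names made up for this example, and the entry and hash strings are constructed sample data.

```python
"""Build the modlist for syncing an LM hash (dBCSPwd) and replay the
delete-with-value vs. delete-whole-attribute behaviour from the thread.

Added example; not code from the UCS S4 connector.  MOD_ADD/MOD_DELETE/
MOD_REPLACE carry the same numeric values as python-ldap's ldap.MOD_*
constants; the dict-based "entry" below is a constructed stand-in for a
sam.ldb object, not a real LDAP connection.
"""

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2  # same values as python-ldap

ATTR = 'dBCSPwd'


class NoSuchAttribute(Exception):
    """Stand-in for ldap.NO_SUCH_ATTRIBUTE (hypothetical name)."""


def lm_hash_modlist(old_hash, new_hash):
    """Return the modlist that moves dBCSPwd from old_hash to new_hash.

    changed value -> one MOD_REPLACE; the old value is never deleted by name
    value removed -> MOD_DELETE with value None, i.e. drop the whole attribute
    unchanged     -> empty modlist, nothing is sent to the server
    """
    if old_hash == new_hash:
        return []
    if new_hash is None:
        return [(MOD_DELETE, ATTR, None)]
    return [(MOD_REPLACE, ATTR, [new_hash])]


def apply_modlist(entry, modlist):
    """Apply a python-ldap style modlist to a dict attr -> list of values.

    Models the server behaviour seen in the ldbmodify output above: deleting a
    named value that is not stored fails with "no matching attribute value",
    while deleting the attribute without naming a value succeeds.  Deleting an
    attribute that does not exist is also rejected (standard LDAP semantics).
    """
    for op, attr, values in modlist:
        if op == MOD_ADD:
            entry.setdefault(attr, []).extend(values)
        elif op == MOD_REPLACE:
            entry[attr] = list(values)
        elif op == MOD_DELETE:
            if attr not in entry:
                raise NoSuchAttribute("attribute %r: no such attribute" % attr)
            if values is None:          # "delete: dBCSPwd" with no value line
                del entry[attr]
                continue
            current = entry[attr]
            for value in values:        # "delete: dBCSPwd" + "dBCSPwd: <value>"
                if value not in current:
                    raise NoSuchAttribute(
                        "attribute %r: no matching attribute value while "
                        "deleting attribute" % attr)
                current.remove(value)
            if not current:
                del entry[attr]
        else:
            raise ValueError("unknown modify operation %r" % op)
    return entry


def delete_wrong_value_fails(entry):
    """True if deleting a value the server does not hold is rejected."""
    try:
        apply_modlist(entry, [(MOD_DELETE, ATTR, ['wrong'])])
    except NoSuchAttribute:
        return True
    return False


def demo():
    """Replay scenario 1 (hash changed) and scenario 2 (hash removed)."""
    # constructed sample entry; the hash string is not a real LM hash
    entry = {ATTR: ['OLDHASHbase64==']}
    apply_modlist(entry, lm_hash_modlist('OLDHASHbase64==', 'NEWHASHbase64=='))
    assert entry[ATTR] == ['NEWHASHbase64==']
    apply_modlist(entry, lm_hash_modlist('NEWHASHbase64==', None))
    return entry  # {} : attribute gone, no NoSuchAttribute raised


if __name__ == '__main__':
    print(demo())
    print(delete_wrong_value_fails({ATTR: ['OLDHASHbase64==']}))
```

The point the simulator makes is the one the comment above makes with ldbmodify: a modlist that names the value to delete only succeeds if the server still holds exactly that value, so a connector that deletes "the old hash" from its own view of the object breaks as soon as the two sides disagree; REPLACE for changes and a value-less DELETE for removals do not depend on that.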
e5a6763814 | Fix dBCSPwd removal
7dc0200498 | Advisory update
OK: code change
OK: test succeeds
OK: advisory
<http://errata.software-univention.de/ucs/4.4/239.html>