Bug 51276 - Additional memberserver in school ou does not have permission to read sambaNTPassword
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: General
Version: UCS@school 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: UCS@school maintainers
Reported: 2020-05-12 09:45 CEST by Christina Scheinig
Modified: 2020-07-21 12:42 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020050121000359, 2020050721000277
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2020-05-12 09:45:44 CEST
I could reproduce this in my test environment.
The impact is that using RADIUS is not possible on an additional memberserver in school. RADIUS needs the sambaNTPassword.



root@member-sun:~# univention-ldapsearch -LLL uid=cscheini sambaNTPassword
dn: uid=cscheini,cn=schueler,cn=users,ou=sun,dc=schein,dc=me

Updateuser is allowed to read the sambaNTPassword:
root@member-sun:~# univention-ldapsearch -LLL -D "cn=update,dc=schein,dc=me" -W  uid=cscheini sambaNTPassword
Enter LDAP Password: 
dn: uid=cscheini,cn=schueler,cn=users,ou=sun,dc=schein,dc=me
sambaNTPassword: CAA1239D44DA7EDF926BCE39F5C65D0F

root@member-sun:~# id member-sun\$
uid=2075(member-sun$) gid=5007(Computers) Gruppen=5007(Computers),5013(Member-Edukativnetz),5015(OUsun-Member-Edukativnetz)

root@member-sun:~# ucr get ldap/server/name 
slave-sun
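
The comparison made in the description (the host's default bind versus the cn=update bind), as an added example that is not part of the original report or of UCS@school code: it parses two `ldapsearch -LLL` outputs and lists the attribute names that only the second bind was allowed to read. The sample outputs, the DN and the hash value are constructed placeholders, and the function names are hypothetical.

```python
import base64

def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into {dn: {attribute: [values]}}."""
    lines = []
    for raw in text.splitlines():
        # RFC 2849 folding: a leading space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None              # blank line ends the entry
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):       # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:       # ignores prompts printed before the first dn
            current.setdefault(attr, []).append(value)
    return entries

def hidden_attributes(restricted_out, privileged_out):
    """Attribute names (never values) that only the privileged bind returned."""
    low, high = parse_ldif(restricted_out), parse_ldif(privileged_out)
    report = {}
    for dn, attrs in high.items():
        missing = sorted(set(attrs) - set(low.get(dn, {})))
        if missing:
            report[dn] = missing
    return report

# Constructed sample output; DN and hash are placeholders, not from the report.
MACHINE_BIND = "dn: uid=alice,cn=schueler,cn=users,ou=school1,dc=example,dc=test\n\n"
UPDATE_BIND = (
    "Enter LDAP Password: \n"
    "dn: uid=alice,cn=schueler,cn=users,ou=school1,\n"
    " dc=example,dc=test\n"
    "sambaNTPassword: 00000000000000000000000000000000\n\n"
)

if __name__ == "__main__":
    for dn, attrs in hidden_attributes(MACHINE_BIND, UPDATE_BIND).items():
        print(f"{dn}: readable only with the privileged bind: {', '.join(attrs)}")
```
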
Comment 2 Christian Völker univentionstaff 2020-05-14 14:02:41 CEST
Another customer affected.
Comment 3 Michel Smidt 2020-05-14 14:07:18 CEST
(In reply to Christian Völker from comment #2)
> Another customer affected.

No, it's not. It's the same customer with a new ticket.