Bug 53089 - 52_s4connector.100sync_gpo_ntsecurity_descriptor fails on S4 Connector tests for UCS 5.0-0
Status: CLOSED FIXED
Product: UCS Test
Classification: Unclassified
Component: S4 Connector
unspecified
Other Linux
: P5 normal
: UCS 5.0
Assigned To: Julia Bremer
Arvid Requate
: interim-5
Reported: 2021-04-14 10:11 CEST by Felix Botner
Modified: 2021-05-25 16:03 CEST
What kind of report is it?: Development Internal

Comment 1 Julia Bremer univentionstaff 2021-05-07 12:30:32 CEST
Successful build
Package: ucs-test
Version: 10.0.5-17A~5.0.0.202105071217
Branch: ucs_5.0-0

08a7cae350 Bug #53089: Fix 100sync_gpo_ntsecurity_descriptor

In UCS 5 the hidden attribute ntsecuritydescriptor cannot be found via ldbsearch when using the LDAP URL. It is only found if /var/lib/samba/private/sam.ldb is used.
univention-s4search uses the LDAP URL, so it doesn't find the ntsecuritydescriptor attribute either.
This is due to the changed default of the acl:search option in the smb.conf. 
The default was changed in Bug #51522. 

The test has been fixed. I am not sure if the configuration should stay like this. I am not aware of the benefits of the acl:search option.
Comment 2 Arvid Requate univentionstaff 2021-05-07 19:05:05 CEST
The acl:search = no setting in UCS-4 was just a workaround to avoid a samba crash.
With acl:search disabled, the DSACLs in nTSecurityDescriptor are ignored for searches,
which is really bad in case you want to use something like LAPS, which stores a plain
text password in LDAP and *needs* to protect that value from appearing in LDAP searches.

So, acl:search = yes is good. If that hides nTSecurityDescriptor, then so be it.
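
A configuration check for the setting discussed in the comment above, as an added example that is not part of the bug report or of UCS: it reads smb.conf text and reports whether acl:search is disabled in [global]. The function names, the sample configurations, the case-insensitive key match and the treatment of an absent option as enabled (the `default` parameter) are assumptions of this example.

```python
TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}


def logical_lines(text):
    """Yield stripped smb.conf lines, joining backslash continuations, skipping comments."""
    pending = ""
    for raw in text.splitlines() + [""]:  # sentinel flushes a dangling continuation
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line and line[0] not in "#;":
            yield line


def acl_search_enabled(text, default=True):
    """Effective acl:search value in [global]; `default` applies when it is absent."""
    section, value = None, default
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, val = line.partition("=")
        # Only [global] is inspected; the key match is case-insensitive (assumption).
        if section != "global" or not sep or key.strip().lower() != "acl:search":
            continue
        val = val.strip().lower()
        if val not in TRUE | FALSE:
            raise ValueError(f"acl:search is not a boolean: {val!r}")
        value = val in TRUE  # a later assignment overrides an earlier one
    return value


def audit(text, default=True):
    """Return a one-line result suitable for a configuration report."""
    if acl_search_enabled(text, default):
        return "ok: acl:search enabled, DSACLs are applied to LDAP searches"
    return "finding: acl:search disabled, DSACLs are ignored for LDAP searches"


# Constructed sample inputs, not taken from a real system.
WORKAROUND = "[global]\n\tnetbios name = dc1\n\t; crash workaround\n\tacl:search = no\n[sysvol]\n\tpath = /srv/sysvol\n"
SHARE_ONLY = "[global]\n\tworkgroup = EXAMPLE\n[sysvol]\n\tacl:search = no\n"
OVERRIDE = "[global]\nacl:search = no\nACL:Search = Yes\n"

if __name__ == "__main__":
    for name, conf in (("WORKAROUND", WORKAROUND), ("SHARE_ONLY", SHARE_ONLY), ("OVERRIDE", OVERRIDE)):
        print(name, "->", audit(conf))
```
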
Comment 3 Julia Bremer univentionstaff 2021-05-08 15:06:46 CEST
Thanks for the explanation. :)
Since the synchronization works as expected, I guess it is sufficient to change the test case.
The test was successful in the last test run.
Comment 5 Arvid Requate univentionstaff 2021-05-11 12:20:21 CEST
Verified:
* Test code change
* Jenkins result
Comment 6 Florian Best univentionstaff 2021-05-25 16:03:15 CEST
UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".