Bug 56160 - S4-Connector reject for user Guest after running AD-Takeover out of an ad/member=true setup
Status: NEW
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 5.0
Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba maintainers
Depends on:
Blocks:
Reported: 2023-06-19 23:34 CEST by Arvid Requate
Modified: 2023-06-20 10:18 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Arvid Requate univentionstaff 2023-06-19 23:34:47 CEST
The test scenario product-tests/samba/ad-takeover-admembermode.cfg produces an S4-Connector reject for the user "Gast" that has been synchronized from a German AD to UCS by means of the AD-Connector. Later on, when switching from ad/member mode to AD-Takeover, the S4-Connector detects a value in userPassword that is invalid:

 # Gast, users, adtakeover.test
 dn: uid=Gast,cn=users,dc=adtakeover,dc=test
 univentionObjectFlag: synced
 sambaSID: S-1-5-21-1881855784-3914637463-3156806296-501
 sambaPrimaryGroupSID: S-1-5-21-1881855784-3914637463-3156806296-514
 sambaAcctFlags: [UD         ]
 shadowExpire: 1
 krb5KDCFlags: 254
 sambaNTPassword: NO PASSWORD*********************
 userPassword:: e0tJTklUfSE=

which corresponds to

 userPassword: {KINIT}!

(This value seems to be the result of the AD-Connector synchronizing the "Gast" account from AD to UCS. I guess the exclamation mark comes from univention.connector.ad.disable_user_to_ucs, which is run after univention.connector.ad.password.password_sync.)


Based on that object, connector-s4.log later shows this traceback:
==================
6.2023 22:53:25.132 LDAP        (PROCESS): sync UCS > AD: Resync rejected file: /var/lib/univention-connector/s4/1687207457.101551
19.06.2023 22:53:25.136 LDAP        (PROCESS): sync UCS > AD: [          user] [       add] 'cn=gast,cn=users,DC=adtakeover,DC=test'
19.06.2023 22:53:25.194 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1687207457.101551
19.06.2023 22:53:25.196 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 809, in __sync_file_from_ucs
    if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new):
  File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 2280, in sync_from_ucs
    post_con_modify_function(self, property_type, object)
  File "/usr/lib/python3/dist-packages/univention/s4connector/s4/password.py", line 599, in password_sync_ucs_to_s4
    unicodePwd_new = binascii.a2b_hex(ucsNThash)
binascii.Error: Non-hexadecimal digit found
==================
Comment 1 Arvid Requate univentionstaff 2023-06-19 23:36:28 CEST
The value in userPassword is irrelevant here, the traceback is about the sambaNTPassword.
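The following is an added example, not code from the S4-Connector or from this report: it rebuilds the "Gast" object from the LDIF above as an in-memory dict, decodes the base64 `userPassword::` value to confirm it is `{KINIT}!`, reproduces the `binascii.Error` that the unguarded `binascii.a2b_hex(ucsNThash)` call raises on `sambaNTPassword`, and shows a guarded variant that recognises Samba's `NO PASSWORD*...*` marker instead of treating it as hex. The marker string is taken from the LDIF on this page; the 32-hex-digit check, the function names and the sample hash are assumptions for illustration.

```python
import base64
import binascii
import re

# Constructed from the LDIF in the bug description (not read from LDAP).
GAST_ENTRY = {
    "userPassword": ["e0tJTklUfSE="],  # base64 of "{KINIT}!" as shown in the report
    "sambaNTPassword": ["NO PASSWORD*********************"],
    "sambaAcctFlags": ["[UD         ]"],
}

# An NT hash is 16 bytes, so its hex form must be exactly 32 hex digits (assumption:
# the connector does no such check before calling a2b_hex).
NT_HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# Marker Samba writes into sambaNTPassword for accounts without an NT hash
# (the exact value seen on the Gast object above). It is 32 characters long,
# so a2b_hex does not fail on length, only on the non-hex characters.
NO_PASSWORD_PREFIX = "NO PASSWORD"


def first_value(entry, attr):
    """Return the first value of an LDAP attribute, or None if absent."""
    values = entry.get(attr) or []
    return values[0] if values else None


def decode_user_password(entry):
    """Decode the base64 'userPassword::' value as it appears in LDIF output."""
    raw = first_value(entry, "userPassword")
    if raw is None:
        return None
    return base64.b64decode(raw).decode("utf-8")


def reproduce_original_error(entry):
    """Mimic the unguarded call from password_sync_ucs_to_s4 (hypothetical name).
    Returns the binascii.Error message, or None when the hash decodes cleanly."""
    ucs_nt_hash = first_value(entry, "sambaNTPassword")
    try:
        binascii.a2b_hex(ucs_nt_hash)
    except binascii.Error as exc:
        return str(exc)
    return None


def nt_hash_to_unicode_pwd(entry):
    """Guarded variant: classify sambaNTPassword before hex-decoding it.
    Returns ('ok', bytes) for a syntactically valid hash,
            ('no_password', None) for Samba's NO PASSWORD marker,
            ('missing', None) if the attribute is absent,
            ('invalid', value) for any other non-hex content."""
    ucs_nt_hash = first_value(entry, "sambaNTPassword")
    if ucs_nt_hash is None:
        return ("missing", None)
    if ucs_nt_hash.startswith(NO_PASSWORD_PREFIX):
        return ("no_password", None)
    if not NT_HASH_RE.match(ucs_nt_hash):
        return ("invalid", ucs_nt_hash)
    return ("ok", binascii.a2b_hex(ucs_nt_hash))


if __name__ == "__main__":
    print("userPassword:", decode_user_password(GAST_ENTRY))
    print("unguarded a2b_hex:", reproduce_original_error(GAST_ENTRY))
    print("guarded:", nt_hash_to_unicode_pwd(GAST_ENTRY))
```

Run against the Gast object, the unguarded path returns the same "Non-hexadecimal digit found" message as the traceback, while the guarded path reports `no_password`, which is the information a caller needs to skip the unicodePwd update (or set the account to no password) rather than reject the whole object.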