Univention Bugzilla – Full Text Bug Listing
Summary: | replace windows password service with python samba drsuapi.DsGetNCChangesRequest8/samr.SetUserInfo | ||
---|---|---|---|
Product: | UCS | Reporter: | Stefan Gohmann <gohmann> |
Component: | AD Connector - Windows password service | Assignee: | Stefan Gohmann <gohmann> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | normal | ||
Priority: | P5 | CC: | birkefeld, botner, gohmann, michelsmidt, requate, stoeckigt |
Version: | UCS 4.1 | ||
Target Milestone: | UCS 3.2-8-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | Feature Request | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
Bug Depends on: | 40745 | ||
Bug Blocks: | 41365, 41632 |
Description
Stefan Gohmann
2016-05-09 14:30:17 CEST
I've backported the patch: r69288
YAML: r69289
Test Case: r69296

I think we should adjust the code to address Bug 41247

(In reply to Arvid Requate from comment #2)
> I think we should adjust the code to address Bug 41247

Done: r70478
YAML: r70479

Code Merge: Complete
Functional Test: Ok
Advisory: Ok

I also tested with AD-Connection-Mode (aka Member-Mode): Ok.

Due to the default of connector/ad/mapping/user/password/kinit=true the new DRS code isn't used until the steps described in http://sdb.univention.de/1332 are performed, so there are no immediate rejects due to the connector/ad/ldap/binddn being set by default to the unprivileged machine account.

Just to document the type of log messages I get when following SDB 1332 but still using the machine account (or some other underprivileged account):

==============================================================================
19.07.2016 22:52:34,292 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=wuser1,cn=users,dc=w2k8r2d2,dc=ar
19.07.2016 22:52:34,299 LDAP (ERROR ): failed in post_con_modify_functions
19.07.2016 22:52:34,299 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/connector/__init__.py", line 1281, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/password.py", line 383, in password_sync
    res = get_password_from_ad(connector, univention.connector.ad.compatible_modstring(object['dn']))
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/password.py", line 183, in get_password_from_ad
    (level, ctr) = connector.drs.DsGetNCChanges(connector.drsuapi_handle, 8, req8)
RuntimeError: (8439, 'WERR_DS_DRA_BAD_DN')
==============================================================================

So there would be rejects in that case which will go away when configuring a privileged account instead.