Bug 48153

Summary: UCS -> Windows2008: userPrincipalName is not modified when userobject has changed
Product: UCS
Reporter: Christina Scheinig <scheinig>
Component: AD Connector
Assignee: Felix Botner <botner>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: botner, gohmann, steuwer
Version: UCS 4.3
Target Milestone: UCS 4.3-2-errata
Hardware: Other
OS: Linux
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018091121000775
Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 20518
Bug Blocks: 20657

Description Christina Scheinig univentionstaff 2018-11-15 15:49:15 CET
+++ This bug was initially created as a clone of Bug #20518 +++

With the default configuration, the attribute "userPrincipalName" is not set in AD during the UCS -> AD sync. AFAIR this still happened automatically in AD 2003.

In 2008, a user synchronized from UCS then no longer has a Kerberos account.

-------------------------------------------------------------------------------
A customer reported that he renamed a user via UMC and the krb5PrincipalName was renamed as expected, but after the synchronization into AD the userPrincipalName was not changed.

The connector is in write mode
Comment 1 Christina Scheinig univentionstaff 2018-11-19 09:12:29 CET
The fix is important and urgent for the customer. It is also blocking further development of the customer's infrastructure. I therefore set the waiting for support tag and increased the affected feel tag.
Comment 2 Felix Botner univentionstaff 2018-11-20 16:47:56 CET
8248f6e4dea93a0e30860cb28324b12703a1dc64 - univention-ad-connector
bdeb1721f849c3fc22efdcf8d44b274f73a56a5d - yaml

Always set userPrincipalName in AD to UCS/AD username.
Comment 3 Felix Botner univentionstaff 2018-11-21 12:46:00 CET
ad16a06ff324ca6a0cf598746095f7a5be2ef41f

as discussed
 * set userPrincipalName username@$connector/ad/mapping/kerberosdomain if not set 
   in AD (as until now)
 * additionally we modify userPrincipalName to UCS_username@AD_Principal if 
   userPrincipalName exists in AD

The modify part can be disabled with connector/ad/mapping/sync/userPrincipalName=false (which is the case for updated systems)
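
The two rules from Comment 3, sketched as a decision function. This is an added example, not code from univention-ad-connector: the function names and sample values are hypothetical, and it assumes "AD_Principal" means the suffix after the last "@" of the existing AD value and that an unset sync variable counts as disabled.

```python
# Added illustration, not the connector's own code. Function names are hypothetical;
# the two UCR variable names are the ones quoted in Comment 3.
UCR_REALM = "connector/ad/mapping/kerberosdomain"
UCR_SYNC = "connector/ad/mapping/sync/userPrincipalName"

# Constructed sample configuration (realm value is made up).
SAMPLE_UCR = {UCR_REALM: "EXAMPLE.TEST", UCR_SYNC: "true"}


def is_true(value):
    """Interpret a string flag; the accepted spellings are an assumption."""
    return str(value).strip().lower() in ("true", "yes", "1", "enable", "enabled", "on")


def desired_upn(ucs_username, ad_upn, ucr):
    """Return the userPrincipalName to write to AD, or None to leave AD untouched."""
    if not ad_upn:
        # Rule 1: attribute missing in AD -> username@<kerberosdomain>.
        realm = ucr.get(UCR_REALM)
        if not realm:
            raise ValueError("%s is not configured" % UCR_REALM)
        return "%s@%s" % (ucs_username, realm)

    # Rule 2 is optional; an unset variable is treated as disabled (assumption).
    if not is_true(ucr.get(UCR_SYNC, "false")):
        return None

    # Keep the suffix already present in AD and replace only the user part.
    local, sep, suffix = ad_upn.rpartition("@")
    if not sep or not suffix:
        return None  # existing value has no usable suffix, do not guess one
    if local == ucs_username:
        return None  # already consistent, no write needed
    return "%s@%s" % (ucs_username, suffix)


def audit(users, ucr):
    """Map username -> pending UPN change for (username, current AD UPN) pairs."""
    pending = {}
    for name, ad_upn in users:
        new = desired_upn(name, ad_upn, ucr)
        if new is not None:
            pending[name] = (ad_upn, new)
    return pending
```

Running `audit` over an export of UCS usernames and their current AD values shows which accounts still carry a stale login name after a rename, which is the state described in this bug.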
Comment 4 Arvid Requate univentionstaff 2018-11-21 20:35:43 CET
Ok, cool, verified:
* Sync works
* Disabled on updates, enabled on new installations

I adjusted the advisory text a bit: 30121b5f37
Comment 5 Arvid Requate univentionstaff 2018-12-05 17:25:30 CET
<http://errata.software-univention.de/ucs/4.3/354.html>