Univention Bugzilla – Full Text Bug Listing
Summary: | Synchronization fails after move in UCS if ldap/base and samba4/ldap/base are different | | |
---|---|---|---|
Product: | UCS | Reporter: | Nico Stöckigt <stoeckigt> |
Component: | S4 Connector | Assignee: | Felix Botner <botner> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | normal | | |
Priority: | P5 | CC: | best, botner, michelsmidt, requate |
Version: | UCS 4.3 | | |
Target Milestone: | UCS 4.3-3-errata | | |
Hardware: | Other | | |
OS: | Linux | | |
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=42393 https://forge.univention.org/bugzilla/show_bug.cgi?id=46741 https://forge.univention.org/bugzilla/show_bug.cgi?id=26501 | | |
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
User Pain: | 0.143 | Enterprise Customer affected?: | Yes |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | Yes | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | 2018120421000817 | Bug group (optional): | |
Max CVSS v3 score: | | | |
Attachments: | here_be_dragons.diff, proposal.diff | | |
Description
Nico Stöckigt
2018-12-17 15:18:02 CET
Looking at the join script univention-samba4/96univention-samba4.inst I see a function set_samba4_ldap_base which derives the samba4/ldap/base from kerberos/realm. The setup-s4.sh script which calls samba-tool domain provision also passes kerberos/realm, so I guess that's how you can change the default.

Anyway, the connector-s4.log shows the point where the DN gets messed up:

==========================================================================
13.12.2018 13:23:35,140 LDAP (INFO ): samaccount_dn_mapping: check newdn for key dn: uid=test.user,cn=users,dc=my-domain,dc=com
13.12.2018 13:23:35,140 LDAP (INFO ): samaccount_dn_mapping: not premapped (in first instance)
13.12.2018 13:23:35,140 LDAP (INFO ): samaccount_dn_mapping: got an UCS-Object
13.12.2018 13:23:35,140 LDAP (INFO ): samaccount_dn_mapping: search in s4 for (&(objectclass=user)(samaccountname=test.user))
13.12.2018 13:23:35,141 LDAP (INFO ): samaccount_dn_mapping: newdn: CN=test.user,cn=users,dc=my-domain,dc=codc=my-domain,dc=com
13.12.2018 13:23:35,141 LDAP (INFO ): samaccount_dn_mapping: newdn for key dn:
13.12.2018 13:23:35,141 LDAP (INFO ): samaccount_dn_mapping: olddn: uid=test.user,cn=users,dc=my-domain,dc=com
13.12.2018 13:23:35,141 LDAP (INFO ): samaccount_dn_mapping: newdn: CN=test.user,cn=users,dc=my-domain,dc=codc=my-domain,dc=com
13.12.2018 13:23:35,141 LDAP (INFO ): samaccount_dn_mapping: check newdn for key olddn: cn=test.user,cn=users,DC=cw,DC=my-domain,DC=com
==========================================================================

Looks like the rfind call in samaccount_dn_mapping returns a -1 in this case. Before the adjustment for Bug #46741 the rfind was a string replace, and that probably never did anything (wrong). Tracing back the history of that code line left me in the dark (2007 import from CVS). I always treated that line as "better don't touch" whenever I worked on that function, because it always felt like it did something useless -- but it didn't break anything.
I'll attach a patch that may restore the "doesn't break anything" behavior. We should carefully consider removing those few lines of code. I'll have to chat with Felix to hear if he can see a point why we should keep them.

Created attachment 9780: here_be_dragons.diff

Created attachment 9781: proposal.diff

After reading the code, I guess this would be the right way to do it? Please don't hand this patch over into a productive environment unless it is properly understood and tested.

This error was triggered by a move in UCS, not a password change. We cannot simply return the S4 DN in samaccountname_dn_mapping for moves, sync_from_ucs depends on that UCS DN, see Bug #48438 for more info. So return the S4 DN with the UCS ldap base for "move" in the "if ucsobject:" section.

aff1e7e0ecd2632e57a45db8e345a331f1af57b7 - yaml
5d83ea733885ce469d6d69bbe70e100cb382a2e5 - univention-s4-connector
be313fe6bd001ce41f2765203c876f115c511c53 - merge to 4.4-0

Tests look good: http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-3/job/AutotestJoin/SambaVersion=s4connector,Systemrolle=master/ws/test/

Ok, looks good.
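As an added illustration, not code from Univention's s4-connector: the snippet below reconstructs from the connector-s4.log excerpt in the description the base swap that corrupts the DN when rfind() returns -1, and contrasts it with a suffix-checked rewrite plus the sanity check a mapping function could apply before returning a DN. The function names and the intermediate DN are assumptions taken from the log lines; only the unguarded rfind() slice is what the report itself describes.

```python
# Added example, not Univention's s4-connector code: reconstructs from the
# connector-s4.log excerpt the base swap that corrupts the DN when rfind()
# returns -1, and contrasts it with a suffix-checked rewrite.
# The function names and the intermediate DN are assumptions taken from the
# log lines; only the unguarded rfind() slice is what the report describes.

UCS_BASE = "dc=my-domain,dc=com"        # ldap/base, as in the log
S4_BASE = "DC=cw,DC=my-domain,DC=com"   # samba4/ldap/base, as in the log

# DN the log prints just before the swap: RDN from the S4 object, parent
# container and base already taken from the UCS side (constructed from the log).
INTERMEDIATE_DN = "CN=test.user,cn=users,dc=my-domain,dc=com"


def swap_base_unguarded(dn, old_base, new_base):
    """The pattern the report blames: slice at rfind() and append new_base.

    When old_base does not occur in dn, rfind() returns -1, dn[:-1] silently
    drops the last character and new_base is glued onto the remainder.
    """
    return dn[:dn.rfind(old_base)] + new_base


def swap_base_checked(dn, old_base, new_base):
    """Rewrite only when old_base really is the trailing base of dn.

    DN components are case-insensitive and the log mixes DC= and dc= within
    one domain, so both sides are lowercased before comparing.
    """
    if not dn.lower().endswith(old_base.lower()):
        return dn                       # nothing to rewrite, never slice at -1
    return dn[:len(dn) - len(old_base)] + new_base


def looks_like_valid_dn(dn):
    """Cheap sanity check a mapping function can apply before returning a DN:
    every comma-separated RDN must be exactly one attr=value pair."""
    return all(rdn.count("=") == 1 for rdn in dn.split(","))


if __name__ == "__main__":
    broken = swap_base_unguarded(INTERMEDIATE_DN, S4_BASE, UCS_BASE)
    print("unguarded:", broken, looks_like_valid_dn(broken))
    print("checked:  ", swap_base_checked(INTERMEDIATE_DN, S4_BASE, UCS_BASE))
    # With identical bases the unguarded swap is a no-op, which is why the
    # line "never broke anything" as long as both bases were the same.
    print("same base:", swap_base_unguarded(INTERMEDIATE_DN, UCS_BASE, UCS_BASE))
```

The unguarded call reproduces the logged `dc=codc=my-domain,dc=com` DN character for character, while the same call with equal bases is a no-op.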