Univention Bugzilla – Full Text Bug Listing |
Summary: | Unable to change or remove dBCSPwd | ||
---|---|---|---|
Product: | UCS | Reporter: | Stefan Gohmann <gohmann> |
Component: | S4 Connector | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
Severity: | normal | ||
Priority: | P5 | CC: | best, markus.daehlmann, requate, scheinig, troeder |
Version: | UCS 4.4 | ||
Target Milestone: | UCS 4.4-1-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=48142 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 4: A User would return the product |
User Pain: | 0.114 | Enterprise Customer affected?: | |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Yes | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | 2019071921000299 | Bug group (optional): | |
Max CVSS v3 score: | |||
Attachments: | bug49905-dBCSPwd.patch |
Description
Stefan Gohmann
2019-07-23 07:00:56 CEST
Created attachment 10130
bug49905-dBCSPwd.patch

Patch is available in stefan/bug49905-dBCSPwd
Github link: https://github.com/univention/univention-corporate-server/commit/618d7b2a2e675282c36c585ec284e36addf3fc3a
Branch tests: http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-1/view/Branch%20Tests/job/branch%20test%20samba%20s4-connector/2/

Steps to reproduce:

$ ucr set password/samba/lmhash=yes
$ udm users/user create --set username=test --set lastname=Test --set password=univention
Object created: uid=test,dc=deadlock44,dc=intranet

### Scenario 1
$ udm users/user modify --dn "uid=test,dc=deadlock44,dc=intranet" --set password=q1w2e3r4

### Scenario 2
$ cat remove-lmhash.ldif
dn: uid=test,dc=deadlock44,dc=intranet
changetype: modify
delete: sambaLMPassword

$ ldapmodify -x -D cn=admin,$ldap_base -y /etc/ldap.secret -f remove-lmhash.ldif

Install patch on local system:

wget https://forge.univention.org/bugzilla/attachment.cgi?id=10130 -O /tmp/bug49905-dBCSPwd.patch
patch -p7 -d /usr/lib/python2.7/dist-packages/univention/s4connector/s4/ </tmp/bug49905-dBCSPwd.patch

The impact is that the user passwords for these users are no longer synchronized, which is in most scenarios critical.

The attached patch works for the customer.

0c7b41c6cc | commit cherrypicked from branch stefan/bug49905-dBCSPwd
be2963b32e | Advisory
a68fe1c38f | ucs-test case 52_s4connector/162sync_lm_hash

I checked again in the customer environment, and I think that case 2 of the original bug report has a different cause. I can remove that exact dBCSPwd attribute in Samba, on that exact server, on that exact user that had the traceback in the connector-s4.log.

Looking at the exact error message again:

NO_SUCH_ATTRIBUTE: {'info': "attribute 'dBCSPwd': no matching attribute value while deleting attribute on 'CN=FOO,CN=Users,DC=BASE'", 'desc': 'No such attribute'}

Suggests to me that

master# udm users/user create --set username=user1 --set lastname=l1 \
    --set password=univention
master# sleep 10
master# ldbmodify -H /var/lib/samba/private/sam.ldb \
    --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 <<%EOF
dn: CN=user1,CN=Users,DC=domain,DC=net
changetype: modify
add: dBCSPwd
dBCSPwd: pOBxg6wjlKaUTi30iaiA5A==
%EOF

And now:

master# ldbmodify -H /var/lib/samba/private/sam.ldb \
    --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 <<%EOF
dn: CN=user1,CN=Users,DC=domain,DC=net
changetype: modify
delete: dBCSPwd
dBCSPwd: wrong
%EOF
ERR: (No such attribute) "attribute 'dBCSPwd': no matching attribute value while deleting attribute on 'CN=user1,CN=Users,DC=domain,DC=net'" on DN CN=user1,CN=Users,DC=domain,DC=net at block before line 4
Modify failed after processing 0 records

That's pretty much the same error message as in the connector-s4.log. And in fact, I can

master# ldbmodify -H /var/lib/samba/private/sam.ldb \
    --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 <<%EOF
dn: CN=user1,CN=Users,DC=domain,DC=net
changetype: modify
delete: dBCSPwd
## dBCSPwd: don't do it wrong
%EOF
Modified 1 records successfully

e5a6763814 | Fix dBCSPwd removal
7dc0200498 | Advisory update

OK: code change
OK: test succeeds
OK: advisory
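
The difference between the two ldbmodify deletes shown above, as an added Python example (not code from the S4 connector or from the attached patch): a small in-memory model of LDAP modify-delete semantics, where a delete that names a value fails unless that value is stored and a value-less delete removes the attribute regardless. The function names, the dict-based entry and the sample hash bytes are constructed for illustration; the operation code and the `(op, attr, values)` tuple shape follow python-ldap's modlist convention.

```python
# Added illustration; not code from the S4 connector.
# Same value as python-ldap's ldap.MOD_DELETE.
MOD_DELETE = 1

class NoSuchAttribute(Exception):
    """Stands in for ldap.NO_SUCH_ATTRIBUTE (LDAP result code 16)."""

def apply_deletes(entry, modlist):
    """Apply MOD_DELETE operations to a dict entry; atomic like an LDAP modify."""
    work = {attr: list(vals) for attr, vals in entry.items()}
    for op, attr, vals in modlist:
        if op != MOD_DELETE:
            raise ValueError("only MOD_DELETE is modelled here")
        if not vals:
            # Value-less delete: removes the attribute whatever it holds.
            if attr not in work:
                raise NoSuchAttribute(attr)
            del work[attr]
        else:
            # Delete with values: every listed value must be present.
            for v in vals:
                if v not in work.get(attr, []):
                    raise NoSuchAttribute(attr + ": no matching attribute value")
                work[attr].remove(v)
            if not work[attr]:
                del work[attr]
    # Commit only after every operation succeeded.
    entry.clear()
    entry.update(work)

def lm_hash_removal_modlist(s4_entry):
    """Modlist that clears dBCSPwd without asserting its current value."""
    if "dBCSPwd" not in s4_entry:
        return []  # nothing to remove, so send no delete at all
    return [(MOD_DELETE, "dBCSPwd", None)]

def demo():
    """Constructed entry whose stored hash differs from the value the caller names."""
    entry = {"dBCSPwd": [b"\x22" * 16]}
    try:
        apply_deletes(entry, [(MOD_DELETE, "dBCSPwd", [b"\x11" * 16])])
        failed = False
    except NoSuchAttribute:
        failed = True
    apply_deletes(entry, lm_hash_removal_modlist(entry))
    return failed, entry
```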