Univention Bugzilla – Bug 35540
password sync fails after takeover with ad/member=true for user account
Last modified: 2018-12-05 14:38:57 CET
01.08.2014 13:09:20,231 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1406890882.671217
01.08.2014 13:09:20,245 LDAP (PROCESS): sync from ucs: [ user] [ add] CN=Gast,cn=users,dc=w2k12,dc=test
01.08.2014 13:09:20,269 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1406890882.671217
01.08.2014 13:09:20,271 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 780, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/__init__.py", line 2492, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/password.py", line 580, in password_sync_ucs_to_s4
    unicodePwd_new = binascii.a2b_hex(ucsNThash)
TypeError: Non-hexadecimal digit found

uid=Gast,cn=users,dc=w2k12,dc=test
sambaNTPassword: NO PASSWORD*********************

The connector should skip hash synchronisation if "NO PASSWORD*..." is set.
Issue mentioned in http://forum.univention.de/viewtopic.php?f=56&t=6035
That happens also during the UCS 4.2 product tests. I've installed a Windows 2012 AD server and joined a UCS as AD member. Afterwards, I've started a takeover. Unfortunately, I get this error for every user:

25.03.2017 16:20:18,698 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=stefan gohmann,cn=users,DC=autotest228,DC=local
25.03.2017 16:20:18,722 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1490472170.502376
25.03.2017 16:20:18,722 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 843, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2716, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 582, in password_sync_ucs_to_s4
    unicodePwd_new = binascii.a2b_hex(ucsNThash)
TypeError: Non-hexadecimal digit found

root@admember228:~# univention-ldapsearch uid=stefan sambaNTPassword sambaLMPassword userPassword krb5Key -LLL
dn: uid=stefan,cn=users,dc=autotest228,dc=local
krb5Key:: MB2hGzAZoAMCARehEgQQT7+7FcbWxGZXPSF4xi6Z6g==
krb5Key:: MFGhKzApoAMCARKhIgQgoXcxhHLA1xFoXKg7eJN454nj3m/3oTcmLYzyf9Xw4eaiIjAgoAMCAQOhGQQXQVVUT1RFU1QyMjguTE9DQUxzdGVmYW4=
krb5Key:: MEGhGzAZoAMCARGhEgQQ1zuQSbYx6s5bzZrIA0JooqIiMCCgAwIBA6EZBBdBVVRPVEVTVDIyOC5MT0NBTHN0ZWZhbg==
krb5Key:: MDmhEzARoAMCAQOhCgQIkQEWSvtD7DuiIjAgoAMCAQOhGQQXQVVUT1RFU1QyMjguTE9DQUxzdGVmYW4=
userPassword:: e0tJTklUfQ==
sambaNTPassword: NO PASSWORD*********************
(In reply to Stefan Gohmann from comment #2)
> That happens also during the UCS 4.2 product tests. I've installed a Windows
> 2012 AD server and joined a UCS as AD member.

Before I was able to start the takeover, I had to downgrade the Windows forest and domain level: http://sdb.univention.de/1307
Created attachment 9758
sync_from_ucs_skip_NO_PASSWORD_sambaNTPassword.patch

I was able to reproduce this (after first adjusting the Windows Server 2012 domain controller GPO to not store NTLM hashes). The attached patch would be the trivial fix. But after I applied that in my test environment I directly ran into the next traceback:

=============================================================================
27.11.2018 15:46:35,708 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=aruser2 arname2,cn=users,DC=w2k12r2d2,DC=ar
27.11.2018 15:46:35,725 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1543326624.643418
27.11.2018 15:46:35,725 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 909, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2750, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 658, in password_sync_ucs_to_s4
    s4connector.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), modlist, serverctrls=[ctrl_bypass_password_hash])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: PrimaryKerberos num_keys != 2 at ../source4/dsdb/samdb/ldb_modules/password_hash.c:413', 'desc': 'Constraint violation'}
=============================================================================

I guess that's because the supplementalCredentials attribute of the AD accounts doesn't have the des-cbc-crc keys any longer. So we need to adjust more of password.py. The last two commits of https://git.knut.univention.de/univention/ucs/tree/arequate/get-rid-of-DES-in-ucs may lead in the right direction, but I guess we can improve that (those patches would fill a dummy key type into supplementalCredentials, even in this case, where they don't need to be changed at all during the back sync_from_ucs).

Please also note that the value "NO PASSWORD****"... in the sambaNTPassword would stay there "forever". Maybe we could even remove it (it's just MAY in the OpenLDAP schema).
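The two tracebacks in this report come down to two checks the connector did not make before pushing password material UCS -> S4. The following is an added example (not the S4-Connector's code and not the attached patch) of what those checks look like in Python 3: the NT hash is only hex-decoded when sambaNTPassword is exactly 32 hex digits and not the "NO PASSWORD" placeholder, and the krb5Key values are decoded far enough to see which enctypes the account actually carries before anything is done to supplementalCredentials. The krb5Key decoder follows Heimdal's hdb Key ASN.1 layout; that the "PrimaryKerberos num_keys != 2" constraint refers to the des-cbc-crc (1) and des-cbc-md5 (3) pair is an assumption of the example, as is the precheck_for_sync name and its dict result. The sample entry is constructed from the ldapsearch output in comment 2, with its LDIF line folding joined.

```python
import base64
import binascii
import re

# Placeholder UCS writes into sambaNTPassword when it holds no hash (as in
# the ldapsearch output above); only the prefix is matched.
NO_PASSWORD_PREFIX = "NO PASSWORD"

# Single-DES Kerberos enctype numbers (RFC 3961). Assumption for this
# example: the "PrimaryKerberos num_keys != 2" constraint means this pair.
DES_CBC_CRC = 1
DES_CBC_MD5 = 3


def nt_hash_for_sync(samba_nt_password):
    """Return the 16-byte NT hash to push as unicodePwd, or None when
    sambaNTPassword carries nothing usable: the "NO PASSWORD***" placeholder,
    an empty value, or anything that is not exactly 32 hex digits (which is
    what made binascii.a2b_hex raise in the tracebacks above)."""
    if isinstance(samba_nt_password, bytes):
        samba_nt_password = samba_nt_password.decode("ascii", "replace")
    value = (samba_nt_password or "").strip()
    if not value or value.upper().startswith(NO_PASSWORD_PREFIX):
        return None
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", value):
        return None
    return binascii.a2b_hex(value)


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next).
    Covers the single-byte tags and definite lengths Heimdal's hdb Key uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    children, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _der_tlv(value, pos)
        children.append((tag, inner))
    return children


def krb5key_enctype(krb5key_b64):
    """Return the enctype of one base64 krb5Key value. Layout (Heimdal hdb):
    Key ::= SEQUENCE { [0] mkvno OPTIONAL, [1] EncryptionKey, [2] Salt OPTIONAL }
    EncryptionKey ::= SEQUENCE { [0] INTEGER keytype, [1] OCTET STRING keyvalue }"""
    tag, body, _ = _der_tlv(base64.b64decode(krb5key_b64), 0)
    if tag != 0x30:
        raise ValueError("krb5Key is not a SEQUENCE")
    for ctx_tag, ctx_val in _der_children(body):
        if ctx_tag == 0xA1:                      # [1] EncryptionKey
            _, enckey, _ = _der_tlv(ctx_val, 0)  # its inner SEQUENCE
            for t, v in _der_children(enckey):
                if t == 0xA0:                    # [0] keytype
                    _, keytype, _ = _der_tlv(v, 0)
                    return int.from_bytes(keytype, "big", signed=True)
    raise ValueError("krb5Key has no keytype")


def precheck_for_sync(entry):
    """Decide which password material of a UCS LDAP entry (attribute -> list
    of values) may be pushed to Samba/AD. nt_hash is None when sambaNTPassword
    must be skipped; legacy_des_pair_complete says whether both single-DES
    enctypes are present in krb5Key (hypothetical helper, see lead-in)."""
    nt_hash = nt_hash_for_sync((entry.get("sambaNTPassword") or [""])[0])
    enctypes = sorted({krb5key_enctype(v) for v in entry.get("krb5Key", [])})
    legacy = sorted(set(enctypes) & {DES_CBC_CRC, DES_CBC_MD5})
    return {
        "nt_hash": nt_hash,
        "enctypes": enctypes,
        "legacy_des_keys": legacy,
        "legacy_des_pair_complete": len(legacy) == 2,
    }


# Constructed sample: the values from the ldapsearch output in comment 2,
# with the LDIF line folding joined.
STEFAN_ENTRY = {
    "sambaNTPassword": ["NO PASSWORD*********************"],
    "krb5Key": [
        "MB2hGzAZoAMCARehEgQQT7+7FcbWxGZXPSF4xi6Z6g==",
        "MFGhKzApoAMCARKhIgQgoXcxhHLA1xFoXKg7eJN454nj3m/3oTcmLYzyf9Xw4eaiIjAg"
        "oAMCAQOhGQQXQVVUT1RFU1QyMjguTE9DQUxzdGVmYW4=",
        "MEGhGzAZoAMCARGhEgQQ1zuQSbYx6s5bzZrIA0JooqIiMCCgAwIBA6EZBBdBVVRPVEVT"
        "VDIyOC5MT0NBTHN0ZWZhbg==",
        "MDmhEzARoAMCAQOhCgQIkQEWSvtD7DuiIjAgoAMCAQOhGQQXQVVUT1RFU1QyMjguTE9D"
        "QUxzdGVmYW4=",
    ],
}

if __name__ == "__main__":
    print(precheck_for_sync(STEFAN_ENTRY))
```

Run against the entry from comment 2 the result is no NT hash to sync and enctypes 3, 17, 18 and 23 (rc4-hmac, aes128, aes256 and des-cbc-md5 only), i.e. only one of the two single-DES keys, which is consistent with the num_keys explanation above. The rc4-hmac krb5Key (enctype 23) is itself the NT hash, so a connector that wanted to could derive unicodePwd from there instead of from the placeholder.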
I've improved the patch to not run into the supplementalCredentials traceback:

commit 182f1091a0 | When performing an AD-Takeover out of an ad/member setup, the sambaNTPassword in UCS OpenLDAP doesn't contain a password hash, causing S4-Connector rejects.
commit 248302e130 | Version bump
commit 32365cc220 | Advisory

Actually, I'm not sure why we don't make the S4-Connector sync from S4->UCS initially during an AD-Takeover. I guess that would be the better solution?

Closing for QA feedback.
OK - no rejects after admember -> adtakeover
OK - yaml
<http://errata.software-univention.de/ucs/4.3/353.html>