Bug 35540 - password sync fails after takeover with ad/member=true for user account
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Arvid Requate
Felix Botner
Depends on:
Blocks: 48231
Reported: 2014-08-01 12:08 CEST by Felix Botner
Modified: 2018-12-05 14:38 CET (History)

What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?: Yes
Ticket number: 2018062521000307
Attachments
sync_from_ucs_skip_NO_PASSWORD_sambaNTPassword.patch (1.05 KB, patch)
2018-11-27 17:20 CET, Arvid Requate

Description Felix Botner univentionstaff 2014-08-01 12:08:46 CEST
01.08.2014 13:09:20,231 LDAP        (PROCESS): sync from ucs:   Resync rejected file: /var/lib/univention-connector/s4/1406890882.671217
01.08.2014 13:09:20,245 LDAP        (PROCESS): sync from ucs: [          user] [       add] CN=Gast,cn=users,dc=w2k12,dc=test
01.08.2014 13:09:20,269 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1406890882.671217
01.08.2014 13:09:20,271 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 780, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/__init__.py", line 2492, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/password.py", line 580, in password_sync_ucs_to_s4
    unicodePwd_new = binascii.a2b_hex(ucsNThash)
TypeError: Non-hexadecimal digit found

uid=Gast,cn=users,dc=w2k12,dc=test
sambaNTPassword: NO PASSWORD*********************


The connector should skip hash synchronisation if "NO PASSWORD*..." is set.
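The failing step is `binascii.a2b_hex(ucsNThash)` in `password_sync_ucs_to_s4`: Samba stores the literal placeholder `NO PASSWORD*...` in `sambaNTPassword` when no NT hash exists, and that is not hex, so the conversion throws and the whole object is rejected. The following is an added example, not code from the bug report or from the Univention S4 Connector, showing the check the report asks for: validate that the value is a real 32-hex-digit NT hash before converting it, and skip the hash sync otherwise. It is written for Python 3 (the tracebacks above are Python 2.6/2.7, where the same failure surfaces as `TypeError`; Python 3 raises `binascii.Error`, a `ValueError` subclass). The placeholder literal is copied from the report, the helper names (`nt_hash_to_unicodepwd`, `build_password_modlist`, `sync_passwords`) are hypothetical, and the sample entries are constructed.

```python
"""Added example (not part of the bug report or the S4 Connector source):
validate a UCS sambaNTPassword value before converting it for AD unicodePwd."""
import binascii
import re

# Samba writes this placeholder when an account has no NT hash stored.
# The literal is copied from the bug report; the check below only relies on the prefix.
NO_PASSWORD_PLACEHOLDER = "NO PASSWORD*********************"
NO_PASSWORD_PREFIX = "NO PASSWORD"

# A real NT hash is MD4 over the UTF-16LE password: 16 bytes, i.e. 32 hex digits.
NT_HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def naive_nt_hash_to_unicodepwd(ucs_nt_hash):
    """What the connector effectively did before the fix: convert unconditionally.

    Python 2 raised TypeError ("Non-hexadecimal digit found") on the placeholder;
    Python 3 raises binascii.Error (a ValueError subclass) for the same input.
    """
    return binascii.a2b_hex(ucs_nt_hash)


def nt_hash_to_unicodepwd(ucs_nt_hash):
    """Return the 16 raw bytes for AD unicodePwd, or None when there is no usable hash.

    None means "skip the hash sync for this account", which is what the report
    asks the connector to do for "NO PASSWORD*..." values.
    """
    if ucs_nt_hash is None:
        return None
    if isinstance(ucs_nt_hash, bytes):
        ucs_nt_hash = ucs_nt_hash.decode("ascii", "replace")
    value = ucs_nt_hash.strip()
    if value.upper().startswith(NO_PASSWORD_PREFIX):
        return None
    if not NT_HASH_RE.match(value):
        # Anything that is not exactly 32 hex digits is not an NT hash either;
        # skipping is safer than letting a2b_hex fail and reject the whole object.
        return None
    return binascii.a2b_hex(value)


def build_password_modlist(ucs_entry):
    """Return a python-ldap style modlist for unicodePwd, or None to skip.

    Hypothetical helper: the real password_sync_ucs_to_s4 builds a longer modlist
    (supplementalCredentials and friends); only the unicodePwd part is shown here.
    MOD_REPLACE is python-ldap's constant 2, inlined so the example has no ldap dependency.
    """
    MOD_REPLACE = 2
    unicode_pwd = nt_hash_to_unicodepwd(ucs_entry.get("sambaNTPassword"))
    if unicode_pwd is None:
        return None
    return [(MOD_REPLACE, "unicodePwd", [unicode_pwd])]


# Constructed sample of what univention-ldapsearch might return for four users.
# 31D6CFE0D16AE931B73C59D7E0C089C0 is the well-known NT hash of the empty password.
SAMPLE_ENTRIES = [
    {"dn": "uid=Gast,cn=users,dc=w2k12,dc=test",
     "sambaNTPassword": NO_PASSWORD_PLACEHOLDER},
    {"dn": "uid=alice,cn=users,dc=w2k12,dc=test",
     "sambaNTPassword": "31D6CFE0D16AE931B73C59D7E0C089C0"},
    {"dn": "uid=bob,cn=users,dc=w2k12,dc=test",
     "sambaNTPassword": "not-a-hash"},
    # Attribute absent entirely: sambaNTPassword is MAY in the OpenLDAP schema.
    {"dn": "uid=carol,cn=users,dc=w2k12,dc=test"},
]


def sync_passwords(entries):
    """Classify entries into those that get a unicodePwd modify and those skipped."""
    synced, skipped = [], []
    for entry in entries:
        if build_password_modlist(entry) is None:
            skipped.append(entry["dn"])
        else:
            synced.append(entry["dn"])
    return {"synced": synced, "skipped": skipped}


if __name__ == "__main__":
    result = sync_passwords(SAMPLE_ENTRIES)
    print("synced: ", result["synced"])
    print("skipped:", result["skipped"])
```

Skipping rather than failing matters operationally: a rejected object stays in `/var/lib/univention-connector/s4/` and is retried forever, so a single placeholder hash blocks the sync of that user's other attributes, while skipping only the password step lets the rest of the object through.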
Comment 1 Dirk Ahrnke 2016-09-08 15:35:15 CEST
issue mentioned in http://forum.univention.de/viewtopic.php?f=56&t=6035
Comment 2 Stefan Gohmann univentionstaff 2017-03-25 21:24:18 CET
That also happens during the UCS 4.2 product tests. I've installed a Windows 2012 AD server and joined a UCS as AD member.

Afterwards, I've started a takeover. Unfortunately, I get this error for every user:

25.03.2017 16:20:18,698 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=stefan gohmann,cn=users,DC=autotest228,DC=local
25.03.2017 16:20:18,722 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1490472170.502376
25.03.2017 16:20:18,722 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 843, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2716, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 582, in password_sync_ucs_to_s4
    unicodePwd_new = binascii.a2b_hex(ucsNThash)
TypeError: Non-hexadecimal digit found

root@admember228:~# univention-ldapsearch uid=stefan sambaNTPassword sambaLMPassword userPassword krb5Key -LLL
dn: uid=stefan,cn=users,dc=autotest228,dc=local
krb5Key:: MB2hGzAZoAMCARehEgQQT7+7FcbWxGZXPSF4xi6Z6g==
krb5Key:: MFGhKzApoAMCARKhIgQgoXcxhHLA1xFoXKg7eJN454nj3m/3oTcmLYzyf9Xw4eaiIjAg
 oAMCAQOhGQQXQVVUT1RFU1QyMjguTE9DQUxzdGVmYW4=
krb5Key:: MEGhGzAZoAMCARGhEgQQ1zuQSbYx6s5bzZrIA0JooqIiMCCgAwIBA6EZBBdBVVRPVEVT
 VDIyOC5MT0NBTHN0ZWZhbg==
krb5Key:: MDmhEzARoAMCAQOhCgQIkQEWSvtD7DuiIjAgoAMCAQOhGQQXQVVUT1RFU1QyMjguTE9D
 QUxzdGVmYW4=
userPassword:: e0tJTklUfQ==
sambaNTPassword: NO PASSWORD*********************
Comment 3 Stefan Gohmann univentionstaff 2017-03-25 21:27:27 CET
(In reply to Stefan Gohmann from comment #2)
> That happens also during the UCS 4.2 product tests. I've installed a Windows
> 2012 AD server and joined a UCS as AD member.

Before I was able to start the takeover, I had to downgrade the Windows forest and domain level: http://sdb.univention.de/1307
Comment 4 Arvid Requate univentionstaff 2018-11-27 17:20:40 CET
Created attachment 9758 [details]
sync_from_ucs_skip_NO_PASSWORD_sambaNTPassword.patch

I was able to reproduce this (after first adjusting the Windows Server 2012 domain controller GPO to not store NTLM hashes).

The attached patch would be the trivial fix. But after I applied it in my test environment I immediately ran into the next traceback:

=============================================================================
27.11.2018 15:46:35,708 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=aruser2 arname2,cn=users,DC=w2k12r2d2,DC=ar
27.11.2018 15:46:35,725 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1543326624.643418
27.11.2018 15:46:35,725 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 909, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2750, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 658, in password_sync_ucs_to_s4
    s4connector.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), modlist, serverctrls=[ctrl_bypass_password_hash])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 374, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 514, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 521, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONSTRAINT_VIOLATION: {'info': '0000202F: PrimaryKerberos num_keys != 2 at ../source4/dsdb/samdb/ldb_modules/password_hash.c:413', 'desc': 'Constraint violation'}
=============================================================================

I guess that's because the supplementalCredentials attribute of the AD accounts no longer contains the des-cbc-crc keys. So we need to adjust more of password.py. The last two commits of

 https://git.knut.univention.de/univention/ucs/tree/arequate/get-rid-of-DES-in-ucs

may lead in the right direction, but I guess we can improve on that (those patches would fill a dummy key type into supplementalCredentials, even in this case, where it doesn't need to be changed at all during the back sync_from_ucs).

Please also note that the value "NO PASSWORD****..." in sambaNTPassword would stay there "forever". Maybe we could even remove it (it's only MAY in the OpenLDAP schema).
Comment 5 Arvid Requate univentionstaff 2018-11-27 20:36:45 CET
I've improved the patch to not run into the supplementalCredentials traceback:

commit 182f1091a0 | When performing an AD-Takeover out of an ad/member setup,
                    the sambaNTPassword in UCS OpenLDAP doesn't contain
                    a password hash, causing S4-Connector rejects.
commit 248302e130 | Version bump
commit 32365cc220 | Advisory


Actually, I'm not sure why we don't make the S4-Connector sync from S4->UCS initially during an AD-Takeover. I guess that would be the better solution?
Closing for QA feedback.
Comment 6 Felix Botner univentionstaff 2018-11-28 16:14:06 CET
OK - no rejects after admember -> adtakeover
OK - yaml
Comment 7 Arvid Requate univentionstaff 2018-12-05 14:38:57 CET
<http://errata.software-univention.de/ucs/4.3/353.html>