Univention Bugzilla – Bug 40745
replace windows password service with python samba drsuapi.DsGetNCChangesRequest8/samr.SetUserInfo
Last modified: 2016-09-21 20:34:09 CEST
Here are two python scripts for setting/getting the nt hash on/from a windows ad server. Maybe as replacement for our password service:

NT get: uses drsuapi.DsGetNCChangesRequest8() - https://msdn.microsoft.com/en-us/library/dd207691.aspx
NT set: samr.SetUserInfo - https://msdn.microsoft.com/en-us/library/cc245793.aspx
Created attachment 7493 [details] get-ad-nthash.py
Created attachment 7494 [details] set-ad-password.py
Better use NT4 Account name without domain part when looking for user dn:

from samba.dcerpc import drsuapi  # provides the DsName* request types used below

# drs and drsuapi_handle come from the script's existing DRSUAPI connection;
# user is the sAMAccountName without the domain part
req = drsuapi.DsNameRequest1()
names = drsuapi.DsNameString()
names.str = user
req.format_offered = drsuapi.DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT_NAME_SANS_DOMAIN
req.format_desired = drsuapi.DRSUAPI_DS_NAME_FORMAT_FQDN_1779
req.count = 1
req.names = [names]
i, o = drs.DsCrackNames(drsuapi_handle, 1, req)
user_dn = o.array[0].result_name
A test case has been added: 55_adconnector/050sync_password_sync (r68120).
I've integrated the patches from Felix into the AD Connector and the synchronization works as expected: r68121

I've also removed the old Windows daemon and adjusted the UMC module: r68122 + r68124 + r68126 + r68127

The following steps need to be done:
- YAML file
- Tests with the wizard in AD member and ad connector setups
- Jenkins tests
- Tests with thousands of users

The documentation can be adjusted after the release.
(In reply to Stefan Gohmann from comment #5)
> I've integrated the patches from Felix into the AD Connector and the
> synchronization works as expected: r68121
>
> I've also removed the old Windows daemon and adjusted the UMC module: r68122
> + r68124 + r68126 + r68127

+ r68159

> The following steps need to be done:
> - YAML file

univention-ad-connector.yaml (r68157 + r68158 + r68160)

> - Tests with the wizard in AD member and ad connector setups

Done

> - Jenkins tests

http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-1/job/ADConnectorMultiEnv/13/

> - Tests with thousands of users

My tests were successful.

> The documentation can be adjusted after the release.

→ Bug #40911
This happened in my test environment:

08.03.2016 21:57:34,680 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=genuser-001198,cn=users,dc=deadlock12,dc=intranet
08.03.2016 21:57:34,682 LDAP (WARNING): __set_values: The attributes for lastname have not been removed as it represents a mandatory attribute
08.03.2016 21:57:35,123 LDAP (ERROR ): Unknown Exception during sync_to_ucs
08.03.2016 21:57:35,123 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1281, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1135, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 351, in create
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 725, in _create
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 2061, in _ldap_modlist
  File "/usr/lib/pymodules/python2.7/univention/admin/password.py", line 52, in crypt
IOError: [Errno 24] Too many open files: '/dev/urandom'
(In reply to Stefan Gohmann from comment #7)
> IOError: [Errno 24] Too many open files: '/dev/urandom'

Should be fixed with r68202:

* Create only one drs and samr connection per connector instance instead of creating a connection for every password sync (Bug #40745)
I always get "Failed to get Password-Hash from AD" after creating a user in UCS (syncmode write), the password is correct though:

(PROCESS): sync from ucs: [ user] [ add] cn=test6,DC=w2k12r2,DC=test
(ERROR ): password_sync_ucs: Failed to get Password-Hash from AD
(ERROR ): password_sync_ucs: Hash AD and Hash UCS differ
(ERROR ): res None, CAA1239D44DA7EDF926BCE39F5C65D0F
(ERROR ): pwd_set True
(ERROR ): pwd_ad None
(ERROR ): password_sync_ucs: Failed to sync Password from AD
(PROCESS): sync from ucs: [ group] [ modify] cn=domänen-benutzer,cn=users,DC=w2k12r2,DC=test
(PROCESS): sync from ucs: [ user] [ modify] cn=test6,DC=w2k12r2,DC=test

-> smbclient //10.200.7.140/sysvol -U test6%univention -c exit
Domain=[W2K12R2] OS=[Windows Server 2012 R2 Standard 9600] Server=[Windows Server 2012 R2 Standard 6.3]

Problem seems to be

if not pwd_set or pwd_ad:

in password_sync_ucs()

If a user is created in AD (via the connector) get_password_from_ad() returns None, this is stored in pwd_ad

pwd_ad = get_password_from_ad(

If the UCS password and the AD password don't match, we set the password

if not pwd == pwd_ad:
    pwd_set = True
    res = set_password_in_ad(connector, object['...

Now pwd_set is True and pwd_ad is None and

if not pwd_set or pwd_ad:
    ...
else:
    ud.debug(ud.LDAP, ud.ERROR, "password_sync_ucs: Failed to sync Password from AD ")

Maybe it is just a wrong log message, but please check if this "if not pwd_set or pwd_ad:" block is necessary when creating users in UCS.
(In reply to Felix Botner from comment #9)
> Maybe it is just a wrong log message, but please check if this "if not
> pwd_set or pwd_ad:" block is necessary when creating users in UCS.

The connector is currently unable to decide whether the user was just created. For me the block looks right and I've removed the message: r69007

* In case the user was just created in AD, the connector can't read a password hash for the new user in AD. An irritating debug message has been removed for this case (Bug #40745)
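Added illustration of the password_sync_ucs() decision path discussed in comments 9 and 10 (not the AD Connector's own code): a dict stands in for the AD side, get_password_from_ad()/set_password_in_ad() are hypothetical stand-ins for the connector's drsuapi/samr calls, and the hash values are constructed placeholders.

```python
"""Model of the UCS->AD password sync decision path from this bug.

Constructed illustration; the real connector reads the hash via drsuapi
and writes it via samr.SetUserInfo. Here a plain dict is the "AD".
"""


def get_password_from_ad(ad, user):
    # For a user the connector has just created, the hash cannot be read
    # yet: modelled as a None entry, matching "pwd_ad None" in the log.
    return ad.get(user)


def set_password_in_ad(ad, user, nthash):
    # Stand-in for the samr.SetUserInfo write; just stores the hash.
    ad[user] = nthash
    return True


def password_sync_ucs(ad, user, pwd_ucs, suppress_new_user_message=True):
    """Return (pwd_set, pwd_ad, messages) for one UCS->AD sync of `user`."""
    messages = []
    pwd_set = False
    pwd_ad = get_password_from_ad(ad, user)
    if pwd_ad is None:
        messages.append("Failed to get Password-Hash from AD")
    if pwd_ucs != pwd_ad:
        # Hash mismatch (or no readable AD hash): push the UCS hash to AD.
        pwd_set = True
        set_password_in_ad(ad, user, pwd_ucs)
    if not pwd_set or pwd_ad:
        # Nothing had to change, or AD had a readable hash that was replaced.
        pass
    elif not suppress_new_user_message:
        # pwd_set True and pwd_ad None: exactly the freshly created AD user.
        # Before r69007 this branch logged an error although the password
        # had just been set; since the connector cannot tell "just created"
        # from a genuine read failure, the message was dropped instead.
        messages.append("Failed to sync Password from AD")
    return pwd_set, pwd_ad, messages
```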
Ok, works, advisory ok.
<http://errata.software-univention.de/ucs/4.1/173.html>
*** Bug 40756 has been marked as a duplicate of this bug. ***
*** Bug 40732 has been marked as a duplicate of this bug. ***