Univention Bugzilla – Bug 41220
replace windows password service with python samba drsuapi.DsGetNCChangesRequest8/samr.SetUserInfo
Last modified: 2016-09-21 20:34:16 CEST
This should be backported to UCS 3.2.

+++ This bug was initially created as a clone of Bug #40745 +++

Here are two Python scripts for setting/getting the NT hash on/from a Windows AD server. Maybe as a replacement for our password service:

NT get: uses drsuapi.DsGetNCChangesRequest8() - https://msdn.microsoft.com/en-us/library/dd207691.aspx
NT set: samr.SetUserInfo - https://msdn.microsoft.com/en-us/library/cc245793.aspx

I've backported the patch: r69288
YAML: r69289
Test Case: r69296
I think we should adjust the code to address Bug 41247
(In reply to Arvid Requate from comment #2)
> I think we should adjust the code to address Bug 41247

Done: r70478
YAML: r70479

Code Merge: Complete
Functional Test: Ok
Advisory: Ok
I also tested with AD-Connection-Mode (aka Member-Mode): Ok.

Due to the default of connector/ad/mapping/user/password/kinit=true the new DRS code isn't used until the steps described in http://sdb.univention.de/1332 are performed, so there are no immediate rejects due to the connector/ad/ldap/binddn being set by default to the unprivileged machine account.

Just to document the type of log messages I get when following SDB 1332 but still using the machine account (or some other underprivileged account):

==============================================================================
19.07.2016 22:52:34,292 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=wuser1,cn=users,dc=w2k8r2d2,dc=ar
19.07.2016 22:52:34,299 LDAP (ERROR ): failed in post_con_modify_functions
19.07.2016 22:52:34,299 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/connector/__init__.py", line 1281, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/password.py", line 383, in password_sync
    res = get_password_from_ad(connector, univention.connector.ad.compatible_modstring(object['dn']))
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/password.py", line 183, in get_password_from_ad
    (level, ctr) = connector.drs.DsGetNCChanges(connector.drsuapi_handle, 8, req8)
RuntimeError: (8439, 'WERR_DS_DRA_BAD_DN')
==============================================================================

So there would be rejects in that case which will go away when configuring a privileged account instead.
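A log check for the reject shown in the comment above, as an added example that is not part of the bug report or of Univention's code: it scans connector log text for a DsGetNCChanges failure and reports the object whose password sync was rejected. The function name find_drs_rejects and the regular expressions are assumptions derived only from the log excerpt quoted in that comment.

```python
import re

# Log excerpt copied from the comment above (not constructed).
SAMPLE_LOG = """\
19.07.2016 22:52:34,292 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=wuser1,cn=users,dc=w2k8r2d2,dc=ar
19.07.2016 22:52:34,299 LDAP (ERROR ): failed in post_con_modify_functions
19.07.2016 22:52:34,299 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/connector/__init__.py", line 1281, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/password.py", line 383, in password_sync
    res = get_password_from_ad(connector, univention.connector.ad.compatible_modstring(object['dn']))
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/password.py", line 183, in get_password_from_ad
    (level, ctr) = connector.drs.DsGetNCChanges(connector.drsuapi_handle, 8, req8)
RuntimeError: (8439, 'WERR_DS_DRA_BAD_DN')
"""

# Timestamped connector log entry: date, time, facility, (LEVEL), message.
ENTRY = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d{3})\s+LDAP\s+\((\w+)\s*\):\s*(.*)$")
# "sync to ucs: [type] [operation] <DN>" announces the object being processed.
SYNC = re.compile(r"sync to ucs:\s*\[\s*(\w+)\s*\]\s*\[\s*(\w+)\s*\]\s*(\S.*)$")
# Final traceback line carrying the Windows error code and name.
WERR = re.compile(r"RuntimeError: \((\d+), '(WERR_\w+)'\)")


def find_drs_rejects(log_text):
    """Return one dict per object whose sync failed inside DsGetNCChanges."""
    rejects, current, drs_seen = [], None, False
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            ts, level, msg = entry.groups()
            sync = SYNC.search(msg)
            if level == "PROCESS" and sync:
                # New object: remember it and reset the traceback state.
                current = {"time": ts, "type": sync.group(1),
                           "op": sync.group(2), "dn": sync.group(3).strip()}
                drs_seen = False
            continue
        # Untimestamped lines are traceback continuation lines.
        if "DsGetNCChanges(" in line:
            drs_seen = True
        werr = WERR.search(line)
        if werr and drs_seen and current:
            rejects.append(dict(current, code=int(werr.group(1)), error=werr.group(2)))
            drs_seen = False
    return rejects


if __name__ == "__main__":
    for r in find_drs_rejects(SAMPLE_LOG):
        print("%(time)s %(dn)s: DsGetNCChanges failed with %(error)s (%(code)d)" % r)
```
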
<http://errata.software-univention.de/ucs/3.2/443.html>