Univention Bugzilla – Bug 42840
AD-Connector sync_mode=read: old group member name not removed after rename in AD
Last modified: 2017-01-05 11:22:41 CET
Created attachment 8183: UMC screenshot of the described behaviour

In a customer environment a reference to a non-existing user is added when a group is renamed. The setting is an MSAD server which is syncing its content into UCS (mode: read).

Let's say there are three groups:
o TestGroup1
o TestGroup2
o RestGroup3 (which probably has a typo)
and Group2 and Group3 are members of Group1.

---
root@ucs-master:~# univention-ldapsearch cn=TestGroup1
dn: cn=TestGroup1,cn=users,dc=univention,dc=active
sambaGroupType: 2
cn: TestGroup1
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
objectClass: sambaGroupMapping
univentionObjectType: groups/group
sambaSID: S-1-5-21-3082909645-71003255-4092467323-11049
gidNumber: 5024
univentionGroupType: -2147483646
univentionObjectFlag: synced
uniqueMember: cn=TestGroup2,cn=users,dc=univention,dc=active
uniqueMember: cn=TestGroup3,cn=users,dc=univention,dc=active
--

So when correcting the name of Group3 from RestGroup3 to TestGroup3 the following happened:

---
root@ucs-master:~# univention-ldapsearch cn=TestGroup1
dn: cn=TestGroup1,cn=users,dc=univention,dc=active
sambaGroupType: 2
cn: TestGroup1
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
objectClass: sambaGroupMapping
univentionObjectType: groups/group
sambaSID: S-1-5-21-3082909645-71003255-4092467323-11049
gidNumber: 5024
univentionGroupType: -2147483646
univentionObjectFlag: synced
uniqueMember: cn=TestGroup2,cn=users,dc=univention,dc=active
uniqueMember: cn=restgroup3,cn=users,dc=univention,dc=active
uniqueMember: cn=TestGroup3,cn=users,dc=univention,dc=active
--

Also in the UMC a USER is displayed as member of TestGroup1:
cn=restgroup3,cn=users,dc=univention,dc=active
But there is no such user.
It's not quite clear to me: Where do you change the objects? In AD or in UCS?

> root@ucs-master:~# univention-ldapsearch cn=TestGroup1
> uniqueMember: cn=TestGroup3,cn=users,dc=univention,dc=active

→ You said that the name was RestGroup3, not TestGroup3, prior to renaming. Did a group with that name already exist? Or why is this typo here?

My guess is that uniqueMember=cn=restgroup3,cn=users,dc=univention,dc=active is not removed from the group TestGroup1 due to the differences in upper/lowercase.

What is the output of
univention-ldapsearch -LLL -b cn=restgroup3,cn=users,dc=univention,dc=active
?
→ I guess that object doesn't exist anymore and is therefore shown as user in UMC.
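The following is an added example, not a comment from this bug report: it performs the check suggested in the comment above (does the member DN still resolve to an entry?) offline, over a constructed LDIF snapshot modelled on the ldapsearch output in the report instead of a live directory. Every uniqueMember value whose DN has no entry is reported, and DNs are compared case-insensitively so that a lowercase spelling written by a connector is not itself mistaken for a dangling reference. The LDIF text and the functions parse_ldif, normalize_dn and dangling_members are assumptions of this example.

```python
"""Find group member DNs that do not resolve to an existing entry.

Added example, not Univention code. The LDIF below is a constructed snapshot
based on the ldapsearch output quoted in this report; in practice the set of
existing DNs would come from an LDAP search against the directory.
"""

# Constructed directory snapshot: TestGroup1's member list after the rename
# (with the stale lowercase entry) plus the two groups that really exist.
LDIF = """\
dn: cn=TestGroup1,cn=users,dc=univention,dc=active
cn: TestGroup1
uniqueMember: cn=TestGroup2,cn=users,dc=univention,dc=active
uniqueMember: cn=restgroup3,cn=users,dc=univention,dc=active
uniqueMember: cn=TestGroup3,cn=users,dc=univention,dc=active

dn: cn=TestGroup2,cn=users,dc=univention,dc=active
cn: TestGroup2

dn: cn=TestGroup3,cn=users,dc=univention,dc=active
cn: TestGroup3
"""


def normalize_dn(dn):
    """Case-fold the DN and strip whitespace around RDN separators.

    Attribute types and case-ignore values such as cn/dc match
    case-insensitively in LDAP, so two spellings of one DN must compare equal.
    Assumes no escaped commas inside RDN values.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse plain LDIF (no base64 values, no line wrapping) into
    {dn: {attribute: [values]}}; entries are separated by blank lines."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def dangling_members(entries):
    """Return {group_dn: [member_dn, ...]} for every uniqueMember value whose
    DN does not exist in `entries` (compared via normalize_dn)."""
    existing = {normalize_dn(dn) for dn in entries}
    result = {}
    for dn, attrs in entries.items():
        stale = [m for m in attrs.get("uniqueMember", [])
                 if normalize_dn(m) not in existing]
        if stale:
            result[dn] = stale
    return result


if __name__ == "__main__":
    for group, members in dangling_members(parse_ldif(LDIF)).items():
        print(group)
        for member in members:
            print("  dangling uniqueMember:", member)
```

On the constructed snapshot only cn=restgroup3 is reported for TestGroup1; cn=TestGroup3 resolves because its entry exists. To run the same check against a real UCS directory, feed it the output of univention-ldapsearch for the groups and the objects they reference.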
The first LDAP search output is obviously incorrect, since TestGroup3 doesn't exist at that point according to the report. So, it must have been:

==============================================================
dn: cn=TestGroup1,cn=users,dc=univention,dc=active
sambaGroupType: 2
cn: TestGroup1
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
objectClass: sambaGroupMapping
univentionObjectType: groups/group
sambaSID: S-1-5-21-3082909645-71003255-4092467323-11049
gidNumber: 5024
univentionGroupType: -2147483646
univentionObjectFlag: synced
uniqueMember: cn=TestGroup2,cn=users,dc=univention,dc=active
uniqueMember: cn=RestGroup3,cn=users,dc=univention,dc=active
==============================================================

So the AD-Connector seems to re-add the old name (but in lowercase?) as member. I guess we have fixed this in the S4-Connector? See e.g. Bug 40233 Comment 4 which mentions this test case: 52_s4connector/272read_ad_change_username.
Created attachment 8256: reproduced connector.log
Created attachment 8257: reproduced connector-s4.log

The issue is also reproducible with the S4-Connector (sync mode).
Note: there are two ways to do this in the MS ADUC GUI:

a) in-place editing of the group name by left-clicking into the name, changing it and hitting return. In that case a pop-up window is shown asking for the group name and the "pre-Windows 2000" group name. In that case both sAMAccountName and CN are changed.

b) double-click or right-click -> properties: In that case only the "pre-Windows 2000" group name is offered for modification. In that case only the sAMAccountName is changed, but the old group name remains in the CN. The old group name is also shown in the ADUC object list.

The issue reported with this bug happens in both cases.
Well, now I have a patch for the AD- and S4-Connector (additionally removing the old member in method one_group_member_sync_to_ucs). Then I asked myself why we didn't also see this for users renamed in Samba/AD. The funny thing is: this happens only for renamed nested groups. Renaming of users works fine (at least in Samba/AD, didn't check with native AD yet), and I think it's the UDM users/user module that takes care of that (methods __update_groups and __rewrite_member_uid). Then I checked renaming of nested groups in UDM (w/o connectors) and the groups/group module updates group memberships just fine, as expected. So there must be a place in the connectors which either inhibits the UDM module groups/group from doing its job properly, or the connectors explicitly add the old object DN again? Needs more debugging.
As suspected it was an issue in the UDM groups/group module, where uniqueMember attribute values were updated in a case sensitive way. Since the AD/S4-Connectors often write DNs in lowercase, the simple memberdnstring.replace(oldname, newname, 1) didn't work.

With the fix, if we have this situation before the rename of the member group:

uniqueMember: cn=restgroup3,cn=users,dc=ar41i1,dc=qa
uniqueMember: cn=testgroup2,cn=users,dc=ar41i1,dc=qa

then this is the result after the rename:

uniqueMember: cn=testgroup2,cn=users,dc=ar41i1,dc=qa
uniqueMember: cn=TestGroup3,cn=users,dc=ar41i1,dc=qa

This issue never showed up without the connectors, because UDM itself usually preserves the case of DNs.

Advisory: univention-directory-manager-modules.yaml
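The following is an added example, not a comment from this bug report and not the UDM groups/group code: it shows the defect described in the comment above, a case-sensitive str.replace() on the member DN string that never matches the lowercase spelling a connector wrote, side by side with a fixed rewrite that compares DNs RDN by RDN and case-insensitively. It goes one step beyond the comment in also handling members that sit below a renamed container (only the DN suffix matches) and in dropping a duplicate when the new DN was already added under another spelling. The sample DNs are taken from the comment; the function names are assumptions of this example.

```python
"""Rewrite group member DNs after the member object itself was renamed.

Added example, not the UDM groups/group module code. It reproduces the
defect described in the comment above (a case-sensitive str.replace() on the
member DN string misses DNs a connector stored in lowercase) next to a fixed
variant that compares DNs component-wise and case-insensitively. Sample data
is constructed from the values quoted in the comment.
"""

OLD_DN = "cn=RestGroup3,cn=users,dc=ar41i1,dc=qa"
NEW_DN = "cn=TestGroup3,cn=users,dc=ar41i1,dc=qa"

# Constructed uniqueMember values before the rename, spelled in lowercase
# the way a connector wrote them (as quoted in the comment above).
MEMBERS_BEFORE = [
    "cn=restgroup3,cn=users,dc=ar41i1,dc=qa",
    "cn=testgroup2,cn=users,dc=ar41i1,dc=qa",
]


def rewrite_members_case_sensitive(members, old_dn, new_dn):
    """Defective variant: str.replace() matches characters exactly, so the
    stored 'cn=restgroup3' never matches 'cn=RestGroup3' and the stale
    member DN survives the rename."""
    return [m.replace(old_dn, new_dn, 1) for m in members]


def dn_components(dn):
    """Split a DN into its RDN strings, stripping whitespace around commas.
    Assumes no escaped commas inside RDN values (true for the cn/dc/ou
    names used here)."""
    return [part.strip() for part in dn.split(",")]


def rewrite_dn(member, old_dn, new_dn):
    """Return `member` with the suffix `old_dn` replaced by `new_dn`, matched
    case-insensitively per RDN. Covers the renamed object itself (the whole
    DN matches) and entries below a renamed container (only the suffix
    matches); unrelated DNs are returned unchanged."""
    parts = dn_components(member)
    old = dn_components(old_dn)
    n = len(old)
    if len(parts) >= n and [p.lower() for p in parts[-n:]] == [o.lower() for o in old]:
        return ",".join(parts[:-n] + dn_components(new_dn))
    return member


def rewrite_members(members, old_dn, new_dn):
    """Fixed variant: rewrite every member DN case-insensitively and drop
    duplicates, so the new DN is not listed twice if a connector already
    added it under its own spelling."""
    result, seen = [], set()
    for member in members:
        candidate = rewrite_dn(member, old_dn, new_dn)
        key = ",".join(dn_components(candidate)).lower()
        if key not in seen:
            seen.add(key)
            result.append(candidate)
    return result


if __name__ == "__main__":
    print("case-sensitive:", rewrite_members_case_sensitive(MEMBERS_BEFORE, OLD_DN, NEW_DN))
    print("fixed:         ", rewrite_members(MEMBERS_BEFORE, OLD_DN, NEW_DN))
```

The defective variant returns the member list unchanged, which is exactly the stale cn=restgroup3 entry seen in the report; the fixed variant yields cn=TestGroup3 and cn=testgroup2, the result quoted in the comment above. The new DN is inserted with the case the caller supplied, matching UDM's behaviour of preserving DN case.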
Tests: OK (I've added a new test case for this bug: 55_adconnector/273read_ad_rename_nested_group)
Code review: OK
Merge to UCS 4.2: Failed
YAML: OK (minor adjustment: r75179
Merged and built for ucs_4.2-0
(In reply to Arvid Requate from comment #9)
> Merged and built for ucs_4.2-0

OK
r75455: Remove UCS 4.1-3 from YAML file since UCS 4.1-3 is no longer in maintenance (Bug #42840)
Please have a look at these test cases:

52_s4connector.159sync_ad_create_non_domain_user.test
52_s4connector.259read_ad_create_non_domain_user.test
52_s4connector.269read_ad_move_object_from_ignore_subtree.test

http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-4/job/AutotestJoin/SambaVersion=s4connector,Systemrolle=master/lastCompletedBuild/testReport/

It looks like these tests fail now because of this fix:

(2016-12-20 20:19:31.615941) info 2016-12-20 20:19:31 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(2016-12-20 20:19:31.616718) info 2016-12-20 20:19:31 Disable connector
(2016-12-20 20:19:31.617539) info 2016-12-20 20:19:31 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(2016-12-20 20:19:31.618256) info 2016-12-20 20:19:31 Setting S4 connector 'connector' to none-mode
[2016-12-20 20:19:31.701567] Setting connector/s4/mapping/syncmode
[2016-12-20 20:19:31.880495] Stopping univention-s4-connector daemon.
[2016-12-20 20:19:31.883630] done.
[2016-12-20 20:19:33.924952] Starting univention-s4-connector daemon.
[2016-12-20 20:19:37.601063] done.
(2016-12-20 20:19:37.627612) info 2016-12-20 20:19:37 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(2016-12-20 20:19:37.628937) info 2016-12-20 20:19:37 Create user and group
(2016-12-20 20:19:37.629789) info 2016-12-20 20:19:37 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(2016-12-20 20:19:38.533555) info 2016-12-20 20:19:38 User ybssbcuy created
(2016-12-20 20:19:39.025214) info 2016-12-20 20:19:39 Group jrlpbcuw created
(2016-12-20 20:19:39.026012) info 2016-12-20 20:19:39 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(2016-12-20 20:19:39.026780) info 2016-12-20 20:19:39 Set group as primary group of user
(2016-12-20 20:19:39.027638) info 2016-12-20 20:19:39 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(2016-12-20 20:19:39.516360) info 2016-12-20 20:19:39 Object CN=jrlpbcuw,CN=groups,DC=AUTOTEST091C,DC=LOCAL modified
(2016-12-20 20:19:40.006913) info 2016-12-20 20:19:40 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(2016-12-20 20:19:40.007720) info 2016-12-20 20:19:40 Reenable connector
(2016-12-20 20:19:40.008545) info 2016-12-20 20:19:40 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(2016-12-20 20:19:40.017412) info 2016-12-20 20:19:40 Setting S4 connector 'connector' to sync-mode
[2016-12-20 20:19:40.096766] Setting connector/s4/mapping/syncmode
[2016-12-20 20:19:40.275274] Stopping univention-s4-connector daemon.
[2016-12-20 20:19:40.278404] done.
[2016-12-20 20:19:42.319444] Starting univention-s4-connector daemon.
[2016-12-20 20:19:45.981188] done.
(2016-12-20 20:19:46.079338) info 2016-12-20 20:19:46 Waiting for full synchronisation (sleeping for 16 seconds)
(2016-12-20 20:19:46.081717) info 2016-12-20 20:19:46 Hint: You might want to decrease this value during debugging of the tests
(2016-12-20 20:20:02.364467) info 2016-12-20 20:20:02 Waiting for full synchronisation (sleeping for 16 seconds)
(2016-12-20 20:20:02.365263) info 2016-12-20 20:20:02 Hint: You might want to decrease this value during debugging of the tests
(2016-12-20 20:20:18.852108) info 2016-12-20 20:20:18 Object CN=jrlpbcuw,CN=groups,DC=AUTOTEST091C,DC=LOCAL exists
(2016-12-20 20:20:18.855125) info 2016-12-20 20:20:18 EXECUTING: udm-test 'groups/group' list | egrep '^DN: cn=jrlpbcuw,cn=groups,dc=AutoTest091c,dc=local$'
[2016-12-20 20:20:19.149263] DN: cn=jrlpbcuw,cn=groups,dc=AutoTest091c,dc=local
(2016-12-20 20:20:19.150674) info 2016-12-20 20:20:19 groups/group object jrlpbcuw exists
(2016-12-20 20:20:19.635393) info 2016-12-20 20:20:19 Object CN=ybssbcuy,CN=Users,DC=AUTOTEST091C,DC=LOCAL exists
(2016-12-20 20:20:19.646618) info 2016-12-20 20:20:19 EXECUTING: udm-test 'users/user' list | egrep '^DN: uid=ybssbcuy,cn=users,dc=AutoTest091c,dc=local$'
[2016-12-20 20:20:19.868713] DN: uid=ybssbcuy,cn=users,dc=AutoTest091c,dc=local
(2016-12-20 20:20:19.870164) info 2016-12-20 20:20:19 users/user object ybssbcuy exists
(2016-12-20 20:20:19.882173) info 2016-12-20 20:20:19 EXECUTING: udm-test 'groups/group' list --filter "cn=jrlpbcuw" | egrep '^ *users: ' | sed 's/^ *users: //'
(2016-12-20 20:20:20.035158) info 2016-12-20 20:20:20 Value of "users" is "uid=ybssbcuy,cn=Users,dc=AutoTest091c,dc=local", does not contain line "uid=ybssbcuy,cn=users,dc=AutoTest091c,dc=local"
(2016-12-20 20:20:20.035941) error 2016-12-20 20:20:20 Expected operation to succeed, but it failed
(2016-12-20 20:20:20.036815) error 2016-12-20 20:20:20 **************** Test failed above this line (110) ****************
(2016-12-20 20:20:20.040686) info 2016-12-20 20:20:20 EXECUTING: udm-test 'users/user' list --filter "uid=ybssbcuy" | egrep '^ *groups: ' | sed 's/^ *groups: //'
(2016-12-20 20:20:20.222085) info 2016-12-20 20:20:20 EXECUTING: udm-test 'users/user' list --filter "uid=ybssbcuy" | egrep '^ *primaryGroup: ' | sed 's/^ *primaryGroup: //'
(2016-12-20 20:20:20.390110) info 2016-12-20 20:20:20 is CN=jrlpbcuw,CN=groups,DC=AUTOTEST091C,DC=LOCAL the primary group of CN=ybssbcuy,CN=Users,DC=AUTOTEST091C,DC=LOCAL ?
(2016-12-20 20:20:20.891067) info 2016-12-20 20:20:20 Yes.
(2016-12-20 20:20:20.891876) info 2016-12-20 20:20:20 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(2016-12-20 20:20:20.892628) info 2016-12-20 20:20:20 Clean up
(2016-12-20 20:20:20.901572) info 2016-12-20 20:20:20 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(2016-12-20 20:20:20.941342) info 2016-12-20 20:20:20 Recursively deleting CN=ybssbcuy,CN=Users,DC=AUTOTEST091C,DC=LOCAL
[2016-12-20 20:20:21.086689] Deleted 1 records
(2016-12-20 20:20:21.130315) info 2016-12-20 20:20:21 Recursively deleting CN=jrlpbcuw,CN=groups,DC=AUTOTEST091C,DC=LOCAL
[2016-12-20 20:20:21.259750] Deleted 1 records
(2016-12-20 20:20:21.310280) info 2016-12-20 20:20:21 Waiting for full synchronisation (sleeping for 16 seconds)
(2016-12-20 20:20:21.311145) info 2016-12-20 20:20:21 Hint: You might want to decrease this value during debugging of the tests
(2016-12-20 20:20:37.797234) info 2016-12-20 20:20:37 Object CN=ybssbcuy,CN=Users,DC=AUTOTEST091C,DC=LOCAL doesn't exist
(2016-12-20 20:20:37.800366) info 2016-12-20 20:20:37 EXECUTING: udm-test 'users/user' list | egrep '^DN: uid=ybssbcuy,cn=users,dc=AutoTest091c,dc=local$'
(2016-12-20 20:20:37.997431) info 2016-12-20 20:20:37 users/user object ybssbcuy does not exist
(2016-12-20 20:20:38.715830) info 2016-12-20 20:20:38 Object CN=jrlpbcuw,CN=groups,DC=AUTOTEST091C,DC=LOCAL doesn't exist
(2016-12-20 20:20:38.745736) info 2016-12-20 20:20:38 EXECUTING: udm-test 'groups/group' list | egrep '^DN: cn=jrlpbcuw,cn=groups,dc=AutoTest091c,dc=local$'
(2016-12-20 20:20:39.165640) info 2016-12-20 20:20:39 groups/group object jrlpbcuw does not exist
(2016-12-20 20:20:39.166389) info 2016-12-20 20:20:39 Setting S4 connector 'connector' to sync-mode
(2016-12-20 20:20:39.218439) info 2016-12-20 20:20:39 Already in sync-mode
(In reply to Stefan Gohmann from comment #12)
> Please have a look at these test cases:
>
> 52_s4connector.159sync_ad_create_non_domain_user.test
> 52_s4connector.259read_ad_create_non_domain_user.test
> 52_s4connector.269read_ad_move_object_from_ignore_subtree.test

I've fixed the test cases: r75531
Verified again
<http://errata.software-univention.de/ucs/4.1/367.html>