Univention Bugzilla – Bug 43070
connector overwrites Domain Admins in AD with Domain Admins from UCS in initial sync
Last modified: 2016-12-14 12:36:50 CET
user fb is member of Domain Admins in AD:

-> ldbsearch -H ldap://10.200.7.132 -U fb%Univention.99 objectSid=S-1-5-21-4081652553-1298243908-2397940796-512
# record 1
dn: CN=Domänen-Admins,CN=Users,DC=w2k12,DC=test
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
member: CN=fb,OU=admins,DC=w2k12,DC=test
member: CN=Administrator,CN=Users,DC=w2k12,DC=test

# configure connector to use fb as sync user
-> ucr get connector/ad/ldap/binddn
CN=fb,OU=admins,DC=w2k12,DC=test

After the initial sync fb is no longer a member of Domain Admins:

-> ldbsearch -H ldap://10.200.7.132 -U fb%Univention.99 objectSid=S-1-5-21-4081652553-1298243908-2397940796-512
# record 1
dn: CN=Domänen-Admins,CN=Users,DC=w2k12,DC=test
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
member: CN=Administrator,CN=Users,DC=w2k12,DC=test
distinguishedN

Problem: the connector tries to sync the user before the OU.

connector.log:
28.11.2016 18:27:27,343 LDAP        (PROCESS): sync to ucs: [          user] [       add] uid=fb,ou=admins,dc=w2k12,dc=test
28.11.2016 18:27:27,563 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
28.11.2016 18:27:27,565 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1300, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1158, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 305, in create
    return self._create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 759, in _create
    self.lo.add(self.dn, al)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 382, in add
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: No such object
28.11.2016 18:27:27,566 LDAP        (WARNING): sync to ucs was not successfull, save rejected
28.11.2016 18:27:27,566 LDAP        (WARNING): object was: CN=fb,OU=admins,DC=w2k12,DC=test
28.11.2016 18:27:27,572 LDAP        (PROCESS): sync to ucs: [            ou] [       add] OU=admins,dc=w2k12,dc=test

The next sync also fails (udm lock object?):

28.11.2016 18:28:03,933 LDAP        (PROCESS): sync to ucs: [          user] [       add] uid=fb,ou=admins,dc=w2k12,dc=test
28.11.2016 18:28:03,958 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
28.11.2016 18:28:03,968 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1300, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1158, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 305, in create
    return self._create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 721, in _create
    al = self._ldap_addlist()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1781, in _ldap_addlist
    raise univention.admin.uexceptions.uidAlreadyUsed(': %s' % username)
uidAlreadyUsed: : fb

And after that AD no longer accepts this user (as it is now no longer a member of Domain Admins):

  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 761, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'))) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn))):
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 2484, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 280, in password_sync_ucs
    pwd_ad = get_password_from_ad(connector, univention.connector.ad.compatible_modstring(object['dn']))
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 180, in get_password_from_ad
    (level, ctr) = connector.drs.DsGetNCChanges(connector.drsuapi_handle, 8, req8)
RuntimeError: (8439, 'WERR_DS_DRA_BAD_DN')

28.11.2016 18:40:02,135 LDAP        (PROCESS): sync from ucs: [          user] [    modify] CN=w1,DC=w2k12,DC=test
28.11.2016 18:40:02,188 LDAP        (WARNING): sync failed, saved as rejected
28.11.2016 18:40:02,188 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 761, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'))) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn))):
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 2484, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 289, in password_sync_ucs
    res = set_password_in_ad(connector, object['attributes']['sAMAccountName'][0], pwd)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 151, in set_password_in_ad
    info = connector.samr.SetUserInfo(user_handle, 18, userinfo18)
RuntimeError: (-1073741790, 'Access denied')
The problem seems to be that the connector initially syncs the group membership from UCS to AD:

# UCS
-> univention-ldapsearch -LLL cn=Domain\ Admins memberUid
dn: cn=Domain Admins,cn=groups,dc=w2k12,dc=test
memberUid: Administrator

# AD
-> ldbsearch -H ldap://10.200.7.132 -U fb3%Univention.99 cn=Dom*Admins member
dn: CN=Domänen-Admins,CN=Users,DC=w2k12,DC=test
member: CN=fb3,DC=w2k12,DC=test
member: CN=Administrator,CN=Users,DC=w2k12,DC=test

fb3 is used as the connector user, sync mode "sync". After the setup the user exists in UCS but has lost its Domain Admins membership in AD:

-> univention-ldapsearch -LLL uid=fb3 dn
dn: uid=fb3,dc=w2k12,dc=test

-> ldbsearch -H ldap://10.200.7.132 -U fb3%Univention.99 cn=Dom*Admins member
# record 1
dn: CN=Domänen-Admins,CN=Users,DC=w2k12,DC=test
member: CN=Administrator,CN=Users,DC=w2k12,DC=test

connector.log:
group_members_sync_from_ucs: Object exists only in AD [uid=fb3,dc=w2k12,dc=test]
group_members_sync_from_ucs: ad_members_from_ucs without members with this as their primary group: [u'cn=administrator,cn=users,dc=w2k12,dc=test']
members to del: [u'CN=fb\xf6,OU=\xfcdmins\\=\\,,OU=admins,DC=w2k12,DC=test', u'CN=fb3,DC=w2k12,DC=test']

Basically Domain Admins is overwritten by UCS during the initial sync.
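As an added illustration of the two effects described in this report (the connector's own bind account being dropped from Domain Admins when the UCS member list wins the initial sync, and a user object being processed before the OU that contains it), the following is a small pre-flight check written for this page. It is not code from univention-ad-connector: the mapping of a UCS memberUid to an AD member DN by comparing the account name with the first RDN value is a simplification assumed here, the sample member lists are constructed from the values quoted above, and `CONNECTOR_BINDDN` stands for the value of `ucr get connector/ad/ldap/binddn`.

```python
"""Pre-flight check for an AD <-> UCS initial sync (added example, not
connector code).  Answers two questions before the first UCS -> AD group
sync runs: which AD group members would be removed because they are not
memberUid of the UCS group, and is the connector's own bind DN among
them?  Also orders AD objects so containers are created before the
objects beneath them."""

# Constructed from the values quoted in this bug report.
UCS_DOMAIN_ADMINS_MEMBERUID = ["Administrator"]
AD_DOMAIN_ADMINS_MEMBER = [
    "CN=fb,OU=admins,DC=w2k12,DC=test",
    "CN=Administrator,CN=Users,DC=w2k12,DC=test",
]
CONNECTOR_BINDDN = "CN=fb,OU=admins,DC=w2k12,DC=test"  # assumed: ucr get connector/ad/ldap/binddn


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes such as
    the 'OU=\\xfcdmins\\=\\,' component visible in the connector.log excerpt."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def rdn_value(dn):
    """Value of the first RDN: 'fb' for 'CN=fb,OU=admins,...'.
    Escaped commas and equals signs are unescaped."""
    _attr, _sep, value = split_dn(dn)[0].partition("=")
    return value.replace("\\,", ",").replace("\\=", "=")


def members_to_delete(ucs_memberuids, ad_member_dns):
    """Mimic the UCS -> AD direction: every AD member whose account name is
    not a memberUid of the UCS group would be removed.  The comparison is
    case-insensitive, matching the lowercased DNs in the log (assumption)."""
    wanted = {uid.lower() for uid in ucs_memberuids}
    return [dn for dn in ad_member_dns if rdn_value(dn).lower() not in wanted]


def check_initial_sync(ucs_memberuids, ad_member_dns, binddn):
    """Return (bind_account_would_be_removed, members_to_delete)."""
    to_del = members_to_delete(ucs_memberuids, ad_member_dns)
    lost = any(dn.lower() == binddn.lower() for dn in to_del)
    return lost, to_del


def parents_first(dns):
    """Order DNs so that a container (fewer RDNs) precedes the objects below
    it; the log shows the user being added before OU=admins existed."""
    return sorted(dns, key=lambda dn: len(split_dn(dn)))


if __name__ == "__main__":
    lost, to_del = check_initial_sync(
        UCS_DOMAIN_ADMINS_MEMBERUID, AD_DOMAIN_ADMINS_MEMBER, CONNECTOR_BINDDN)
    print("AD members the initial sync would remove:", to_del)
    if lost:
        print("WARNING: the connector bind DN itself would lose Domain Admins;"
              " add that account to the UCS group before the initial sync.")
    print(parents_first(["CN=fb,OU=admins,DC=w2k12,DC=test",
                         "OU=admins,DC=w2k12,DC=test"]))
```

Run as a script it reports that `CN=fb,OU=admins,DC=w2k12,DC=test` would be removed, which is exactly the state the second ldbsearch above shows; adding the bind account's uid to the UCS group's memberUid beforehand makes the check pass.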
Created attachment 8253 [details] connector.log
I think this is Bug #33319, merged the s4connector changes to univention-ad-connector.

univention-ad-connector: r74831
univention-ad-connector.yaml

merged to 4.2-0
Code review: OK
Merge to UCS 4.2: OK
Tests: OK, I've extended the test case 101sync_initial_membership_ad_to_ucs (r75143 + r75144)
Jenkins tests: OK
YAML: OK
<http://errata.software-univention.de/ucs/4.1/359.html>