Bug 43070 - connector overwrites Domain Admins in AD with Domain Admins from UCS in initial sync
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Felix Botner
Stefan Gohmann
Depends on:
Blocks: 36354
Reported: 2016-11-28 18:40 CET by Felix Botner
Modified: 2016-12-14 12:36 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
connector.log (1.69 MB, text/x-log)
2016-11-29 15:54 CET, Felix Botner

Description Felix Botner univentionstaff 2016-11-28 18:40:16 CET
user fb is a member of Domain Admins in AD

-> ldbsearch -H ldap://10.200.7.132 -U fb%Univention.99  objectSid=S-1-5-21-4081652553-1298243908-2397940796-512
# record 1
dn: CN=Domänen-Admins,CN=Users,DC=w2k12,DC=test
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
member: CN=fb,OU=admins,DC=w2k12,DC=test
member: CN=Administrator,CN=Users,DC=w2k12,DC=test

# configure connector to use fb as sync user
-> ucr get connector/ad/ldap/binddn 
CN=fb,OU=admins,DC=w2k12,DC=test

After initial sync fb is no longer member of Domain Admins
-> ldbsearch -H ldap://10.200.7.132 -U fb%Univention.99  objectSid=S-1-5-21-4081652553-1298243908-2397940796-512
# record 1
dn: CN=Domänen-Admins,CN=Users,DC=w2k12,DC=test
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
member: CN=Administrator,CN=Users,DC=w2k12,DC=test
distinguishedN

Problem: the connector tries to sync the user before the OU:

connector.log

28.11.2016 18:27:27,343 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=fb,ou=admins,dc=w2k12,dc=test
28.11.2016 18:27:27,563 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
28.11.2016 18:27:27,565 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1300, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1158, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 305, in create
    return self._create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 759, in _create
    self.lo.add(self.dn, al)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 382, in add
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: No such object

28.11.2016 18:27:27,566 LDAP        (WARNING): sync to ucs was not successfull, save rejected
28.11.2016 18:27:27,566 LDAP        (WARNING): object was: CN=fb,OU=admins,DC=w2k12,DC=test
28.11.2016 18:27:27,572 LDAP        (PROCESS): sync to ucs:   [            ou] [       add] OU=admins,dc=w2k12,dc=test


Next sync also fails (udm lock object?)

28.11.2016 18:28:03,933 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=fb,ou=admins,dc=w2k12,dc=test
28.11.2016 18:28:03,958 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
28.11.2016 18:28:03,968 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1300, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1158, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 305, in create
    return self._create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 721, in _create
    al = self._ldap_addlist()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1781, in _ldap_addlist
    raise univention.admin.uexceptions.uidAlreadyUsed(': %s' % username)
uidAlreadyUsed: : fb

And after that AD no longer accepts this user (as he is now no longer a member of Domain Admins):


  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 761, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'))) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn))):
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 2484, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 280, in password_sync_ucs
    pwd_ad = get_password_from_ad(connector, univention.connector.ad.compatible_modstring(object['dn']))
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 180, in get_password_from_ad
    (level, ctr) = connector.drs.DsGetNCChanges(connector.drsuapi_handle, 8, req8)
RuntimeError: (8439, 'WERR_DS_DRA_BAD_DN')

28.11.2016 18:40:02,135 LDAP        (PROCESS): sync from ucs: [          user] [    modify] CN=w1,DC=w2k12,DC=test
28.11.2016 18:40:02,188 LDAP        (WARNING): sync failed, saved as rejected
28.11.2016 18:40:02,188 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 761, in __sync_file_from_ucs
    if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'))) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn))):
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 2484, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 289, in password_sync_ucs
    res = set_password_in_ad(connector, object['attributes']['sAMAccountName'][0], pwd)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 151, in set_password_in_ad
    info = connector.samr.SetUserInfo(user_handle, 18, userinfo18)
RuntimeError: (-1073741790, 'Access denied')
Comment 1 Felix Botner univentionstaff 2016-11-29 15:53:22 CET
The problem seems to be that the connector initially syncs the group membership from ucs to ad:

# UCS
-> univention-ldapsearch -LLL cn=Domain\ Admins memberUid
dn: cn=Domain Admins,cn=groups,dc=w2k12,dc=test
memberUid: Administrator

# AD
-> ldbsearch  -H ldap://10.200.7.132 -U fb3%Univention.99 cn=Dom*Admins member
dn: CN=Domänen-Admins,CN=Users,DC=w2k12,DC=test
member: CN=fb3,DC=w2k12,DC=test
member: CN=Administrator,CN=Users,DC=w2k12,DC=test

fb3 is used as the connector user, sync mode sync
after the setup the user exists in UCS but lost its Domain Admins membership in AD

-> univention-ldapsearch -LLL uid=fb3 dn
dn: uid=fb3,dc=w2k12,dc=test

-> ldbsearch  -H ldap://10.200.7.132 -U fb3%Univention.99 cn=Dom*Admins member
# record 1
dn: CN=Domänen-Admins,CN=Users,DC=w2k12,DC=test
member: CN=Administrator,CN=Users,DC=w2k12,DC=test

connector.log
group_members_sync_from_ucs: Object exists only in AD [uid=fb3,dc=w2k12,dc=test]

group_members_sync_from_ucs: ad_members_from_ucs without members with this as their primary group: [u'cn=administrator,cn=users,dc=w2k12,dc=test']

members to del: [u'CN=fb\xf6,OU=\xfcdmins\\=\\,,OU=admins,DC=w2k12,DC=test', u'CN=fb3,DC=w2k12,DC=test']

Basically Domain Admins is overwritten by UCS during the initial sync.
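The overwrite described in the report and in Comment 1 can be caught before the initial sync by diffing the two group records. This is an added illustration, not connector code: a small Python check over constructed ldbsearch/univention-ldapsearch output modelled on the records above; the function names, the RDN-to-memberUid matching and the bind DN argument are assumptions.

```python
"""Pre-sync check (added illustration, not part of univention-ad-connector):
report the AD members of Domain Admins that a UCS-authoritative initial sync
would drop, and flag whether the connector's own bind DN is among them."""
import base64

# Constructed sample records, modelled on the ldbsearch and
# univention-ldapsearch output quoted in the bug (not a live capture).
AD_RECORD = """# record 1
dn: CN=Domänen-Admins,CN=Users,DC=w2k12,DC=test
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
member: CN=fb,OU=admins,DC=w2k12,DC=test
member: CN=Administrator,CN=Users,DC=w2k12,DC=test
"""
UCS_RECORD = """dn: cn=Domain Admins,cn=groups,dc=w2k12,dc=test
memberUid: Administrator
"""


def parse_ldif(text):
    """Minimal LDIF reader: {attr: [values]}, decoding 'attr:: <base64>' values."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        name, _, value = line.partition(':')
        if value.startswith(':'):  # base64-encoded value, e.g. the umlaut cn
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def rdn_value(dn):
    """First RDN value of a DN, lower-cased: 'fb' from 'CN=fb,OU=admins,...'."""
    return dn.split(',', 1)[0].split('=', 1)[1].lower()


def members_dropped_by_initial_sync(ad_text, ucs_text):
    """AD members without a matching UCS memberUid (assumed match: RDN value vs uid).
    A group sync that treats UCS as authoritative removes exactly these."""
    ucs_uids = {u.lower() for u in parse_ldif(ucs_text).get('memberUid', [])}
    return [m for m in parse_ldif(ad_text).get('member', []) if rdn_value(m) not in ucs_uids]


def binddn_at_risk(ad_text, ucs_text, binddn):
    """True when the connector bind DN (ucr connector/ad/ldap/binddn) would be dropped."""
    dropped = {m.lower() for m in members_dropped_by_initial_sync(ad_text, ucs_text)}
    return binddn.lower() in dropped


if __name__ == '__main__':
    print('would be removed:', members_dropped_by_initial_sync(AD_RECORD, UCS_RECORD))
    print('bind DN at risk:', binddn_at_risk(AD_RECORD, UCS_RECORD, 'CN=fb,OU=admins,DC=w2k12,DC=test'))
```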
Comment 2 Felix Botner univentionstaff 2016-11-29 15:54:00 CET
Created attachment 8253
connector.log
Comment 3 Felix Botner univentionstaff 2016-11-30 15:19:50 CET
I think this is Bug #33319, merged the s4connector changes to univention-ad-connector.

univention-ad-connector: r74831 
univention-ad-connector.yaml
merged to 4.2-0
Comment 4 Stefan Gohmann univentionstaff 2016-12-09 07:06:28 CET
Code review: OK

Merge to UCS 4.2: OK

Tests: OK, I've extended the test case 101sync_initial_membership_ad_to_ucs (r75143 + r75144)

Jenkins tests: OK

YAML: OK
Comment 5 Janek Walkenhorst univentionstaff 2016-12-14 12:36:50 CET
<http://errata.software-univention.de/ucs/4.1/359.html>