Bug 47069 - Logon failure in Password-Sync via DRS when not using Administrator
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal (vote)
Target Milestone: UCS 4.3-2-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on:
Blocks:
Reported: 2018-05-24 13:26 CEST by Nico Stöckigt
Modified: 2018-12-05 14:39 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018042321000341
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Attachments
bug47069.patch (2.04 KB, patch)
2018-05-24 16:47 CEST, Arvid Requate
bug47069.patch (2.04 KB, patch)
2018-05-24 16:54 CEST, Arvid Requate

Description Nico Stöckigt univentionstaff 2018-05-24 13:26:05 CEST
In a customer's environment a special AD-Sync user is used to replicate from MS/AD. While LDAP objects are successfully replicated, the passwords are not. We figured out that this is because for the PWD-Sync via DRS the sAMAccountName is used for authentication. The ad-connector uses the CN part of the BindDN as sAMAccountName - which is ok while using Administrator - but in this scenario both attributes differ.

We should determine the correct sAMAccountName from the AD-Object to use it in the PWD-Sync via DRS.
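The mismatch described above, as an added example that is not part of this bug report or of the univention-ad-connector code: the CN-derived lookup that fails beside the corrected lookup on the AD object, run against a constructed stand-in for an AD search whose Administrator entry uses the DN and sAMAccountName values quoted later in this bug.

```python
import string

# Constructed stand-in for an AD LDAP search: normalised DN -> attributes.
# The first entry mirrors the verification output in this bug (CN=Administrator
# whose sAMAccountName is "Admin"); the second is a hypothetical sync account
# with an escaped comma in its CN, to show why naive DN splitting is unsafe.
FAKE_AD = {
    "cn=administrator,cn=users,dc=w2k12,dc=test": {"sAMAccountName": "Admin"},
    "cn=ad sync\\, svc,cn=users,dc=w2k12,dc=test": {"sAMAccountName": "adsync"},
}


def first_rdn_value(dn):
    """Return the value of the first RDN of an LDAP DN, honouring RFC 4514
    backslash escapes ("\\," and "\\2C" both mean a literal comma)."""
    out, i = [], 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(chr(int(pair, 16)))  # hex-escaped byte
                i += 3
            else:
                out.append(dn[i + 1])  # backslash-escaped character
                i += 2
        else:
            out.append(dn[i])
            i += 1
    _attr, sep, value = "".join(out).partition("=")
    if not sep:
        raise ValueError("not an LDAP DN: %r" % dn)
    return value


def samaccountname_from_cn(bind_dn):
    """The behaviour reported as broken: assume CN == sAMAccountName."""
    return first_rdn_value(bind_dn)


def samaccountname_from_object(bind_dn, directory=FAKE_AD):
    """The fix: read sAMAccountName from the bound account's own AD object.
    Fails loudly instead of guessing when the attribute cannot be resolved."""
    entry = directory.get(bind_dn.lower())
    name = entry.get("sAMAccountName") if entry else None
    if not name:
        raise LookupError("no sAMAccountName found for %r" % bind_dn)
    return name


def cn_and_samaccountname_differ(bind_dn, directory=FAKE_AD):
    """Diagnostic for the scenario in this bug: True when the CN-based guess
    would authenticate DRS with the wrong account name."""
    return samaccountname_from_cn(bind_dn) != samaccountname_from_object(bind_dn, directory)
```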
Comment 1 Arvid Requate univentionstaff 2018-05-24 16:47:19 CEST
Created attachment 9536 [details]
bug47069.patch

Good catch! The attached patch may be suitable to fix this.
Comment 2 Arvid Requate univentionstaff 2018-05-24 16:54:19 CEST
Created attachment 9537 [details]
bug47069.patch

Fixed syntax error
Comment 3 Arvid Requate univentionstaff 2018-11-27 21:01:33 CET
Patch applied.

bce52836f6 | Fix AD to UCS password hash synchronization in case
             a custom Domain Admin account is used
7bba9ad416 | Advisory
Comment 4 Felix Botner univentionstaff 2018-11-28 12:10:05 CET
OK - works with

-> univention-adsearch cn=Administrator dn sAMAccountName
DN: CN=Administrator,CN=Users,DC=w2k12,DC=test
sAMAccountName: Admin

OK - YAML
Comment 5 Arvid Requate univentionstaff 2018-12-05 14:39:12 CET
<http://errata.software-univention.de/ucs/4.3/354.html>