Bug 48153 - UCS -> Windows2008: userPrincipalName is not modified when userobject has changed
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Felix Botner
QA Contact: Arvid Requate
Depends on: 20518
Blocks: 20657
Reported: 2018-11-15 15:49 CET by Christina Scheinig
Modified: 2018-12-05 17:25 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018091121000775
Bug group (optional):
Max CVSS v3 score:

Description Christina Scheinig univentionstaff 2018-11-15 15:49:15 CET
+++ This bug was initially created as a clone of Bug #20518 +++

With the default configuration, the attribute "userPrincipalName" is not set in AD during the UCS -> AD sync. AFAIR this still happened automatically in AD 2003.

In 2008, a user synchronized from UCS then no longer has a Kerberos account.

-------------------------------------------------------------------------------
A customer reported that he renamed a user via UMC and the krb5PrincipalName was renamed as expected, but after the synchronization into AD the userPrincipalName was not changed.

The connector is in write mode.
Comment 1 Christina Scheinig univentionstaff 2018-11-19 09:12:29 CET
The fix is important and urgent for the customer. It is also blocking further development of the customer's infrastructure. I therefore set the waiting for support tag and increased the affected feel tag.
Comment 2 Felix Botner univentionstaff 2018-11-20 16:47:56 CET
8248f6e4dea93a0e30860cb28324b12703a1dc64 - univention-ad-connector
bdeb1721f849c3fc22efdcf8d44b274f73a56a5d - yaml

Always set userPrincipalName in AD to UCS/AD username.
Comment 3 Felix Botner univentionstaff 2018-11-21 12:46:00 CET
ad16a06ff324ca6a0cf598746095f7a5be2ef41f

as discussed
 * set userPrincipalName username@$connector/ad/mapping/kerberosdomain if not set 
   in AD (as until now)
 * additionally we modify userPrincipalName to UCS_username@AD_Principal if 
   userPrincipalName exists in AD

The modify part can be disabled with connector/ad/mapping/sync/userPrincipalName=false (which is the case for updated systems)
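
The decision described in comment 3, written out as an added example (not part of the comment and not code from univention-ad-connector). The function and parameter names are hypothetical, and reading "AD_Principal" as the suffix of the userPrincipalName already stored in AD is an assumption, as is leaving a value without a suffix untouched.

```python
# Added illustration, not code from univention-ad-connector.
# Names are hypothetical; the two settings mirror the UCR variables in comment 3.

def plan_upn_write(ucs_username, ad_upn, kerberos_domain, sync_upn):
    """Return the userPrincipalName to write to AD, or None to leave it alone.

    ucs_username    -- current UCS username (after a rename, the new name)
    ad_upn          -- userPrincipalName currently on the AD object, or None
    kerberos_domain -- value of connector/ad/mapping/kerberosdomain
    sync_upn        -- connector/ad/mapping/sync/userPrincipalName as a bool
    """
    if not ad_upn:
        # Not set in AD: create it (the behaviour "as until now").
        return "%s@%s" % (ucs_username, kerberos_domain)
    if not sync_upn:
        # Modify part disabled (the case on updated systems).
        return None
    local, sep, suffix = ad_upn.rpartition("@")
    if not sep or not suffix:
        # Assumption: a stored value without a suffix is left untouched.
        return None
    # Assumption: "AD_Principal" is the suffix of the existing AD value.
    wanted = "%s@%s" % (ucs_username, suffix)
    return None if wanted == ad_upn else wanted


def demo():
    # Constructed sample data: user "jdoe" was renamed to "jsmith" in UCS.
    cases = [
        ("new user, no UPN in AD", "jsmith", None, True),
        ("renamed, new installation", "jsmith", "jdoe@AD.EXAMPLE", True),
        ("renamed, updated system", "jsmith", "jdoe@AD.EXAMPLE", False),
        ("already in sync", "jsmith", "jsmith@AD.EXAMPLE", True),
    ]
    return [(label, plan_upn_write(user, upn, "UCS.EXAMPLE", sync))
            for label, user, upn, sync in cases]


if __name__ == "__main__":
    for label, result in demo():
        print("%-28s -> %s" % (label, result))
```

The "renamed, updated system" row is the state the customer reported: the UCS name has changed, but the AD login name keeps the old value until the modify part is enabled.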
Comment 4 Arvid Requate univentionstaff 2018-11-21 20:35:43 CET
Ok, cool, verified:
* Sync works
* Disabled on updates, enabled on new installations

I adjusted the advisory text a bit: 30121b5f37
Comment 5 Arvid Requate univentionstaff 2018-12-05 17:25:30 CET
<http://errata.software-univention.de/ucs/4.3/354.html>