Bug 215 - zExtras suite overwriting Zimbra patch code in Zimbra 8.6.0
Alias: None
Product: ZeXtras
Classification: Unclassified
Component: ZxCore
Version: 2.4.2
Hardware: Physical Infrastructure Linux
Importance: Normal major
Assignee: Jay
QA Contact:
Depends on:
Reported: 2016-12-14 18:49 CET by Michael Medellin
Modified: 2016-12-29 14:07 CET

See Also:
Browser: ---
Zimlet Chat version: ---
Zimbra Version: 8.6.0


Description Michael Medellin 2016-12-14 18:49:32 CET
Hi ZeXtras team,

We've had a customer run into an issue where delegate admins aren't able to delete users on different mailbox servers. This issue was resolved in 8.6.0 patch 4 (https://bugzilla.zimbra.com/show_bug.cgi?id=96254) and therefore escalated to our engineering team. After investigation, the engineer on the case determined that the ZeXtras suite is overwriting patch code on Zimbra 8.6.0, rendering the patched fix impotent. 

At this point in time, we are unaware of any other functionality that may be affected in a similar manner. In the meantime, will ZeXtras engineers take a look at the patch and determine the necessary fix for this issue?
Michael Medellin
Zimbra Product Manager, Synacor
Comment 1 Jay 2016-12-15 10:45:46 CET
Reproduced in Zimbra 8.7 multistore.
Comment 2 Jay 2016-12-15 12:06:08 CET
When creating a new delegated administrator, the domain cache is not synchronized on other mailboxes, leading to:

at com.zimbra.common.service.ServiceException.PERM_DENIED(ServiceException.java:308)
at com.zimbra.common.service.ServiceException.DEFEND_ACCOUNT_HARVEST(ServiceException.java:325)

"zmprov flushCache domain acl" fixes the issue.

We will add an automatic cache flush after creating or editing delegated administrators' permissions.

Does it fix your issue, or do you have a different one?
Comment 3 Jay 2016-12-22 09:47:03 CET
We've found another issue, which is probably the one you were referring to: defendsAgainstDelegateAdminAccountHarvesting() is not implemented in ZAL [1] and always returns false, which leads to PERM_DENIED if the loginAs right is missing from the delegated administrator.

As a temporary workaround you can add the loginAs right; the fix will be available in the next release, 2.4.3, scheduled for early next week.

[1] https://github.com/ZeXtras/OpenZAL/blob/master/src/java/org/openzal/zal/soap/InternalAdminDocumentHandler.java
Comment 4 Jay 2016-12-29 14:07:24 CET
Fixed in 2.4.3.