Univention Bugzilla – Bug 46706
UMC diagnose: Well known SIDs for krbtgt and guest not found
Last modified: 2024-04-17 14:02:29 CEST
UCS 4.3 school multiserver. On my school slave the UMC diagnose module complains about missing well-known SIDs for krbtgt and guest. I do not have Samba on the master, and on school slaves krbtgt and guest are ignored in the connector:

ucr get connector/s4/mapping/user/ignorelist
root,ucs-s4sync,dns-slave,krbtgt,Guest

so these objects are never synced to UCS (and that is where 44_well_known_sid_check.py looks for the SIDs).
If there is no Samba/AD installed on the Master, then univention-heimdal-kdc should be active there and /usr/lib/univention-install/11univention-heimdal-init.inst should have created a krbtgt account.
Happened on a customer site. Multi-school with no Samba on the master. System diagnose prints a warning which confuses the customer (and support during troubleshooting):

=============================
##################### Start 44_well_known_sid_check #####################
## Check failed: 44_well_known_sid_check - Überprüfe 'Well Known' SIDs ##
Kein Nutzer oder keine Gruppe mit SID S-1-5-21-4189432101-1806742356-2962702042-502 gefunden, 'KRBTGT' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-21-4189432101-1806742356-2962702042-501 gefunden, 'Guest' war erwartet.
###################### End 44_well_known_sid_check ######################
============================

According to the developer this is to be expected when there is no samba4 installed on the master and connector/s4/mapping/user/ignorelist is by default set to "root,ucs-s4sync,dns-slave,krbtgt,Guest".

Trying to sync these users from the school slave fails:

============================
root@luiseedu:~# ucr set connector/s4/mapping/user/ignorelist=root,ucs-s4sync
root@luiseedu:~# systemctl restart univention-s4-connector
root@luiseedu:~# /usr/share/univention-s4-connector/resync_object_from_s4.py "CN=krbtgt,CN=Users,DC=schulen,DC=ucs"
resync triggered for CN=krbtgt,CN=Users,DC=schulen,DC=ucs
Estimated sync in 50 seconds.
================================

BUT this results in a reject and a traceback of the s4 connector:

=====================
25.07.2020 06:34:34.610 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=dns,DC=schulen,DC=ucs
25.07.2020 06:34:34.615 LDAP (PROCESS): sync to ucs: [ container] [ modify] u'cn=dns,dc=schulen,dc=ucs'
25.07.2020 06:34:34.699 LDAP (ERROR ): Unknown Exception during sync_to_ucs
25.07.2020 06:34:34.700 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1555, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1299, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 650, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1327, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 897, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
===========

If system diagnosis treats this as a warning, we should handle the issue so that there is no warning in the diagnostic. If it is really to be ignored, we should not bother about it in system diagnose.
Heimdal on the master is properly installed and running, and I do not see any issues otherwise:

=====================
root@master:~# dpkg -l | grep heimdal
ii  heimdal-kdc                7.1.0+dfsg-13+deb9u3A~4.4.0.202006161052  amd64  Heimdal Kerberos - key distribution center (KDC)
[...]
ii  univention-heimdal-common  12.0.1-4A~4.4.0.202003261441              all    UCS - Kerberos common package
ii  univention-heimdal-kdc     12.0.1-4A~4.4.0.202003261441              all    UCS - Kerberos KDC
=======================

Running the join script again is successful, but there is still no sign of a krbtgt user:

===================
root@master:~# univention-run-join-scripts --force --run-scripts 11univention-heimdal-init.inst
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2020 Univention GmbH, Germany

Running pre-joinscripts hook(s):                           done
Running 11univention-heimdal-init.inst                     done
Running post-joinscripts hook(s):                          done
===================

So I assume it is OK if this user does not exist... but again, it should be handled properly if this is a false warning.
Ah, yes, Heimdal-KDC doesn't create uid=krbtgt, but instead:

dn: krb5PrincipalName=krbtgt/$kerberos_realm@$kerberos_realm,cn=kerberos,$ldap_base

So from the Kerberos point of view, it should be OK that uid=krbtgt does not exist (leaving aside the question of KDC interoperability). But the Guest account would be required in OpenLDAP to make the ID mapping work in cases where a Windows client writes a file to a Samba/AD share with NTACLs or ownerships referring to that account. At least as long as we use idmap.ldb for ID mapping and generate it via listener module from OpenLDAP.
Now we have:

UCS: 4.4-5 errata750
Installed: cups=2.2.1 samba4=4.10 squid=3.5 ucsschool=4.4 v6

The master is without samba4. On the slave side, univention-s4search cn=krbtgt shows the user.
*** Bug 50768 has been marked as a duplicate of this bug. ***
Version update to UCS 4.4; most probably also the case for UCS 5.0.
This test is failing every day for the UCS 5.0-1 DVD installation tests:

- 00_checks.81_diagnostic_checks.test_run_diagnostic_checks for
  - school
  - school-dev
  - school-scope

##################### Start 44_well_known_sid_check #####################
## Check failed: 44_well_known_sid_check - Überprüfe 'Well Known' SIDs ##
Kein Nutzer oder keine Gruppe mit SID 'S-1-5-21-2064950683-1856380664-415471391-501' gefunden, 'Guest' war erwartet.
Kein Nutzer oder keine Gruppe mit SID 'S-1-5-21-2064950683-1856380664-415471391-502' gefunden, 'KRBTGT' war erwartet.
###################### End 44_well_known_sid_check ######################

As U@S seems to work without those 2 SIDs, maybe we should add code to detect U@S and then disable this check?
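To make the behaviour discussed in this bug concrete, the following is an added, self-contained model of the check (not the project's 44_well_known_sid_check.py and not any commenter's code): it derives the Guest (RID 501) and KRBTGT (RID 502) SIDs from the domain SID, looks them up in a stand-in directory, and shows how honouring connector/s4/mapping/user/ignorelist removes exactly the two warnings quoted above. The directory dictionary and the `check_existence`/`parse_ignorelist` helpers are assumptions for illustration; the domain SID and ignorelist value are the ones quoted in the bug report.

```python
from typing import Dict, Iterator, List, Set, Tuple

# Well-known RIDs relative to the domain SID: the two this bug reports missing.
WELL_KNOWN_RIDS: Dict[int, str] = {501: "Guest", 502: "KRBTGT"}


def all_sids_and_names(domain_sid: str) -> Iterator[Tuple[str, str]]:
    """Yield (sid, expected_name) for each well-known domain RID."""
    for rid, name in WELL_KNOWN_RIDS.items():
        yield f"{domain_sid}-{rid}", name


def parse_ignorelist(ucr_value: str) -> Set[str]:
    """Normalise the comma-separated UCR ignorelist for case-insensitive matching."""
    return {u.strip().casefold() for u in ucr_value.split(",") if u.strip()}


def check_existence(domain_sid: str, directory: Dict[str, str],
                    ignorelist: str = "") -> List[str]:
    """Return one message per expected SID that is missing or carries another name.

    `directory` maps sambaSID -> account name and stands in for the LDAP search
    (hypothetical simplification; the real plugin also applies custom names).
    Names on the s4-connector ignorelist are skipped, because the connector never
    creates those objects in OpenLDAP when the Primary runs without Samba/AD.
    """
    ignored = parse_ignorelist(ignorelist)
    errors: List[str] = []
    for sid, expected in all_sids_and_names(domain_sid):
        if expected.casefold() in ignored:
            continue
        found = directory.get(sid)
        if found is None:
            errors.append(f"No user or group with SID {sid} found, {expected!r} expected.")
        elif found.casefold() != expected.casefold():
            errors.append(f"SID {sid} belongs to {found!r}, {expected!r} expected.")
    return errors


# Constructed sample: the domain SID quoted in the report, no Guest/krbtgt in OpenLDAP.
DOMAIN_SID = "S-1-5-21-4189432101-1806742356-2962702042"
SAMPLE_DIRECTORY = {f"{DOMAIN_SID}-500": "Administrator",
                    f"{DOMAIN_SID}-513": "Domain Users"}
DEFAULT_IGNORELIST = "root,ucs-s4sync,dns-slave,krbtgt,Guest"

if __name__ == "__main__":
    for msg in check_existence(DOMAIN_SID, SAMPLE_DIRECTORY):  # the two warnings from the bug
        print(msg)
    print(check_existence(DOMAIN_SID, SAMPLE_DIRECTORY, DEFAULT_IGNORELIST))  # []
```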
Still failing every day: https://univention-dist-jenkins.k8s.knut.univention.de/job/UCS-5.0/job/UCS-5.0-1/job/Installation%20Tests/lastCompletedBuild/mode=school-scope/testReport/00_checks/81_diagnostic_checks/test_run_diagnostic_checks/
*** Bug 45587 has been marked as a duplicate of this bug. ***
Happy new year, dear Bug: Still failing every day since 165 runs :-( diff --git management/univention-management-console-module-diagnostic/umc/python/diagnostic/plugins/44_well_known_sid_check.py management/univention-management-console-module-diagnostic/umc/python/diagnostic/plugins/44_well_known_sid_check.py index faedacb6eb..8a4151935c 100755 --- management/univention-management-console-module-diagnostic/umc/python/diagnostic/plugins/44_well_known_sid_check.py +++ management/univention-management-console-module-diagnostic/umc/python/diagnostic/plugins/44_well_known_sid_check.py @@ -141,10 +141,17 @@ def custom_name(name: str) -> str: def check_existence_and_consistency() -> Iterator[CheckError]: + s4c_ignore = { + user.strip().casefold() + for user in ucr.get("connector/s4/mapping/user/ignorelist", "").split(",") + } ldap_connection = LDAPConnection() domain_sid = ldap_connection.get_domain_sid() for (sid, expected_name) in all_sids_and_names(domain_sid): mapped_name = custom_name(expected_name) + if mapped_name.casefold() in s4c_ignore: + continue + try: # The user/group retrieved by SID should have the name as specified # in the well-known-sid-mapping (or mapped as per
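Review bot: the new `s4c_ignore` filter in check_existence_and_consistency() skips every well-known name on connector/s4/mapping/user/ignorelist unconditionally, not only where the Primary runs without Samba/AD, yet the earlier comment notes the Guest account is still needed in OpenLDAP for idmap.ldb ID mapping; consider limiting the skip to the no-Samba-on-Primary case or reporting a lower-severity notice instead of `continue`, and document the new dependence on the UCR variable in the plugin. Also, the membership test uses only `mapped_name` from `custom_name(expected_name)`, so a configured custom name will no longer match the Samba names (`krbtgt`, `Guest`) that the default ignorelist carries; checking `expected_name.casefold()` as well as `mapped_name.casefold()` against `s4c_ignore` keeps the skip working in that case.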
Still happening: 2023062921000326, UCS 5.0-4 school replica.
Also occurs at customer 156166 on a Replica. Primary without Samba/AD.