Bug 29000 - Create WellKnown Security Principals with static PosixIDs as systemAccounts.
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 3.0
Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.2
Assigned To: Stefan Gohmann
Arvid Requate
: interim-3
Depends on: 29486
Blocks: 41417
Reported: 2012-10-31 12:48 CET by Arvid Requate
Modified: 2016-06-02 11:53 CEST (History)



Attachments
bug_29000.patch (11.09 KB, patch)
2013-10-13 22:26 CEST, Stefan Gohmann
ldapmodify against ldap/master (1.21 KB, patch)
2013-10-23 15:02 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2012-10-31 12:48:13 CET
A number of Samba SIDs are currently not yet mapped to static Posix IDs and are served by Samba4 in the idmap from the default pool 3000000-4000000. These PosixIDs have two disadvantages:

  1. They are not unique across servers.

  2. They are then not displayed as names, e.g. in fACLs in the file system.

If they are created, the license counting should be adjusted accordingly.

===============================================================================
root@master1:~# univention-s4search -b "CN=Configuration,$ldap_base" objectclass=foreignSecurityPrincipal objectsid
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
# record 1
dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-9

# record 2
dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-14

# record 3
dn: CN=SChannel Authentication,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-64-14

# record 4
dn: CN=Digest Authentication,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-64-21

# record 5
dn: CN=Terminal Server User,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-13

# record 6
dn: CN=Authenticated Users,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-11

# record 7
dn: CN=NTLM Authentication,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-64-10

# record 8
dn: CN=Other Organization,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-1000

# record 9
dn: CN=This Organization,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-15

# record 10
dn: CN=Anonymous Logon,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-7

# record 11
dn: CN=Network Service,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-20

# record 12
dn: CN=Creator Group,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-3-1

# record 13
dn: CN=Creator Owner,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-3-0

# record 14
dn: CN=Local Service,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-19

# record 15
dn: CN=Owner Rights,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-3-4

# record 16
dn: CN=Interactive,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-4

# record 17
dn: CN=Restricted,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-12

# record 18
dn: CN=Everyone,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-1-0

# record 19
dn: CN=Network,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-2

# record 20
dn: CN=Service,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-6

# record 21
dn: CN=Dialup,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-1

# record 22
dn: CN=System,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-18

# record 23
dn: CN=Batch,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-3

# record 24
dn: CN=Proxy,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-8

# record 25
dn: CN=IUSR,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-17

# record 26
dn: CN=Self,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-10
===============================================================================
Comment 1 Arvid Requate univentionstaff 2013-05-02 18:08:50 CEST
E.g. for Samba4 NTACL to Posix fACL translation it is important that the groups are created with the proper well-known SIDs. Currently UDM cli only offers the option to assign certain domain RIDs -- either we allow setting the full SID via UDM cli or we would have to create them via ldif.
Comment 2 Arvid Requate univentionstaff 2013-06-10 10:36:52 CEST
The case "Enterprise Domain Controllers" has been dealt with via Bug 31437. In that case it was useful to mark this group as sambaGroupType=5, which is filtered out by the default S4 Connector mapping, to avoid SID conflicts with the corresponding foreignSecurityPrincipal in Samba4.
Comment 3 Stefan Gohmann univentionstaff 2013-10-13 22:25:41 CEST
These are created via samba4 join script:

    _create_group_with_special_sid "Authenticated Users" "S-1-5-11" "$@"
    _create_group_with_special_sid "World Authority" "S-1-1" "$@"
    _create_group_with_special_sid "Everyone" "S-1-1-0" "$@"
    _create_group_with_special_sid "Null Authority" "S-1-0" "$@"
    _create_group_with_special_sid "Nobody" "S-1-0-0" "$@"

I think we could create Enterprise Domain Controllers in the same way. But I'm unsure if we should create all other objects. See attached patch for a possible solution. The patch is untested.
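The description above explains why a well-known SID that only gets an ID from the dynamic idmap pool (3000000-4000000) is a problem, and comment 3 lists the SIDs the join script creates with static mappings. The following is an added example, not code from the bug report or from UCS: it parses the record format printed by univention-s4search (dn/objectSid lines), resolves each well-known SID against a hypothetical idmap table `idmap` (SID to POSIX ID, an assumption standing in for the real mapping), and reports which principals are unmapped or still served from the dynamic pool, i.e. not unique across servers. The sample output below is constructed from the entries shown in the report with the domain replaced.

```python
"""Audit well-known SIDs for static POSIX ID mappings.

Added example, not part of the bug report or of UCS. It parses the
record format printed by univention-s4search and checks each objectSid
against a hypothetical idmap table {SID: posix_id}.
"""
import re

# Default dynamic idmap pool named in the report; IDs in this range are
# allocated per server and therefore not unique across servers.
DYNAMIC_POOL = (3000000, 4000000)

# Constructed sample (excerpt in the univention-s4search output format,
# domain component replaced by a placeholder).
SAMPLE_OUTPUT = """\
# record 1
dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=example,DC=qa
objectSid: S-1-5-9

# record 2
dn: CN=Authenticated Users,CN=WellKnown Security Principals,CN=Configuration,DC=example,DC=qa
objectSid: S-1-5-11

# record 3
dn: CN=Everyone,CN=WellKnown Security Principals,CN=Configuration,DC=example,DC=qa
objectSid: S-1-1-0
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")
DN_CN_RE = re.compile(r"^dn: CN=([^,]+),")


def parse_records(text):
    """Return a list of (cn, sid) tuples, one per record block.

    Records are separated by blank lines; '# record N' comment lines are
    ignored. Records with a malformed objectSid are skipped.
    """
    records = []
    cn = sid = None
    for line in text.splitlines():
        if line.startswith("dn: "):
            match = DN_CN_RE.match(line)
            cn = match.group(1) if match else None
        elif line.startswith("objectSid: "):
            value = line.split(": ", 1)[1].strip()
            sid = value if SID_RE.match(value) else None
        elif not line.strip():
            if cn and sid:
                records.append((cn, sid))
            cn = sid = None
    if cn and sid:  # last record without trailing blank line
        records.append((cn, sid))
    return records


def classify(sid, idmap):
    """Classify a SID as 'static', 'dynamic' (pool-allocated) or 'unmapped'."""
    if sid not in idmap:
        return "unmapped"
    posix_id = idmap[sid]
    if DYNAMIC_POOL[0] <= posix_id <= DYNAMIC_POOL[1]:
        return "dynamic"
    return "static"


def audit(text, idmap):
    """Map each principal's CN to its mapping status."""
    return {cn: classify(sid, idmap) for cn, sid in parse_records(text)}


if __name__ == "__main__":
    # Hypothetical idmap table: one static ID, one pool ID, one missing.
    example_idmap = {"S-1-5-11": 5005, "S-1-1-0": 3000042}
    for name, status in sorted(audit(SAMPLE_OUTPUT, example_idmap).items()):
        print(f"{status:9s} {name}")
```

Run against real output, the "dynamic" and "unmapped" entries are exactly the principals that still need a static systemAccount/group with the well-known SID; the "static" ones are already safe to reference in file system fACLs across servers.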
Comment 4 Stefan Gohmann univentionstaff 2013-10-13 22:26:10 CEST
Created attachment 5516 [details]
bug_29000.patch
Comment 5 Stefan Gohmann univentionstaff 2013-10-16 21:13:09 CEST
(In reply to Stefan Gohmann from comment #3)
> I think we could create Enterprise Domain Controllers in the same way. But
> I'm unsure if we should create all other objects. See attached patch for a
> possible solution. The patch is untested.

I've created these objects in OpenLDAP because it is possible to set permissions on files with these SIDs in AD. So we need a mapping to POSIX IDs.

Test case: 51_samba4/31well-known-security-principals
Comment 6 Arvid Requate univentionstaff 2013-10-22 17:35:00 CEST
The idmap stuff works and the changelog is ok. Reopened for:

* strange, the groups in the cn=Builtin don't have adGroupType set

* Maybe the proposal from Bug 31817 should be considered, this would also simplify the s4 connector mapping ignorelist

* For updates it might be good to modify the existing groups (created by base.ldif) to the new default values?
Comment 7 Stefan Gohmann univentionstaff 2013-10-23 07:38:36 CEST
(In reply to Arvid Requate from comment #6)
> The idmap stuff works and the changelog is ok. Reopened for:
> 
> * strange, the groups in the cn=Builtin don't have adGroupType set

The groups are created with the posix option only and the adGroupType is part of the samba option. I moved the groupType setting to the ldapmodify command.

> * Maybe the proposal from Bug 31817 should be considered, this would also
> simplify the s4 connector mapping ignorelist

I've changed the groups to samba group type 5. But the connector mapping ignorelist is needed because with 3.2 we also synchronize samba group type 5 groups. At least for newly installed systems.

> * For updates it might be good to modify the existing groups (created by
> base.ldif) to the new default values?

Done
Comment 8 Arvid Requate univentionstaff 2013-10-23 15:02:14 CEST
Created attachment 5528 [details]
ldapmodify against ldap/master

Currently univention-run-joinscripts fails on a DC backup (after update from 3.1-1), I guess the attached patch is required.

======================================================================
RUNNING 96univention-samba4.inst
Multifile: /etc/samba/smb.conf
Object exists: cn=Builtin,dc=ar311r1,dc=qa
WARNING: cannot append cn=backup21,cn=dc,cn=computers,dc=ar311r1,dc=qa to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=ar311r1,dc=qa
ldap_modify: Referral (10)
        referrals:
                ldap://master20.ar311r1.qa:7389/cn=Authenticated%20Users,cn=groups,dc=ar311r1,dc=qa
modifying entry "cn=Authenticated Users,cn=groups,dc=ar311r1,dc=qa"
======================================================================
Comment 9 Stefan Gohmann univentionstaff 2013-10-24 07:53:13 CEST
(In reply to Arvid Requate from comment #8)
> Created attachment 5528 [details]
> ldapmodify against ldap/master
> 
> Currently univention-run-joinscripts fails on a DC backup (after update from
> 3.1-1), I guess the attached patch is required.

Yes applied with a small fix.
Comment 10 Arvid Requate univentionstaff 2013-10-24 13:55:43 CEST
Ok, looks good, test and changelog as well.
Comment 11 Stefan Gohmann univentionstaff 2013-11-19 06:43:28 CET
UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".