Univention Bugzilla – Bug 29000
Create WellKnown Security Principals with static PosixIDs as system accounts.
Last modified: 2016-06-02 11:53:18 CEST
A number of Samba SIDs are currently not yet mapped to static POSIX IDs and are served by Samba4 from the default idmap pool 3000000-4000000. These PosixIDs have two drawbacks: 1. They are not unique across servers. 2. They are then not displayed as a name in, e.g., fACLs in the file system. If we create them, the license count should be adjusted accordingly.
===============================================================================
root@master1:~# univention-s4search -b "CN=Configuration,$ldap_base" objectclass=foreignSecurityPrincipal objectsid
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
# record 1
dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-9

# record 2
dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-14

# record 3
dn: CN=SChannel Authentication,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-64-14

# record 4
dn: CN=Digest Authentication,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-64-21

# record 5
dn: CN=Terminal Server User,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-13

# record 6
dn: CN=Authenticated Users,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-11

# record 7
dn: CN=NTLM Authentication,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-64-10

# record 8
dn: CN=Other Organization,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-1000

# record 9
dn: CN=This Organization,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-15

# record 10
dn: CN=Anonymous Logon,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-7

# record 11
dn: CN=Network Service,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-20

# record 12
dn: CN=Creator Group,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-3-1

# record 13
dn: CN=Creator Owner,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-3-0

# record 14
dn: CN=Local Service,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-19

# record 15
dn: CN=Owner Rights,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-3-4

# record 16
dn: CN=Interactive,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-4

# record 17
dn: CN=Restricted,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-12

# record 18
dn: CN=Everyone,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-1-0

# record 19
dn: CN=Network,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-2

# record 20
dn: CN=Service,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-6

# record 21
dn: CN=Dialup,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-1

# record 22
dn: CN=System,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-18

# record 23
dn: CN=Batch,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-3

# record 24
dn: CN=Proxy,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-8

# record 25
dn: CN=IUSR,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-17

# record 26
dn: CN=Self,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-10
===============================================================================
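As an added illustration (not code from this bug report, from UCS or from Samba), the following Python script parses univention-s4search output of the kind quoted above, validates every objectSid, keeps only the SIDs that are not domain SIDs (the ones UDM cannot address by RID), and emits one LDIF entry per principal with a static gidNumber and sambaGroupType 5. The attribute set is the minimal Samba LDAP schema (posixGroup + sambaGroupMapping); a real UCS entry carries additional objectClasses. The sample output is constructed from the records above plus one made-up domain group, and the gid range, base DN and helper names are assumptions.

```python
"""Added example, not part of the bug report or of UCS/Samba code."""
import re

# Constructed sample: three records copied from the search output in this bug
# plus one made-up domain group (S-1-5-21-...) to exercise the filter.
SAMPLE_OUTPUT = """\
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
# record 1
dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-9

# record 2
dn: CN=Authenticated Users,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-5-11

# record 3
dn: CN=Everyone,CN=WellKnown Security Principals,CN=Configuration,DC=arucs31i5,DC=qa
objectSid: S-1-1-0

# record 4
dn: CN=Domain Admins,CN=Users,DC=arucs31i5,DC=qa
objectSid: S-1-5-21-1111-2222-3333-512
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>...' into (authority, [sub-authorities]).

    Raises ValueError for anything that is not a syntactically valid
    revision-1 SID, so a garbled search result can never reach the LDIF.
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % sid)
    try:
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError("non-numeric component in SID: %r" % sid)
    if len(subs) > 15:  # hard limit of the binary SID format
        raise ValueError("too many sub-authorities: %r" % sid)
    return authority, subs


def is_domain_sid(sid):
    """True for S-1-5-21-<x>-<y>-<z>[-RID], i.e. a SID UDM can assign by RID."""
    authority, subs = parse_sid(sid)
    return authority == 5 and len(subs) >= 4 and subs[0] == 21


def parse_records(output):
    """Return [(cn, sid), ...] for every dn/objectSid record in the output.

    Non-attribute lines (the SPNEGO warning, '# record N') are ignored.
    Assumes the first RDN is 'CN=...' without escaped commas, as on this page.
    """
    records, current = [], {}
    for line in output.splitlines() + [""]:  # sentinel flushes the last record
        if not line.strip():
            if "dn" in current and "objectSid" in current:
                records.append(current)
            current = {}
            continue
        match = ATTR_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip()
    result = []
    for rec in records:
        rdn = rec["dn"].split(",", 1)[0]
        if not rdn.upper().startswith("CN="):
            raise ValueError("unexpected RDN: %r" % rdn)
        result.append((rdn[3:], rec["objectSid"]))
    return result


def well_known_ldif(output, base_dn, first_gid):
    """Return one LDIF string per non-domain SID found in the search output.

    gidNumbers are handed out sequentially from first_gid (assumed value);
    pick a range outside Samba's dynamic idmap pool (3000000-4000000 here) so
    the same ID is used on every server.  sambaGroupType 5 is what this bug
    uses to keep the S4 connector from producing a conflicting object.
    """
    entries, gid = [], first_gid
    for cn, sid in parse_records(output):
        if is_domain_sid(sid):
            continue  # ordinary domain groups are created through UDM by RID
        entries.append("\n".join([
            "dn: cn=%s,cn=groups,%s" % (cn, base_dn),
            "objectClass: top",
            "objectClass: posixGroup",
            "objectClass: sambaGroupMapping",
            "cn: %s" % cn,
            "gidNumber: %d" % gid,
            "sambaSID: %s" % sid,
            "sambaGroupType: 5",
            "",
        ]))
        gid += 1
    return entries


if __name__ == "__main__":
    print("\n".join(well_known_ldif(SAMPLE_OUTPUT, "dc=arucs31i5,dc=qa", 60000)))
```

The output can be piped into ldapmodify -a against the master; the SID validation is the important part, since an entry with a malformed sambaSID would silently fail NTACL-to-fACL translation later.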
E.g. for Samba4 NTACL to Posix fACL translation it is important that the groups are created with the proper well-known SIDs. Currently UDM cli only offers the option to assign certain domain RIDs -- either we allow setting the full SID via UDM cli or we would have to create them via ldif.
The case "Enterprise Domain Controllers" has been dealt with via Bug 31437. In that case it was useful to mark this group as sambaGroupType=5, which is filtered out by the default S4 Connector mapping, to avoid SID conflicts with the corresponding foreignSecurityPrincipal in Samba4.
These are created via samba4 join script:

_create_group_with_special_sid "Authenticated Users" "S-1-5-11" "$@"
_create_group_with_special_sid "World Authority" "S-1-1" "$@"
_create_group_with_special_sid "Everyone" "S-1-1-0" "$@"
_create_group_with_special_sid "Null Authority" "S-1-0" "$@"
_create_group_with_special_sid "Nobody" "S-1-0-0" "$@"

I think we could create Enterprise Domain Controllers in the same way. But I'm unsure if we should create all other objects. See attached patch for a possible solution. The patch is untested.
Created attachment 5516 [details] bug_29000.patch
(In reply to Stefan Gohmann from comment #3)
> I think we could create Enterprise Domain Controllers in the same way. But
> I'm unsure if we should create all other objects. See attached patch for a
> possible solution. The patch is untested.

I've created these objects in OpenLDAP because it is possible to set permissions on files with these SIDs in AD. So we need a mapping to POSIX IDs.

Test case: 51_samba4/31well-known-security-principals
The idmap stuff works and the changelog is ok. Reopened for:

* strange, the groups in cn=Builtin don't have adGroupType set
* Maybe the proposal from Bug 31817 should be considered, this would also simplify the s4 connector mapping ignorelist
* For updates it might be good to modify the existing groups (created by base.ldif) to the new default values?
(In reply to Arvid Requate from comment #6)
> The idmap stuff works and the changelog is ok. Reopened for:
>
> * strange, the groups in cn=Builtin don't have adGroupType set

The groups are created with the posix option only, and adGroupType is part of the samba option. I moved the groupType setting to the ldapmodify command.

> * Maybe the proposal from Bug 31817 should be considered, this would also
> simplify the s4 connector mapping ignorelist

I've changed the groups to samba group type 5. But the connector mapping ignorelist is still needed because with 3.2 we also synchronize samba group type 5 groups, at least on newly installed systems.

> * For updates it might be good to modify the existing groups (created by
> base.ldif) to the new default values?

Done
Created attachment 5528 [details]
ldapmodify against ldap/master

Currently univention-run-joinscripts fails on a DC backup (after update from 3.1-1), I guess the attached patch is required.
======================================================================
RUNNING 96univention-samba4.inst
Multifile: /etc/samba/smb.conf
Object exists: cn=Builtin,dc=ar311r1,dc=qa
WARNING: cannot append cn=backup21,cn=dc,cn=computers,dc=ar311r1,dc=qa to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=ar311r1,dc=qa
ldap_modify: Referral (10)
	referrals:
		ldap://master20.ar311r1.qa:7389/cn=Authenticated%20Users,cn=groups,dc=ar311r1,dc=qa
modifying entry "cn=Authenticated Users,cn=groups,dc=ar311r1,dc=qa"
======================================================================
(In reply to Arvid Requate from comment #8)
> Created attachment 5528 [details]
> ldapmodify against ldap/master
>
> Currently univention-run-joinscripts fails on a DC backup (after update from
> 3.1-1), I guess the attached patch is required.

Yes, applied with a small fix.
Ok, looks good, test and changelog as well.
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".