Univention Bugzilla – Bug 29486
Synchronize local groups
Last modified: 2017-04-20 12:33:42 CEST
The local groups should also be synchronized between OpenLDAP and S4.
*** Bug 27546 has been marked as a duplicate of this bug. ***
*** Bug 31986 has been marked as a duplicate of this bug. ***
The following names differ:
UCS: System Operators    AD: Server Operators
UCS: Printer-Admins      AD: Print Operators
UCS: Replicators         AD: Replicator
Creating local or well-known groups in S4 is not readily possible, and neither is changing the group type. Therefore the plan is that the group type is only synchronized correctly from S4 to UCS, and only on first creation. If a local group is created in UCS, it is synchronized to S4 as a global group. The group members are then synchronized between the groups as desired.
Test cases have been added:
010_sync_group_type
011_sync_local_group_membership
After activation, the following group members would be removed from cn=users:
member: CN=Domain Users,CN=Groups
member: CN=S-1-5-4,CN=ForeignSecurityPrincipals
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals
Domain Users could be added via the base.ldif. The other members should actually be ignored by the connector.
Created attachment 5403 [details]
local_group_sync.patch
First patch.
If we change this we should map all Samba group types in UMC/UDM and we should check which group type can be a member of which group:
- domain local groups
- global groups
- universal groups
- builtin groups
- pseudo groups (Bug #29000)
Furthermore we should create the groups via Samba 4 provisioning or the Samba 3 join script: Bug #32461. We should check the 3.2 timeline after MS2.
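As an added illustration of the group-type handling discussed in the comments above (the UCS/AD name differences and the "type only from S4, and only on first creation" rule from comment 1, and the group scopes listed in this comment), the following Python is example code and not part of univention-s4-connector or the attached patch. The groupType bit values are the standard Active Directory flags; the function names, the "local"/"global" strings used for the UCS side, and the sample entries are assumptions made for this example.

```python
"""Decode AD/Samba 4 groupType values and apply the sync rules described in this bug.

Added example, not code from univention-s4-connector or local_group_sync.patch.
The bit values are the documented Active Directory groupType flags; the name
table and the "type only from S4, and only on first creation" rule come from
the comments above. All sample entries are constructed.
"""

GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002       # global scope
GROUP_TYPE_RESOURCE_GROUP = 0x00000004      # domain local scope
GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Group names that differ between UCS and AD (taken from comment 1).
UCS_TO_AD_NAME = {
    "System Operators": "Server Operators",
    "Printer-Admins": "Print Operators",
    "Replicators": "Replicator",
}
AD_TO_UCS_NAME = {ad: ucs for ucs, ad in UCS_TO_AD_NAME.items()}


def decode_group_type(raw):
    """Return (scope, security_enabled) for an LDAP groupType value.

    LDAP hands groupType back as a signed 32-bit decimal string such as
    "-2147483646", so the value is masked to 32 bits before testing flags.
    Builtin groups carry both the BUILTIN_LOCAL and RESOURCE_GROUP bits, so
    that case is tested first.
    """
    bits = int(raw) & 0xFFFFFFFF
    security = bool(bits & GROUP_TYPE_SECURITY_ENABLED)
    if bits & GROUP_TYPE_BUILTIN_LOCAL_GROUP:
        scope = "builtin"
    elif bits & GROUP_TYPE_ACCOUNT_GROUP:
        scope = "global"
    elif bits & GROUP_TYPE_RESOURCE_GROUP:
        scope = "domainlocal"
    elif bits & GROUP_TYPE_UNIVERSAL_GROUP:
        scope = "universal"
    else:
        raise ValueError("unknown groupType scope bits: %#x" % bits)
    return scope, security


def encode_group_type(scope, security_enabled=True):
    """Inverse of decode_group_type; returns the signed decimal string LDAP expects."""
    scope_bits = {
        "builtin": GROUP_TYPE_BUILTIN_LOCAL_GROUP | GROUP_TYPE_RESOURCE_GROUP,
        "global": GROUP_TYPE_ACCOUNT_GROUP,
        "domainlocal": GROUP_TYPE_RESOURCE_GROUP,
        "universal": GROUP_TYPE_UNIVERSAL_GROUP,
    }[scope]
    bits = scope_bits | (GROUP_TYPE_SECURITY_ENABLED if security_enabled else 0)
    if bits & 0x80000000:
        bits -= 1 << 32          # back to signed 32-bit as LDAP presents it
    return str(bits)


def ucs_type_from_s4(raw_group_type):
    """S4 -> UCS direction: builtin and domain local groups are 'local' on the UCS side."""
    scope, _ = decode_group_type(raw_group_type)
    return "local" if scope in ("builtin", "domainlocal") else scope


def s4_type_for_ucs_group(ucs_type, existing_s4_group_type=None):
    """UCS -> S4 direction, following the rule from comment 1.

    The type is taken from S4 and only on first creation, so an existing S4
    entry keeps its groupType untouched. A group that does not yet exist in S4
    and is 'local' in UCS is created as a global group, because local and
    well-known groups cannot simply be created in S4 at this stage.
    """
    if existing_s4_group_type is not None:
        return str(int(existing_s4_group_type))
    scope = "global" if ucs_type == "local" else ucs_type
    return encode_group_type(scope)


def to_ad_name(name):
    return UCS_TO_AD_NAME.get(name, name)


def to_ucs_name(name):
    return AD_TO_UCS_NAME.get(name, name)


if __name__ == "__main__":
    # Constructed sample of what ldbsearch would show for two Samba 4 groups.
    samples = {"Print Operators": "-2147483643", "Domain Users": "-2147483646"}
    for name, gt in samples.items():
        print(name, "->", to_ucs_name(name), decode_group_type(gt), ucs_type_from_s4(gt))
    print("a new UCS local group goes to S4 as groupType", s4_type_for_ucs_group("local"))
```

The masking step matters in practice: a naive `int(value) & 0x80000000` on the negative decimal string works in Python, but code that compares groupType against unsigned constants without the 32-bit mask will silently misclassify every security-enabled group.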
Local groups are now synchronized between OpenLDAP and S4 if connector/s4/mapping/group/synclocal is set to true (default in 3.2). All other systems need to be migrated manually: Bug #32863. Test case: 52_s4connector/011_sync_local_group_membership
* One minor issue: the uinst script unsets connector/s4/mapping/group/synclocal but Bug 32767 renamed the variable to connector/s4/mapping/group/grouptype.
* Just for future readers of this bug history: As far as I read the code, the local groups can now be synchronized bidirectionally, i.e. also samba4 can be convinced to accept the creation of a local group (which usually has a non-domain SID).
Verified:
* The testcase (adding a UDM member to Printer-Admins) works
* A group created in UDM as "local" is synchronized to Samba4
* Changelog ok
(In reply to Arvid Requate from comment #8)
> * One minor issue: the uinst script unsets
> connector/s4/mapping/group/synclocal but Bug 32767 renamed the variable to
> connector/s4/mapping/group/grouptype.
Fixed.
> * Just for future readers of this bug history: As far as I read the code,
> the local groups can now be synchronized bidirectionally, i.e. also samba4
> can be convinced to accept the creation of a local group (which usually have
> a non-domain-SID).
Yes, but that is only possible in the S4 connector scenario. The AD connector can't create these local groups via the LDAP interface.
Another traceback has been fixed: r45587
I adjusted univention-ad-takeover to map the builtin groups and foreignsecurityPrincipals as well -- untested.
(In reply to Arvid Requate from comment #11)
> I adjusted univention-ad-takeover to map the builtin groups and
> foreignsecurityPrincipals as well -- untested.
Thanks, I've updated the patch (r45659) and my tests were successful.
Ok, univention-ad-takeover of SBS 2008 also worked without rejects.
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html
If this error occurs again, please use "Clone This Bug".
*** Bug 29712 has been marked as a duplicate of this bug. ***
*** Bug 32278 has been marked as a duplicate of this bug. ***