Bug 30115 - dns-<hostname> account should be created via UDM instead of locally in sam.ldb
dns-<hostname> account should be created via UDM instead of locally in sam.ldb
Status: RESOLVED DUPLICATE of bug 47955
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
: P5 enhancement (vote)
: ---
Assigned To: Samba maintainers
Depends on: 34669
Blocks: 31936
  Show dependency treegraph
Reported: 2013-01-22 19:51 CET by Arvid Requate
Modified: 2018-10-11 10:52 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2013-01-22 19:51:57 CET
The workaround for Bug #30105 could be replaced by implementing the recommendation below. If this is bug actually gets fixed, another one should be filed against UCS@school to remove the workaround again.

+++ This bug was initially created as a clone of Bug #30105 +++

In UCS 3.0 the dns-<hostname> account was created in 96univention-samba4.inst
locally in the sam.ldb, before 97libunivention-ldb-modules.inst registered the
LDB module denying local user and group creation. In UCS 3.1 the creation of
the DNS service account was postponed to 98univention-samba4-dns.inst, so the
univention_samaccountname_ldap_check now denies local account creation.

Due to the workaround for Bug 26841 the DNS service account is explicitely
ignored by the S4 Connector (Bug 26861, the corresponding variable is set in
62ucs-school-slave.inst and 62ucs-school-master.inst), so the account only
exists locally in the sam.ldb of the corresponding Slave-PDC.

Note: Bug 26504 shifted the rIDAllocationPool a bit on the Slave-PDCs (to
2100), so there are no immediate collisions with a DC Master
(rIDAllocationPool: 1100-1599) and a DC Backup (rIDAllocationPool: 1600-2099)
in the school headquaters.

The joinscript univention-squid-kerberos/98univention-squid-samba4.inst gives
an example how these service accounts can be created via UDM, probably this
would be a good approach. This would require to take dns-<hostname> from the
connector/s4/mapping/user/ignorelist though.
Comment 1 Arvid Requate univentionstaff 2014-04-28 14:10:56 CEST
Currently we cannot set the servicePrincipalName (SPN) AD/Samba attribute via UDM, see Bug 34669. Maybe it's enough to write the SPN into the attribute userPrincipalName.

We should test if Windows-Clients and samba_dnsupdate and kinit -S "SPN>" would still work with this workaround. For other options see Bug 34669.
Comment 2 Felix Botner univentionstaff 2018-10-11 10:52:21 CEST

*** This bug has been marked as a duplicate of bug 47955 ***