Univention Bugzilla – Bug 30115
dns-<hostname> account should be created via UDM instead of locally in sam.ldb
Last modified: 2018-10-11 10:52:21 CEST
The workaround for Bug #30105 could be replaced by implementing the recommendation below. If this is bug actually gets fixed, another one should be filed against UCS@school to remove the workaround again. +++ This bug was initially created as a clone of Bug #30105 +++ In UCS 3.0 the dns-<hostname> account was created in 96univention-samba4.inst locally in the sam.ldb, before 97libunivention-ldb-modules.inst registered the LDB module denying local user and group creation. In UCS 3.1 the creation of the DNS service account was postponed to 98univention-samba4-dns.inst, so the univention_samaccountname_ldap_check now denies local account creation. Due to the workaround for Bug 26841 the DNS service account is explicitely ignored by the S4 Connector (Bug 26861, the corresponding variable is set in 62ucs-school-slave.inst and 62ucs-school-master.inst), so the account only exists locally in the sam.ldb of the corresponding Slave-PDC. Note: Bug 26504 shifted the rIDAllocationPool a bit on the Slave-PDCs (to 2100), so there are no immediate collisions with a DC Master (rIDAllocationPool: 1100-1599) and a DC Backup (rIDAllocationPool: 1600-2099) in the school headquaters. The joinscript univention-squid-kerberos/98univention-squid-samba4.inst gives an example how these service accounts can be created via UDM, probably this would be a good approach. This would require to take dns-<hostname> from the connector/s4/mapping/user/ignorelist though.
Currently we cannot set the servicePrincipalName (SPN) AD/Samba attribute via UDM, see Bug 34669. Maybe it's enough to write the SPN into the attribute userPrincipalName. We should test if Windows-Clients and samba_dnsupdate and kinit -S "SPN>" would still work with this workaround. For other options see Bug 34669.
*** This bug has been marked as a duplicate of bug 47955 ***