Univention Bugzilla – Bug 31936
Samba4 account creation not blocked on UCS@school master
Last modified: 2023-06-12 15:39:39 CEST
If samba4 is installed manually on an ucs-school-master, Samba4 is not configured to intercept account creation. Yet, the postinst of ucs-school-master configures UDM and S4 Connector in such a way that UDM generates domain SIDs and the S4 Connector writes them into Samba4, in the same way as a singlemaster or ucs-school-slave:

directory/manager/samba3/legacy?yes \
connector/s4/mapping/sid_to_ucs?no \
connector/s4/mapping/sid_to_s4?yes

In this situation Samba4 allocates RIDs (starting about 1100) in concurrence with UDM (starting at about 11000). Thus, the package libunivention-ldb-modules should be installed as well in this case. A UCR variable needs to be set as well beforehand. The full procedure would be

ucr set connector/s4/allow/secondary=yes \
  samba4/ldb/sam/module/prepend="univention_samaccountname_ldap_check" \
  samba/script/addmachine='/usr/share/univention-samba/addmachine.sh "%u"'
univention-install univention-samba4 \
  libunivention-ldb-modules \
  univention-s4-connector

Since this is fairly error prone, I would suggest to adjust ucs-school-master to set the UCR variables and to install libunivention-ldb-modules. The joinscript of libunivention-ldb-modules (or the postinst) would need to be adjusted in such a way that the joinscript does not run automatically unless 96univention-samba4.inst was run successfully. Also univention-management-console-module-selective-udm needs to be adjusted for this case to allow machine account creation without OU.

+++ This bug was initially created as a clone of Bug #31443 +++
I guess samba/script/addmachine is not strictly necessary.
An additional UCR variable is necessary: ucr set samba4/provision/primary=yes (see http://wiki.univention.de/UCS@school_Samba_3_to_Samba_4_Migration#Migration_of_the_UCS.40school_DCs_in_the_central_school_department)
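The comments above spell out which UCR variables and packages must agree on a UCS@school master before Samba4 is added by hand. The following added check (not a Univention tool, and not part of this bug report) parses a `ucr dump`-style snapshot and flags the inconsistent states described here: the variables from the report missing, libunivention-ldb-modules absent while Samba4 is present (so two RID allocators run side by side), or the univention_samaccountname_ldap_check module not prepended. The sample snapshot and package set are constructed.

```python
# Added consistency check (not a Univention tool). Variable and package names
# come from the bug report; the input format mimics `ucr dump` ("key: value").
REQUIRED_S4_MASTER_VARS = {
    "connector/s4/allow/secondary": "yes",
    "samba4/provision/primary": "yes",
    "directory/manager/samba3/legacy": "yes",
    "connector/s4/mapping/sid_to_ucs": "no",
    "connector/s4/mapping/sid_to_s4": "yes",
}
LDB_CHECK_MODULE = "univention_samaccountname_ldap_check"


def parse_ucr_dump(text):
    """Parse 'key: value' lines into a dict; blank and malformed lines are skipped."""
    ucr = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        ucr[key.strip()] = value.strip()
    return ucr


def check_s4_master(ucr, packages):
    """Return findings for a ucs-school-master that also carries univention-samba4.

    An empty list means SID/RID allocation is left to UDM alone and the LDB
    module is in place to block account creation directly in Samba4."""
    findings = []
    if "ucs-school-master" not in packages or "univention-samba4" not in packages:
        return findings  # the constellation from the report is not present
    for key, want in REQUIRED_S4_MASTER_VARS.items():
        got = ucr.get(key)
        if got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    if "libunivention-ldb-modules" not in packages:
        findings.append("libunivention-ldb-modules not installed: Samba4 allocates "
                        "RIDs (from ~1100) concurrently with UDM (from ~11000)")
    if LDB_CHECK_MODULE not in ucr.get("samba4/ldb/sam/module/prepend", ""):
        findings.append(f"{LDB_CHECK_MODULE} not in samba4/ldb/sam/module/prepend")
    return findings


# Constructed snapshot of a master where univention-samba4 was installed by hand.
SAMPLE_DUMP = """\
connector/s4/allow/secondary: yes
connector/s4/mapping/sid_to_s4: yes
connector/s4/mapping/sid_to_ucs: no
directory/manager/samba3/legacy: yes
"""
SAMPLE_PACKAGES = {"ucs-school-master", "univention-samba4", "univention-s4-connector"}

if __name__ == "__main__":
    for finding in check_s4_master(parse_ucr_dump(SAMPLE_DUMP), SAMPLE_PACKAGES):
        print("FINDING:", finding)
```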
Something is still missing in this: After performing all the steps above, the _kerberos._tcp record is not synchronized to Samba4 on the UCS@school DC Master. This is probably due to the connector/s4/mapping/dns/srv_record/_kerberos._tcp.$domainname/location?"ignore" settings made by 62ucs-school-master.inst. I'm not quite sure why these are necessary. At least the _kerberos._tcp record looks fine in OpenLDAP, only the master is listed there. This setting was introduced by Bug 27395 Comment 6. So, right now I don't see a straightforward way to manually "post"-install univention-s4-connector (+ univention-samba4) on a ucs-school-master. Probably I'm missing some crucial detail, as this should obviously have been noticed earlier, e.g. in the case of migration of a ucs-school-master from Samba3 to Samba4.
@Arvid: please test what the impact would be and how much effort would be required to "repair" an affected system afterwards.
(copy of bug 30131 comment #7)

> As discussed I checked this again: It's not critical and enough to document
> it.
>
> Details:
> ============================================================================
> root@master60:~# univention-install univention-s4-connector
> [...]
> root@master60:~# univention-check-join-status
> Warning: 'univention-samba4' is not configured.
> Warning: 'univention-samba4-dns' is not configured.
> Error: Not all install files configured: 2 missing
> root@master60:~# univention-run-join-scripts
> [...]
> Running 92univention-management-console-web-server.inst skipped (already executed)
> Running 96univention-samba4.inst failed (exitcode: 1)
> Running 97univention-s4-connector.inst skipped (already executed)
> Running 98univention-pkgdb-tools.inst skipped (already executed)
> Running 98univention-samba4-dns.inst failed (exitcode: 1)
>
> root@master60:~# univention-run-join-scripts --ask-pass
> [...]
> Running 96univention-samba4.inst failed (exitcode: 1)
> Running 97univention-s4-connector.inst skipped (already executed)
> Running 98univention-pkgdb-tools.inst skipped (already executed)
> Running 98univention-samba4-dns.inst failed (exitcode: 1)
> ============================================================================
>
>
> join.log shows the reason:
> ============================================================================
> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ldb_request: Entry already exists (68)> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 628, in run
>     keep_existing=keep_existing)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1177, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1080, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 543, in join_add_objects
>     ctx.samdb.add(rec)
> checking sAMAccountName
> Adding CN=MASTER60,OU=Domain Controllers,DC=ar41i2,DC=local
> Join failed - cleaning up
> ============================================================================
>
> And this is because the UCS@school Slave PDC has the
> univention_samaccountname_ldap_check LDB module active.
Since the LDB module (in its current implementation) blocks creation of user accounts directly in Samba, I would suggest to fix Bug 30115 before enabling it everywhere. Alternatively the LDB module could be modified to support user creation via UMC call, just like it is done for machine accounts. But the effort to implement that would be higher, I guess.
This issue has been filed against UCS@school 4.1 (R2). The maintenance with bug and security fixes for UCS@school 4.1 (R2) ended on the 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3 (or later). Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.