Bug 33677 - Samba doesn't generate proper SIDs on Memberservers in Single-Master setup
Product: UCS@school
Classification: Unclassified
Component: Samba
UCS@school 3.2
Other Linux
: P5 normal (vote)
: UCS@school 3.2 R2
Assigned To: Arvid Requate
Stefan Gohmann
Reported: 2013-12-06 09:38 CET by Jan Christoph Ebersbach
Modified: 2014-10-06 16:05 CEST
Description Jan Christoph Ebersbach univentionstaff 2013-12-06 09:38:06 CET
I joined an additional Memberserver into an existing Single-Master domain. The Memberserver doesn't belong to any of the school-specific groups, e.g. OUxxx-Memberserver-Edukativnetz, but is positioned in cn=computers,$(ucr get ldap/base). No problems occurred at the point of joining the machine and operating it.

One big issue I ran into was the creation of LDAP objects on the Memberserver.  These objects receive a SID that doesn't belong to the domain, i.e. S-1-4-5128, instead of S-1-5-*.  Creating the same object on the Master doesn't cause any issues.

The problem is caused by the UCR variable directory/manager/samba3/legacy which is set to "yes" on the Master and is <empty> on the Memberserver.  Setting it to "yes" on the Memberserver solves the problem.
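
An audit for the symptom described in the report above, as an added example that is not part of the original bug report or of UCS: it reads `sambaSID` values from an LDIF export and flags any SID outside `S-1-5-*`, plus any `S-1-5-21-*` SID that does not carry the expected domain prefix. The domain SID, DNs and LDIF content are constructed sample values, and the function names are hypothetical.

```python
import re

# SID string form: S-<revision>-<identifier authority>-<sub-authority>...
SID_RE = re.compile(r"^S-1-(\d+)(?:-\d+)+$")

def parse_ldif(text):
    """Yield (dn, sid) pairs from unfolded, non-base64 LDIF text."""
    dn = None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif dn and line.lower().startswith("sambasid: "):
            yield dn, line.split(":", 1)[1].strip()

def classify(sid, domain_sid):
    """Return 'ok', 'non-nt-authority', 'other-domain' or 'malformed'."""
    m = SID_RE.match(sid)
    if not m:
        return "malformed"
    if m.group(1) != "5":
        return "non-nt-authority"   # e.g. the S-1-4-5128 from the report
    in_domain = sid == domain_sid or sid.startswith(domain_sid + "-")
    if sid.startswith("S-1-5-21-") and not in_domain:
        return "other-domain"
    return "ok"                     # domain SIDs and well-known S-1-5-* SIDs

def audit(text, domain_sid):
    """Return [(dn, sid, verdict)] for every SID that is not 'ok'."""
    return [(dn, sid, v) for dn, sid in parse_ldif(text)
            if (v := classify(sid, domain_sid)) != "ok"]

# Constructed sample data; the domain SID and DNs are hypothetical.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=test
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1105

dn: cn=testgroup,cn=groups,dc=example,dc=test
sambaSID: S-1-4-5128

dn: cn=Administrators,cn=Builtin,dc=example,dc=test
sambaSID: S-1-5-32-544

dn: uid=bob,cn=users,dc=example,dc=test
sambaSID: S-1-5-21-9-9-9-1106
"""

if __name__ == "__main__":
    for dn, sid, verdict in audit(SAMPLE_LDIF, DOMAIN_SID):
        print(f"{verdict:18} {sid:22} {dn}")
```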
Comment 1 Arvid Requate univentionstaff 2013-12-06 10:30:52 CET
Either we create a meta-package also for UCS@school member servers or we should set a UCR policy.
Comment 2 Stefan Gohmann univentionstaff 2013-12-17 07:34:55 CET
Could we simply copy the UCR variable from the master while joining the memberserver? I think it would work for most scenarios.
Comment 3 Arvid Requate univentionstaff 2014-05-13 14:01:38 CEST
ucs-school-master and ucs-school-singlemaster now set a UCR policy "ucsschool-samba4" and reference it at the ldap/base. This is a more generic extension of the local UCR config already implemented via the ucs-school-metapackage postinst scripts (see Bug 26034).

During joins the policy is evaluated by 20univention-directory-policy.inst, no accounts are created locally.

Changelog adjusted.
Comment 4 Stefan Gohmann univentionstaff 2014-05-16 11:14:38 CEST
I've added two test cases: r50333

Waiting for jenkins results.
Comment 5 Stefan Gohmann univentionstaff 2014-05-16 11:32:55 CEST
You are adding a new UCR policy to the base. This does not work if there is already a UCR policy at the base. I think you have to modify the UCR policy if it exists.
Comment 6 Arvid Requate univentionstaff 2014-05-19 19:42:50 CEST
Ok, fixed. The scripts now first check for UCR policies assigned to the ldap/base. If several are found, a warning is issued. If one of the existing registered UCR policies already sets the UCR variable, then that one is modified to set the value as desired. Otherwise the first registered UCR policy is amended. If no UCR policy is found registered at ldap/base, then a new one is created and assigned.
Comment 7 Stefan Gohmann univentionstaff 2014-05-20 06:58:24 CEST
OK, it works like expected. An existing policy is updated or a new policy is created.

Changelog: OK.
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2014-06-12 09:19:27 CEST
UCS@school 3.2 R2 has been released:

If this error occurs again, please use "Clone This Bug".