Univention Bugzilla – Bug 36821
S3->S4 inplace migration: AD Builtin groups not synchronized to OpenLDAP
Last modified: 2019-01-03 07:16:18 CET
The S3->S4 in-place migration instructions do not mention ucr set connector/s4/mapping/group/grouptype=true. That may be the reason for this idmapping issue apparent in the sysvol ACLs after migration:

===========================================================================
root@master80:~# ls -la /var/lib/samba/sysvol/ar40s3.qa/
insgesamt 32
drwxrwx---+ 4 Administrator 3000000 4096 Nov 18 15:40 .
drwxrwx---+ 3 Administrator 3000000 4096 Nov 18 15:40 ..
drwxrwx---+ 4 Administrator 3000000 4096 Nov 18 15:40 Policies
drwxrwx---+ 2 Administrator 3000000 4096 Nov 18 15:40 scripts
root@master80:~# ldbsearch -H /var/lib/samba/private/idmap.ldb xidnumber=3000000
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# returned 1 records
# 1 entries
# 0 referrals
root@master80:~# univention-ldapsearch -x sambasid=S-1-5-32-544
# extended LDIF
#
# LDAPv3
# base <dc=ar40s3,dc=qa> (default) with scope subtree
# filter: sambasid=S-1-5-32-544
# requesting: ALL
#

# search result
search: 3
result: 0 Success
===========================================================================
There are more:

===================================================================
root@master80:~# ldbsearch -H /var/lib/samba/private/idmap.ldb xidnumber=300*
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000009
distinguishedName: CN=CONFIG

# record 2
dn: CN=S-1-5-32-554
cn: S-1-5-32-554
objectClass: sidMap
objectSid: S-1-5-32-554
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-32-554

# record 3
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000006
distinguishedName: CN=S-1-5-32-545

# record 4
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# record 5
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549

# record 6
dn: CN=S-1-5-32-546
cn: S-1-5-32-546
objectClass: sidMap
objectSid: S-1-5-32-546
type: ID_TYPE_BOTH
xidNumber: 3000007
distinguishedName: CN=S-1-5-32-546

# returned 6 records
# 6 entries
# 0 referrals
===================================================================
GPO management and evaluation worked nonetheless. The ownership of the actual GPO directories looks ok:

root@master80:~# ls -la /var/lib/samba/sysvol/ar40s3.qa/Policies/
insgesamt 40
drwxrwx---+ 5 Administrator 3000000 4096 Nov 18 15:02 .
drwxrwx---+ 4 Administrator 3000000 4096 Nov 18 14:54 ..
drwxrwx---+ 4 root Domain Admins 4096 Nov 18 15:02 {1C2047A6-BBAD-4997-8013-CDA1C6480AAB}
drwxrwx---+ 4 Administrator Domain Admins 4096 Nov 18 14:54 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 Administrator Domain Admins 4096 Nov 18 14:54 {6AC1786C-016F-11D2-945F-00C04FB984F9}
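As an added example (not part of the bug report and not Univention or Samba code), the following script ties the three checks from the report together: it picks the raw numeric group IDs out of an ls -l listing of sysvol, maps each one to a SID through the idmap.ldb LDIF that ldbsearch prints, and reports those whose SID has no object with that sambaSID in OpenLDAP. The listing and LDIF below are a subset of what the report quotes; OPENLDAP_SIDS is a constructed stand-in for the result of a univention-ldapsearch over sambaSID, and the SID in it is a placeholder.

```python
"""Cross-check idmap.ldb xidNumbers seen in sysvol ACLs against OpenLDAP.

Added example, not Univention or Samba code. All inputs are embedded so the
script runs offline: SYSVOL_LS and IDMAP_LDIF are a subset of the output
quoted in the bug report, OPENLDAP_SIDS is a constructed stand-in for the
SIDs that `univention-ldapsearch -x sambaSID` would return.
"""

# Two lines from the `ls -la` output in the report: one with an unresolved
# numeric gid, one whose group name resolved normally.
SYSVOL_LS = """\
drwxrwx---+ 4 Administrator 3000000 4096 Nov 18 15:40 .
drwxrwx---+ 4 root Domain Admins 4096 Nov 18 15:02 {1C2047A6-BBAD-4997-8013-CDA1C6480AAB}
"""

# Subset of `ldbsearch -H /var/lib/samba/private/idmap.ldb` records from the report.
IDMAP_LDIF = """\
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000009
distinguishedName: CN=CONFIG

# record 2
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000006
distinguishedName: CN=S-1-5-32-545

# record 3
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
"""

# Constructed: the report's search for S-1-5-32-544 returned nothing, so no
# builtin SID is present here; the single entry is a placeholder, not a real SID.
OPENLDAP_SIDS = {"S-1-5-21-PLACEHOLDER-513"}


def parse_ldif(text):
    """Split LDIF into records ({attr: [values]}); comment lines are skipped."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():          # a blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def sid_mappings(records):
    """{xidNumber: objectSid} for sidMap records; the CN=CONFIG record is skipped."""
    return {int(r["xidNumber"][0]): r["objectSid"][0]
            for r in records if "sidMap" in r.get("objectClass", [])}


def numeric_groups(ls_output):
    """Group fields in `ls -l` lines that are still raw numbers, i.e. ids NSS
    could not turn into a name. A group literally named with digits would be a
    false positive here; the idmap lookup in diagnose() disambiguates it."""
    found = set()
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[3].isdigit():
            found.add(int(parts[3]))
    return found


def diagnose(ls_output, idmap_ldif, openldap_sids):
    """Map each unresolved gid to its SID (None if idmap.ldb has no entry) and
    keep only those whose SID is absent from OpenLDAP."""
    mapping = sid_mappings(parse_ldif(idmap_ldif))
    result = {}
    for gid in sorted(numeric_groups(ls_output)):
        sid = mapping.get(gid)
        if sid is None or sid not in openldap_sids:
            result[gid] = sid
    return result


if __name__ == "__main__":
    for gid, sid in diagnose(SYSVOL_LS, IDMAP_LDIF, OPENLDAP_SIDS).items():
        print(f"gid {gid} -> {sid or 'not in idmap.ldb'}: no OpenLDAP object with this sambaSID")
```

On a real host the three constants would be replaced by the output of the same commands run there; the parser only relies on the attr: value layout of LDIF and on the group column of ls -l.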
We noticed that behaviour in our test environment. We struggle migrating a samba3 slave to samba4. In our case, the username is affected, not the group. See also: https://help.univention.com/t/idmap-in-samba3-samba4-environment/7360
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 ended on 31st of May 2016. Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.