Univention Bugzilla – Bug 37572
ucs-test: UCS4.0 Windows Client SIDs not synchronized to OpenLDAP
Last modified: 2018-04-14 14:15:06 CEST
We should have a ucs-test case to automatically check that the sambaSID of domain user and computer objects in OpenLDAP is a domain SID (and not a UCS specific temporal one, starting with a S-1-4- prefix). The main use case of this test is checking the sambaSID of a computer/windows object generated automatically during the join of a native Windows system into a Samba/AD domain. +++ This bug was initially created as a clone of Bug #36570 +++ After updating the cloud formation demo setup for AD-Takeover to UCS 4.0 the AD-Takover seems to leave the OpenLDAP-SIDs of the pre-joined Windows-AD-Clients in non-synchronized state: root@ucs-master:~# univention-ldapsearch -x cn=W2K8-CLIENT sambasid # W2K8-CLIENT, computers, ucscompany.com dn: cn=W2K8-CLIENT,cn=computers,dc=ucscompany,dc=com sambaSID: S-1-4-2026 root@ucs-master:~# univention-s4search cn=W2K8-CLIENT objectsid # record 1 dn: CN=W2K8-CLIENT,CN=Computers,DC=ucscompany,DC=com objectSid: S-1-5-21-3579140493-3034593125-3661895607-1125 A quick look at the connector-s4.log shows no tracebacks, there are no rejects and the connector is running. The SID in OpenLDAP is one of the UDM-generated temporary SIDs. No clue yet why the S4 Connector didn't sync the S4 SIDs over to UDM (or why UDM ignored them?)
(In reply to Arvid Requate from comment #0) > We should have a ucs-test case to automatically check that the sambaSID of > domain user and computer objects in OpenLDAP is a domain SID (and not a UCS > specific temporal one, starting with a S-1-4- prefix). > > The main use case of this test is checking the sambaSID of a > computer/windows object generated automatically during the join of a native > Windows system into a Samba/AD domain. Test currently disabled as Bug #36570 is not yet fixed. Tagged "native_win_client" that is run by the 'autotest-230-master-s4-w2k12-member-join.cfg' template. r58571: * 51_samba4/57check_windows_sid: check a native Windows host SIDs (Bug #37572). r58573: * Moved 51_samba4/57check_windows_sid to 52_s4connector/400check_windows_sid (Bug #37572). As for users there are several checks exist in UCS@School: like tests 60_samba_sid_user and 96_samba4_sid_allocation. If we want to run similar tests there is a question if we should create a user from the Windows host (via powershell) or just via UDM on the UCS DC?
> As for users there are several checks exist in UCS@School: like tests > 60_samba_sid_user and 96_samba4_sid_allocation. Yes, in UCS@school the S4-Connector (and UDM) are configured differently and UDM generates the SIDs. In normal UCS Samba assigns the SIDs and UDM just assigns temporary ones when it is asked to create a Samba account. That's why we need this separate test. > If we want to run similar tests there is a question if we should create a user > from the Windows host (via powershell) or just via UDM on the UCS DC? This test should check "the sambaSID of a computer/windows object generated automatically during the join of a native Windows system into a Samba/AD domain". So, I guess it would be a good idea to make the test just check existing windows clients. Then it is useful in all test setups, especially those Jenkins jobs where a native Windows client has been joined.
(In reply to Arvid Requate from comment #2) > So, I guess it would be a good idea to make the test just check existing > windows clients. Then it is useful in all test setups, especially those > Jenkins jobs where a native Windows client has been joined. r59501: * 52_s4connector/400check_windows_sid: perform lookup for windows hostname; also tagged as 'basic' (Bug #37572).
Ok, now the original Bug #36570 seems to be reproduced. In a new jenkins configuration for DC-Slave: http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-1/job/Autotest%20MultiEnv/80/SambaVersion=s4,Systemrolle=slave/testReport/junit/52_s4connector/400check_windows_sid/test/ [2015-04-23 21:08:17.673078]The Windows Host sambaSID in 'OpenLDAP' is 'S-1-4-2010' (2015-04-23 21:08:17.675275)error The sambaSID of the Windows 'IP-0AD2AB4F' has a UCS temorary prefix.
(In reply to Dmitry Galkin from comment #4) For now the test is disabled: r60393: * 52_s4connector/400check_windows_sid: disabled (Bug #37572 #36570). Don't know how it could matter, but the issue is reproduced with Windows 2012 Standard DE that is used in Jenkins autotest-095-slave-s4.cfg. The connector log on DC-Master there says that sync happens: 05.05.2015 05:51:09,405 LDAP (PROCESS): sync to ucs: [windowscomputer] [ add] cn=IP-0AD21689,cn=computers,dc=autotest095,dc=local 05.05.2015 05:51:11,59 LDAP (PROCESS): sync to ucs: [ dns] [ add] DC=@,dc=autotest095.local,cn=dns,dc=autotest095,dc=local 05.05.2015 05:51:11,93 LDAP (PROCESS): sync to ucs: [ dns] [ add] DC=IP-0AD21689,dc=autotest095.local,cn=dns,dc=autotest095,dc=local 05.05.2015 05:51:17,239 LDAP (PROCESS): sync from ucs: [windowscomputer] [ add] cn=ip-0ad21689,cn=computers,DC=autotest095,DC=local 05.05.2015 05:51:17,267 LDAP (PROCESS): sync from ucs: [windowscomputer] [ modify] cn=ip-0ad21689,cn=computers,DC=autotest095,DC=local 05.05.2015 05:51:17,273 LDAP (PROCESS): sync from ucs: [windowscomputer] [ modify] cn=ip-0ad21689,cn=computers,DC=autotest095,DC=local 05.05.2015 05:51:17,290 LDAP (PROCESS): sync from ucs: [ dns] [ add] relativeDomainName=IP-0AD21689,zonename=autotest095.local,cn=microsoftdns,cn=system,DC=autotest095,DC=local 05.05.2015 05:51:18,407 LDAP (PROCESS): sync to ucs: [windowscomputer] [ modify] cn=ip-0ad21689,cn=computers,dc=autotest095,dc=local 05.05.2015 05:51:18,444 LDAP (PROCESS): sync to ucs: [ dns] [ add] DC=IP-0AD21689,dc=autotest095.local,cn=dns,dc=autotest095,dc=local However, checking the SID in S4: root@master095:~/tests/52_s4connector# univention-s4search CN=IP-0AD21689 objectSid # record 1 dn: CN=IP-0AD21689,CN=Computers,DC=autotest095,DC=local objectSid: S-1-5-21-1570097528-580915931-1247429348-1112 and in: root@master095:~/tests/52_s4connector# univention-ldapsearch cn=IP-0AD21689 SambaSID # IP-0AD21689, computers, autotest095.local dn: cn=IP-0AD21689,cn=computers,dc=autotest095,dc=local sambaSID: S-1-4-2010 In my, similar environment but with Windows 2012 " R2 " Standard DE in domain it works: root@master230:/var/log/univention# univention-s4search CN=WIN2K12230 objectSid objectSid: S-1-5-21-2709616565-2978592766-4007743964-1111 root@master230:/var/log/univention# univention-ldapsearch cn=WIN2K12230 SambaSID sambaSID: S-1-5-21-2709616565-2978592766-4007743964-1111 If I understand correctly, the Windows version should not matter anyhow..