Univention Bugzilla – Bug 38238
add check well known rid users/groups integrity check (samba4)
Last modified: 2017-09-20 15:03:42 CEST
e.g.,

* check the existence of all well_known_sids and well_known_domain_rids from base/univention-lib/python/s4.py
* ...
Created attachment 8911: 38238-diagnostic-well-known-sid-420.patch

This implements two checks for systems running the S4-Connector:

1) Check if all SIDs from `univention.lib.s4.well_known_{sids, domain_rids}` exist in OpenLDAP [1].
2) Check if the user/group found has the correct name (according to the dictionaries in `univention.lib.s4` and with consideration of `connector/s4/mapping/group/table/*`).

The name comparison is lower-case as two names in the dictionaries have different cases than in the Samba-LDAP [2].

[1]: except for those specified in `NON_EXISTENT_SIDS` as those don't exist in a vanilla UCS 4.2.
[2]: 'Enterprise Read-only Domain Controllers' and 'KRBTGT'
Committed in r81617 - r81619 (advisory r81649).
In my test this worked:

    No user or group with SID S-1-5-21-2660895256-1678062113-3852026326-501 found, expected 'Guest'.

Now I would like the check to tell me if 'Guest' actually has a different SID (otherwise the object could just be missing, which might be ok). To find that out, it's crucial to look for the correct (localized) group name: The translation of the "well known" users and groups is done via UCR variables:

    users/default/administrator=SomethingElse
    groups/default/domainadmins="Other Group"

These variables are automatically set by the /usr/lib/univention-directory-listener/system/well-known-sid-name-mapping.py listener module in case a user or group object with a "well known" SID gets renamed. We need this e.g. for AD-Takeover of French Active Directories.

The library module univention-lib/python/misc.py has "custom_username" and "custom_groupname" functions to translate "standard" names into customized names. That's a bit awkward for this case, because the check now has to "know" that "Guest" is a user, e.g., and not a group. Maybe we should store a table like that in univention-lib at some point, but to me it's ok to put it locally into the test for now (if required). As you like.

AFAIK the connector/s4/mapping/group/table is not relevant for this (maybe it's required for the S4-Connector, but probably not for the check).
(In reply to Arvid Requate from comment #3)
> Now I would like the check to tell me, if 'Guest' actually has a different
> SID (otherwise the object could just be missing, which might be ok). To find
> that out, it's crucial to look for the correct (localized) group name:

Fixed. If no user/group with the expected SID is found, an object with the corresponding (possibly mapped) name is searched for. If one with a SID is found, a SID-mismatch is reported:

4.2-1: r82624, YAML: r82626
4.2-2: r82633, YAML: r82635
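The check as described in the attachment comment and refined in the reply above (search by SID; on a miss, search by the possibly renamed name; report a SID mismatch when the name exists under another SID), modelled in an added Python example. This is not the Univention patch itself: the real check reads `univention.lib.s4` and OpenLDAP, whereas the RID table, the UCR-style rename mapping, the `skip_rids` stand-in for `NON_EXISTENT_SIDS` and the directory contents below are constructed sample data.

```python
# Added example, not the Univention patch: a minimal in-memory model of the
# well-known-RID integrity check discussed in this bug. All tables and
# directory entries below are constructed sample data.

# Constructed subset of the well-known-RID table (RID -> default name).
# The real data lives in univention.lib.s4.well_known_domain_rids.
WELL_KNOWN_DOMAIN_RIDS = {
    "500": "Administrator",
    "501": "Guest",
    "502": "KRBTGT",
    "512": "Domain Admins",
    "513": "Domain Users",
}

# Constructed stand-in for the UCR variables named in comment #3
# (users/default/administrator, groups/default/domainadmins, ...):
# default name -> customized (localized) name.
CUSTOM_NAMES = {
    "Administrator": "Administrateur",
    "Domain Admins": "Admins du domaine",
}


def custom_name(default_name):
    """Apply the rename mapping, like custom_username/custom_groupname do."""
    return CUSTOM_NAMES.get(default_name, default_name)


def check_well_known_rids(domain_sid, directory, table=WELL_KNOWN_DOMAIN_RIDS,
                          skip_rids=("502",)):
    """Return a list of (rid, status, detail) tuples.

    directory: list of dicts with 'name' and 'sid' keys, a constructed
    stand-in for the objects an LDAP search would return.
    status: 'ok', 'missing', 'wrong_name' or 'sid_mismatch'.
    skip_rids models NON_EXISTENT_SIDS from the patch: objects a vanilla
    UCS does not create, so their absence is not an error.
    """
    by_sid = {obj["sid"]: obj for obj in directory}
    by_lower_name = {obj["name"].lower(): obj for obj in directory}
    findings = []
    for rid, default_name in sorted(table.items()):
        expected_sid = "%s-%s" % (domain_sid, rid)
        expected_name = custom_name(default_name)
        obj = by_sid.get(expected_sid)
        if obj is not None:
            # Lower-case comparison, as in the patch: two table entries differ
            # only in case from what Samba's LDAP stores.
            if obj["name"].lower() == expected_name.lower():
                findings.append((rid, "ok", obj["name"]))
            else:
                findings.append((rid, "wrong_name",
                                 "found %r, expected %r" % (obj["name"], expected_name)))
            continue
        # No object with that SID: look for the (possibly renamed) name instead,
        # so a renamed object with the wrong SID is distinguishable from a
        # missing one.
        named = by_lower_name.get(expected_name.lower())
        if named is not None:
            findings.append((rid, "sid_mismatch",
                             "%r has SID %s, expected %s" % (named["name"], named["sid"], expected_sid)))
        elif rid in skip_rids:
            findings.append((rid, "ok", "absent, but not expected in a vanilla UCS"))
        else:
            findings.append((rid, "missing",
                             "no user or group with SID %s found, expected %r" % (expected_sid, expected_name)))
    return findings


# Constructed sample directory; the domain SID is the one quoted in comment #3.
SAMPLE_DOMAIN_SID = "S-1-5-21-2660895256-1678062113-3852026326"
SAMPLE_DIRECTORY = [
    {"name": "Administrateur", "sid": SAMPLE_DOMAIN_SID + "-500"},     # renamed, correct SID
    {"name": "Guest", "sid": SAMPLE_DOMAIN_SID + "-1105"},             # right name, wrong SID
    {"name": "Admins du domaine", "sid": SAMPLE_DOMAIN_SID + "-512"},  # renamed, correct SID
    {"name": "domain users", "sid": SAMPLE_DOMAIN_SID + "-513"},       # differs only in case
]

if __name__ == "__main__":
    for rid, status, detail in check_well_known_rids(SAMPLE_DOMAIN_SID, SAMPLE_DIRECTORY):
        print(rid, status, detail)
```

Running the block reports RID 501 as a SID mismatch rather than as missing, which is exactly the distinction comment #3 asks for; RID 502 (KRBTGT) is accepted as absent because it sits in the constructed `skip_rids` set.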
Nice, works.
<http://errata.software-univention.de/ucs/4.2/166.html>