Bug 38238 - add check well known rid users/groups integrity check (samba4)
add check well known rid users/groups integrity check (samba4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Lukas Oyen
Arvid Requate
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-04-13 10:00 CEST by Felix Botner
Modified: 2017-09-20 15:03 CEST (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
oyen: Patch_Available+


Attachments
38238-diagnostic-well-known-sid-420.patch (9.92 KB, patch)
2017-06-12 14:05 CEST, Lukas Oyen
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2015-04-13 10:00:32 CEST
e.g., 
 
* check the existents of all well_known_sids and well_known_domain_rids from base/univention-lib/python/s4.py
* ...
Comment 1 Lukas Oyen univentionstaff 2017-06-12 14:05:02 CEST
Created attachment 8911 [details]
38238-diagnostic-well-known-sid-420.patch

This implements two checks for systems running the S4-Connector:

1) Check if all SIDs from `univention.lib.s4.well_known_{sids, domain_rids}` exist in OpenLDAP [1].
2) Check if the user/group found has the correct name (according to the dictionaries in `univention.lib.s4` and with consideration of `connector/s4/mapping/group/table/*`. The name comparison is lower-case as two names in the dictionaries have different cases than in the Samba-LDAP [2].

[1]: except for those specified in `NON_EXISTENT_SIDS` as those don't exist in a vanilla UCS 4.2.
[2]:  'Enterprise Read-only Domain Controllers' and 'KRBTGT'
Comment 2 Lukas Oyen univentionstaff 2017-08-01 16:29:35 CEST
Committed in r81617 - r81619 (advisory r81649).
Comment 3 Arvid Requate univentionstaff 2017-08-24 23:10:22 CEST
In my test this worked:

No user or group with SID S-1-5-21-2660895256-1678062113-3852026326-501 found, expected 'Guest'.

Now I would like the check to tell me, if 'Guest' actually has a different SID (otherwise the object could just be missing, which might be ok). To find that out, it's crucial to look for the correct (localized) group name:


The translation of the "well known" users and groups is done via UCR variables:

users/default/administrator=SomethingElse
groups/default/domainadmins="Other Group"

These Variables are automatically set by the /usr/lib/univention-directory-listener/system/well-known-sid-name-mapping.py Listner module in case a user or group object with a "well known" SID get's renamed. We need this e.g. for AD-Takeover of french Active Directories.


The library module univention-lib/python/misc.py has "custom_username" and "custom_groupname" functions to translate "standard" names into customized names. That's a bit awkward for this case, because the check now has to "know" that "Guest" is a user, e.g., and not a group. Maybe we should store a table like that in univention-lib at some point, but to me it's ok to put it locally into the test for now (if required). As you like.

AFAIK the connector/s4/mapping/group/table is not relevant for this (maybe it's required for the S4-Connector, but probably not for the check).
Comment 4 Lukas Oyen univentionstaff 2017-09-04 15:55:05 CEST
(In reply to Arvid Requate from comment #3)
> Now I would like the check to tell me, if 'Guest' actually has a different
> SID (otherwise the object could just be missing, which might be ok). To find
> that out, it's crucial to look for the correct (localized) group name:

Fixed. If no user/group with the expected SID is found, an object with the corresponding (possibly mapped) name is searched. If one with a SID is found a SID-mismatch is found:

4.2-1: r82624, YAML: r82626
4.2-2: r82633, YAML: r82635
Comment 5 Arvid Requate univentionstaff 2017-09-07 17:09:30 CEST
Nice, works.
Comment 6 Erik Damrose univentionstaff 2017-09-20 15:03:42 CEST
<http://errata.software-univention.de/ucs/4.2/166.html>