Bug 38238 - add check well known rid users/groups integrity check (samba4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
Version: UCS 4.0
Platform: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-2-errata
Assigned To: Lukas Oyen
QA Contact: Arvid Requate
Reported: 2015-04-13 10:00 CEST by Felix Botner
Modified: 2017-09-20 15:03 CEST (History)

oyen: Patch_Available+


Attachments
38238-diagnostic-well-known-sid-420.patch (9.92 KB, patch)
2017-06-12 14:05 CEST, Lukas Oyen
Description Felix Botner univentionstaff 2015-04-13 10:00:32 CEST
e.g.,

* check the existence of all well_known_sids and well_known_domain_rids from base/univention-lib/python/s4.py
* ...
Comment 1 Lukas Oyen univentionstaff 2017-06-12 14:05:02 CEST
Created attachment 8911 [details]
38238-diagnostic-well-known-sid-420.patch

This implements two checks for systems running the S4-Connector:

1) Check if all SIDs from `univention.lib.s4.well_known_{sids, domain_rids}` exist in OpenLDAP [1].
2) Check if the user/group found has the correct name (according to the dictionaries in `univention.lib.s4` and with consideration of `connector/s4/mapping/group/table/*`). The name comparison is lower-case as two names in the dictionaries have different cases than in the Samba-LDAP [2].

[1]: except for those specified in `NON_EXISTENT_SIDS` as those don't exist in a vanilla UCS 4.2.
[2]: 'Enterprise Read-only Domain Controllers' and 'KRBTGT'
Comment 2 Lukas Oyen univentionstaff 2017-08-01 16:29:35 CEST
Committed in r81617 - r81619 (advisory r81649).
Comment 3 Arvid Requate univentionstaff 2017-08-24 23:10:22 CEST
In my test this worked:

No user or group with SID S-1-5-21-2660895256-1678062113-3852026326-501 found, expected 'Guest'.

Now I would like the check to tell me, if 'Guest' actually has a different SID (otherwise the object could just be missing, which might be ok). To find that out, it's crucial to look for the correct (localized) group name:


The translation of the "well known" users and groups is done via UCR variables:

users/default/administrator=SomethingElse
groups/default/domainadmins="Other Group"

These variables are automatically set by the /usr/lib/univention-directory-listener/system/well-known-sid-name-mapping.py listener module in case a user or group object with a "well known" SID gets renamed. We need this e.g. for AD-Takeover of French Active Directories.


The library module univention-lib/python/misc.py has "custom_username" and "custom_groupname" functions to translate "standard" names into customized names. That's a bit awkward for this case, because the check now has to "know" that "Guest" is a user, e.g., and not a group. Maybe we should store a table like that in univention-lib at some point, but to me it's ok to put it locally into the test for now (if required). As you like.

AFAIK the connector/s4/mapping/group/table is not relevant for this (maybe it's required for the S4-Connector, but probably not for the check).
Comment 4 Lukas Oyen univentionstaff 2017-09-04 15:55:05 CEST
(In reply to Arvid Requate from comment #3)
> Now I would like the check to tell me, if 'Guest' actually has a different
> SID (otherwise the object could just be missing, which might be ok). To find
> that out, it's crucial to look for the correct (localized) group name:

Fixed. If no user/group with the expected SID is found, an object with the corresponding (possibly mapped) name is searched. If one with a SID is found, a SID-mismatch is found:

4.2-1: r82624, YAML: r82626
4.2-2: r82633, YAML: r82635
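The check logic that comments 1, 3 and 4 describe (expected SID present; name compared lower-case after applying the customized name mapping; if the SID is absent, search by name and report a SID mismatch instead of a missing object) can be illustrated with a small stand-alone model. The following is an added example, not the patch attached to this bug or any code from univention-lib: the directory snapshot is a constructed `{sid: name}` dictionary standing in for an LDAP search, the `NAME_MAPPING` dictionary is a stand-in for the UCR variables `users/default/*` and `groups/default/*` that `custom_username`/`custom_groupname` evaluate, the well-known RID/SID tables are a hand-picked subset of the Windows defaults rather than the full `univention.lib.s4` dictionaries, and the domain SID is the one quoted in comment 3.

```python
"""Illustrative model of the well-known SID/RID integrity check discussed in this bug."""
from typing import Dict, Iterable, Iterator, List, NamedTuple, Optional, Tuple

# Constructed subset of the Windows well-known domain RIDs and builtin SIDs.
# The real UCS tables are univention.lib.s4.well_known_domain_rids / well_known_sids.
WELL_KNOWN_DOMAIN_RIDS: Dict[str, str] = {
    "500": "Administrator",
    "501": "Guest",
    "502": "KRBTGT",
    "512": "Domain Admins",
    "513": "Domain Users",
    "498": "Enterprise Read-only Domain Controllers",
}
WELL_KNOWN_SIDS: Dict[str, str] = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}

# Stand-in for the UCR name mapping (users/default/*, groups/default/*): default name -> customized name.
NAME_MAPPING: Dict[str, str] = {
    "Administrator": "Administrateur",
    "Domain Admins": "Admins du domaine",
}

# SIDs that do not exist in a vanilla installation and are therefore skipped (cf. NON_EXISTENT_SIDS in comment 1).
NON_EXISTENT_SIDS = frozenset({"S-1-5-32-545"})

# Domain SID taken from the log line quoted in comment 3.
DOMAIN_SID = "S-1-5-21-2660895256-1678062113-3852026326"

# Constructed directory snapshot {objectSid: name}; a real check would read this from OpenLDAP.
SAMPLE_OBJECTS: Dict[str, str] = {
    f"{DOMAIN_SID}-500": "Administrateur",          # renamed via mapping -> OK
    f"{DOMAIN_SID}-502": "krbtgt",                  # differs only in case -> OK
    f"{DOMAIN_SID}-512": "Admins du domaine",       # renamed via mapping -> OK
    f"{DOMAIN_SID}-513": "Domain Users",            # unchanged -> OK
    f"{DOMAIN_SID}-1105": "Enterprise Read-only Domain Controllers",  # wrong RID -> SID mismatch
    "S-1-5-32-544": "Administrators",               # builtin -> OK
    # Guest (RID 501) is absent entirely -> missing
}


class Finding(NamedTuple):
    kind: str                   # "missing", "sid-mismatch" or "name-mismatch"
    sid: str                    # the SID the well-known object should have
    expected_name: str          # name after applying the mapping
    found: Optional[str] = None  # SID actually carrying the name, or the actual name


def expected_objects(domain_sid: str, rids: Dict[str, str], sids: Dict[str, str]) -> Iterator[Tuple[str, str]]:
    """Yield (sid, default name) for every well-known object, domain RIDs expanded with the domain SID."""
    yield from sids.items()
    for rid, name in rids.items():
        yield f"{domain_sid}-{rid}", name


def check_well_known_objects(domain_sid: str, objects: Dict[str, str],
                             name_mapping: Dict[str, str] = NAME_MAPPING,
                             skip: Iterable[str] = NON_EXISTENT_SIDS) -> List[Finding]:
    """Return one Finding per well-known object that is missing, misnamed or carries another SID."""
    skip = set(skip)
    by_lower_name = {name.lower(): sid for sid, name in objects.items()}
    findings: List[Finding] = []
    for sid, default_name in expected_objects(domain_sid, WELL_KNOWN_DOMAIN_RIDS, WELL_KNOWN_SIDS):
        if sid in skip:
            continue
        expected_name = name_mapping.get(default_name, default_name)
        actual_name = objects.get(sid)
        if actual_name is not None:
            # Object exists; names are compared lower-case (comment 1, footnote [2]).
            if actual_name.lower() != expected_name.lower():
                findings.append(Finding("name-mismatch", sid, expected_name, actual_name))
            continue
        # No object with the expected SID: fall back to the (possibly mapped) name (comment 4).
        found_sid = by_lower_name.get(expected_name.lower())
        if found_sid is None:
            findings.append(Finding("missing", sid, expected_name))
        else:
            findings.append(Finding("sid-mismatch", sid, expected_name, found_sid))
    return findings


def format_finding(f: Finding) -> str:
    """Render a finding in the style of the diagnostic message quoted in comment 3."""
    if f.kind == "missing":
        return f"No user or group with SID {f.sid} found, expected '{f.expected_name}'."
    if f.kind == "sid-mismatch":
        return f"'{f.expected_name}' has SID {f.found}, expected {f.sid}."
    return f"Object with SID {f.sid} is named '{f.found}', expected '{f.expected_name}'."


def run_sample_check() -> List[Finding]:
    return check_well_known_objects(DOMAIN_SID, SAMPLE_OBJECTS)


if __name__ == "__main__":
    for finding in run_sample_check():
        print(format_finding(finding))
```

Distinguishing "missing" from "sid-mismatch" is the point Arvid raises in comment 3: an absent object may be acceptable, while a well-known name attached to a different SID indicates a broken identity mapping between Samba and OpenLDAP and warrants attention.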
Comment 5 Arvid Requate univentionstaff 2017-09-07 17:09:30 CEST
Nice, works.
Comment 6 Erik Damrose univentionstaff 2017-09-20 15:03:42 CEST
<http://errata.software-univention.de/ucs/4.2/166.html>