Univention Bugzilla – Bug 41543
krbtgt has wrong RID after s3->s4 migration
Last modified: 2017-11-08 12:19:12 CET
Single school server with S3 -> Update to S4 (http://wiki.univention.de/UCS@school_Samba_3_to_Samba_4_Migration#Migration_of_the_UCS.40school_DCs_in_the_central_school_department) ->

univention-ldapsearch uid=krbtgt
...
sambaSID: S-1-5-21-4034621939-4037279472-3278188622-5012

This is bad. krbtgt has to have the RID *502*. Otherwise password change is not working (set "Change password on next login" and try to change password via kpasswd or Windows, does not work if krbtgt has a RID other than 502).

Seems that the connector sets this faulty RID (connector/s4/mapping/sid_to_s4: yes). Before the connector is started, the s4 object is still OK (rid 502). After the initial sync of the connector the RID is broken.

Maybe, in the first step, we can add a hint to http://wiki.univention.de/UCS@school_Samba_3_to_Samba_4_Migration to verify (and correct) the RID of krbtgt after the migration.
Created attachment 7735: connector-s4.log.bz2
The adjustments for Bug 44333 should fix this:

1. If the RID is wrong during errata update, it will be corrected.
2. If the new udm-modules package is already installed before the migration, the account will be created with the correct RID.

*** This bug has been marked as a duplicate of bug 44333 ***
OK, verified with Bug #44333
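
The report suggests verifying the RID of krbtgt after the migration. The following is an added example, not part of the original bug thread or of Univention's tooling: a shell check that reads the LDIF printed by `univention-ldapsearch uid=krbtgt` on stdin and compares the last component of `sambaSID` with the expected RID. The function name `check_rid`, its exit codes and the sample DN are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that an account's sambaSID ends in the expected RID.
# Reads LDIF on stdin, e.g. the output of: univention-ldapsearch uid=krbtgt
# Exit status: 0 = RID matches, 1 = RID differs, 2 = no usable sambaSID found.
# check_rid is a hypothetical helper name, not a Univention command.

check_rid() {
    expected="${1:-502}"    # the report states krbtgt has to have RID 502
    # Take the first sambaSID attribute; strip CR in case of CRLF input.
    sid=$(tr -d '\r' | sed -n 's/^sambaSID: *//p' | head -n 1)
    case "$sid" in
        S-1-5-21-*-*-*-*) ;;                  # domain SID followed by a RID
        *) echo "no domain sambaSID found" >&2; return 2 ;;
    esac
    rid="${sid##*-}"                          # text after the last dash
    case "$rid" in
        ''|*[!0-9]*) echo "malformed RID in $sid" >&2; return 2 ;;
    esac
    if [ "$rid" -eq "$expected" ]; then
        echo "OK: $sid has RID $rid"
        return 0
    fi
    echo "WRONG: $sid has RID $rid, expected $expected" >&2
    return 1
}

# Constructed sample input: the faulty SID quoted in the report, and the same
# domain SID with the RID set to 502. The DN is a made-up placeholder.
sample_bad='dn: uid=krbtgt,cn=users,dc=example,dc=com
uid: krbtgt
sambaSID: S-1-5-21-4034621939-4037279472-3278188622-5012'
sample_good='dn: uid=krbtgt,cn=users,dc=example,dc=com
uid: krbtgt
sambaSID: S-1-5-21-4034621939-4037279472-3278188622-502'
```

On a migrated server the check would be fed real output, for example `univention-ldapsearch uid=krbtgt | check_rid 502`, once before the connector is started and again after its initial sync.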