Bug 41848 - Adding users to Samba/AD group Print Operators impossible via UMC
Status: CLOSED WONTFIX
Product: UCS@school
Classification: Unclassified
Component: Samba 4
Version: UCS@school 4.1 R2
Hardware: Other Linux
Importance: P5 normal with 1 vote
Assigned To: Samba maintainers
Reported: 2016-07-25 14:06 CEST by Arvid Requate
Modified: 2023-06-12 15:39 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
School Customer affected?: Yes
Ticket number: 2016081221000519
Description Arvid Requate univentionstaff 2016-07-25 14:06:13 CEST
The Samba/AD group "Print Operators" (SID S-1-5-32-550) has a different name in UCS/OpenLDAP for historical reasons, where it is called "Printer-Admins". Since Printer-Admins is in the connector/s4/mapping/group/ignorelist by default, there is no way for Administrators to add a user to the group "Print Operators" via UMC.
Comment 1 Nico Stöckigt univentionstaff 2016-08-12 16:51:56 CEST
Also requested at Ticket#2016081221000519
Comment 2 Arvid Requate univentionstaff 2017-03-02 13:31:39 CET
Note: Printer-Admins is only added to connector/s4/mapping/group/ignorelist by default in UCS@school (ucs-school-metapackage).
Comment 3 Arvid Requate univentionstaff 2017-03-02 13:38:02 CET
UCS@school puts those groups on the connector/s4/mapping/group/ignorelist for some reason (Bug 27395).
Comment 4 Felix Botner univentionstaff 2017-09-12 13:13:45 CEST
(In reply to Arvid Requate from comment #0)
> The Samba/AD group "Print Operators" (SID S-1-5-32-550) has a different name
> in UCS/OpenLDAP for historical reasons, where it is called "Printer-Admins".
> Since Printer-Admins is in the connector/s4/mapping/group/ignorelist by
> default, there is no way for Administrators to add a user to the group
> "Print Operators" via UMC.

This is not completely true

 * UCS master + school  (no s4)
 * UCS school slave + school

In my case the univention-s4-connector postinst has been executed before the ucs-school-slave postinst, and as the ucs-school-slave postinst sets the ignore group with ?, this change has been ignored (Not updating connector/s4/mapping/group/ignorelist).

So, on the slave the group ignore list is the connector default, on the master the ucsschool default (no s4-connector package in the master yet, what happens if I installed samba4 on the master?).

This is all totally confusing; I vote for (at least) removing Printer-Admins from the ignore list.
Comment 5 Felix Botner univentionstaff 2017-09-12 16:41:25 CEST
(In reply to Felix Botner from comment #4)
> So, on the slave the group ignore list is the connector default, on the
> master the ucsschool default (no s4-connector package in the master yet,
> what happens if I installed samba4 on the master?).

I changed the group ignore list to the univention-s4-connector default on my master and then installed univention-s4-connector; no rejects so far.
At least this scenario is OK with removing Printer-Admins from the ignore list.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2019-02-05 21:43:51 CET
This issue has been filed against UCS@school 4.1 (R2). The maintenance with
bug and security fixes for UCS@school 4.1 (R2) ended on 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3 (or later). 
Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug"
or simply reopen the issue. In this case please provide detailed information on
how this issue is affecting you.