Bug 42675 - Research for code cleanup: groups named differently in OpenLDAP and Samba/AD
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Depends on: 27395 29486 32461 33645 40418
Reported: 2016-10-13 20:20 CEST by Arvid Requate
Modified: 2019-01-03 07:18 CET
What kind of report is it?: Development Internal
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
Bug group (optional): Cleanup
Description Arvid Requate univentionstaff 2016-10-13 20:20:17 CEST
Research for code cleanup: There are three groups that are named differently in OpenLDAP vs Samba/AD, see Bug 29486 Comment 3 and Bug 32461 Comment 2:

OpenLDAP : System Operators
Samba/AD : Server Operators

OpenLDAP : Printer-Admins
Samba/AD : Print Operators

OpenLDAP : Replicators
Samba/AD : Replicator

The history of handling those groups is pretty confusing, so I guess somebody should find out if all of the following still makes sense in UCS 4.1 and later.
Either something about this can be cleaned up or it should get documented, maybe in the developer guide or so.


1) UCS@school puts those groups on the connector/s4/mapping/group/ignorelist for some reason (Bug 27395), but UCS itself doesn't.


2) For one of those groups there are two kinds of translation mechanisms:

2.a) There is a special S4-Connector mapping:

* connector/s4/mapping/group/table/Printer-Admins?"Print Operators"

set by

* univention-s4-connector.postinst
* univention-management-console-module-adtakeover
  (the only exception to Bug 33644 Comment 4)
* univention-ad-connector/scripts/well-known-sid-object-rename


2.b) There is the normal translation via UCR (via Bug 33645):

* groups/default/printoperators=Printer-Admins    ## normally unset

automatically managed via the listener module well-known-sid-name-mapping.py when a group (or user) is renamed in LDAP. This is the recommended way at the time of writing this.
Comment 1 Arvid Requate univentionstaff 2017-03-02 14:16:37 CET
Some more insight into this: Quoting Bug 32461 Comment 2:

* "System Operators" are called "Server Operators" in Samba4:
  On Updates the UCS name stays "System Operators"
  In new installations it is "Server Operators".

* "Replicators" are called "Replicator" in Samba4:
  On Updates the UCS name stays "Replicators"
  In new installations it is "Replicator".


But this is not the case for Printer-Admins / Print Operators:

* In UCS 3.1:
=================================================
dn: CN=Print Operators,CN=Builtin,DC=ares31,DC=qa
objectClass: group
sAMAccountName: Print Operators
=================================================

* Installations starting with UCS 3.2:
=================================================
dn: CN=Print Operators,CN=Builtin,DC=arucs32,DC=qa
objectClass: group
sAMAccountName: Printer-Admins
=================================================
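
The CN / sAMAccountName split shown in Comment 1 can be checked mechanically over an LDIF export. The following is an added example, not part of the bug report or of UCS code: the function names and the embedded sample LDIF (assembled from the two records quoted above) are assumptions of the example, and it handles only plain LDIF without base64 values, folded lines or escaped commas in DNs.

```python
# Constructed sample: the two records quoted in Comment 1, as one LDIF export.
SAMPLE_LDIF = """\
dn: CN=Print Operators,CN=Builtin,DC=ares31,DC=qa
objectClass: group
sAMAccountName: Print Operators

dn: CN=Print Operators,CN=Builtin,DC=arucs32,DC=qa
objectClass: group
sAMAccountName: Printer-Admins
"""

# OpenLDAP name -> Samba/AD name, as listed in the bug description.
KNOWN_RENAMES = {
    "System Operators": "Server Operators",
    "Printer-Admins": "Print Operators",
    "Replicators": "Replicator",
}

def parse_ldif(text):
    """Split blank-line separated LDIF records into dicts of attr -> [values]."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                rec.setdefault(attr, []).append(value)
        if "dn" in rec:
            records.append(rec)
    return records

def rdn_cn(dn):
    """Return the value of the leading RDN if it is a CN, else None."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value if key.lower() == "cn" else None

def find_name_drift(text):
    """List groups whose sAMAccountName differs from the CN in their DN.
    Each finding is (dn, cn, sam, known); known is True when the pair is one
    of the three renames from the bug description."""
    findings = []
    for rec in parse_ldif(text):
        if "group" not in rec.get("objectClass", []):
            continue
        dn = rec["dn"][0]
        cn, sam = rdn_cn(dn), rec.get("sAMAccountName", [None])[0]
        if cn and sam and cn != sam:
            findings.append((dn, cn, sam, KNOWN_RENAMES.get(sam) == cn))
    return findings

if __name__ == "__main__":
    print(find_name_drift(SAMPLE_LDIF))
```

A finding with `known` set to False is a name mismatch outside the three documented pairs and is the case worth reviewing by hand.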
Comment 2 Stefan Gohmann univentionstaff 2019-01-03 07:18:58 CET
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.