Bug 42819 – samba4-idmap.py listener doesn't initialize idmap.ldb metadata when file has been deleted.

Bug 42819 - samba4-idmap.py listener doesn't initialize idmap.ldb metadata when file has been deleted.


Summary:	samba4-idmap.py listener doesn't initialize idmap.ldb metadata when file has ...

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Samba4
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2
Assigned To:	Arvid Requate
QA Contact:	Stefan Gohmann

URL:
Keywords:	interim-2

Depends on:	40511
Blocks:
	Show dependency tree / graph

Reported:	2016-11-02 14:54 CET by Arvid Requate
Modified:	2017-04-04 18:29 CEST (History)
CC List:	2 users (show)

See Also:	41319
What kind of report is it?:	Bug Report
What type of bug is this?:	1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	1: Nuisance – not a big deal but noticeable
User Pain:	0.011
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2016103121000363
Bug group (optional):
Max CVSS v3 score:

Attachments
initialize_idmap.patch (1.57 KB, patch) 2016-11-02 14:54 CET, Arvid Requate	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2016-11-02 14:54:52 CET

Created attachment 8179 [details]
initialize_idmap.patch

The samba4-idmap.py listener currently doesn't check if the idmap.ldb is properly initialized. In re-joining scenarios we often remove the idmap.ldb and then let the listener re-fill it. But then these basic metadata objects are missing:

cat /usr/share/samba/setup/idmap_init.ldif 
=============================
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000

dn: @INDEXLIST
@IDXATTR: xidNumber
@IDXATTR: objectSid
=============================

As a consequence, winbind cannot dynamically allocate any xidNumber (UIDs/GIDs) for accounts that for some reason do not have a proper idmap entry yet (e.g. due to Bug 36570).

The attached patch fixes this by calling samba.provision.setup_idmapdb() in case the file doesn't exist during open. Untested.

Comment 1 Stefan Gohmann

2016-12-13 08:10:37 CET

The Enterprise Customer affected flag is set but neither a Ticket number is referenced nor a Customer ID is set. Please set a Ticket number or a Customer ID. Otherwise the Enterprise Customer affected flag will be reset.

Comment 2 Arvid Requate

2017-02-15 19:13:16 CET

I've applied an improved version of the patch.
Package rebuilt and changelog adjusted.

Package: univention-samba4
Version: 6.0.9-4A~4.2.0.201702151909
Branch: ucs_4.2-0

QA:

univention-directory-listener-ctrl samba4-idmap resync
ldbsearch -H /var/lib/samba/private/idmap.ldb CN=CONFIG
ldbsearch -H /var/lib/samba/private/idmap.ldb -b "@INDEXLIST" -s base

rm /var/lib/samba/private/idmap.ldb
service univention-directory-listener stop
univention-directory-listener-ctrl samba4-idmap resync
ldbsearch -H /var/lib/samba/private/idmap.ldb CN=CONFIG
ldbsearch -H /var/lib/samba/private/idmap.ldb -b "@INDEXLIST" -s base

Comment 3 Stefan Gohmann

2017-02-24 07:11:30 CET

Tests: OK, it the entries are available after rejoining the system.

Code review: OK (r76714)

Changelog: OK

Comment 4 Stefan Gohmann

2017-04-04 18:29:15 CEST

UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".