Bug 44333 - krbtgt rid != 502 if samba4 is installed after ucs@school on UCS Master
Product: UCS
Classification: Unclassified
Component: UMC - Users
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-2-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Duplicates: 41543
Depends on:
Reported: 2017-04-10 12:54 CEST by Felix Botner
Modified: 2017-11-08 14:59 CET (History)
CC List: 6 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Screenshot of system diagnostics (40.58 KB, image/png)
2017-10-24 12:26 CEST, Michael Grandjean

Description Felix Botner univentionstaff 2017-04-10 12:54:33 CEST
UCS master -> ucs@school multiserver -> s4 DC

-> univention-s4search cn=krbtgt objectSid
# record 1
dn: CN=krbtgt,CN=Users,DC=four,DC=two
objectSid: S-1-5-21-3006362628-2186033213-1690935345-5012

The krbtgt has to have the RID 502 (well-known SID), otherwise password change may fail ...
Comment 1 Felix Botner univentionstaff 2017-04-11 10:23:56 CEST
also true for Guest user (wkr 501)

-> univention-s4search cn=guest objectSid | grep -i 'objectSid:'
objectSid: S-1-5-21-3006362628-2186033213-1690935345-5010
Comment 2 Michael Grandjean univentionstaff 2017-10-24 12:26:21 CEST
Created attachment 9258 [details]
Screenshot of system diagnostics

The "Well Known" SIDs check in the system diagnostic module does detect this. Unfortunately, it doesn't offer any advice on how to resolve this :)
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2017-10-26 10:28:57 CEST
According to Arvid, this issue prevents password changes on the affected systems.
Comment 4 Arvid Requate univentionstaff 2017-11-06 16:40:56 CET
I've adjusted UDM users/user so it works generically (for users).

Merge commit: b56094583f1e57a84119da80f2c5fe9f1bc97ed6


* univention-directory-manager-modules.yaml
* univention-lib.yaml
Comment 5 Arvid Requate univentionstaff 2017-11-06 18:08:25 CET
I've added an update check to univention-s4-connector.postinst which checks the RID of the krbtgt account and fixes it if possible (only on master+backup, if slapd is running and only during this update).

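The well-known-SID check that Comment 2 describes in the system diagnostic module and the RID check that Comment 5 adds to the postinst both come down to the same thing: read the objectSid of the built-in accounts and compare the last sub-authority (the RID) against the well-known values (Administrator 500, Guest 501, krbtgt 502). The following is an added illustration written for this page, not code from UCS, the S4 connector or the diagnostic module. It parses output in the shape of the `univention-s4search` records quoted above and reports mismatches; it also decodes the binary objectSid form that LDAP stores, since a check run against raw LDAP attributes sees bytes rather than the `S-1-5-...` string. The sample records are constructed: the krbtgt and Guest values are the ones quoted in the report, the Administrator record is made up for contrast, and the function names are my own.

```python
import struct

# Well-known relative identifiers (RIDs) of built-in domain accounts, keyed
# by lowercase CN. The bug is that krbtgt and Guest ended up with ordinary
# RIDs (5012, 5010) because the accounts were created by the normal UDM
# allocator instead of with their reserved values.
WELL_KNOWN_RIDS = {
    "administrator": 500,
    "guest": 501,
    "krbtgt": 502,
}

# Constructed sample in the shape of `univention-s4search cn=<name> objectSid`
# output. krbtgt and Guest are the values quoted in the bug report; the
# Administrator record is invented here and has the correct RID.
SAMPLE_S4SEARCH_OUTPUT = """\
# record 1
dn: CN=krbtgt,CN=Users,DC=four,DC=two
objectSid: S-1-5-21-3006362628-2186033213-1690935345-5012

# record 2
dn: CN=Guest,CN=Users,DC=four,DC=two
objectSid: S-1-5-21-3006362628-2186033213-1690935345-5010

# record 3
dn: CN=Administrator,CN=Users,DC=four,DC=two
objectSid: S-1-5-21-3006362628-2186033213-1690935345-500
"""


def sid_bytes_to_string(raw):
    """Decode a binary objectSid (as stored in LDAP) into S-R-IA-sub... form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count x 32-bit little-endian sub-authorities.
    """
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated SID: %d bytes for %d sub-authorities" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string; used here to build test input."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def rid_of(sid):
    """The RID is the last sub-authority of the SID string."""
    return int(sid.rsplit("-", 1)[1])


def parse_s4search(output):
    """Map the CN of each record (taken from its dn) to its objectSid string."""
    result = {}
    cn = None
    for line in output.splitlines():
        if line.startswith("dn: "):
            rdn = line[4:].split(",", 1)[0]          # e.g. CN=krbtgt
            cn = rdn.split("=", 1)[1]
        elif line.startswith("objectSid: ") and cn is not None:
            result[cn] = line[len("objectSid: "):].strip()
    return result


def check_well_known_rids(output):
    """Return (cn, expected_rid, actual_rid) for every well-known account whose
    RID is wrong; an empty list means the domain is healthy in this respect."""
    problems = []
    for cn, sid in parse_s4search(output).items():
        expected = WELL_KNOWN_RIDS.get(cn.lower())
        if expected is not None and rid_of(sid) != expected:
            problems.append((cn, expected, rid_of(sid)))
    return problems


if __name__ == "__main__":
    for cn, expected, actual in check_well_known_rids(SAMPLE_S4SEARCH_OUTPUT):
        print("%s has RID %d, expected well-known RID %d" % (cn, actual, expected))
```

Run against the sample, the check flags krbtgt (5012 instead of 502) and Guest (5010 instead of 501) and is silent about Administrator, which is exactly the situation the screenshot in Comment 2 shows. Detecting the mismatch is the easy half; as Comment 5 notes, the repair is only attempted on master and backup with slapd running, because a SID is allocated at object creation and cannot simply be edited on a replica.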
Comment 6 Arvid Requate univentionstaff 2017-11-06 18:11:41 CET
*** Bug 41543 has been marked as a duplicate of this bug. ***
Comment 7 Arvid Requate univentionstaff 2017-11-07 09:52:51 CET
I've adjusted the patch once again to restrict the change to UCS@school.

Merge commit: 661746fcdb0ebe21f293eb4ba7d603c32b3e0ae3
Advisory updated.
Comment 8 Felix Botner univentionstaff 2017-11-07 18:48:38 CET
OK - installation (s4 on master after school + school slave)
OK - update (school master with s4 and broken krbtgt rid is fixed)
OK - non school setup

OK - univention-s4-connector.yaml
OK - univention-lib.yaml
OK - univention-directory-manager-modules.yaml