Univention Bugzilla – Bug 44333
krbtgt rid != 502 if samba4 is installed after ucs@school on UCS Master
Last modified: 2017-11-08 14:59:10 CET
UCS master -> ucs@school multiserver -> s4 DC
-> univention-s4search cn=krbtgt objectSid
# record 1
The krbtgt has to have the RID 502 (well known sid), otherwise password change may fail ...
also true for Guest user (wkr 501)
-> univention-s4search cn=guest objectSid| grep -i 'objectSid:'
Created attachment 9258 [details]
Screenshot of system diagnostics
The "Well Known" SIDs check in the system diagnostic module does detect this. Unfortunately, it doesn't offer any advice on how to resolve this :)
According to Arvid, this issue prevents password changes on the affected systems.
I've adjusted UDM users/user so it works generically (for users).
Merge commit: b56094583f1e57a84119da80f2c5fe9f1bc97ed6
I've added an update check to univention-s4-connector.postinst which checks the RID of the krbtgt account and fixes it if possible (only on master+backup, if slapd is running and only during this update).
*** Bug 41543 has been marked as a duplicate of this bug. ***
I've adjusted the patch once again to restrict the change to UCS@school.
Merge commit: 661746fcdb0ebe21f293eb4ba7d603c32b3e0ae3
OK - installation (s4 on master after school + school slave)
OK - update (school master with s4 and broken krbtgt rid is fixed)
OK - non school setup
OK - univention-s4-connector.yaml
OK - univention-lib.yaml
OK - univention-directory-manager-modules.yaml
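
The RID check described in this report (krbtgt must be 502, Guest must be 501), as an added example that is not part of the original bug thread or Univention's code. It assumes the search output is LDIF-style text with `dn:` and `objectSid:` lines; the function names, the sample records and the `DC=example,DC=test` domain are constructed for illustration.

```python
import base64
import struct

WELL_KNOWN_RIDS = {"guest": 501, "krbtgt": 502}  # RIDs named in this report

def sid_from_bytes(raw):
    """Binary SID: revision, count, 48-bit BE authority, LE 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def parse_records(ldif_text):
    """Yield (cn, sid) for each blank-line-separated record."""
    cn = sid = None
    for line in ldif_text.splitlines() + [""]:
        key = line.lower()
        if key.startswith("dn:"):
            cn = line.split(":", 1)[1].strip().split(",", 1)[0].split("=", 1)[1]
        elif key.startswith("objectsid::"):  # base64-encoded binary form
            sid = sid_from_bytes(base64.b64decode(line.split("::", 1)[1].strip()))
        elif key.startswith("objectsid:"):  # string form
            sid = line.split(":", 1)[1].strip()
        elif not line.strip():  # blank line closes the record
            if cn and sid:
                yield cn, sid
            cn = sid = None

def wrong_rids(ldif_text):
    """Return (cn, actual_rid, expected_rid) for well-known accounts with a wrong RID."""
    wrong = []
    for cn, sid in parse_records(ldif_text):
        expected = WELL_KNOWN_RIDS.get(cn.lower())
        rid = int(sid.rsplit("-", 1)[1])  # the RID is the last sub-authority
        if expected is not None and rid != expected:
            wrong.append((cn, rid, expected))
    return wrong

# Constructed sample: krbtgt with a non-502 RID, Guest with the correct 501 in binary form.
_GUEST = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 11, 22, 33, 501)
SAMPLE = (
    "# record 1\ndn: CN=krbtgt,CN=Users,DC=example,DC=test\n"
    "objectSid: S-1-5-21-11-22-33-1108\n\n"
    "# record 2\ndn: CN=Guest,CN=Users,DC=example,DC=test\n"
    "objectSid:: " + base64.b64encode(_GUEST).decode() + "\n"
)
```

`wrong_rids(SAMPLE)` reports only the krbtgt record, since the Guest SID decodes to a RID of 501.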