Bug 46436 - saml kerberos does not work after ad takeover
Status: NEW
Product: UCS
Classification: Unclassified
Component: AD Takeover
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2018-02-27 14:55 CET by Felix Botner
Modified: 2020-06-22 11:26 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046


Description Felix Botner univentionstaff 2018-02-27 14:55:32 CET
AD takeover:

First, univention-s4-connector is installed, and with it 98univention-samba4-saml-kerberos.inst. During the join, the ucs-sso SPN is created.

The second step is the takeover; this removes all entries from the local Samba DB and "copies" the AD DB.

Now the ucs-sso is missing.

I think we have to remove the SPO account in rewrite_sambaSIDs_in_OpenLDAP() (as we do for the http-proxy account) and mark the 98univention-samba4-saml-kerberos.inst as not configured in finalize(), so that the next run-join-scripts re-creates the ucs-sso account.