Bug 46706 - UMC diagnose: Well known SID's for krbtgt and guest not found
UMC diagnose: Well known SID's for krbtgt and guest not found
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: Samba 4 - Slave PDC
UCS@school 4.3
Other Linux
: P5 normal (vote)
: ---
Assigned To: Samba maintainers
:
: 50768 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-03-20 17:03 CET by Felix Botner
Modified: 2021-01-06 12:26 CET (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020080321000564, 2020101521000466, 2020012721000139, 2020070721000773
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2018-03-20 17:03:38 CET
UCS 4.3 school multiserver

On my school slave the um diagnose module complains about missing well known SID's for krbtgt and guest.


I do not have samba on the master and an school slaves krbtgt and guest are ignored in the connector

-> ucr get connector/s4/mapping/user/ignorelist 
root,ucs-s4sync,dns-slave,krbtgt,Guest

so these objects are never synced to ucs (and that is where the 44_well_known_sid_check.py looks for the SID's)
Comment 1 Arvid Requate univentionstaff 2020-08-06 15:13:28 CEST
If there is no Samba/AD installed on the Master, then univention-heimdal-kdc should be active there
and /usr/lib/univention-install/11univention-heimdal-init.inst should have created a krbtgt account.
Comment 2 Christian Völker univentionstaff 2020-08-06 15:26:05 CEST
Happened on customer site.

Multi-school with no Samba on the master.

system diagnose prints a warning which confuses customer (and support during troubleshooting):
=============================
##################### Start 44_well_known_sid_check #####################
## Check failed: 44_well_known_sid_check - Überprüfe 'Well Known' SIDs ##
Kein Nutzer oder keine Gruppe mit SID S-1-5-21-4189432101-1806742356-2962702042-502 gefunden, 'KRBTGT' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-21-4189432101-1806742356-2962702042-501 gefunden, 'Guest' war erwartet.
###################### End 44_well_known_sid_check ######################
============================


According to developer this is to be expected when there is no samba4 on the master installed and connector/s4/mapping/user/ignorelist is by default set to "root,ucs-s4sync,dns-slave,krbtgt,Guest"

Trying to sync these users from the school slave fails:
============================
root@luiseedu:~# ucr set connector/s4/mapping/user/ignorelist=root,ucs-s4sync
root@luiseedu:~# systemctl restart univention-s4-connector
root@luiseedu:~# /usr/share/univention-s4-connector/resync_object_from_s4.py "CN=krbtgt,CN=Users,DC=schulen,DC=ucs"
resync triggered for CN=krbtgt,CN=Users,DC=schulen,DC=ucs
Estimated sync in 50 seconds.
================================


BUT this results in a reject and traceback of s4 connector:
=====================
25.07.2020 06:34:34.610 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=dns,DC=schulen,DC=ucs
25.07.2020 06:34:34.615 LDAP        (PROCESS): sync to ucs:   [     container] [    modify] u'cn=dns,dc=schulen,dc=ucs'
25.07.2020 06:34:34.699 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
25.07.2020 06:34:34.700 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1555, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/__init__.py", line 1299, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 650, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1327, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 897, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
===========



If this is decided by system diagnosis as a warning we should handle the issue so there will be no warning in diagnostic.

If it is really to be ignored we should not bother about it in system diagnose.
Comment 3 Christian Völker univentionstaff 2020-08-06 15:30:09 CEST
heimdal on the master is properly installed, running and I do not see any issues otherwise:
=====================
root@master:~# dpkg -l | grep heimdal
ii  heimdal-kdc                                         7.1.0+dfsg-13+deb9u3A~4.4.0.202006161052                            amd64        Heimdal Kerberos - key distribution center (KDC)
[...]
ii  univention-heimdal-common                           12.0.1-4A~4.4.0.202003261441                                        all          UCS - Kerberos common package
ii  univention-heimdal-kdc                              12.0.1-4A~4.4.0.202003261441                                        all          UCS - Kerberos KDC
=======================

Running the join script again is successful but stil now show of a krbtgt user:
===================
root@master:~# univention-run-join-scripts --force --run-scripts 11univention-heimdal-init.inst
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2020 Univention GmbH, Germany

Running pre-joinscripts hook(s):                           done
Running 11univention-heimdal-init.inst                     done
Running post-joinscripts hook(s):                          done
===================


So I assume it is ok if this user does not exist.... but again it should be handled properly if this is a false warning.
Comment 4 Arvid Requate univentionstaff 2020-08-06 15:36:20 CEST
Ah, yes, Heimdal-KDC doesn't create uid=krbtgt, but instead:

dn: krb5PrincipalName=krbtgt/$kerberos_realm@$kerberos_realm,cn=kerberos,$ldap_base

So from the Kerberos point of view, it should be ok that uid=krbtgt does not exist
(leaving aside the question of KDC interoperability).


But the Guest account would be required in OpenLDAP to make the ID-Mapping work
in cases where a Windows Client writes a file to a Samba/AD-Share with NTACLs
or ownerships referring to that account. At least as long as we use idmap.ldb
for ID-Mapping and generate it via listener module from OpenLDAP.
Comment 5 Christina Scheinig univentionstaff 2020-10-16 16:11:20 CEST
Now we have 
UCS: 4.4-5 errata750
Installed: cups=2.2.1 samba4=4.10 squid=3.5 ucsschool=4.4 v6

Master is without samba4

On slave side univention-s4search cn=krbtgt shows the user.
Comment 6 Christian Völker univentionstaff 2020-10-20 11:56:12 CEST
*** Bug 50768 has been marked as a duplicate of this bug. ***