Univention Bugzilla – Bug 46827
Create Builtin S4 groups missing in UCS@school
Last modified: 2023-02-23 17:44:22 CET
Created attachment 9498: create-well-known-sids-missing-in-ucsschool.sh

After first installing UCS@school and then univention-s4-connector on a UCS 4.2-2 Master test VM, the UMC system diagnostic module shows these errors:

========================================================================
No user or group with SID S-1-5-32-545 found, expected 'Users'.
No user or group with SID S-1-5-32-544 found, expected 'Administrators'.
No user or group with SID S-1-5-32-546 found, expected 'Guests'.
No user or group with SID S-1-5-32-551 found, expected 'Backup Operators'.
No user or group with SID S-1-5-32-557 found, expected 'Incoming Forest Trust Builders'.
No user or group with SID S-1-5-32-568 found, expected 'IIS_IUSRS'.
No user or group with SID S-1-5-32-552 found, expected 'Replicator'.
No user or group with SID S-1-5-32-549 found, expected 'Server Operators'.
No user or group with SID S-1-5-32-554 found, expected 'Pre-Windows 2000 Compatible Access'.
No user or group with SID S-1-5-32-548 found, expected 'Account Operators'.
No user or group with SID S-1-5-32-559 found, expected 'Performance Log Users'.
No user or group with SID S-1-5-32-561 found, expected 'Terminal Server License Servers'.
No user or group with SID S-1-5-32-556 found, expected 'Network Configuration Operators'.
No user or group with SID S-1-5-32-555 found, expected 'Remote Desktop Users'.
No user or group with SID S-1-5-32-573 found, expected 'Event Log Readers'.
No user or group with SID S-1-5-32-569 found, expected 'Cryptographic Operators'.
No user or group with SID S-1-5-32-560 found, expected 'Windows Authorization Access Group'.
No user or group with SID S-1-5-32-574 found, expected 'Certificate Service DCOM Access'.
No user or group with SID S-1-5-32-562 found, expected 'Distributed COM Users'.
No user or group with SID S-1-5-32-558 found, expected 'Performance Monitor Users'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-521 found, expected 'Read-Only Domain Controllers'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-516 found, expected 'Domain Controllers'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-515 found, expected 'Domain Computers'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-571 found, expected 'Allowed RODC Password Replication Group'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-553 found, expected 'RAS and IAS Servers'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-519 found, expected 'Enterprise Admins'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-518 found, expected 'Schema Admins'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-520 found, expected 'Group Policy Creator Owners'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-517 found, expected 'Cert Publishers'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-572 found, expected 'Denied RODC Password Replication Group'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-498 found, expected 'Enterprise Read-only Domain Controllers'.
========================================================================

The description of Bug 32894 contains half of the explanation: these groups exist in Samba/AD as Builtin objects, and at the time of that bug (UCS 3.2) the S4-Connector had already been adjusted to synchronize these objects to OpenLDAP. The problem is that Bug 33883 turned that off.

The attached script can be used to fix that (it is just a copy of the function found in univention-ldb-modules/96univention-samba4slavepdc.inst). I guess we should adjust the join script univention-s4-connector/97univention-s4-connector.inst to do this, at least in UCS@school. Even better would be to install univention-ldb-modules on UCS@school Samba/AD DC Masters too.
This issue has been filed against UCS@school 4.2. UCS@school 4.2 is out of maintenance and many UCS@school components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS@school versions, please reopen it and update the UCS@school version. In this case please provide detailed information on how this issue is affecting you.
This is still relevant.
*** Bug 52464 has been marked as a duplicate of this bug. ***
Created attachment 10591: create-well-known-sids-missing-in-ucsschool.sh
Updated version, which fixes the SIDs for the Well-Known "Builtin" groups.
Created attachment 10592: create-well-known-sids-missing-in-ucsschool.sh
Bugfix: extract_binddn_bindpwd_bindpwdfile_dcaccount_from_args was missing
The content of attachment 10591 has been deleted
Customer affected: Ticket#2023022321000291
UCS: 5.0-2 errata352, samba4=4.16

##################### Start 44_well_known_sid_check #####################
## Check failed: 44_well_known_sid_check - Checking 'Well Known' SIDs ##
No user or group with SID 'S-1-5-21-3076635181-3093931020-2375253368-501' found, expected 'Guest'.
No user or group with SID 'S-1-5-21-3076635181-3093931020-2375253368-502' found, expected 'KRBTGT'.
###################### End 44_well_known_sid_check ######################
Just FYI: I guess this is not *that* relevant IRL.

Q: What is the purpose of having these identities in OpenLDAP?
A: Getting POSIX IDs assigned to them.

Q: Where would that be relevant?
A: If files are assigned ACLs referring to these identities.

We could also choose to adjust the diagnostic module to
* ignore this, if the accounts are simply not present.

After all, the purpose of that diagnostic check is *not* to confirm that the accounts are present, but that they have proper SIDs *if* they are present.
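The check the thread is discussing, as an added example that is not part of the bug report, the UCS diagnostic module or the attached script: it builds the expected well-known SIDs from the Builtin and domain-relative RIDs quoted in the comments above, looks each one up in a list of (cn, sambaSID) pairs such as an LDAP search would return, and keeps the two outcomes of the last comment apart: an account that is absent altogether is only reported (and can be ignored), while an account that exists under the wrong SID, or a well-known SID held by some other object, is a failure. The domain SID is the one quoted in the first comment; the directory entries, the RID 1010 misassignment and the function names are constructed for the example.

```python
"""Well-known SID consistency check (added illustration of '44_well_known_sid_check').
Example code, not the UCS diagnostic module or the attached fix script."""
import re
from typing import Dict, List, Tuple

# Builtin groups (S-1-5-32-<RID>) named in the bug report.
BUILTIN_RIDS = {
    544: "Administrators", 545: "Users", 546: "Guests",
    548: "Account Operators", 549: "Server Operators",
    551: "Backup Operators", 552: "Replicator",
    554: "Pre-Windows 2000 Compatible Access", 555: "Remote Desktop Users",
    556: "Network Configuration Operators", 557: "Incoming Forest Trust Builders",
    558: "Performance Monitor Users", 559: "Performance Log Users",
    560: "Windows Authorization Access Group",
    561: "Terminal Server License Servers", 562: "Distributed COM Users",
    568: "IIS_IUSRS", 569: "Cryptographic Operators", 573: "Event Log Readers",
    574: "Certificate Service DCOM Access",
}
# Domain-relative accounts (S-1-5-21-<domain>-<RID>) named in the bug report.
DOMAIN_RIDS = {
    498: "Enterprise Read-only Domain Controllers", 501: "Guest", 502: "KRBTGT",
    515: "Domain Computers", 516: "Domain Controllers", 517: "Cert Publishers",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners", 521: "Read-Only Domain Controllers",
    553: "RAS and IAS Servers", 571: "Allowed RODC Password Replication Group",
    572: "Denied RODC Password Replication Group",
}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

Entry = Tuple[str, str]              # (cn, sambaSID) as an LDAP search returns it
Problem = Tuple[str, str, str, str]  # (expected name, expected SID, found name, found SID)


def expected_sids(domain_sid: str) -> Dict[str, str]:
    """Map every well-known name to the SID it must carry in this domain."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    expected = {name: f"S-1-5-32-{rid}" for rid, name in BUILTIN_RIDS.items()}
    expected.update({name: f"{domain_sid}-{rid}" for rid, name in DOMAIN_RIDS.items()})
    return expected


def check_well_known_sids(domain_sid: str, entries: List[Entry],
                          ignore_missing: bool = False):
    """Return (missing, wrong, failed).

    missing: accounts present under neither their SID nor their name.
    wrong:   the SID is held by a differently named object, or the named object
             exists but carries some other SID.
    failed:  True if anything is wrong, or (unless ignore_missing) anything is missing.
    """
    by_sid = {sid: name for name, sid in entries}
    by_name = {name.lower(): sid for name, sid in entries}
    missing: List[Tuple[str, str]] = []
    wrong: List[Problem] = []
    for name, sid in expected_sids(domain_sid).items():
        holder = by_sid.get(sid)
        if holder is not None:
            if holder.lower() != name.lower():
                wrong.append((name, sid, holder, sid))   # SID taken by another object
            continue
        actual_sid = by_name.get(name.lower())
        if actual_sid is None:
            missing.append((name, sid))                  # absent: only reported
        else:
            wrong.append((name, sid, name, actual_sid))  # present with wrong SID
    failed = bool(wrong) or (bool(missing) and not ignore_missing)
    return missing, wrong, failed


def format_report(missing, wrong) -> List[str]:
    """Render findings in the wording the diagnostic module uses for missing accounts."""
    lines = [f"No user or group with SID {sid} found, expected '{name}'." for name, sid in missing]
    lines += [f"SID {found_sid} belongs to '{found}', but '{name}' should have SID {sid}."
              for name, sid, found, found_sid in wrong]
    return lines


# Constructed sample directory: the domain SID is the one quoted in the report,
# the entries are invented. 'Administrators' was created as an ordinary domain
# group (RID 1010) instead of carrying the Builtin SID S-1-5-32-544.
SAMPLE_DOMAIN_SID = "S-1-5-21-375979446-2509653828-3357502841"
SAMPLE_ENTRIES: List[Entry] = [
    ("Domain Users", f"{SAMPLE_DOMAIN_SID}-513"),
    ("Domain Computers", f"{SAMPLE_DOMAIN_SID}-515"),
    ("Users", "S-1-5-32-545"),
    ("Administrators", f"{SAMPLE_DOMAIN_SID}-1010"),
]

if __name__ == "__main__":
    missing, wrong, failed = check_well_known_sids(SAMPLE_DOMAIN_SID, SAMPLE_ENTRIES)
    print("\n".join(format_report(missing, wrong)))
    print("FAILED" if failed else "OK")
```

Run against the sample, the check lists 30 absent accounts and one real failure (Administrators under a domain RID); with `ignore_missing=True` the same directory minus that misassigned group passes, which is the behaviour the last comment proposes.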