Bug 46827 - Create Builtin S4 groups missing in UCS@school
Status: REOPENED
Product: UCS@school
Classification: Unclassified
Component: Samba 4
UCS@school 5.0
Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba maintainers
Duplicates: 52464
Depends on: 32894 33883
Blocks: 52464
Reported: 2018-04-16 16:13 CEST by Arvid Requate
Modified: 2023-02-23 17:44 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.103
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018040621000285, 2020111121000926, 2023020621000341, 2023022321000291
Bug group (optional):
Max CVSS v3 score:


Attachments
create-well-known-sids-missing-in-ucsschool.sh (13.26 KB, application/x-shellscript)
2018-04-16 16:13 CEST, Arvid Requate
create-well-known-sids-missing-in-ucsschool.sh (deleted)
2021-01-12 16:01 CET, Arvid Requate
create-well-known-sids-missing-in-ucsschool.sh (9.51 KB, application/x-shellscript)
2021-01-12 17:31 CET, Arvid Requate

Description Arvid Requate univentionstaff 2018-04-16 16:13:59 CEST
Created attachment 9498 [details]
create-well-known-sids-missing-in-ucsschool.sh

After first installing UCS@school and then univention-s4-connector on a UCS 4.2-2 Master Test-VM, the UMC system diagnostic module shows these errors:

========================================================================
No user or group with SID S-1-5-32-545 found, expected 'Users'.
No user or group with SID S-1-5-32-544 found, expected 'Administrators'.
No user or group with SID S-1-5-32-546 found, expected 'Guests'.
No user or group with SID S-1-5-32-551 found, expected 'Backup Operators'.
No user or group with SID S-1-5-32-557 found, expected 'Incoming Forest Trust Builders'.
No user or group with SID S-1-5-32-568 found, expected 'IIS_IUSRS'.
No user or group with SID S-1-5-32-552 found, expected 'Replicator'.
No user or group with SID S-1-5-32-549 found, expected 'Server Operators'.
No user or group with SID S-1-5-32-554 found, expected 'Pre-Windows 2000 Compatible Access'.
No user or group with SID S-1-5-32-548 found, expected 'Account Operators'.
No user or group with SID S-1-5-32-559 found, expected 'Performance Log Users'.
No user or group with SID S-1-5-32-561 found, expected 'Terminal Server License Servers'.
No user or group with SID S-1-5-32-556 found, expected 'Network Configuration Operators'.
No user or group with SID S-1-5-32-555 found, expected 'Remote Desktop Users'.
No user or group with SID S-1-5-32-573 found, expected 'Event Log Readers'.
No user or group with SID S-1-5-32-569 found, expected 'Cryptographic Operators'.
No user or group with SID S-1-5-32-560 found, expected 'Windows Authorization Access Group'.
No user or group with SID S-1-5-32-574 found, expected 'Certificate Service DCOM Access'.
No user or group with SID S-1-5-32-562 found, expected 'Distributed COM Users'.
No user or group with SID S-1-5-32-558 found, expected 'Performance Monitor Users'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-521 found, expected 'Read-Only Domain Controllers'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-516 found, expected 'Domain Controllers'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-515 found, expected 'Domain Computers'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-571 found, expected 'Allowed RODC Password Replication Group'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-553 found, expected 'RAS and IAS Servers'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-519 found, expected 'Enterprise Admins'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-518 found, expected 'Schema Admins'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-520 found, expected 'Group Policy Creator Owners'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-517 found, expected 'Cert Publishers'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-572 found, expected 'Denied RODC Password Replication Group'.
No user or group with SID S-1-5-21-375979446-2509653828-3357502841-498 found, expected 'Enterprise Read-only Domain Controllers'.
========================================================================


The description of Bug 32894 contains half of the explanation: These groups exist in Samba/AD as Builtin objects, and at the time of that Bug (UCS 3.2) the S4-Connector had already been adjusted to synchronize these objects to OpenLDAP. The problem is that Bug 33883 turned that off.

The attached script can be used to fix that (just a copy of the function found in univention-ldb-modules/96univention-samba4slavepdc.inst).


I guess we should adjust the join script univention-s4-connector/97univention-s4-connector.inst to do this, at least in UCS@school. Even better would be to install univention-ldb-modules on UCS@school Samba/AD DC Masters too.
Comment 1 Michel Smidt 2020-07-10 12:48:39 CEST
This issue has been filed against UCS@school 4.2.

UCS@school 4.2 is out of maintenance and many UCS@school components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS@school versions, please reopen it and update the UCS@school version. In this case please provide detailed information on how this issue is affecting you.
Comment 2 Christina Scheinig univentionstaff 2020-12-08 16:37:10 CET
This is still relevant.
Comment 3 Arvid Requate univentionstaff 2020-12-08 18:47:49 CET
*** Bug 52464 has been marked as a duplicate of this bug. ***
Comment 4 Arvid Requate univentionstaff 2021-01-12 16:01:04 CET
Created attachment 10591 [details]
create-well-known-sids-missing-in-ucsschool.sh

Updated version, which fixes the SIDs for the Well-Known "Builtin" groups.
Comment 5 Arvid Requate univentionstaff 2021-01-12 17:31:28 CET
Created attachment 10592 [details]
create-well-known-sids-missing-in-ucsschool.sh

Bugfix: extract_binddn_bindpwd_bindpwdfile_dcaccount_from_args was missing
Comment 6 Arvid Requate univentionstaff 2021-01-12 17:31:53 CET
The content of attachment 10591 [details] has been deleted
Comment 7 Mirac Erdemiroglu univentionstaff 2023-02-23 16:11:50 CET
Customer affected: Ticket#2023022321000291
UCS: 5.0-2 errata352
samba4=4.16

##################### Start 44_well_known_sid_check #####################
## Check failed: 44_well_known_sid_check - Überprüfe 'Well Known' SIDs ##
Kein Nutzer oder keine Gruppe mit SID 'S-1-5-21-3076635181-3093931020-2375253368-501' gefunden, 'Guest' war erwartet.
Kein Nutzer oder keine Gruppe mit SID 'S-1-5-21-3076635181-3093931020-2375253368-502' gefunden, 'KRBTGT' war erwartet.
###################### End 44_well_known_sid_check ######################
Comment 8 Arvid Requate univentionstaff 2023-02-23 17:44:22 CET
Just FYI: I guess this is not *that* relevant IRL.

Q: What is the purpose of having these identities in OpenLDAP?
A: Getting Posix-IDs assigned to them.
Q: Where would that be relevant?
A: If files are assigned ACLs regarding these identities.

We could also choose to adjust the diagnostic module to

* ignore this, if the accounts are simply not present.

After all, the purpose of that diagnostic check is
*not* to confirm that the accounts are present,
but that they have proper SIDs *if* they are present.
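Added example (not Univention's code and not the 44_well_known_sid_check module itself): a small model of the well-known-SID diagnostic that produces messages like those quoted in the description, with the current behaviour (report accounts missing from OpenLDAP) beside the behaviour proposed in Comment 8 (only verify the SIDs of accounts that are present). The domain SID, the directory entries and the reduced RID table are constructed for the example.

```python
# Added example, not Univention's code: a model of the well-known-SID diagnostic.
# Domain SID, directory entries and the (reduced) RID table below are constructed.

BUILTIN_SID = "S-1-5-32"  # Builtin domain; its RIDs are the same in every AD domain

# RID -> expected name; a subset of the names from the diagnostic output in this bug.
WELL_KNOWN_BUILTIN = {544: "Administrators", 545: "Users", 546: "Guests",
                      551: "Backup Operators"}
WELL_KNOWN_DOMAIN = {501: "Guest", 502: "KRBTGT", 516: "Domain Controllers",
                     519: "Enterprise Admins"}


def expected_sids(domain_sid):
    """Return {SID: expected name} for builtin and domain-relative well-known accounts."""
    expected = {f"{BUILTIN_SID}-{rid}": name for rid, name in WELL_KNOWN_BUILTIN.items()}
    expected.update({f"{domain_sid}-{rid}": name for rid, name in WELL_KNOWN_DOMAIN.items()})
    return expected


def check_well_known_sids(entries, domain_sid, report_missing=True):
    """entries: (name, sambaSID) pairs as read from OpenLDAP.
    Returns problem messages in the style of the UMC diagnostic output."""
    by_sid = {sid: name for name, sid in entries}
    by_name = {name: sid for name, sid in entries}
    problems = []
    for sid, name in expected_sids(domain_sid).items():
        owner = by_sid.get(sid)
        if owner == name:
            continue                      # present with the correct SID
        if owner is not None:             # SID is taken by a different account
            problems.append(f"SID {sid} belongs to '{owner}', expected '{name}'.")
        elif name in by_name:             # account present, but with a wrong SID
            problems.append(f"'{name}' has SID {by_name[name]}, expected {sid}.")
        elif report_missing:              # account never synchronised (this bug)
            problems.append(f"No user or group with SID {sid} found, expected '{name}'.")
    return problems


# Constructed sample: made-up domain SID; 'Backup Operators' and the domain groups
# were never synchronised, and 'Guests' carries a stale SID.
SAMPLE_DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
SAMPLE_ENTRIES = [
    ("Administrators", "S-1-5-32-544"), ("Users", "S-1-5-32-545"),
    ("Guests", "S-1-5-32-999"),
    ("Guest", SAMPLE_DOMAIN_SID + "-501"), ("KRBTGT", SAMPLE_DOMAIN_SID + "-502"),
]

if __name__ == "__main__":
    print("\n".join(check_well_known_sids(SAMPLE_ENTRIES, SAMPLE_DOMAIN_SID)))
    print("--- only accounts that are present ---")
    print("\n".join(check_well_known_sids(SAMPLE_ENTRIES, SAMPLE_DOMAIN_SID, False)))
```

With `report_missing=False` the never-synchronised groups no longer produce findings, while the stale SID on 'Guests' is still reported, which is the distinction Comment 8 draws.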