Univention Bugzilla – Bug 50389
Cannot create a group named "Default"
Last modified: 2023-07-07 14:47:20 CEST
root@master190:~# udm groups/group create --set name=Default
WARNING: The object is not going to be created underneath of its default containers.
E: Object exists: (group) : Default

This is not really true. No group "Default" exists. And no user "Default" exists.

I suspect this object to block the creation:

root@master190:~# univention-ldapsearch uid=Default -LLL
dn: krb5PrincipalName=default@DOMAIN.DE,cn=kerberos,dc=domain,dc=de
[...]
uid: default
[...]

Is this really necessary? Would something break if we allowed a group to be named like the uid attribute of a krb5Principal object? If so, this report is INVALID. If not, we may consider relaxing this restriction.
Ok, after a bit of code archeology I found:

* the uid "default" is taken by the LDAP object with objectclass krb5Principal and krb5KDCEntry
* This object is used by Heimdal as a storage for the default policy
* It seems to get created in /usr/lib/univention-install/11univention-heimdal-init.inst by:
  kadmin -l init --realm-max-ticket-life=unlimited --realm-max-renewable-life=unlimited
* The name is hardcoded in Heimdal
  * created in kadmin/init.c (git commit 5620f021e (originally from 1997))
  * name hardcoded in lib/kadm5/create_s.c and lib/kadm5/modify_s.c
* No clue if/how this is even stored/considered in Samba/Heimdal
* To me this looks like very old and unmaintained stuff

Options:

1. I guess we could avoid creating this in Samba/AD domains because it will not be used there
2. We could patch Heimdal (standalone i.e. non-samba) to adjust the name of the policy to something like "heimdal_default"
3. We could even make the name configurable via krb5.conf
4. If a project depends on it, we could just ldapdelete the object without running a high interoperability (or otherwise) risk
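The diagnosis in this report (a case-insensitive match of the requested group name against the uid of an unrelated krb5Principal object) can be reproduced offline on ldapsearch output. The following is an added example, not code from the bug report or from Univention; it assumes the name check spans the uid and cn attributes and uses a constructed LDIF sample with placeholder DNs.

```python
# Added example (not from the bug report or Univention's code): given LDIF text such as
# univention-ldapsearch -LLL prints, report which objects hold a given name in an
# attribute assumed to collide with group names (uid, cn), comparing case-insensitively.
from typing import Dict, List

COLLIDING_ATTRS = ("uid", "cn")  # assumption: attributes UDM compares group names against

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value' lines,
    continuation lines start with a space. Attribute names are folded to lower case."""
    entries, current = [], {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:  # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries

def find_name_holders(ldif_text: str, name: str) -> List[Dict[str, str]]:
    """Return dn, matching attribute and objectClass list for every entry whose uid or cn
    equals `name` ignoring case (the caseIgnore matching that makes Default == default)."""
    hits = []
    for entry in parse_ldif(ldif_text):
        for attr in COLLIDING_ATTRS:
            if any(v.lower() == name.lower() for v in entry.get(attr, [])):
                hits.append({"dn": entry["dn"][0], "attr": attr,
                             "objectClass": ",".join(entry.get("objectclass", []))})
    return hits

# Constructed LDIF modelled on the ldapsearch output quoted in the report (placeholder DNs).
SAMPLE_LDIF = """dn: krb5PrincipalName=default@DOMAIN.DE,cn=kerberos,dc=domain,dc=de
objectClass: krb5Principal
objectClass: krb5KDCEntry
krb5PrincipalName: default@DOMAIN.DE
uid: default

dn: cn=Domain Users,cn=groups,dc=domain,dc=de
objectClass: posixGroup
cn: Domain Users
"""
```

Running find_name_holders(SAMPLE_LDIF, "Default") names the krb5Principal entry as the only holder, which is the blocking object the report identifies rather than any group or user.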