Bug 50389 - Cannot create a group named "Default"
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC - Groups
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Reported: 2019-10-18 14:07 CEST by Dirk Wiesenthal
Modified: 2023-07-07 14:47 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the documentation
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Description Dirk Wiesenthal univentionstaff 2019-10-18 14:07:33 CEST
root@master190:~# udm groups/group create --set name=Default
WARNING: The object is not going to be created underneath of its default containers.
E: Object exists: (group) : Default

This is not really true. No group "Default" exists. And no user "Default" exists.

I suspect this object to block the creation:

root@master190:~# univention-ldapsearch uid=Default -LLL
dn: krb5PrincipalName=default@DOMAIN.DE,cn=kerberos,dc=domain,dc=de
[...]
uid: default
[...]

Is this really necessary? Would something break if we allowed a group to be named like the uid attribute of a krb5Principal object?

If so, this report is INVALID. If not, we may consider relaxing this restriction.
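An added example (not code from the report, from UDM or from Univention) that reproduces the suspected collision offline: a minimal LDIF parser and a case-insensitive uid/cn lookup run over a constructed sample that contains the krb5Principal object quoted above plus two assumed entries (a user "alice" and the group "Domain Users"). The helper names parse_ldif and find_name_conflicts are assumptions; the block shows why a case-insensitive uid match on "default" blocks a group named "Default", but it does not reproduce UDM's actual uniqueness check.

```python
"""Offline reproduction of a uid/cn name collision (added example, not UDM code)."""
import base64
import re

# Constructed sample LDIF. The first entry is modelled on the object quoted in
# the report; the user and group entries are assumptions for illustration.
SAMPLE_LDIF = """\
dn: krb5PrincipalName=default@DOMAIN.DE,cn=kerberos,dc=domain,dc=de
objectClass: krb5Principal
objectClass: krb5KDCEntry
krb5PrincipalName: default@DOMAIN.DE
uid: default

dn: uid=alice,cn=users,dc=domain,dc=de
objectClass: posixAccount
uid: alice
cn: alice

dn: cn=Domain Users,cn=groups,dc=domain,dc=de
objectClass: posixGroup
cn: Domain Users
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of (dn, {attr: [values]}).

    Handles blank-line separated entries, folded continuation lines (leading
    space) and base64 values ("attr:: ..."). Attribute names are lower-cased
    because LDAP attribute types are case-insensitive.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # LDIF line folding
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def find_name_conflicts(entries, name, attrs=("uid", "cn")):
    """Return the DNs of all entries whose uid or cn equals name, ignoring case.

    uid and cn use the caseIgnoreMatch equality rule in the standard schema, so
    a request for "Default" is matched by the krb5Principal object's uid
    "default", regardless of which object class carries the attribute.
    """
    wanted = name.lower()
    hits = []
    for dn, entry in entries:
        for attr in attrs:
            if any(value.lower() == wanted for value in entry.get(attr, [])):
                hits.append(dn)
                break
    return hits


if __name__ == "__main__":
    ldap_entries = parse_ldif(SAMPLE_LDIF)
    for candidate in ("Default", "alice", "newgroup"):
        print(candidate, "->", find_name_conflicts(ldap_entries, candidate) or "free")
```

On a live UCS system the corresponding lookup is a plain ldapsearch filter passed through univention-ldapsearch, for example the filter `(|(uid=Default)(cn=Default))`; the result set is what tells you which object, and which object class, is occupying the name.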
Comment 3 Arvid Requate univentionstaff 2023-07-07 14:47:20 CEST
Ok, after a bit of code archeology I found:

* the uid "default" is taken by the LDAP object with objectclass krb5Principal and krb5KDCEntry
* This object is used by Heimdal as a storage for the default policy
* It seems to get created in /usr/lib/univention-install/11univention-heimdal-init.inst by:
  kadmin -l init --realm-max-ticket-life=unlimited --realm-max-renewable-life=unlimited
* The name is hardcoded in Heimdal
  * created in kadmin/init.c (git commit 5620f021e (originally from 1997))
  * name hardcoded in lib/kadm5/create_s.c and lib/kadm5/modify_s.c
* No clue if/how this is even stored/considered in Samba/Heimdal
* To me this looks like very old and unmaintained stuff

Options:

1. I guess we could avoid creating this in Samba/AD domains because it will not be used there
2. We could patch Heimdal (standalone i.e. non-samba) to adjust the name of the policy
   to something like "heimdal_default"
3. We could even make the name configurable via krb5.conf
4. If a project depends on it, we could just ldapdelete the object without running a high interoperability (or otherwise) risk