Bug 50766 - S4-Connector should synchronize gidNumber also for group objects
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.4
Hardware: All
OS: Linux
Importance: P5 normal
Target Milestone: UCS 4.4-7-errata
Assigned To: Julia Bremer
QA Contact: Felix Botner
URL: https://git.knut.univention.de/univen...
Duplicates: 50278
Depends on:
Blocks:
Reported: 2020-02-01 11:35 CET by Antoine R
Modified: 2021-04-13 12:14 CEST (History)
CC: 6 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021031121001206
Bug group (optional):
Max CVSS v3 score:


Description Antoine R 2020-02-01 11:35:09 CET
The gidNumber attribute is missing from the group object in the Samba AD, preventing a proper group ID mapping on systems using the rfc2307 idmap.

A solution could be to sync the existing gidNumber attribute from the OpenLDAP with Samba.
Comment 1 Arvid Requate univentionstaff 2020-02-04 13:02:19 CET
Thanks for reporting this issue. Since Bug 49092 (UCS 4.4 Erratum 239) the S4-Connector supports the synchronization of the gidNumber attribute -- BUT: Only for users, not yet for groups.

FYI: For new systems installed after that Erratum (i.e. systems installed with UCS 4.4-2) this should be the default, but for systems that have been updated to that erratum it is not, because in that case we explicitly put it on a list of attributes to ignore, which is configured with the UCR variable connector/s4/mapping/user/attributes/ignorelist. After changing that variable, the S4-Connector needs to be restarted. Please note that the connector only starts to honour this when the individual objects are actually created or modified after changing that UCR variable.
Comment 2 Antoine R 2020-08-03 20:13:33 CEST
Is the synchronization of the gidNumber attribute for groups planned for a further erratum or release?

This issue prevents having a proper Unix group idmap for Unix users with Samba.
Comment 3 Arvid Requate univentionstaff 2020-11-19 20:07:43 CET
UCS currently stores gidNumber and uidNumber in OpenLDAP, and that is the source from which the entries in /var/lib/samba/private/idmap.ldb are generated. The rfc2307 attributes in Samba/AD are not required for the identity mapping. NSS goes against OpenLDAP and Winbind uses idmap.ldb.
Comment 5 Dirk Schnick univentionstaff 2021-03-12 07:58:01 CET
A customer reported the need for the gidNumber for groups. Attached ticket and set Enterprise Customer affected.
Comment 6 Julia Bremer univentionstaff 2021-03-23 12:59:48 CET
Successful build
Package: univention-s4-connector
Version: 13.0.2-86A~4.4.0.202103180923
Branch: ucs_4.4-0
Scope: errata4.4-7

0fa9758b03 Bug #50766: version bump
6c8213ea37 Bug #50766: gidNumber is post attribute
5756e35bfb Bug #50766: version bump
c6adb6e33f Bug #50766: version bump
1f4a7da1ba Bug #50766: sync gidNumber for groups in write mode
6c27eb8388 Bug #50278: fix typo
97bee3fc8c Bug #50278: yaml


I set gidNumber for users and groups to write mode.
For users, it was synced before, but due to it being a post attribute and having the property valueMayNotChange, it always ended in a reject if synced from S4.
This has been fixed.
Sync of gidNumber for groups has been added, also in write mode.
The synchronization is active on update, but no resync happens automatically.
The tool resync_objects_from_ucs has to be used, if this is desired.

We need to discuss if it is acceptable to activate the sync on update, or if we have to create an ignorelist ucr variable for group-attributes. 

I adjusted 150sync_create_and_modify_ucs_group to test gidNumber for groups also.
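Since the fixed connector only writes gidNumber for group objects that are created or modified after the update, and no automatic resync happens, an administrator will want to know which groups still lack or disagree on gidNumber in Samba/AD before deciding to run resync_objects_from_ucs. The following is an added example, not part of the univention-s4-connector package or its test suite: it takes two LDIF dumps (one of the OpenLDAP group objects, one of the Samba/AD group objects), parses them with a small RFC 2849 reader, and reports per group whether the gidNumber is in sync, missing on the Samba side, or different. The LDIF text and the group names and numbers are constructed; on a real system the dumps would come from the domain's own LDAP and Samba/AD directories.

```python
"""Compare gidNumber of group objects between OpenLDAP (UCS) and Samba/AD.

Added example, not code from the Univention S4-Connector. Input is LDIF text
for both directories; the dumps embedded below are constructed sample data.
"""
import base64
from typing import Dict, List, Optional, Set

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal RFC 2849 reader: unfolds continuation lines, decodes base64
    (`attr:: value`) and returns one dict per entry, attribute names lowercased."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:  # continuation of previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if not line.strip():  # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):  # base64 encoded value (e.g. non-ASCII cn)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):  # URL-valued attributes are not needed here
            continue
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def group_gids(entries: List[Entry], required_class: str) -> Dict[str, Optional[str]]:
    """Map lowercased cn -> gidNumber (None if absent) for entries carrying the
    given objectClass ('posixgroup' on the UCS side, 'group' on the Samba side)."""
    result: Dict[str, Optional[str]] = {}
    for entry in entries:
        classes: Set[str] = {c.lower() for c in entry.get("objectclass", [])}
        if required_class not in classes:
            continue
        names = entry.get("cn")
        if not names:
            continue
        gid = entry.get("gidnumber")
        result[names[0].lower()] = gid[0] if gid else None
    return result


def compare_group_gids(ucs_ldif: str, s4_ldif: str) -> Dict[str, List[str]]:
    """Classify every UCS group by the state of its gidNumber in Samba/AD."""
    ucs = group_gids(parse_ldif(ucs_ldif), "posixgroup")
    s4 = group_gids(parse_ldif(s4_ldif), "group")
    report: Dict[str, List[str]] = {"ok": [], "missing_in_s4": [], "mismatch": [], "not_in_s4": []}
    for name, gid in sorted(ucs.items()):
        if name not in s4:
            report["not_in_s4"].append(name)
        elif s4[name] is None:
            report["missing_in_s4"].append(name)  # candidates for resync_objects_from_ucs
        elif s4[name] != gid:
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    return report


# Constructed sample dumps (not taken from a real domain).
UCS_LDIF = """dn: cn=Domain Users,cn=groups,dc=example,dc=org
objectClass: univentionGroup
objectClass: posixGroup
cn: Domain Users
gidNumber: 5001

dn: cn=Printer Admins,cn=groups,dc=example,dc=org
objectClass: univentionGroup
objectClass: posixGroup
cn: Printer Admins
gidNumber: 5005

dn: cn=Entwickler,cn=groups,dc=example,dc=org
objectClass: univentionGroup
objectClass: posixGroup
cn: Entwickler
gidNumber: 5010

dn: cn=G\\C3\\A4ste,cn=groups,dc=example,dc=org
objectClass: univentionGroup
objectClass: posixGroup
cn:: R8Okc3Rl
gidNumber: 5003
"""

S4_LDIF = """dn: CN=Domain Users,CN=Groups,DC=example,DC=org
objectClass: group
cn: Domain Users
gidNumber: 5001

dn: CN=Printer Admins,CN=Groups,DC=example,
 DC=org
objectClass: group
cn: Printer Admins

dn: CN=Entwickler,CN=Groups,DC=example,DC=org
objectClass: group
cn: Entwickler
gidNumber: 5011

dn: CN=G\\C3\\A4ste,CN=Groups,DC=example,DC=org
objectClass: group
cn:: R8Okc3Rl
gidNumber: 5003
"""

if __name__ == "__main__":
    for state, names in compare_group_gids(UCS_LDIF, S4_LDIF).items():
        print(f"{state}: {', '.join(names) or '-'}")
```

Groups listed under missing_in_s4 are exactly the ones the comment above describes: existing objects the updated connector has not touched yet, which only get their gidNumber once they are modified or resynced. A mismatch is worth a second look before resyncing, since in write mode the UCS value will overwrite the Samba/AD one.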
Comment 7 Julia Bremer univentionstaff 2021-03-23 15:23:34 CET
fcf5b55086 Bug #50766: yaml update
4afc4e5273 Bug #50766: adjust loglevel output

Package: univention-s4-connector
Version: 13.0.2-87A~4.4.0.202103231521
Branch: ucs_4.4-0
Scope: errata4.4-7

As discussed with QA, I adjusted the log level of a line from PROCESS to INFO.
Comment 8 Julia Bremer univentionstaff 2021-03-24 10:37:33 CET
We decided to leave the "sync" (write mode) of the gidNumber attribute activated upon update
Comment 9 Julia Bremer univentionstaff 2021-03-24 11:21:45 CET
created merge-request:

https://git.knut.univention.de/univention/ucs/-/merge_requests/79
Comment 10 Julia Bremer univentionstaff 2021-03-24 11:24:15 CET
*** Bug 50278 has been marked as a duplicate of this bug. ***
Comment 11 Felix Botner univentionstaff 2021-03-24 11:42:20 CET
TODO merge request

OK - gidNumber sync from UCS to samba for users and groups
OK - no sync from samba to UCS
OK - Jenkins Tests
OK - 150sync_create_and_modify_ucs_group
OK - yaml

We have decided to make the groups gidNumber sync to samba the default behavior.
Comment 12 Julia Bremer univentionstaff 2021-03-24 11:56:07 CET
Created merge request:

> created merge-request:
>
> https://git.knut.univention.de/univention/ucs/-/merge_requests/79
Comment 13 Felix Botner univentionstaff 2021-03-24 12:23:22 CET
OK