Univention Bugzilla – Bug 50766
S4-Connector should synchronize gidNumber also for group objects
Last modified: 2021-04-13 12:14:00 CEST
The gidNumber attribute is missing from the group object in the Samba AD, preventing a proper group id mapping on systems using rfc2307 idmap. A solution could be to sync the existing gidNumber attribute from the OpenLDAP with Samba.
Thanks for reporting this issue. Since Bug 49092 (UCS 4.4 Erratum 239) the S4-Connector supports the synchronization of the gidNumber attribute -- BUT: only for users, not yet for groups. FYI: For new systems installed after that Erratum (i.e. systems installed with UCS 4.4-2) this should be the default, but for systems that have been updated to that erratum it is not, because in that case we explicitly put it on a list of attributes to ignore, which is configured with the UCR variable connector/s4/mapping/user/attributes/ignorelist. After changing that variable, the S4-Connector needs to be restarted. Please note that the connector only starts to honour this when the individual objects are actually created or modified after changing that UCR variable.
Is the synchronization of the gidNumber attribute for groups planned for a further erratum or release? This issue is preventing having a proper Unix group idmap for Unix users with Samba.
UCS currently stores gidNumber and uidNumber in OpenLDAP and that is the source from which the entries in /var/lib/samba/private/idmap.ldb are generated. The rfc2307 attributes in Samba/AD are not required for the identity mapping. NSS goes against OpenLDAP and Winbind uses idmap.ldb.
A customer reported the need for the gidNumber for groups. Attached ticket and set ent cust affected.
Successful build
Package: univention-s4-connector
Version: 13.0.2-86A~4.4.0.202103180923
Branch: ucs_4.4-0
Scope: errata4.4-7

0fa9758b03 Bug #50766: version bump
6c8213ea37 Bug #50766: gidNumber is post attribute
5756e35bfb Bug #50766: version bump
c6adb6e33f Bug #50766: version bump
1f4a7da1ba Bug #50766: sync gidNumber for groups in write mode
6c27eb8388 Bug #50278: fix typo
97bee3fc8c Bug #50278: yaml

I set gidNumber for users and groups to write mode. For users, it was synced before, but due to it being a post attribute and having the property valueMayNotChange, it always ended in a reject if synced from S4. This has been fixed. Sync of gidNumber for groups has been added, also in write mode. The synchronization is active on update, but no resync happens automatically. The tool resync_objects_from_ucs has to be used, if this is desired. We need to discuss if it is acceptable to activate the sync on update, or if we have to create an ignorelist UCR variable for group attributes. I adjusted 150sync_create_and_modify_ucs_group to test gidNumber for groups also.
fcf5b55086 Bug #50766: yaml update
4afc4e5273 Bug #50766: adjust loglevel output

Package: univention-s4-connector
Version: 13.0.2-87A~4.4.0.202103231521
Branch: ucs_4.4-0
Scope: errata4.4-7

As discussed with QA, I adjusted the log level of a line from PROCESS to INFO.
We decided to leave the "sync" (write mode) of the gidNumber attribute activated upon update.
Created merge request: https://git.knut.univention.de/univention/ucs/-/merge_requests/79
*** Bug 50278 has been marked as a duplicate of this bug. ***
TODO merge request
OK - gidNumber sync from UCS to Samba for users and groups
OK - no sync from Samba to UCS
OK - Jenkins tests
OK - 150sync_create_and_modify_ucs_group
OK - yaml

We have decided to make the group gidNumber sync to Samba the default behavior.
> Created merge request:
> https://git.knut.univention.de/univention/ucs/-/merge_requests/79
OK
<https://errata.software-univention.de/#/?erratum=4.4x935>