Univention Bugzilla – Bug 52373
AD 2008R2 to UCS sync fails with primaryGroupWithoutSamba
Last modified: 2024-04-17 13:19:11 CEST
17.11.2020 16:43:22.436 MAIN (------ ): DEBUG_INIT
17.11.2020 16:43:25.613 LDAP (PROCESS): Using CUSTOMER as AD Netbios domain name
17.11.2020 16:43:25.717 LDAP (PROCESS): AD search continues, already found 2000 objects
17.11.2020 16:44:04.758 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=administrator_sb,ou=benutzer,ou=sys-admin,ou=customer,dc=customer,dc=local
17.11.2020 16:44:04.806 LDAP (ERROR ): Unknown Exception during sync_to_ucs
17.11.2020 16:44:04.808 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1357, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 199, in primary_group_sync_to_ucs
    return connector.primary_group_sync_to_ucs(key, object)
  File "/usr/lib/python2.7/dist-packages/univention/connector/ad/__init__.py", line 1694, in primary_group_sync_to_ucs
    ucs_admin_object.modify()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1405, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 647, in modify
    self._ldap_pre_ready()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1601, in _ldap_pre_ready
    raise univention.admin.uexceptions.primaryGroupWithoutSamba(self['primaryGroup'])
primaryGroupWithoutSamba: cn=domain users,cn=users,dc=customer,dc=local
17.11.2020 16:44:04.808 LDAP (WARNING): sync to ucs was not successfull, save rejected
17.11.2020 16:44:04.808 LDAP (WARNING): object was: CN=Administrator_SB,OU=Benutzer,OU=Sys-Admin,OU=customer,DC=customer,DC=local

The user itself has Domänen-Benutzer as primary group in AD. This group is known to UCS:

root@kopano01:/var/lib/univention-ldap# getent group 5001
Domänen-Benutzer:*:5001:Administrator_SB,all-our-users,....
Which UCS version is in use?

-> univention-app info

It should be noted that Win 2008 servers are no longer officially supported since the beginning of this year, see bug 49381.
# univention-app info
UCS: 4.4-6 errata803
Installed: adconnector=12.0 kopano-core=8.7.1.0-1 kopano-webapp=3.5.14.2539-2 samba-memberserver=4.7 z-push-kopano=2.4.5
What is the output of the following commands:

ucr get \
  groups/default/domainusers \
  connector/ad/mapping/group/language
univention-ldapsearch -LLL "(&(gidNumber=5001)(univentionObjectType=groups/group))" sambaSID
univention-ldapsearch -LLL -b "cn=domain users,cn=users,dc=customer,dc=local" sambaSID
univention-adsearch CN=Administrator_SB | egrep -i "(objectSid|memberOf|primaryGroupID)"
root@kopano01:~# ucr get \
> groups/default/domainusers \
> connector/ad/mapping/group/language
Domänen-Benutzer

root@kopano01:~# univention-ldapsearch -LLL "(&(gidNumber=5001)(univentionObjectType=groups/group))" sambaSID
dn:: Y249RG9tw6RuZW4tQmVudXR6ZXIsY249Z3JvdXBzLGRjPXByb2Rlc2lnbixkYz1sb2NhbA==
sambaSID: S-1-5-21-3528624953-3559364101-3506604361-513

root@kopano01:~# univention-ldapsearch -LLL -b "cn=domain users,cn=users,dc=customer,dc=local" sambaSID
No such object (32)
Matched DN: cn=users,dc=customer,dc=local

root@kopano01:~# univention-adsearch CN=Administrator_SB | egrep -i "(objectSid|memberOf|primaryGroupID)"
primaryGroupID: 513
objectSid: S-1-5-21-588273740-1646099605-1082013118-7992
memberOf: CN=Adm-Netzwerk,OU=Gruppen_virtuelle_Benutzer,OU=Sys-Admin,OU=customer,DC=customer,DC=local
memberOf: CN=Domänen-Admins,CN=Users,DC=customer,DC=local
Hi Arvid and Erik, thank you for your time. Is there something I can provide / help with? Thank you. Stefan
I had a typo in Comment 3, maybe you could send the output of:

ucr search --brief connector/ad/mapping/group/language

If that's set (to something like "de"), then I could imagine that the AD-Connector tries to map the german localized names of the well known groups like "Domänen-Benutzer" to the default english ones. It all depends on the history of your specific installation. Since it's specific to your installation I would recommend to look at it in a support case, if you have a subscription.
Thank you Arvid for your time,

# ucr search --brief connector/ad/mapping/group/language
con.*/ad/mapping/group/language: <empty>
connector/ad/mapping/group/language: de

We did not set anything special - aside from selecting German during the setup - joined to the domain and that's it. No tuning or anything else.

According to the description of the field:

connector/ad/mapping/group/language: de
Defines which form of standard group names should be used between UCS (group names are always English) and Active Directory. The mapping to a Active Directory service in German language is preset using the value "de".

It should be correct to have 'de'.
Just unset the language variable, changed a field in AD and monitored connector.log:

ucr unset connector/ad/mapping/group/language

19.11.2020 18:13:17.812 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=administrator_sb,ou=benutzer,ou=sys-admin,ou=customer,dc=customer,dc=local

Looks much better :) Thank you. However, I'm not quite certain that this does not break anything else. Need to test further.
> It should be correct to have 'de'.

Yeah, maybe. connector/ad/mapping/group/language is pretty old and we (I) reworked the handling of Well-Known-SID-Accounts with localized names for the AD-Takeover. During AD-Takeover we sync the names localized (e.g. german) to OpenLDAP and a listener-module notices this and automagically sets e.g. groups/default/domainusers="Domänen-Benutzer", which in turn adjusts a couple of config files and LDAP ACLs to match the german names. By default UCS uses the original english names and the UCR setting connector/ad/mapping/group/language=de tells the AD-Connector to translate the names (that UCR variable activates a translation table in /etc/univention/connector/ad/mapping.py). In your case now, you have the translation table active but you have german names in UCS, which raises questions :-) Like: who renamed them to german in UDM/OpenLDAP? Anyhow, with german names for the Well-Known-SID-accounts, the translation table makes no sense. And the fact that groups/default/domainusers is set in your UCR tells me that the automagic listener-module mechanism worked. You could look into /var/log/univention/config-registry.replog* to see if you still find, at what point the UCR-Variable was set, indicating the moment when the renaming happened. But I don't mind, as long as the AD-Connector is happy.
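The failure mode explained in the comment above, as an added example that is not part of this bug report and not the AD-Connector's own code: a simplified model of the German-to-English name translation that connector/ad/mapping/group/language=de switches on, applied to a UCS directory that (as in this installation) already carries the German name for RID 513. The translation table contents, the UCS base cn=groups,dc=customer,dc=local and the directory entry are constructed from the values quoted in the comments; the RID-based matching shown beside it is an illustrative alternative, not a description of what the connector actually does.

```python
# Added example (not the AD-Connector's code): name-based vs. RID-based
# matching of the AD primary group against UCS when localized names are in play.

# Localized names a German Active Directory uses for well-known RIDs (constructed).
AD_NAMES_DE = {513: "Domänen-Benutzer", 512: "Domänen-Admins"}

# German -> English translation that the UCR variable activates (hypothetical
# contents; the real table lives in /etc/univention/connector/ad/mapping.py).
GROUP_NAME_DE_TO_EN = {"Domänen-Benutzer": "Domain Users", "Domänen-Admins": "Domain Admins"}

# Constructed UCS directory, keyed by lower-cased DN: the group from the bug
# (gidNumber 5001, sambaSID ending in RID 513) already has the German name.
UCS_BASE = "cn=groups,dc=customer,dc=local"
UCS_GROUPS = {
    "cn=domänen-benutzer,cn=groups,dc=customer,dc=local": {
        "gidNumber": 5001,
        "sambaSID": "S-1-5-21-3528624953-3559364101-3506604361-513",
    },
}


class PrimaryGroupWithoutSamba(Exception):
    """Stand-in for univention.admin.uexceptions.primaryGroupWithoutSamba."""


def rid_of(sid):
    """Last sub-authority of a SID, e.g. 513 for S-1-5-21-...-513."""
    return int(sid.rsplit("-", 1)[1])


def translated_group_name(primary_group_id, language):
    """AD group name as the connector sees it after the optional de->en translation."""
    name = AD_NAMES_DE[primary_group_id]
    if language == "de":
        name = GROUP_NAME_DE_TO_EN.get(name, name)
    return name


def primary_group_dn_by_name(primary_group_id, language):
    """Name-based matching: build the UCS DN from the (translated) group name.
    With language=de the DN becomes cn=Domain Users,... which does not exist
    in a directory holding German names, so no sambaSID can be read for it."""
    dn = "cn=%s,%s" % (translated_group_name(primary_group_id, language), UCS_BASE)
    entry = UCS_GROUPS.get(dn.lower())
    if entry is None or "sambaSID" not in entry:
        raise PrimaryGroupWithoutSamba(dn)
    return dn


def primary_group_dn_by_rid(primary_group_id):
    """RID-based matching: the UCS group whose sambaSID ends in the AD RID.
    Only the RID is compared because the domain part of the SIDs differs
    between AD and UCS (see the two SIDs quoted in the bug)."""
    for dn, entry in UCS_GROUPS.items():
        if rid_of(entry["sambaSID"]) == primary_group_id:
            return dn
    raise PrimaryGroupWithoutSamba("RID %d" % primary_group_id)


def diagnose(primary_group_id, language):
    """Summarise what each matching strategy yields for a given UCR language value."""
    result = {"language": language, "by_rid": primary_group_dn_by_rid(primary_group_id)}
    try:
        result["by_name"] = primary_group_dn_by_name(primary_group_id, language)
    except PrimaryGroupWithoutSamba as exc:
        result["by_name"] = "primaryGroupWithoutSamba: %s" % exc
    return result


if __name__ == "__main__":
    # language "de" reproduces the rejected sync; unset (None) resolves the group.
    for lang in ("de", None):
        print(diagnose(513, lang))
```

Running the block prints one line per language value: with "de" the name-based lookup fails exactly as in the connector.log excerpt, with the variable unset it resolves to the German group; the RID-based lookup succeeds in both cases, which is why checking the sambaSID of the gidNumber=5001 group (as asked for in Comment 3) is the quickest way to confirm the group itself is fine and only the name mapping is off.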
I guess we should improve the documentation for the translation options.
This bug hasn't seen any update for several years. I close it. If you still see a need for it, you can reopen the bug. Please add an argumentation about why it's important to take care of it.