Bug 52464 - Well Known SID Issues in Systemdiagnoses after installing samba4 after ucsschool on the master
Status: RESOLVED DUPLICATE of bug 46827
Product: UCS@school
Classification: Unclassified
Component: Samba 4
Version: UCS@school 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba maintainers
Depends on: 46827
Blocks:
Reported: 2020-12-07 12:41 CET by Christina Scheinig
Modified: 2020-12-08 18:47 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020111121000926, 2020091621005122
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2020-12-07 12:41:58 CET
1 - On a freshly installed UCS Master I installed UCS@school as a multi-server environment. After finishing the configuration of UCS@school I checked the system diagnosis and got
Problem: Ucs@school Check if samba4 is installed.

As I recall this is not even recommended on the master in large school environments, but we have a lot of customers with samba4 on the master.

2 - So then I installed samba4 (Active Directory-compatible domain controller)
and ran the system diagnosis again.

Now I get the Well Known SID warning with:
No user or group with SID S-1-5-32-545 found, expected 'Users'.
No user or group with SID S-1-5-32-544 found, expected 'Administrators'.
No user or group with SID S-1-5-32-546 found, expected 'Guests'.
No user or group with SID S-1-5-32-551 found, expected 'Backup Operators'.
No user or group with SID S-1-5-32-557 found, expected 'Incoming Forest Trust Builders'.
No user or group with SID S-1-5-32-568 found, expected 'IIS_IUSRS'.
No user or group with SID S-1-5-32-552 found, expected 'Replicator'.
No user or group with SID S-1-5-32-549 found, expected 'Server Operators'.
No user or group with SID S-1-5-32-554 found, expected 'Pre-Windows 2000 Compatible Access'.
No user or group with SID S-1-5-32-548 found, expected 'Account Operators'.
No user or group with SID S-1-5-32-559 found, expected 'Performance Log Users'.
No user or group with SID S-1-5-32-561 found, expected 'Terminal Server License Servers'.
No user or group with SID S-1-5-32-556 found, expected 'Network Configuration Operators'.
No user or group with SID S-1-5-32-555 found, expected 'Remote Desktop Users'.
No user or group with SID S-1-5-32-573 found, expected 'Event Log Readers'.
No user or group with SID S-1-5-32-569 found, expected 'Cryptographic Operators'.
No user or group with SID S-1-5-32-560 found, expected 'Windows Authorization Access Group'.
No user or group with SID S-1-5-32-574 found, expected 'Certificate Service DCOM Access'.
No user or group with SID S-1-5-32-562 found, expected 'Distributed COM Users'.
No user or group with SID S-1-5-32-558 found, expected 'Performance Monitor Users'.
No user or group with SID S-1-5-21-4056447619-3264413342-2188226695-521 found, expected 'Read-Only Domain Controllers'.
No user or group with SID S-1-5-21-4056447619-3264413342-2188226695-516 found, expected 'Domain Controllers'.
No user or group with SID S-1-5-21-4056447619-3264413342-2188226695-515 found, expected 'Domain Computers'.
No user or group with SID S-1-5-21-4056447619-3264413342-2188226695-571 found, expected 'Allowed RODC Password Replication Group'.
No user or group with SID S-1-5-21-4056447619-3264413342-2188226695-553 found, expected 'RAS and IAS Servers'.
No user or group with SID S-1-5-21-4056447619-3264413342-2188226695-519 found, expected 'Enterprise Admins'.
No user or group with SID S-1-5-21-4056447619-3264413342-2188226695-518 found, expected 'Schema Admins'.
No user or group with SID S-1-5-21-4056447619-3264413342-2188226695-520 found, expected 'Group Policy Creator Owners'.
No user or group with SID S-1-5-21-4056447619-3264413342-2188226695-517 found, expected 'Cert Publishers'.
No user or group with SID S-1-5-21-4056447619-3264413342-2188226695-572 found, expected 'Denied RODC Password Replication Group'.
No user or group with SID S-1-5-21-4056447619-3264413342-2188226695-498 found, expected 'Enterprise Read-only Domain Controllers'.

So this might not be the best experience for a customer choosing this order of installation, but nothing prevents it.

I now have the challenge of fixing these Well Known SIDs in a customer environment, which is why I tested this.

Do we have a recommended way to fix this and can we prevent this from happening?
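The diagnostic output quoted above is a comparison of the well-known BUILTIN and domain RIDs against what is actually resolvable in the directory. The following is an added example (not Univention's own diagnostic code) that reproduces that comparison offline: it splits SIDs into issuing prefix and RID, derives the expected BUILTIN (S-1-5-32) and domain (S-1-5-21-...) SIDs for a given domain SID, and reports which ones are missing. The RID tables are taken from the public well-known SID list and match the names in the output above; `sids_from_ldap_entries`, the `sambaSID` attribute lookup and the sample entries are assumptions constructed for this example, and the domain SID reused from the bug report is just a sample value.

```python
import re

# Constructed reference tables: the BUILTIN and domain RIDs that the
# diagnostic above expects to find. 512 (Domain Admins) and 513 (Domain
# Users) were present in the reported environment, so they do not show up
# in the output and are not listed here.
BUILTIN_SID = "S-1-5-32"
WELL_KNOWN_BUILTIN_RIDS = {
    544: "Administrators", 545: "Users", 546: "Guests",
    548: "Account Operators", 549: "Server Operators",
    551: "Backup Operators", 552: "Replicator",
    554: "Pre-Windows 2000 Compatible Access", 555: "Remote Desktop Users",
    556: "Network Configuration Operators",
    557: "Incoming Forest Trust Builders", 558: "Performance Monitor Users",
    559: "Performance Log Users", 560: "Windows Authorization Access Group",
    561: "Terminal Server License Servers", 562: "Distributed COM Users",
    568: "IIS_IUSRS", 569: "Cryptographic Operators",
    573: "Event Log Readers", 574: "Certificate Service DCOM Access",
}
WELL_KNOWN_DOMAIN_RIDS = {
    498: "Enterprise Read-only Domain Controllers", 515: "Domain Computers",
    516: "Domain Controllers", 517: "Cert Publishers", 518: "Schema Admins",
    519: "Enterprise Admins", 520: "Group Policy Creator Owners",
    521: "Read-Only Domain Controllers", 553: "RAS and IAS Servers",
    571: "Allowed RODC Password Replication Group",
    572: "Denied RODC Password Replication Group",
}

# Textual SID: "S-1-<authority>-<subauth>[-<subauth>...]"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split a textual SID into (issuing prefix, RID); reject malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def expected_well_known_sids(domain_sid):
    """Map every expected SID (BUILTIN plus domain-relative) to its name."""
    expected = {f"{BUILTIN_SID}-{rid}": name
                for rid, name in WELL_KNOWN_BUILTIN_RIDS.items()}
    expected.update({f"{domain_sid}-{rid}": name
                     for rid, name in WELL_KNOWN_DOMAIN_RIDS.items()})
    return expected


def check_well_known_sids(domain_sid, present_sids):
    """Return one diagnostic line per expected SID that is not present."""
    present = set(present_sids)
    return [f"No user or group with SID {sid} found, expected '{name}'."
            for sid, name in expected_well_known_sids(domain_sid).items()
            if sid not in present]


def sids_from_ldap_entries(entries):
    """Collect sambaSID values from (dn, attrs) pairs as python-ldap returns
    them; the attribute name and bytes-valued attributes are assumptions."""
    sids = set()
    for _dn, attrs in entries:
        for value in attrs.get("sambaSID", []):
            sids.add(value.decode() if isinstance(value, bytes) else value)
    return sids


# Constructed sample: a directory where only Domain Admins, Domain Users and
# the BUILTIN Administrators group carry a sambaSID.
DOMAIN_SID = "S-1-5-21-4056447619-3264413342-2188226695"
SAMPLE_ENTRIES = [
    ("cn=Domain Admins,cn=groups,dc=example,dc=com",
     {"sambaSID": [f"{DOMAIN_SID}-512".encode()]}),
    ("cn=Domain Users,cn=groups,dc=example,dc=com",
     {"sambaSID": [f"{DOMAIN_SID}-513".encode()]}),
    ("cn=Administrators,cn=groups,dc=example,dc=com",
     {"sambaSID": [f"{BUILTIN_SID}-544".encode()]}),
]

if __name__ == "__main__":
    for line in check_well_known_sids(DOMAIN_SID,
                                      sids_from_ldap_entries(SAMPLE_ENTRIES)):
        print(line)
```

Against a live UCS system the `present_sids` set would come from an LDAP search for `sambaSID` over users and groups; the function only needs the set of SIDs, so the data source can be swapped without touching the comparison.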
Comment 1 Christina Scheinig univentionstaff 2020-12-07 15:14:36 CET
I suggest that this is caused by the connector mapping variables.
After running the school wizard I have the typical school SID mapping:
connector/s4/mapping/sid_to_s4: yes
connector/s4/mapping/sid_to_ucs: no

instead of a non school environment:

connector/s4/mapping/sid/sid_to_ucs: <empty>
connector/s4/mapping/sid: true
connector/s4/mapping/sid_to_s4: <empty>

So I changed this before installing samba4, but this was not the root cause. It happens anyway.
Comment 2 Arvid Requate univentionstaff 2020-12-07 20:06:18 CET
First, I'm unsure if Samba and S4-Connector are running properly now on the master of the customer environment. Long ago some UCR adjustments were needed if Samba was installed after UCS@school (Bug #40432 etc.), but IIRC we changed something in that area, I'm unsure about the current status. We should collect the join.log / updater.log at the ticket to see what's going on.


FYI: The setting of those UCS variables you mention in Comment 1 differs between UCS@school and plain UCS, because in UCS@school not Samba but UDM needs to assign the SIDs. It is important not to change them, also because there are about 3 that need to be set in a certain way.
Comment 3 Christina Scheinig univentionstaff 2020-12-08 09:29:41 CET
(In reply to Arvid Requate from comment #2)
> First, I'm unsure if Samba and S4-Connector are running properly now on the
> master of the customer environment. Long ago some UCR adjustments were
> needed if Samba was installed after UCS@school (Bug #40432 etc.), but IIRC
> we changed something in that area, I'm unsure about the current status. We
> should collect the join.log / updater.log at the ticket to see what's going
> on.
> 
> 


Okay, I am shocked if there are some adjustments needed for this kind of setup. I reproduced this about 3 times in a row. So I will check the UCR in my test environment and check if these "doings" are still necessary.

> FYI: The setting of those UCS variables you mention in Comment 1 differs
> between UCS@school and plain UCS, because in UCS@school not Samba but UDM
> needs to assign the SIDs. It is important not to change them, also because
> there are about 3 that need to be set in a certain way.

So I missed one ucr. Drat.
Anyway, this was just an idea to find the root cause, and getting to know how to fix this.
Comment 4 Christina Scheinig univentionstaff 2020-12-08 14:37:00 CET
So using 
ucr set samba4/provision/primary=yes \
        connector/s4/allow/secondary=yes

on the Master after installing school and before installing samba4 still results in the same well known SID diagnostic issue.

BUT joining an edu slave to this master fixes the well known SIDs.
Now it would be interesting to know what the slave did in its join process.
Comment 5 Arvid Requate univentionstaff 2020-12-08 16:30:39 CET
I guess this is Bug #46827
Comment 6 Arvid Requate univentionstaff 2020-12-08 18:47:49 CET

*** This bug has been marked as a duplicate of bug 46827 ***