Univention Bugzilla – Bug 53881
Primary group of Backup and Replica DC accounts differs between OpenLDAP/UDM and Samba/AD
Last modified: 2021-10-06 19:41:49 CEST
In Samba/AD the Backup and Replica DC accounts have RID 516 as primaryGroupID, which corresponds to the group "Domain Controllers". In OpenLDAP their primary group is "DC Slave Hosts" instead:

root@primary20:~# id replica22$
uid=2013(replica22$) gid=5006(DC Slave Hosts) groups=5006(DC Slave Hosts),5007(Computers),5010(Authenticated Users),5015(Enterprise Domain Controllers)

Note: "Enterprise Domain Controllers" is yet another (builtin) group (S-1-5-9), not to be confused with the group "Domain Controllers".

root@primary20:~# univention-s4search samaccountname=replica22$ primaryGroupID memberof
# record 1
dn: CN=REPLICA22,OU=Domain Controllers,DC=ucs50domain,DC=net
primaryGroupID: 516

root@primary20:~# univention-ldapsearch sambasid=S-1-5-21-3845704857-3224404521-1219090489-516
# extended LDIF
#
# LDAPv3
# base <dc=ucs50domain,dc=net> (default) with scope subtree
# filter: sambasid=S-1-5-21-3845704857-3224404521-1219090489-516
# requesting: ALL
#

# Domain Controllers, groups, ucs50domain.net
dn: cn=Domain Controllers,cn=groups,dc=ucs50domain,dc=net
gidNumber: 5042
sambaSID: S-1-5-21-3845704857-3224404521-1219090489-516
cn: Domain Controllers
sambaGroupType: 2
univentionGroupType: -2147483646
description: All domain controllers in the domain
objectClass: sambaGroupMapping
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
univentionObjectType: groups/group
memberUid: primary20$
uniqueMember: cn=primary20,cn=dc,cn=computers,dc=ucs50domain,dc=net

# search result
search: 3
result: 0 Success

This is a bit surprising, because one would assume that the S4-Connector synchronized this. Maybe I'm missing something.
The situation is different for the UCS Primary DC, where the primary group also differs in a similar way, but *surprise*, it additionally is a member of the "Domain Controllers" group in OpenLDAP, unlike Backup and Replica:

root@primary20:~# id primary20$
uid=2001(primary20$) gid=5005(DC Backup Hosts) groups=5005(DC Backup Hosts),1005(Windows Hosts),5006(DC Slave Hosts),5007(Computers),5010(Authenticated Users),5015(Enterprise Domain Controllers),5042(Domain Controllers),5051(Denied RODC Password Replication Group),5059(Pre-Windows 2000 Compatible Access)

root@primary20:~# univention-ldapsearch \
    sambasid=S-1-5-21-3845704857-3224404521-1219090489-516
# extended LDIF
#
# LDAPv3
# base <dc=ucs50domain,dc=net> (default) with scope subtree
# filter: sambasid=S-1-5-21-3845704857-3224404521-1219090489-516
# requesting: ALL
#

# Domain Controllers, groups, ucs50domain.net
dn: cn=Domain Controllers,cn=groups,dc=ucs50domain,dc=net
gidNumber: 5042
sambaSID: S-1-5-21-3845704857-3224404521-1219090489-516
cn: Domain Controllers
sambaGroupType: 2
univentionGroupType: -2147483646
description: All domain controllers in the domain
objectClass: sambaGroupMapping
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
univentionObjectType: groups/group
memberUid: primary20$
uniqueMember: cn=primary20,cn=dc,cn=computers,dc=ucs50domain,dc=net
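The manual comparison in this report (take the AD primaryGroupID, append the RID to the domain SID, look up the OpenLDAP group with that sambaSID, compare its gidNumber with the host's gidNumber, and check whether the host is a memberUid of it) can be scripted. The following is an added example for this report, not UCS or S4-Connector code. It parses LDIF text so it runs offline; the two LDIF samples are constructed from the values quoted above (the Samba DN for PRIMARY20, its primaryGroupID of 516, and the trimmed attribute sets are assumptions), and on a real domain they would be the output of univention-ldapsearch and univention-s4search.

```python
"""Cross-check a UCS host account's primary group between OpenLDAP/UDM and
Samba/AD. Added example for the bug report; not UCS or S4-Connector code.
Runs offline on the constructed LDIF samples below."""
from typing import Dict, List, Optional

Record = Dict[str, List[str]]

# Domain SID prefix, taken from the sambaSID shown in the report.
DOMAIN_SID = "S-1-5-21-3845704857-3224404521-1219090489"

# Constructed sample OpenLDAP output, trimmed to the attributes the check needs.
OPENLDAP_LDIF = """\
# Constructed sample modelled on the report; not a real directory dump.
dn: cn=replica22,cn=dc,cn=computers,dc=ucs50domain,dc=net
uid: replica22$
gidNumber: 5006

dn: cn=primary20,cn=dc,cn=computers,dc=ucs50domain,dc=net
uid: primary20$
gidNumber: 5005

dn: cn=DC Slave Hosts,cn=groups,dc=ucs50domain,dc=net
objectClass: posixGroup
cn: DC Slave Hosts
gidNumber: 5006

dn: cn=DC Backup Hosts,cn=groups,dc=ucs50domain,dc=net
objectClass: posixGroup
cn: DC Backup Hosts
gidNumber: 5005

dn: cn=Domain Controllers,cn=groups,dc=ucs50domain,dc=net
objectClass: posixGroup
cn: Domain Controllers
gidNumber: 5042
sambaSID: S-1-5-21-3845704857-3224404521-1219090489-516
memberUid: primary20$
"""

# Constructed sample Samba/AD output (univention-s4search style); the
# PRIMARY20 entry and its primaryGroupID are assumed, not quoted from the report.
SAMBA_LDIF = """\
dn: CN=REPLICA22,OU=Domain Controllers,DC=ucs50domain,DC=net
sAMAccountName: replica22$
primaryGroupID: 516

dn: CN=PRIMARY20,OU=Domain Controllers,DC=ucs50domain,DC=net
sAMAccountName: primary20$
primaryGroupID: 516
"""


def parse_ldif(text: str) -> List[Record]:
    """Split LDIF into records (attr -> list of values). Comment lines are
    skipped; base64 ('::') and folded lines are not needed for these attributes."""
    records: List[Record] = []
    current: Record = {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def find_one(records: List[Record], attr: str, value: str) -> Optional[Record]:
    """First record whose attribute carries the given value, else None."""
    return next((r for r in records if value in r.get(attr, [])), None)


def check_primary_group(hostname: str, ldap_records: List[Record],
                        s4_records: List[Record],
                        domain_sid: str = DOMAIN_SID) -> Dict[str, object]:
    """Resolve the AD primaryGroupID (a RID) to the OpenLDAP group carrying
    domain_sid-RID as sambaSID and compare its gidNumber with the host's."""
    uid = hostname + "$"
    host = find_one(ldap_records, "uid", uid)
    ad_host = find_one(s4_records, "sAMAccountName", uid)
    if host is None or ad_host is None:
        raise LookupError(f"{uid} must exist in both directories")

    # Only group objects: the host itself also carries a gidNumber.
    groups = [r for r in ldap_records if "posixGroup" in r.get("objectClass", [])]
    ldap_gid = host["gidNumber"][0]
    ldap_group = find_one(groups, "gidNumber", ldap_gid)

    rid = ad_host["primaryGroupID"][0]
    ad_group = find_one(groups, "sambaSID", f"{domain_sid}-{rid}")
    ad_gid = ad_group["gidNumber"][0] if ad_group else None

    return {
        "host": uid,
        "ldap_gid": ldap_gid,
        "ldap_group": ldap_group["cn"][0] if ldap_group else None,
        "ad_rid": rid,
        "ad_group": ad_group["cn"][0] if ad_group else None,
        "ad_group_gid": ad_gid,
        "primary_group_consistent": ad_gid == ldap_gid,
        "member_of_ad_group_in_ldap":
            ad_group is not None and uid in ad_group.get("memberUid", []),
    }


if __name__ == "__main__":
    ldap, s4 = parse_ldif(OPENLDAP_LDIF), parse_ldif(SAMBA_LDIF)
    for name in ("replica22", "primary20"):
        r = check_primary_group(name, ldap, s4)
        state = "OK" if r["primary_group_consistent"] else "MISMATCH"
        print(f"{r['host']}: {state} LDAP={r['ldap_group']} AD={r['ad_group']} "
              f"memberUid_in_LDAP={r['member_of_ad_group_in_ldap']}")
```

Run against the samples it reports MISMATCH for both hosts, with replica22$ not listed as memberUid of "Domain Controllers" and primary20$ listed, which is exactly the asymmetry described above. To use it on a live domain, feed it the ldapsearch/s4search output for the host and all posixGroup objects; a group with no sambaSID simply yields ad_group None.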