Univention Bugzilla – Bug 54929
proof_uniqueMembers fails for krbtgt user in UCS@school
Last modified: 2022-07-14 13:10:36 CEST
+++ This bug was initially created as a clone of Bug #48652 +++ Now and then an environment appears where the group membership attributes 'uniqueMember' and 'memberUid' are no longer consistent. As long as we didn't find the root cause for that behavior it would be a neat and quick step to integrate the script into the system diagnostic with a "fix me" button like the samba sysvol sync.
This test fails in school multiserver environments (no central samba AD) with /usr/share/univention-directory-manager-tools/proof_uniqueMembers -c Checking if users are member of their primary group... Checked 1033 posixAccounts, fixed 0 issues. Checking if group-members exist... Warning: No member for DN 'uid=krbtgt,cn=users,dc=five,dc=new', will be removed Removing member DN 'uid=krbtgt,cn=users,dc=five,dc=new' from 'cn=Denied RODC Password Replication Group,cn=groups,dc=five,dc=new' Warning: No member for UID 'krbtgt', will be removed Removing member UID 'krbtgt' from 'cn=Denied RODC Password Replication Group,cn=groups,dc=five,dc=new' Checked 107 posixGroups, fixed 2 issues. There were 2 warning(s)! I guess this is by design. We create/sync the krbtgt account only on the s4 connector server, but not in school (connector/s4/mapping/user/ignorelist).