Bug 54929 - proof_uniqueMembers fails for krbtgt user in UCS@school
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Depends on: 48652 54988
Blocks: 54856
Reported: 2022-07-04 12:02 CEST by Felix Botner
Modified: 2022-07-14 13:10 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019020421000978
Bug group (optional): bitesize
Max CVSS v3 score:


Description Felix Botner univentionstaff 2022-07-04 12:02:06 CEST
+++ This bug was initially created as a clone of Bug #48652 +++

Now and then an environment appears where the group membership attributes 'uniqueMember' and 'memberUid' are no longer consistent. As long as we haven't found the root cause for that behavior, it would be a neat and quick step to integrate the script into the system diagnostic with a "fix me" button, like the samba sysvol sync.
Comment 1 Felix Botner univentionstaff 2022-07-04 12:10:26 CEST
This test fails in school multiserver environments (no central samba AD) with 

/usr/share/univention-directory-manager-tools/proof_uniqueMembers -c
Checking if users are member of their primary group...
Checked 1033 posixAccounts, fixed 0 issues.
Checking if group-members exist...
Warning: No member for DN 'uid=krbtgt,cn=users,dc=five,dc=new', will be removed
Removing member DN 'uid=krbtgt,cn=users,dc=five,dc=new' from 'cn=Denied RODC Password Replication Group,cn=groups,dc=five,dc=new'
Warning: No member for UID 'krbtgt', will be removed
Removing member UID 'krbtgt' from 'cn=Denied RODC Password Replication Group,cn=groups,dc=five,dc=new'
Checked 107 posixGroups, fixed 2 issues.
There were 2 warning(s)!


I guess this is by design. We create/sync the krbtgt account only on the s4 connector server, but not in school (connector/s4/mapping/user/ignorelist).
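
Added example, not part of the original report and not Univention code: a triage helper that splits the removals reported by proof_uniqueMembers into those for users on the S4 connector ignore list and those that need review. The function names, the comma-separated ignore list format and the value "root,krbtgt" are assumptions; the sample output is the one quoted in comment 1.

```python
import re

# Sample input: the "-c" output quoted in comment 1 above.
SAMPLE_OUTPUT = """\
Checking if users are member of their primary group...
Checked 1033 posixAccounts, fixed 0 issues.
Checking if group-members exist...
Warning: No member for DN 'uid=krbtgt,cn=users,dc=five,dc=new', will be removed
Removing member DN 'uid=krbtgt,cn=users,dc=five,dc=new' from 'cn=Denied RODC Password Replication Group,cn=groups,dc=five,dc=new'
Warning: No member for UID 'krbtgt', will be removed
Removing member UID 'krbtgt' from 'cn=Denied RODC Password Replication Group,cn=groups,dc=five,dc=new'
Checked 107 posixGroups, fixed 2 issues.
There were 2 warning(s)!
"""

REMOVAL = re.compile(r"^Removing member (DN|UID) '([^']*)' from '([^']*)'$")
UID_RDN = re.compile(r"^uid=([^,]+),", re.IGNORECASE)

def member_uid(kind, value):
    """Return the uid for a memberUid value or a uid=... uniqueMember DN."""
    if kind == "UID":
        return value
    m = UID_RDN.match(value)
    return m.group(1) if m else None

def triage(output, ignorelist):
    """Split reported removals into (expected, unexpected) lists.

    ignorelist: comma-separated user names, the format assumed here for
    the UCR variable connector/s4/mapping/user/ignorelist. Removals of
    ignored users are "expected"; everything else needs a human look.
    """
    ignored = {u.strip().lower() for u in ignorelist.split(",") if u.strip()}
    expected, unexpected = [], []
    for line in output.splitlines():
        m = REMOVAL.match(line.strip())
        if not m:
            continue  # progress and summary lines carry no finding
        kind, value, group = m.groups()
        uid = member_uid(kind, value)
        finding = (kind, value, group)
        if uid is not None and uid.lower() in ignored:
            expected.append(finding)
        else:
            unexpected.append(finding)
    return expected, unexpected

if __name__ == "__main__":
    print(triage(SAMPLE_OUTPUT, "root,krbtgt"))  # constructed ignore list value
```

With the constructed ignore list, both krbtgt removals land in the expected list, so a diagnostic built this way would flag only dangling members that the ignore list does not account for.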