Univention Bugzilla – Bug 56772
Regression: S4 connector changes Posix-Only groups into Samba groups
Last modified: 2023-12-06 12:59:18 CET
Creating a Posix-Only group does not work when Samba4 is installed.

```
root@ucs50-master:~# univention-app info
UCS: 5.0-5 errata821
Installed: samba4=4.16
Upgradable:
root@ucs50-master:~# udm groups/group create --set name=posixonly --remove-option samba
WARNING: The object is not going to be created underneath of its default containers.
Object created: cn=posixonly,dc=testucs5,dc=intranet
root@ucs50-master:~# udm groups/group list --filter 'name=posixonly' | grep -vi none
name=posixonly
DN: cn=posixonly,dc=testucs5,dc=intranet
adGroupType: -2147483646
gidNumber: 5076
name: posixonly
sambaGroupType: 2
sambaRID: 1114
```

The problem showed up on a system which was initially created as UCS 4.2, and updated since then. I have created a test system 4.4-9 without any additional software, installed Samba4 and updated it to 5.0-0 -> from this moment on, I cannot create Posix-Only groups anymore. There is third-party software in place that reads this LDAP and relies on the distinction between Posix and Samba groups. Currently this problem inhibits the customer from updating to UCS5 as group creation is not reliable anymore.
The reason is git:21f6cf119ee2916472802d6c096d68e3a066d794 in UCS 5.0-0 which changed that the specified UDM "options" in the mapping of properties are not automatically detected and don't need to be specified in the mapping. This enables all UDM options when a property is synced from S4/AD to UDM.
Another customer is affected and cannot update to UCS5, because they are using pure POSIX groups for a non-UCS application. To do this, they query the UCS LDAP directory. The query distinguishes between Samba and POSIX groups.
Why is this urgent: The bug 56322, which leads to errors during Windows logon (netlogon secure channel), cannot be fixed by the package update, as there is only one EMS package for samba for UCS-4.4-9. This means that Samba can only be updated by upgrading to UCS 5.0.
ee48fe9cff | fix + advisory
8082159a7e | testcase

Package: univention-s4-connector
Version: 14.0.15-6
Branch: ucs_5.0-0
Scope: errata5.0-5

Package: ucs-test
Version: 10.0.19-41
Branch: ucs_5.0-0
Scope: errata5.0-5
- OK udm groups/group create --set name=posixonly --remove-option samba creates a posix only group
- OK if I add group->groupType->auto_enable_udm_option=True to the mapping, I get the old behavior
- OK an exception is userCertificate, here the sync from Samba to UCS adds the pkiUser option by default (if disabled in mapping, the attribute is no longer synced)
- OK test case
- OK yaml
<https://errata.software-univention.de/#/?erratum=5.0x897>
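A way to re-check groups after installing the erratum, as an added example that is not part of the bug report or of Univention's code: it parses `udm groups/group list` output and reports groups that are expected to be POSIX-only but still carry the Samba attributes seen in the report. The helper names, the sample data beyond the reported `posixonly` object, and the rule that any non-None Samba attribute marks a group as Samba-enabled are assumptions.

```python
# Added example: audit `udm groups/group list` output for groups that should be
# POSIX-only but carry Samba attributes. Assumption: a non-None value in any of
# SAMBA_ATTRS marks a group as Samba-enabled (attribute names from the report).
SAMBA_ATTRS = ("adGroupType", "sambaGroupType", "sambaRID")

# Constructed sample: the first object uses the values from the report, the
# second one is made up for illustration.
SAMPLE = """\
DN: cn=posixonly,dc=testucs5,dc=intranet
  adGroupType: -2147483646
  gidNumber: 5076
  name: posixonly
  sambaGroupType: 2
  sambaRID: 1114

DN: cn=posixclean,dc=testucs5,dc=intranet
  adGroupType: None
  gidNumber: 5077
  name: posixclean
  sambaGroupType: None
  sambaRID: None
"""

def parse_udm_list(text):
    """Split udm list output into one {property: [values]} dict per object."""
    objects = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("DN: "):
            objects.append({"DN": [line[4:]]})
        elif objects and ": " in line:
            key, value = line.split(": ", 1)
            if value != "None":  # assumed: unset properties print as None
                objects[-1].setdefault(key, []).append(value)
    return objects

def audit(text, expected_posix_only):
    """Return {group name: [Samba attributes present]} for violating groups."""
    findings = {}
    for obj in parse_udm_list(text):
        name = obj.get("name", [""])[0]
        present = [a for a in SAMBA_ATTRS if a in obj]
        if name in expected_posix_only and present:
            findings[name] = present
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, {"posixonly", "posixclean"}))
```

On a real system, pass the unfiltered output of `udm groups/group list` instead of `SAMPLE`, together with the set of group names the third-party application treats as POSIX-only.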