Bug 56772 - Regression: S4 connector changes Posix-Only groups into Samba groups
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-5-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on:
Blocks:
Reported: 2023-10-27 12:49 CEST by Frank Greif
Modified: 2023-12-06 12:59 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2023110221000474
Bug group (optional): Regression
Max CVSS v3 score:


Description Frank Greif univentionstaff 2023-10-27 12:49:29 CEST
Creating a Posix-Only group does not work when Samba4 is installed.
```
root@ucs50-master:~# univention-app info
UCS: 5.0-5 errata821
Installed: samba4=4.16
Upgradable: 
root@ucs50-master:~# udm groups/group create --set name=posixonly --remove-option samba
WARNING: The object is not going to be created underneath of its default containers.
Object created: cn=posixonly,dc=testucs5,dc=intranet
root@ucs50-master:~# udm groups/group list --filter 'name=posixonly' | grep -vi none
name=posixonly
DN: cn=posixonly,dc=testucs5,dc=intranet
  adGroupType: -2147483646
  gidNumber: 5076
  name: posixonly
  sambaGroupType: 2
  sambaRID: 1114
```

The problem showed up on a system which was initially created as UCS 4.2, and updated since then. I have created a test system 4.4-9 without any additional software, installed Samba4 and updated it to 5.0-0 -> from this moment on, I cannot create Posix-Only groups anymore.

There is third-party software in place that reads this LDAP and relies on the distinction between Posix and Samba groups. Currently this problem inhibits the customer from updating to UCS5 as group creation is not reliable anymore.
Comment 1 Florian Best univentionstaff 2023-10-27 13:24:06 CEST
The reason is git:21f6cf119ee2916472802d6c096d68e3a066d794 in UCS 5.0-0 which changed that the specified UDM "options" in the mapping of properties are not automatically detected and don't need to be specified in the mapping. This enables all UDM options when a property is synced from S4/AD to UDM.
Comment 2 Christina Scheinig univentionstaff 2023-11-06 10:15:37 CET
Another customer is affected, and he cannot update to UCS5, because they are using pure POSIX groups for a non-UCS application. To do this, they query the UCS LDAP directory. The query distinguishes between Samba and POSIX groups.
Comment 3 Christina Scheinig univentionstaff 2023-11-06 13:58:48 CET
Why is this urgent:
The bug 56322, which leads to errors during Windows logon (netlogon secure channel), cannot be fixed by the package update, as there is only one EMS package for samba for UCS-4.4-9. This means that Samba can only be updated by upgrading to UCS 5.0.
Comment 5 Arvid Requate univentionstaff 2023-12-05 15:54:36 CET
ee48fe9cff | fix + advisory
8082159a7e | testcase

Package: univention-s4-connector
Version: 14.0.15-6
Branch: ucs_5.0-0
Scope: errata5.0-5

Package: ucs-test
Version: 10.0.19-41
Branch: ucs_5.0-0
Scope: errata5.0-5
Comment 6 Felix Botner univentionstaff 2023-12-06 08:44:07 CET
- OK udm groups/group create --set name=posixonly --remove-option samba creates a posix only group
- OK if I add group->groupType->auto_enable_udm_option=True to the mapping, I get the old behavior
- OK an exception is userCertificate, here the sync from Samba to UCS adds the pkiUser option by default (if disabled in mapping, the attribute is no longer synced)
- OK test case
- OK yaml
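
A regression check for the behaviour reported in this bug, as an added example that is not part of the bug report or of Univention's code: it parses text in the `udm groups/group list` format shown in the description and reports groups expected to be POSIX-only that still carry Samba properties. The second sample record (`appgroup`) is constructed, and treating any non-`None` Samba property as the sign of a Samba-enabled group is an assumption based on the evidence used in the report.

```python
# Property names taken from the udm output quoted in the description.
SAMBA_PROPS = {"sambaRID", "sambaGroupType", "adGroupType"}


def parse_udm_list(text):
    """Return {dn: {property: [values]}} from `udm groups/group list` output."""
    groups, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None  # a blank line ends the current record
        elif line.startswith("DN: "):
            current = groups.setdefault(line[4:].strip(), {})
        elif current is not None and line[0].isspace():
            key, sep, value = line.strip().partition(":")
            if sep:
                current.setdefault(key, []).append(value.strip())
    return groups


def samba_leaks(text, posix_only_names):
    """Return {dn: [Samba properties set]} for groups meant to be POSIX-only."""
    findings = {}
    for dn, props in parse_udm_list(text).items():
        if props.get("name", [""])[0] not in posix_only_names:
            continue
        # Assumption: a value other than "None" means the property is set.
        present = sorted(p for p in SAMBA_PROPS
                         if any(v != "None" for v in props.get(p, [])))
        if present:
            findings[dn] = present
    return findings


# First record copied from the report, second record constructed.
SAMPLE = """\
name=posixonly
DN: cn=posixonly,dc=testucs5,dc=intranet
  adGroupType: -2147483646
  gidNumber: 5076
  name: posixonly
  sambaGroupType: 2
  sambaRID: 1114

DN: cn=appgroup,dc=testucs5,dc=intranet
  gidNumber: 5077
  name: appgroup
  sambaRID: None
"""

if __name__ == "__main__":
    for dn, props in samba_leaks(SAMPLE, {"posixonly", "appgroup"}).items():
        print(f"{dn}: unexpected Samba properties: {', '.join(props)}")
```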