Bug 41543

Summary: krbtgt has wrong RID after s3->s4 migration
Product: UCS@school
Reporter: Felix Botner <botner>
Component: Samba 4
Assignee: Arvid Requate <requate>
Status: CLOSED DUPLICATE
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: requate, schwardt
Version: UCS@school 4.1 R2
Target Milestone: UCS@school 4.2 v6
Hardware: Other
OS: Linux
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2015120221000282
Bug group (optional):
Max CVSS v3 score:
Attachments: connector-s4.log.bz2

Description Felix Botner univentionstaff 2016-06-13 11:35:46 CEST
Single school server with S3 -> Update to S4 (http://wiki.univention.de/UCS@school_Samba_3_to_Samba_4_Migration#Migration_of_the_UCS.40school_DCs_in_the_central_school_department)

-> univention-ldapsearch uid=krbtgt
...
sambaSID: S-1-5-21-4034621939-4037279472-3278188622-5012

This is bad. krbtgt has to have the RID *502*. Otherwise password change is not working (set "Change password on next login" and try to change password via kpasswd or windows, does not work if krbtgt has a RID other than 502).

Seems that the connector sets this faulty RID (connector/s4/mapping/sid_to_s4: yes). Before the connector is started, the s4 object is still OK (rid 502). After the initial sync of the connector the RID is broken.

Maybe, in the first step, we can add a hint to http://wiki.univention.de/UCS@school_Samba_3_to_Samba_4_Migration to verify (and correct) the RID of krbtgt after the migration.
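
One way to script the post-migration check suggested in the description, as an added example that is not part of the bug report or of Univention's code: it reads the LDIF printed by `univention-ldapsearch uid=krbtgt` and fails unless the account's RID is 502. The function names, the sample DN and the passing sample SID are constructed for illustration; the failing SID is the one quoted above.

```shell
#!/bin/sh
# Added example: verify that krbtgt carries RID 502 after the S3 -> S4 migration.
# On a real system:  univention-ldapsearch uid=krbtgt sambaSID | check_krbtgt_rid

KRBTGT_RID=502   # RID that krbtgt must have, per the description

# Print the RID (last sub-authority) of each sambaSID/objectSid line in the
# LDIF read from stdin. Only domain SIDs (S-1-5-21-a-b-c-RID) are accepted.
sid_rids() {
    sed -n -E 's/^(sambaSID|objectSid):[[:space:]]*(S-1-5-21(-[0-9]+){3})-([0-9]+)[[:space:]]*$/\4/p'
}

# Exit status: 0 = RID is 502, 1 = wrong RID, 2 = no SID found in the input.
check_krbtgt_rid() {
    local rids rid
    rids=$(sid_rids)
    if [ -z "$rids" ]; then
        echo "UNKNOWN: no domain SID found for krbtgt" >&2
        return 2
    fi
    for rid in $rids; do
        if [ "$rid" != "$KRBTGT_RID" ]; then
            echo "FAIL: krbtgt has RID $rid, expected $KRBTGT_RID" >&2
            return 1
        fi
    done
    echo "OK: krbtgt has RID $KRBTGT_RID"
}

# Constructed sample input (DN is made up; the broken SID is from this report).
SAMPLE_BAD='dn: uid=krbtgt,cn=users,dc=example,dc=org
sambaSID: S-1-5-21-4034621939-4037279472-3278188622-5012'

# Constructed sample of the expected state after a correct migration.
SAMPLE_OK='dn: uid=krbtgt,cn=users,dc=example,dc=org
sambaSID: S-1-5-21-4034621939-4037279472-3278188622-502'

# Demo run on both samples.
printf '%s\n' "$SAMPLE_OK"  | check_krbtgt_rid
printf '%s\n' "$SAMPLE_BAD" | check_krbtgt_rid || echo "check failed with status $?"
```

A non-zero exit status makes the function usable as a gate in a migration checklist or monitoring job.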
Comment 1 Felix Botner univentionstaff 2016-06-13 11:36:26 CEST
Created attachment 7735
connector-s4.log.bz2
Comment 2 Arvid Requate univentionstaff 2017-11-06 18:11:41 CET
The adjustments for Bug 44333 should fix this:

1. If the RID is wrong during errata update, it will be corrected.

2. If the new udm-modules package is already installed before the migration, the account will be created with the correct RID.

*** This bug has been marked as a duplicate of bug 44333 ***
Comment 3 Felix Botner univentionstaff 2017-11-07 18:00:27 CET
OK, verified with Bug #44333