Bug 41848

Summary: Adding users to Samba/AD group Print Operators impossible via UMC
Product: UCS@school
Reporter: Arvid Requate <requate>
Component: Samba 4
Assignee: Samba maintainers <samba-maintainers>
Status: CLOSED WONTFIX
QA Contact:
Severity: normal
Priority: P5
CC: botner, gohmann, markus.daehlmann, stoeckigt
Version: UCS@school 4.1 R2
Target Milestone: ---
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=42675
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016081221000519
Bug group (optional):
Max CVSS v3 score:

Description Arvid Requate univentionstaff 2016-07-25 14:06:13 CEST
The Samba/AD group "Print Operators" (SID S-1-5-32-550) has a different name in UCS/OpenLDAP for historical reasons, where it is called "Printer-Admins". Since Printer-Admins is in the connector/s4/mapping/group/ignorelist by default, there is no way for Administrators to add a user to the group "Print Operators" via UMC.
Comment 1 Nico Stöckigt univentionstaff 2016-08-12 16:51:56 CEST
Also requested at Ticket#2016081221000519
Comment 2 Arvid Requate univentionstaff 2017-03-02 13:31:39 CET
Note: Printer-Admins is only added to connector/s4/mapping/group/ignorelist by default in UCS@school (ucs-school-metapackage).
Comment 3 Arvid Requate univentionstaff 2017-03-02 13:38:02 CET
UCS@school puts those groups on the connector/s4/mapping/group/ignorelist for some reason (Bug 27395).
Comment 4 Felix Botner univentionstaff 2017-09-12 13:13:45 CEST
(In reply to Arvid Requate from comment #0)
> The Samba/AD group "Print Operators" (SID S-1-5-32-550) has a different name
> in UCS/OpenLDAP for historical reasons, where it is called "Printer-Admins".
> Since Printer-Admins is in the connector/s4/mapping/group/ignorelist by
> default, there is no way for Administrators to add a user to the group
> "Print Operators" via UMC.

This is not completely true

 * UCS master + school  (no s4)
 * UCS school slave + school

In my case univention-s4-connector postinst has been executed before the ucs-school-slave postinst, and as the ucs-school-slave postinst sets the ignore group with ?, this change has been ignored (Not updating connector/s4/mapping/group/ignorelist).

So, on the slave the group ignore list is the connector default, on the master the ucsschool default (no s4-connector package in the master yet, what happens if I installed samba4 on the master?).

This is all totally confusing, I vote for (at least) removing Printer-Admins from the ignore list.
Comment 5 Felix Botner univentionstaff 2017-09-12 16:41:25 CEST
(In reply to Felix Botner from comment #4)
> So, on the slave the group ignore list is the connector default, on the
> master the ucsschool default (no s4-connector package in the master yet,
> what happens if I installed samba4 on the master?).

I changed the group ignore list to the univention-s4-connector default on my master and then installed univention-s4-connector, no rejects so far.
At least this scenario is OK with removing Printer-Admins from the ignore list.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2019-02-05 21:43:51 CET
This issue has been filed against UCS@school 4.1 (R2). The maintenance with
bug and security fixes for UCS@school 4.1 (R2) has ended on 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3 (or later). 
Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug"
or simply reopen the issue. In this case please provide detailed information on
how this issue is affecting you.