Bug 56334

Summary: wbinfo on school memberserver fails
Product: UCS
Reporter: Christina Scheinig <scheinig>
Component: Samba4
Assignee: Samba maintainers <samba-maintainers>
Status: NEW ---
QA Contact: Samba maintainers <samba-maintainers>
Severity: normal
Priority: P5
CC: requate, turfeld
Version: UCS 5.0   
Target Milestone: ---   
Hardware: Other   
OS: Linux   
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=56886
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2023071121000251, 2023071821000103, 2024011221000212
Bug group (optional):
Max CVSS v3 score:
Attachments: script to add the special SID

Description Christina Scheinig univentionstaff 2023-07-18 11:54:09 CEST
Environment:
School replica UCS5.0-4 with memberserver UCS5.0-3/5.0-4

Symptom:
School replica:
wbinfo -Y S-1-18-1
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-18-1 to gid

memberserver:
wbinfo -t
checking the trust secret for domain SCHEIN via RPC calls failed
wbcCheckTrustCredentials(SCHEIN): error code was NT_STATUS_INVALID_SID (0xc0000078)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

wbinfo -n Administrator
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name Administrator
------------------

The SID S-1-18-1 is not in the idmap.ldb of the school replica.

-----------------
The SID is not found with the filter:
'(&(|(objectClass=sambaSamAccount)(objectClass=sambaGroupMapping))(sambaSID=*))'

So we should add this object during join on the server, so that there is an entry for this in the idmap.ldb.
Comment 1 Christina Scheinig univentionstaff 2023-07-21 13:10:15 CEST
I saw this now in another environment, non-school, primary server:

  Unable to convert SID (S-1-18-1) at index 3 in user token to a GID.  Conversion was returned as type 0, full token:
[2023/07/21 12:58:34.429331,  0, pid=25052] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (8):
Comment 2 Christina Scheinig univentionstaff 2023-07-25 09:34:57 CEST
Ticket 2023071821000103 is a non-memberserver, non-school environment.
Comment 3 Christina Scheinig univentionstaff 2023-11-17 15:17:52 CET
Created attachment 11145
script to add the special SID
Comment 4 Arvid Requate univentionstaff 2024-01-12 15:37:51 CET
Please note the extended version of the script in Bug 56886 Comment 2.
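
To check whether a host is affected and which SIDs fail, the conversion failure message quoted in Comment 1 can be counted per SID from the Samba log. This is an added example, not part of the bug report or of the attached script; the function names and the sample log lines (including the domain SID) are constructed.

```python
import re
from collections import Counter

# Message format as quoted in Comment 1 of this report.
FAIL_RE = re.compile(
    r"Unable to convert SID \((S-1-[0-9-]+)\) at index (\d+) in user token "
    r"to a GID\.\s+Conversion was returned as type (\d+)"
)

def sid_authority(sid):
    """Return the identifier authority (third field) of a SID string."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not parts[2].isdigit():
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[2])

def classify(sid):
    """S-1-5-21-... is domain-relative, S-1-5-32-... is builtin; anything
    else (such as S-1-18-1, authority 18) is a well-known SID."""
    first_sub = sid.split("-")[3:4]
    if sid_authority(sid) == 5 and first_sub == ["21"]:
        return "domain"
    if sid_authority(sid) == 5 and first_sub == ["32"]:
        return "builtin"
    return "well-known"

def failed_conversions(lines):
    """Count failed SID-to-GID conversions per (sid, class, returned type)."""
    hits = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            sid = m.group(1)
            hits[(sid, classify(sid), int(m.group(3)))] += 1
    return hits

# Constructed sample input; only the message wording comes from the report.
SAMPLE = [
    "  Unable to convert SID (S-1-18-1) at index 3 in user token to a GID.  Conversion was returned as type 0, full token:",
    "  Security token SIDs (8):",
    "  Unable to convert SID (S-1-18-1) at index 3 in user token to a GID.  Conversion was returned as type 0, full token:",
    "  Unable to convert SID (S-1-5-21-1111111111-2222222222-3333333333-1105) at index 5 in user token to a GID.  Conversion was returned as type 0, full token:",
]

if __name__ == "__main__":
    for (sid, kind, typ), n in failed_conversions(SAMPLE).most_common():
        print(f"{n:3d}  {sid}  class={kind}  returned_type={typ}")
```

A result dominated by a single well-known SID matches the symptom described here, while failures for domain SIDs point at a different mapping problem.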