Bug 36570 - Windows Client SIDs not synchronized to OpenLDAP
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Felix Botner
QA Contact: Arvid Requate
Duplicates: 39804
Depends on:
Blocks: 37572
Reported: 2014-11-11 14:01 CET by Arvid Requate
Modified: 2017-01-05 11:22 CET

What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 5: Will affect all installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.171
Enterprise Customer affected?: Yes
Ticket number: 2015110921000315, 2016032921000274, 2016103121000363, 2016102821000806
requate: Patch_Available+


Attachments
connector-s4.log (105.11 KB, text/plain)
2014-11-11 14:02 CET, Arvid Requate
ad-takeover.log (61.58 KB, text/plain)
2014-11-11 14:02 CET, Arvid Requate
management-console-module-adtakeover.log (2.91 KB, text/plain)
2014-11-11 14:03 CET, Arvid Requate
connector-s4.log win7pro (492.71 KB, text/x-log)
2014-12-16 18:03 CET, Felix Botner
fix-sambasid.sh (1.03 KB, text/x-sh)
2016-03-29 17:46 CEST, Arvid Requate
fix-sambasid.sh (1.04 KB, text/x-sh)
2016-03-29 18:34 CEST, Arvid Requate
fix-sambasid.sh (1.09 KB, text/x-sh)
2016-03-30 11:22 CEST, Arvid Requate
bug36570.patch (1.07 KB, patch)
2016-11-03 19:32 CET, Arvid Requate
Description Arvid Requate univentionstaff 2014-11-11 14:01:53 CET
After updating the CloudFormation demo setup for AD-Takeover to UCS 4.0, the AD-Takeover seems to leave the OpenLDAP SIDs of the pre-joined Windows AD clients in a non-synchronized state:

root@ucs-master:~# univention-ldapsearch -x cn=W2K8-CLIENT sambasid
# W2K8-CLIENT, computers, ucscompany.com
dn: cn=W2K8-CLIENT,cn=computers,dc=ucscompany,dc=com
sambaSID: S-1-4-2026
root@ucs-master:~# univention-s4search cn=W2K8-CLIENT objectsid
# record 1
dn: CN=W2K8-CLIENT,CN=Computers,DC=ucscompany,DC=com
objectSid: S-1-5-21-3579140493-3034593125-3661895607-1125

A quick look at the connector-s4.log shows no tracebacks, there are no rejects and the connector is running.

The SID in OpenLDAP is one of the UDM-generated temporary SIDs. No clue yet why the S4 Connector didn't sync the S4 SIDs over to UDM (or why UDM ignored them?)
Comment 1 Arvid Requate univentionstaff 2014-11-11 14:02:19 CET
Created attachment 6344 [details]
connector-s4.log
Comment 2 Arvid Requate univentionstaff 2014-11-11 14:02:44 CET
Created attachment 6345 [details]
ad-takeover.log
Comment 3 Arvid Requate univentionstaff 2014-11-11 14:03:18 CET
Created attachment 6346 [details]
management-console-module-adtakeover.log
Comment 4 Arvid Requate univentionstaff 2014-11-11 14:05:06 CET
The resulting effect is that the Windows login at the Client hangs "forever".
Comment 5 Arvid Requate univentionstaff 2014-11-11 14:11:24 CET
Just for completeness: There are other special S4 Accounts which are not even present in OpenLDAP:

CN=Pre-Windows 2000 Compatible Access,CN=Builtin
CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects
CN=Windows Authorization Access Group,CN=Builtin

maybe that's normal/ok though. I found them by looking for Samba4-assigned local xidnumbers in idmap.ldb:

 ldbsearch -H /var/lib/samba/private/idmap.ldb xidnumber=30000* xidnumber
Comment 6 Felix Botner univentionstaff 2014-12-16 18:02:34 CET
Seems to be a more generic problem: UCS 4.0-0 with s4, Windows client joined

-> univention-s4search cn=win7pro objectSid
dn: CN=WIN7PRO,CN=Computers,DC=four,DC=test
objectSid: S-1-5-21-1528294070-983756076-781214264-1112
-> univention-ldapsearch cn=win7pro sambaSID
dn: cn=WIN7PRO,cn=computers,dc=four,dc=test
sambaSID: S-1-4-2009
Comment 7 Felix Botner univentionstaff 2014-12-16 18:03:33 CET
Created attachment 6542 [details]
connector-s4.log win7pro
Comment 8 Dmitry Galkin univentionstaff 2015-03-02 15:56:46 CET
Please enable the 52_s4connector/400check_windows_sid test after bug is resolved.
Comment 9 Dmitry Galkin univentionstaff 2015-03-24 12:45:12 CET
(In reply to Dmitry Galkin from comment #8)
> Please enable the 52_s4connector/400check_windows_sid test after bug is
> resolved.

BTW, I could not reproduce that bug with native Win2012 R2 (DE)
Comment 10 Arvid Requate univentionstaff 2016-03-29 17:20:07 CEST
*** Bug 39804 has been marked as a duplicate of this bug. ***
Comment 11 Arvid Requate univentionstaff 2016-03-29 17:46:07 CEST
Created attachment 7563 [details]
fix-sambasid.sh

This script may be used to fix the issue.
Comment 12 Arvid Requate univentionstaff 2016-03-29 18:10:09 CEST
Happened again at Ticket# 2015110921000315
Comment 13 Arvid Requate univentionstaff 2016-03-29 18:10:16 CEST
Happened again at Ticket# 2016032921000318
Comment 14 Arvid Requate univentionstaff 2016-03-29 18:34:29 CEST
Created attachment 7565 [details]
fix-sambasid.sh

Updated version of the script.
Comment 15 Arvid Requate univentionstaff 2016-03-30 11:22:58 CEST
Created attachment 7566 [details]
fix-sambasid.sh

Yet another update of the script. ldapsearch-wrapper was missing.
Comment 16 Arvid Requate univentionstaff 2016-05-10 19:41:27 CEST
Another case of this issue was found at Ticket#2015110921000315, where we fixed the issue by running /usr/share/univention-s4-connector/resync_object_from_s4.py from a similar script. After the rejects resolved a "net cache flush" was required to make samba use the correct uids (now synced into idmap.ldb).
Comment 17 Felix Botner univentionstaff 2016-11-02 16:58:39 CET
ID mapping is broken if that happens.

Either one gets a dynamic UID (30000x) for the given SID, or ID mapping is completely broken (due to bug #42819).
Comment 18 Arvid Requate univentionstaff 2016-11-03 19:11:45 CET
The first time this was detected was during the QA for Bug 33621 Comment 11,
so the diff mode that was introduced there could be the cause of this issue.

For 'windowscomputer' mapping.py has a regular attribute mapping, using "read" mode in standard UCS ("write" in UCS@school), so we should check why the official objectSid of the newly added machine account in Samba/AD is not written to OpenLDAP (via UDM).
Comment 19 Arvid Requate univentionstaff 2016-11-03 19:32:14 CET
Created attachment 8186 [details]
bug36570.patch

I think Felix found it, see attached patch proposal.
Comment 20 Felix Botner univentionstaff 2016-11-14 17:17:34 CET
Currently, if the s4 connector is present, the RID (SID) cannot be set via UDM; UDM always creates a local SID in this case.

We want to change this to:

 * if RID is given, create a Domain SID and use it
 * if RID is NOT given and connector is NOT present, create a Domain SID
 * if RID is NOT given and connector is present, create a local SID

As this must be changed in all computer handlers, I moved the test to the already existing simpleComputer.getMachineSid() and changed _ldap_addlist() and _ldap_modlist for all computer handlers.

univention-directory-manager-modules: r74403

merged to 4.2-0
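The following is an added example, written for this page and not code from UDM, the S4 Connector or the attached fix-sambasid.sh. It does two things the thread discusses: it reads univention-ldapsearch and univention-s4search style output and flags computer objects whose OpenLDAP sambaSID is still one of the UDM-generated S-1-4-<n> placeholders (the symptom from the description and comment 6), and it encodes the three-way decision from comment 20 in a function named choose_machine_sid. The function name, the allocate_rid/allocate_local_id callables and the sample LDIF text are assumptions made for the example; the SID values in the sample are taken from the report, the second host is constructed.

```python
import re

# SID shapes that matter for this bug (examples constructed from the values
# quoted in the report; this is illustration code, not UDM's implementation):
#   S-1-4-2026                                       UDM temporary ("local") SID
#   S-1-5-21-3579140493-3034593125-3661895607-1125   Samba/AD domain SID + RID
#   S-1-5-32-544                                     builtin / well-known SID


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [subauthorities])."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    try:
        return int(parts[2]), [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError("not a SID: %r" % sid)


def classify_sid(sid):
    """'local' for UDM's S-1-4-<n> placeholders, 'domain' for S-1-5-21-...-<rid>."""
    authority, subs = parse_sid(sid)
    if authority == 4:
        return "local"
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "domain"
    return "other"


def sids_by_cn(ldif_text, attr):
    """Read ldapsearch/ldbsearch style output; map lower-cased cn -> attr value."""
    result, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif dn and line.lower().startswith(attr.lower() + ":"):
            # first RDN of the DN is cn=<hostname>; compare case-insensitively
            rdn_value = dn.split(",", 1)[0].split("=", 1)[1]
            result[rdn_value.strip().lower()] = line.split(":", 1)[1].strip()
    return result


def find_unsynced(openldap_ldif, samba_ldif):
    """Return {cn: (kind, openldap_sid, samba_sid)} for hosts whose SIDs differ."""
    ldap_sids = sids_by_cn(openldap_ldif, "sambaSID")
    s4_sids = sids_by_cn(samba_ldif, "objectSid")
    problems = {}
    for cn, s4_sid in s4_sids.items():
        ldap_sid = ldap_sids.get(cn)
        if ldap_sid is None:
            problems[cn] = ("missing-in-openldap", None, s4_sid)
        elif ldap_sid != s4_sid:
            problems[cn] = (classify_sid(ldap_sid), ldap_sid, s4_sid)
    return problems


def choose_machine_sid(domain_sid, rid, connector_present,
                       allocate_rid, allocate_local_id):
    """Decision table from comment 20 (hypothetical reimplementation, not UDM code).

    allocate_rid / allocate_local_id stand in for UDM's own counters."""
    if rid is not None:
        return "%s-%d" % (domain_sid, rid)              # RID given: domain SID
    if not connector_present:
        return "%s-%d" % (domain_sid, allocate_rid())   # no connector: domain SID
    return "S-1-4-%d" % allocate_local_id()             # connector supplies the real SID later


# Constructed sample output: W2K8-CLIENT uses the values from the bug report,
# WIN10-OK is a made-up host whose SIDs are in sync.
OPENLDAP_OUT = """# W2K8-CLIENT, computers, ucscompany.com
dn: cn=W2K8-CLIENT,cn=computers,dc=ucscompany,dc=com
sambaSID: S-1-4-2026

dn: cn=WIN10-OK,cn=computers,dc=ucscompany,dc=com
sambaSID: S-1-5-21-3579140493-3034593125-3661895607-1130
"""

SAMBA_OUT = """# record 1
dn: CN=W2K8-CLIENT,CN=Computers,DC=ucscompany,DC=com
objectSid: S-1-5-21-3579140493-3034593125-3661895607-1125

# record 2
dn: CN=WIN10-OK,CN=Computers,DC=ucscompany,DC=com
objectSid: S-1-5-21-3579140493-3034593125-3661895607-1130
"""

if __name__ == "__main__":
    for cn, (kind, ldap_sid, s4_sid) in sorted(find_unsynced(OPENLDAP_OUT, SAMBA_OUT).items()):
        print("%s: OpenLDAP has %s SID %s, Samba/AD has %s" % (cn, kind, ldap_sid, s4_sid))
```

Run against real output by piping `univention-ldapsearch -x objectClass=univentionWindows sambaSID` and `univention-s4search objectClass=computer objectSid` into the two strings; any host reported with kind "local" is exactly the state shown in the description and is a candidate for the resync described in comment 16.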
Comment 21 Arvid Requate univentionstaff 2016-11-21 18:39:15 CET
Verified:
* Code review: Ok
* Package update: Ok
* Functional test: Ok
* Advisory: Ok
Comment 22 Janek Walkenhorst univentionstaff 2017-01-05 11:22:37 CET
<http://errata.software-univention.de/ucs/4.1/367.html>