Univention Bugzilla – Bug 36570
Windows Client SIDs not synchronized to OpenLDAP
Last modified: 2017-01-05 11:22:37 CET
After updating the cloud formation demo setup for AD-Takeover to UCS 4.0 the AD-Takeover seems to leave the OpenLDAP-SIDs of the pre-joined Windows-AD-Clients in non-synchronized state:

root@ucs-master:~# univention-ldapsearch -x cn=W2K8-CLIENT sambasid
# W2K8-CLIENT, computers, ucscompany.com
dn: cn=W2K8-CLIENT,cn=computers,dc=ucscompany,dc=com
sambaSID: S-1-4-2026

root@ucs-master:~# univention-s4search cn=W2K8-CLIENT objectsid
# record 1
dn: CN=W2K8-CLIENT,CN=Computers,DC=ucscompany,DC=com
objectSid: S-1-5-21-3579140493-3034593125-3661895607-1125

A quick look at the connector-s4.log shows no tracebacks, there are no rejects and the connector is running. The SID in OpenLDAP is one of the UDM-generated temporary SIDs. No clue yet why the S4 Connector didn't sync the S4 SIDs over to UDM (or why UDM ignored them?)
Created attachment 6344 [details] connector-s4.log
Created attachment 6345 [details] ad-takeover.log
Created attachment 6346 [details] management-console-module-adtakeover.log
The resulting effect is that the Windows login at the Client hangs "forever".
Just for completeness: There are other special S4 Accounts which are not even present in OpenLDAP:

CN=Pre-Windows 2000 Compatible Access,CN=Builtin
CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects
CN=Windows Authorization Access Group,CN=Builtin

maybe that's normal/ok though. I found them by looking for Samba4-assigned local xidnumbers in idmap.ldb:

ldbsearch -H /var/lib/samba/private/idmap.ldb xidnumber=30000* xidnumber
Seems to be a more generic problem: UCS 4.0-0 with s4, windows client joined

-> univention-s4search cn=win7pro objectSid
dn: CN=WIN7PRO,CN=Computers,DC=four,DC=test
objectSid: S-1-5-21-1528294070-983756076-781214264-1112

-> univention-ldapsearch cn=win7pro sambaSID
dn: cn=WIN7PRO,cn=computers,dc=four,dc=test
sambaSID: S-1-4-2009
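The check that comments 1 and 7 above perform by hand (compare the sambaSID in OpenLDAP with the objectSid in Samba/AD for the same machine account) can be scripted over the plain LDIF-style output of univention-ldapsearch and univention-s4search. The following is an added example, not part of this bug report and not UCS or UDM code. The sample outputs embedded below are constructed from the values quoted in this bug plus one invented, correctly synced account (HEALTHY-PC); the assumption that UDM's temporary local SIDs carry the S-1-4- prefix is taken from the outputs above.

```python
"""Flag Windows machine accounts whose OpenLDAP sambaSID does not match
the objectSid of the same account in Samba/AD.

Added example (not part of the bug report or of UCS). Input is the
plain text that univention-ldapsearch / univention-s4search print, fed
in as strings. Base64 LDIF values ("attr:: ...") are not handled.
"""
import re

# Assumption: UDM-generated temporary local SIDs look like S-1-4-<n>,
# as in the outputs quoted in this bug.
LOCAL_SID_PREFIX = "S-1-4-"

# Constructed sample: OpenLDAP side (W2K8-CLIENT values from comment 1,
# HEALTHY-PC is invented as a correctly synced account).
LDAP_OUT = """\
# W2K8-CLIENT, computers, ucscompany.com
dn: cn=W2K8-CLIENT,cn=computers,dc=ucscompany,dc=com
sambaSID: S-1-4-2026

# HEALTHY-PC, computers, ucscompany.com
dn: cn=HEALTHY-PC,cn=computers,dc=ucscompany,dc=com
sambaSID: S-1-5-21-3579140493-3034593125-3661895607-1130
"""

# Constructed sample: Samba/AD side for the same two accounts.
S4_OUT = """\
# record 1
dn: CN=W2K8-CLIENT,CN=Computers,DC=ucscompany,DC=com
objectSid: S-1-5-21-3579140493-3034593125-3661895607-1125

# record 2
dn: CN=HEALTHY-PC,CN=Computers,DC=ucscompany,DC=com
objectSid: S-1-5-21-3579140493-3034593125-3661895607-1130
"""


def normalise_dn(dn):
    """DNs are case-insensitive; OpenLDAP prints 'cn=...,cn=computers'
    while Samba/AD prints 'CN=...,CN=Computers'. Lower-case each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return {normalised dn: {attr_lower: value}} for a plain LDIF dump.
    Comment lines ('# ...') and blank lines are skipped."""
    records = {}
    dn = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = normalise_dn(value)
            records.setdefault(dn, {})
        elif dn is not None:
            records[dn][attr] = value
    return records


def find_sid_mismatches(ldap_out, s4_out):
    """Return a list of (dn, openldap_sid, s4_sid, reason) tuples for
    every Samba/AD account whose SID is absent from or differs in OpenLDAP."""
    ldap = parse_ldif(ldap_out)
    s4 = parse_ldif(s4_out)
    findings = []
    for dn, attrs in s4.items():
        s4_sid = attrs.get("objectsid")
        if s4_sid is None:
            continue
        ldap_sid = ldap.get(dn, {}).get("sambasid")
        if ldap_sid is None:
            findings.append((dn, None, s4_sid, "missing in OpenLDAP"))
        elif ldap_sid != s4_sid:
            reason = ("temporary local SID" if ldap_sid.startswith(LOCAL_SID_PREFIX)
                      else "different SID")
            findings.append((dn, ldap_sid, s4_sid, reason))
    return findings


if __name__ == "__main__":
    for dn, ldap_sid, s4_sid, reason in find_sid_mismatches(LDAP_OUT, S4_OUT):
        print(f"{dn}: OpenLDAP={ldap_sid} Samba/AD={s4_sid} ({reason})")
```

On a real system the two strings would be the captured output of `univention-ldapsearch -x objectClass=univentionWindows sambaSID` and `univention-s4search objectCategory=computer objectSid`; an account reported with "temporary local SID" is exactly the state described in this bug, and until its sambaSID is corrected the Windows login on that client will hang as described in comment 5.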
Created attachment 6542 [details] connector-s4.log win7pro
Please enable the 52_s4connector/400check_windows_sid test after bug is resolved.
(In reply to Dmitry Galkin from comment #8)
> Please enable the 52_s4connector/400check_windows_sid test after bug is
> resolved.

BTW, I could not reproduce that bug with native Win2012 R2 (DE)
*** Bug 39804 has been marked as a duplicate of this bug. ***
Created attachment 7563 [details] fix-sambasid.sh This script may be used to fix the issue.
Happened again at Ticket# 2015110921000315
Happened again at Ticket# 2016032921000318
Created attachment 7565 [details] fix-sambasid.sh Updated version of the script.
Created attachment 7566 [details] fix-sambasid.sh Yet another update of the script. ldapsearch-wrapper was missing.
Another case of this issue was found at Ticket#2015110921000315, where we fixed the issue by running /usr/share/univention-s4-connector/resync_object_from_s4.py from a similar script. After the rejects resolved a "net cache flush" was required to make samba use the correct uids (now synced into idmap.ldb).
ID mapping is broken if that happens. Either one gets a dynamic UID (30000x) for the given SID or ID mapping is completely broken (due to bug #42819).
The first time this was detected was during the QA for Bug 33621 Comment 11, so the diff mode that was introduced there could be the cause of this issue. For 'windowscomputer' mapping.py has a regular attribute mapping, using "read" mode in standard UCS ("write" in UCS@school), so we should check why the official objectSid of the newly added machine account in Samba/AD is not written to OpenLDAP (via UDM).
Created attachment 8186 [details] bug36570.patch I think Felix found it, see attached patch proposal.
Currently, if the s4 connector is present, the RID (SID) can not be set via UDM; UDM always creates a local SID in this case. We want to change this to:

* if RID is given, create a Domain SID and use it
* if RID is NOT given and connector is NOT present, create a Domain SID
* if RID is NOT given and connector is present, create a local SID

As this must be changed in all computer handlers, I moved the test to the already existing simpleComputer.getMachineSid() and changed _ldap_addlist() and _ldap_modlist() for all computer handlers.

univention-directory-manager-modules: r74403 merged to 4.2-0
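The decision table in the comment above, shown as the reported behaviour next to the corrected one. This is an added illustration, not UDM's code: the actual change lives in simpleComputer.getMachineSid() in univention-directory-manager-modules and is not quoted here. The domain SID (taken from comment 1), the S-1-4-<n> local-SID format and the two RID counters are assumptions made only to have runnable values.

```python
"""Machine-account SID selection: the behaviour reported in this bug
(connector present => RID ignored, local SID created) beside the
corrected three-case logic described in the comment above.

Added example, not UDM's implementation. DOMAIN_SID, the local SID
format and the counters are assumptions for illustration.
"""
import itertools

# Assumed domain SID (the prefix of the objectSid quoted in comment 1).
DOMAIN_SID = "S-1-5-21-3579140493-3034593125-3661895607"

_local_rids = itertools.count(2026)    # assumed allocator for S-1-4-<n>
_domain_rids = itertools.count(1125)   # assumed allocator for domain RIDs


def local_sid():
    """Temporary local SID as UDM allocates it (format is an assumption)."""
    return f"{LOCAL_PREFIX}{next(_local_rids)}"


LOCAL_PREFIX = "S-1-4-"


def domain_sid(rid=None):
    """Domain SID; with rid=None a fresh RID is allocated locally."""
    return f"{DOMAIN_SID}-{rid if rid is not None else next(_domain_rids)}"


def machine_sid_before(rid=None, connector_present=False):
    """Reported behaviour: once the S4 connector is present the RID
    handed in (e.g. the objectSid synced from Samba/AD) is dropped and a
    local placeholder SID is written, which is what this bug observes."""
    if connector_present:
        return local_sid()
    return domain_sid(rid)


def machine_sid_after(rid=None, connector_present=False):
    """Corrected logic from the comment above:
    1. RID given                          -> domain SID with that RID
    2. RID not given, no connector        -> domain SID, RID allocated here
    3. RID not given, connector present   -> local SID; the connector will
                                             later deliver the real objectSid
    """
    if rid is not None:
        return domain_sid(rid)
    if not connector_present:
        return domain_sid()
    return local_sid()


if __name__ == "__main__":
    # A connector sync carrying RID 1125 for a joined client:
    print("before:", machine_sid_before(rid=1125, connector_present=True))
    print("after: ", machine_sid_after(rid=1125, connector_present=True))
```

The first print shows why the OpenLDAP object in comment 1 ended up with S-1-4-2026 although Samba/AD already knew the RID 1125; the second shows the synced RID being honoured.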
Verified:
* Code review: Ok
* Package update: Ok
* Functional test: Ok
* Advisory: Ok
<http://errata.software-univention.de/ucs/4.1/367.html>