Comment 1 Dmitry Galkin 2015-03-02 15:55:05 CET

(In reply to Arvid Requate from comment #0)
> We should have a ucs-test case to automatically check that the sambaSID of
> domain user and computer objects in OpenLDAP is a domain SID (and not a UCS
> specific temporal one, starting with a S-1-4- prefix).
> 
> The main use case of this test is checking the sambaSID of a
> computer/windows object generated automatically during the join of a native
> Windows system into a Samba/AD domain.


Test currently disabled as Bug #36570 is not yet fixed.
Tagged "native_win_client" that is run by the 'autotest-230-master-s4-w2k12-member-join.cfg' template.

r58571:
  * 51_samba4/57check_windows_sid: check a native Windows host SIDs
    (Bug #37572).
r58573:
  * Moved 51_samba4/57check_windows_sid to 52_s4connector/400check_windows_sid
    (Bug #37572).


As for users there are several checks exist in UCS@School: like tests 60_samba_sid_user and 96_samba4_sid_allocation. If we want to run similar tests there is a question if we should create a user from the Windows host (via powershell) or just via UDM on the UCS DC?

Comment 2 Arvid Requate 2015-03-30 11:53:56 CEST

> As for users there are several checks exist in UCS@School: like tests
> 60_samba_sid_user and 96_samba4_sid_allocation.

Yes, in UCS@school the S4-Connector (and UDM) are configured differently and UDM generates the SIDs. In normal UCS Samba assigns the SIDs and UDM just assigns temporary ones when it is asked to create a Samba account. That's why we need this separate test.

> If we want to run similar tests there is a question if we should create a user
> from the Windows host (via powershell) or just via UDM on the UCS DC?

This test should check "the sambaSID of a computer/windows object generated automatically during the join of a native Windows system into a Samba/AD domain".
So, I guess it would be a good idea to make the test just check existing windows clients. Then it is useful in all test setups, especially those Jenkins jobs where a native Windows client has been joined.

Comment 3 Dmitry Galkin 2015-03-30 15:07:14 CEST

(In reply to Arvid Requate from comment #2)
> So, I guess it would be a good idea to make the test just check existing
> windows clients. Then it is useful in all test setups, especially those
> Jenkins jobs where a native Windows client has been joined.

r59501:
  * 52_s4connector/400check_windows_sid: perform lookup for windows hostname;
    also tagged as 'basic' (Bug #37572).

Comment 4 Dmitry Galkin 2015-04-24 11:23:31 CEST

Ok, now the original Bug #36570 seems to be reproduced. In a new jenkins configuration for DC-Slave:
http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-1/job/Autotest%20MultiEnv/80/SambaVersion=s4,Systemrolle=slave/testReport/junit/52_s4connector/400check_windows_sid/test/

[2015-04-23 21:08:17.673078]The Windows Host sambaSID in 'OpenLDAP' is 'S-1-4-2010'
(2015-04-23 21:08:17.675275)error The sambaSID of the Windows 'IP-0AD2AB4F' has a UCS temorary prefix.

Comment 5 Dmitry Galkin 2015-05-05 13:01:38 CEST

(In reply to Dmitry Galkin from comment #4)

For now the test is disabled:
r60393:
  * 52_s4connector/400check_windows_sid: disabled (Bug #37572 #36570).


Don't know how it could matter, but the issue is reproduced with Windows 2012 Standard DE that is used in Jenkins autotest-095-slave-s4.cfg.

The connector log on DC-Master there says that sync happens:
05.05.2015 05:51:09,405 LDAP        (PROCESS): sync to ucs:   [windowscomputer] [       add] cn=IP-0AD21689,cn=computers,dc=autotest095,dc=local
05.05.2015 05:51:11,59 LDAP        (PROCESS): sync to ucs:   [           dns] [       add] DC=@,dc=autotest095.local,cn=dns,dc=autotest095,dc=local
05.05.2015 05:51:11,93 LDAP        (PROCESS): sync to ucs:   [           dns] [       add] DC=IP-0AD21689,dc=autotest095.local,cn=dns,dc=autotest095,dc=local
05.05.2015 05:51:17,239 LDAP        (PROCESS): sync from ucs: [windowscomputer] [       add] cn=ip-0ad21689,cn=computers,DC=autotest095,DC=local
05.05.2015 05:51:17,267 LDAP        (PROCESS): sync from ucs: [windowscomputer] [    modify] cn=ip-0ad21689,cn=computers,DC=autotest095,DC=local
05.05.2015 05:51:17,273 LDAP        (PROCESS): sync from ucs: [windowscomputer] [    modify] cn=ip-0ad21689,cn=computers,DC=autotest095,DC=local
05.05.2015 05:51:17,290 LDAP        (PROCESS): sync from ucs: [           dns] [       add] relativeDomainName=IP-0AD21689,zonename=autotest095.local,cn=microsoftdns,cn=system,DC=autotest095,DC=local
05.05.2015 05:51:18,407 LDAP        (PROCESS): sync to ucs:   [windowscomputer] [    modify] cn=ip-0ad21689,cn=computers,dc=autotest095,dc=local
05.05.2015 05:51:18,444 LDAP        (PROCESS): sync to ucs:   [           dns] [       add] DC=IP-0AD21689,dc=autotest095.local,cn=dns,dc=autotest095,dc=local


However, checking the SID in S4:

root@master095:~/tests/52_s4connector# univention-s4search CN=IP-0AD21689 objectSid
# record 1
dn: CN=IP-0AD21689,CN=Computers,DC=autotest095,DC=local
objectSid: S-1-5-21-1570097528-580915931-1247429348-1112


and in:

root@master095:~/tests/52_s4connector# univention-ldapsearch cn=IP-0AD21689 SambaSID

# IP-0AD21689, computers, autotest095.local
dn: cn=IP-0AD21689,cn=computers,dc=autotest095,dc=local
sambaSID: S-1-4-2010


In my, similar environment but with Windows 2012 " R2 " Standard DE in domain it works:

root@master230:/var/log/univention# univention-s4search CN=WIN2K12230 objectSid
objectSid: S-1-5-21-2709616565-2978592766-4007743964-1111

root@master230:/var/log/univention# univention-ldapsearch cn=WIN2K12230 SambaSID
sambaSID: S-1-5-21-2709616565-2978592766-4007743964-1111


If I understand correctly, the Windows version should not matter anyhow..