Bug 44333 – krbtgt rid != 502 if samba4 is installed after ucs@school on UCS Master

Bug 44333 - krbtgt rid != 502 if samba4 is installed after ucs@school on UCS Master


Summary:	krbtgt rid != 502 if samba4 is installed after ucs@school on UCS Master

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UMC - Users
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-2-errata
Assigned To:	Arvid Requate
QA Contact:	Felix Botner

URL:
Keywords:

Duplicates:	41543 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-04-10 12:54 CEST by Felix Botner
Modified:	2017-11-08 14:59 CET (History)
CC List:	6 users (show)

See Also:	45587
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	3: A User would likely not purchase the product
User Pain:	0.257
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Screenshot of system diagnostics (40.58 KB, image/png) 2017-10-24 12:26 CEST, Michael Grandjean	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2017-04-10 12:54:33 CEST

UCS master -> ucs@school multiserver -> s4 DC

-> univention-s4search cn=krbtgt objectSid
# record 1
dn: CN=krbtgt,CN=Users,DC=four,DC=two
objectSid: S-1-5-21-3006362628-2186033213-1690935345-5012


The krbtgt has to have the RID 502 (well known sid), otherwise password change may fail ...

Comment 1 Felix Botner

2017-04-11 10:23:56 CEST

also true for Guest user (wkr 501)

-> univention-s4search cn=guest objectSid| grep -i 'objectSid:'
objectSid: S-1-5-21-3006362628-2186033213-1690935345-5010

Comment 2 Michael Grandjean

2017-10-24 12:26:21 CEST

Created attachment 9258 [details]
Screenshot of system diagnostics

The "Well Known" SIDs check in the system diagnostic module does detect this. Unfortunetaly, it doesn't offer any advice on how to resolve this :)

Comment 3 Sönke Schwardt-Krummrich

2017-10-26 10:28:57 CEST

According to Arvid, this issue prevents password changes on the affected systems.

Comment 4 Arvid Requate

2017-11-06 16:40:56 CET

I've adjusted UDM users/user so it works generically (for users).

Merge commit: b56094583f1e57a84119da80f2c5fe9f1bc97ed6

Advisories:

* univention-directory-manager-modules.yaml
* univention-lib.yaml

Comment 5 Arvid Requate

2017-11-06 18:08:25 CET

I've added an update check to univention-s4-connector.postinst which checks the RID of the krbtgt account and fixes it if possible (only on master+backup, if slapd is running and only during this update).

3d4486a753..1d47e0e6dc

Comment 6 Arvid Requate

2017-11-06 18:11:41 CET

*** Bug 41543 has been marked as a duplicate of this bug. ***

Comment 7 Arvid Requate

2017-11-07 09:52:51 CET

I've adjusted the patch once again to restrict the change to UCS@school.

Merge commit: 661746fcdb0ebe21f293eb4ba7d603c32b3e0ae3
Advisory updated.

Comment 8 Felix Botner

2017-11-07 18:48:38 CET

OK - installation (s4 on master after school + school slave)
OK - update (school master with s4 and broken krbtgt rid is fixed)
OK - non school setup

OK - univention-s4-connector.yaml
OK - univention-lib.yaml
OK - univention-directory-manager-modules.yaml

Comment 9 Arvid Requate

2017-11-08 14:59:10 CET

<http://errata.software-univention.de/ucs/4.2/214.html>
<http://errata.software-univention.de/ucs/4.2/215.html>
<http://errata.software-univention.de/ucs/4.2/216.html>