Univention Bugzilla – Bug 44333
krbtgt rid != 502 if samba4 is installed after ucs@school on UCS Master
Last modified: 2017-11-08 14:59:10 CET
UCS master -> ucs@school multiserver -> s4 DC

-> univention-s4search cn=krbtgt objectSid
# record 1
dn: CN=krbtgt,CN=Users,DC=four,DC=two
objectSid: S-1-5-21-3006362628-2186033213-1690935345-5012

The krbtgt has to have the RID 502 (well known sid), otherwise password change may fail ...
also true for Guest user (wkr 501)

-> univention-s4search cn=guest objectSid| grep -i 'objectSid:'
objectSid: S-1-5-21-3006362628-2186033213-1690935345-5010
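The check described in the two comments above, as an added example (not part of the bug report and not Univention's code): it reads the LDIF printed by univention-s4search, takes the last SID component as the RID and compares it with the well-known value for the two accounts named here. The function names are hypothetical, and the sample input is constructed from the SIDs quoted in this bug, with the Guest dn line assumed.

```shell
# Added example: verify that krbtgt and Guest carry their well-known RIDs.
# Input is LDIF with "dn:" and "objectSid:" lines, as printed by univention-s4search.
expected_rid() {  # well-known RIDs named in this bug; prints nothing for other names
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        guest)  echo 501 ;;
        krbtgt) echo 502 ;;
    esac
}

# Reads LDIF on stdin; returns 1 if any checked account has the wrong RID.
check_wellknown_rids() {
    rc=0; cn=""
    while IFS= read -r line; do
        case "$line" in
            dn:*)  # first RDN value: "CN=krbtgt,CN=Users,..." -> "krbtgt"
                cn=${line#*: }; cn=${cn#*=}; cn=${cn%%,*} ;;
            objectSid:*)
                sid=${line#objectSid: }; rid=${sid##*-}
                want=$(expected_rid "$cn")
                [ -n "$want" ] || continue
                if [ "$rid" = "$want" ]; then
                    echo "OK   $cn RID=$rid"
                else
                    echo "FAIL $cn RID=$rid expected=$want ($sid)"; rc=1
                fi ;;
        esac
    done
    return $rc
}

sample_broken() {  # constructed sample: SIDs as quoted in this bug
cat <<'EOF'
# record 1
dn: CN=krbtgt,CN=Users,DC=four,DC=two
objectSid: S-1-5-21-3006362628-2186033213-1690935345-5012

dn: CN=Guest,CN=Users,DC=four,DC=two
objectSid: S-1-5-21-3006362628-2186033213-1690935345-5010
EOF
}

sample_fixed() {  # constructed sample: same domain SID with the well-known RID
cat <<'EOF'
dn: CN=krbtgt,CN=Users,DC=four,DC=two
objectSid: S-1-5-21-3006362628-2186033213-1690935345-502
EOF
}

sample_broken | check_wellknown_rids || echo "well-known RID mismatch found"
```

On a real system, pipe the univention-s4search output into check_wellknown_rids without the grep filter, since the dn line is needed to identify the account.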
Created attachment 9258
Screenshot of system diagnostics

The "Well Known" SIDs check in the system diagnostic module does detect this. Unfortunately, it doesn't offer any advice on how to resolve this :)
According to Arvid, this issue prevents password changes on the affected systems.
I've adjusted UDM users/user so it works generically (for users).

Merge commit: b56094583f1e57a84119da80f2c5fe9f1bc97ed6

Advisories:
* univention-directory-manager-modules.yaml
* univention-lib.yaml
I've added an update check to univention-s4-connector.postinst which checks the RID of the krbtgt account and fixes it if possible (only on master+backup, if slapd is running and only during this update). 3d4486a753..1d47e0e6dc
*** Bug 41543 has been marked as a duplicate of this bug. ***
I've adjusted the patch once again to restrict the change to UCS@school. Merge commit: 661746fcdb0ebe21f293eb4ba7d603c32b3e0ae3 Advisory updated.
OK - installation (s4 on master after school + school slave)
OK - update (school master with s4 and broken krbtgt rid is fixed)
OK - non school setup
OK - univention-s4-connector.yaml
OK - univention-lib.yaml
OK - univention-directory-manager-modules.yaml
<http://errata.software-univention.de/ucs/4.2/214.html>
<http://errata.software-univention.de/ucs/4.2/215.html>
<http://errata.software-univention.de/ucs/4.2/216.html>