Univention Bugzilla – Bug 53882
memberOf in Samba 4 stops working
Last modified: 2023-09-15 13:52:14 CEST
A customer "lost" the memberOf attributes in Samba after the update to UCS 5. A closer investigation showed that the attributes are still there, but the group "Pre-Windows 2000 Compatible Access", which has the access rights to the attribute, was empty. In most test environments the foreign security principal S-1-5-11 (Authenticated Users) is attached there, but I also found a test environment that looked like the customer's. It does not matter why that happens; the pain is very high, and as we change the default acl:search=no to yes (UCR variable samba/acl_search) with the update to UCS 5, this takes effect with the update.

I think it would be a good idea to extend the pre-checks to verify that the group "Pre-Windows 2000 Compatible Access" is not empty and, if it is, throw a message that must be confirmed. Alternatively or additionally, a test in the diagnose module (with "fix me") would be nice.

The Windows standard is/was the foreign security principal "Authenticated Users" in the group "Pre-Windows 2000 Compatible Access", BUT the workaround against the printing nightmare was removing this! As an alternative to "Authenticated Users", the foreign security principal "ENTERPRISE_DOMAIN_CONTROLLERS" (S-1-5-9) should fix the visibility of memberOf for at least univention-s4search and for most of the impacts.
We had the same issue in a customer environment after running:

    /usr/share/univention-ldap-overlay-memberof/univention-update-memberof

The problem is that the S4 Connector overwrites the group membership and removes the SID S-1-5-11, and the result is that memberOf doesn't work in Samba 4. The result was a failure to log in to the applications.

Workaround:

    ucr set connector/s4/mapping/group/ignorelist="$(ucr get connector/s4/mapping/group/ignorelist),Pre-Windows 2000 Compatible Access"
    service univention-s4-connector restart

Steps to reproduce:

    root@primary10:~# samba-tool group listmembers "Pre-Windows 2000 Compatible Access"
    S-1-5-11
    root@primary10:~# univention-ldapsearch cn="Pre-Windows 2000 Compatible Access" -LLL uniqueMember
    dn: cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=deadlock10,dc=intranet
    root@primary10:~# univention-s4search cn=stefan memberOf
    # record 1
    dn: CN=stefan,CN=Users,DC=deadlock10,DC=intranet
    memberOf: CN=gp1,CN=Groups,DC=deadlock10,DC=intranet

    # Referral
    ref: ldaps://deadlock10.intranet/CN=Configuration,DC=deadlock10,DC=intranet

    # Referral
    ref: ldaps://deadlock10.intranet/DC=DomainDnsZones,DC=deadlock10,DC=intranet

    # Referral
    ref: ldaps://deadlock10.intranet/DC=ForestDnsZones,DC=deadlock10,DC=intranet

    # returned 4 records
    # 1 entries
    # 3 referrals
    root@primary10:~# udm groups/group modify --dn "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=deadlock10,dc=intranet" --append users="uid=Administrator,cn=users,dc=deadlock10,dc=intranet"
    Object modified: cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=deadlock10,dc=intranet
    root@primary10:~# univention-ldapsearch cn="Pre-Windows 2000 Compatible Access" -LLL uniqueMember
    dn: cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=deadlock10,dc=intranet
    uniqueMember: uid=Administrator,cn=users,dc=deadlock10,dc=intranet
    root@primary10:~# samba-tool group listmembers "Pre-Windows 2000 Compatible Access"
    Administrator
    root@primary10:~# univention-s4search cn=stefan memberOf
    # record 1
    dn: CN=stefan,CN=Users,DC=deadlock10,DC=intranet

    # Referral
    ref: ldaps://deadlock10.intranet/CN=Configuration,DC=deadlock10,DC=intranet

    # Referral
    ref: ldaps://deadlock10.intranet/DC=DomainDnsZones,DC=deadlock10,DC=intranet

    # Referral
    ref: ldaps://deadlock10.intranet/DC=ForestDnsZones,DC=deadlock10,DC=intranet

    # returned 4 records
    # 1 entries
    # 3 referrals
    root@primary10:~# samba-tool group addmembers "Pre-Windows 2000 Compatible Access" --member-dn="CN=S-1-5-11,CN=ForeignSecurityPrincipals,$(ucr get samba4/ldap/base)"
    Added members to group Pre-Windows 2000 Compatible Access
    root@primary10:~# samba-tool group listmembers "Pre-Windows 2000 Compatible Access"
    Administrator
    S-1-5-11
    root@primary10:~# univention-s4search cn=stefan memberOf
    # record 1
    dn: CN=stefan,CN=Users,DC=deadlock10,DC=intranet
    memberOf: CN=gp1,CN=Groups,DC=deadlock10,DC=intranet

    # Referral
    ref: ldaps://deadlock10.intranet/CN=Configuration,DC=deadlock10,DC=intranet

    # Referral
    ref: ldaps://deadlock10.intranet/DC=DomainDnsZones,DC=deadlock10,DC=intranet

    # Referral
    ref: ldaps://deadlock10.intranet/DC=ForestDnsZones,DC=deadlock10,DC=intranet

    # returned 4 records
    # 1 entries
    # 3 referrals
    root@primary10:~#

https://help.univention.com/t/problem-no-memberof-attributes-in-samba-after-update-to-ucs-5/18673
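The pre-check proposed in the first comment, written here as an added example that is not part of the bug report or of UCS's own code: it reads the one-member-per-line output of `samba-tool group listmembers` (the format shown in the reproduction above) and reports whether the group is empty, populated only with ordinary accounts, or contains one of the two well-known foreign security principals. It assumes `samba-tool` and `ucr` are on the PATH when run live; the classification itself works on any captured member list.

```shell
#!/bin/sh
# Added example, not UCS code: a pre-check for the "Pre-Windows 2000 Compatible
# Access" group. With samba/acl_search=yes only members of this group may read
# memberOf, so an empty group makes memberOf "vanish" for clients such as
# univention-s4search. Assumes samba-tool and ucr on the PATH and the
# one-member-per-line output of `samba-tool group listmembers`.

PRE2K_GROUP="Pre-Windows 2000 Compatible Access"

# classify_members: read `samba-tool group listmembers` output from stdin and
# print one verdict:
#   ok          S-1-5-11 (Authenticated Users) or S-1-5-9 (Enterprise DCs) present
#   warn-no-fsp members exist, but neither well-known foreign security principal
#   empty       no members at all (the failure mode reported in this bug)
classify_members() {
    members=$(grep -v '^[[:space:]]*$' || true)   # drop blank lines
    if [ -z "$members" ]; then
        echo empty
        return 1
    fi
    if printf '%s\n' "$members" | grep -qxE 'S-1-5-(11|9)'; then
        echo ok
        return 0
    fi
    echo warn-no-fsp
    return 2
}

# run_check: query the live Samba directory and report like a diagnose module.
run_check() {
    acl_search=$(ucr get samba/acl_search 2>/dev/null || echo unknown)
    verdict=$(samba-tool group listmembers "$PRE2K_GROUP" | classify_members) || true
    case "$verdict" in
        ok)    echo "OK: '$PRE2K_GROUP' contains a well-known foreign security principal" ;;
        empty) echo "WARNING: '$PRE2K_GROUP' is empty and samba/acl_search=$acl_search;" \
                    "memberOf will not be visible to LDAP clients" ;;
        *)     echo "NOTICE: '$PRE2K_GROUP' has members but neither S-1-5-11 nor S-1-5-9;" \
                    "verify memberOf visibility" ;;
    esac
}

# Run the live check only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

In the reproduction above, the state after the UDM modify (only "Administrator" listed) would be reported as warn-no-fsp, matching the moment memberOf disappeared from the univention-s4search output.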