Activation of the synchronisation of the groupType attribute with the S4 connector

This article describes the configuration of the synchronisation of AD group types and BUILTIN groups.

Starting with UCS 3.2, the groupType attribute of group objects and the AD BUILTIN groups can be synchronised between the Samba service and the OpenLDAP directory by the Univention S4 Connector.
Domains which initially have been installed with UCS releases prior to UCS 3.2 need to be migrated manually.

One of the required tools used for this is only available since UCS 3.2-3, so the steps below can only be performed on UCS 3.2-3 or later.

1. Activation of the synchronization of group type and BUILTIN groups in the Univention S4 Connector

To activate the synchronization of the groupType attribute the following commands have to be executed on the Univention S4 connector server(s). Usually this is the UCS DC Master.

In UCS@school these steps also need to be performed on all of the primary UCS@school DC Slaves running Samba4 at a school site.

eval "$(ucr shell)"
ucr set connector/s4/mapping/group/grouptype='true'
# append the groups and well-known security principals the connector should ignore to the existing ignore list
ucr set connector/s4/mapping/group/ignorelist="${connector_s4_mapping_group_ignorelist},\
Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,\
Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,\
Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,\
Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,\
Service,Dialup,System,Batch,Proxy,IUSR,Self"
/etc/init.d/univention-s4-connector restart
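The ucr set line above appends the new names to the current value of the ignore list, so running it a second time produces duplicate entries. The following shell function is an added example, not part of the original article or of UCS: it merges an existing list with new names, trims whitespace from each entry (a stray space as in " Dialup" would otherwise not match the group name "Dialup") and drops duplicates; the current value used at the end is a constructed sample.

```shell
#!/bin/bash
# Added example (not from the original article): merge group names into the
# value of connector/s4/mapping/group/ignorelist without duplicates and
# without stray whitespace around the names.
# Usage: merge_ignorelist "<current ignorelist>" "<names to add>"

merge_ignorelist() {
    current="$1"; additions="$2"; merged=""
    # a trailing comma lets the loop consume the last entry like all the others
    rest="$current,$additions,"
    while [ -n "$rest" ]; do
        entry="${rest%%,*}"; rest="${rest#*,}"
        # trim leading/trailing whitespace so " Dialup" matches the group "Dialup"
        entry="$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')"
        [ -n "$entry" ] || continue
        case ",$merged," in
            *",$entry,"*) continue ;;   # already present, skip the duplicate
        esac
        merged="${merged:+$merged,}$entry"
    done
    printf '%s\n' "$merged"
}

# number of entries in a comma-separated list (sanity check before writing it back)
count_entries() {
    ( set -f; IFS=','; set -- $1; echo $# )
}

# constructed sample; on a real system use:
#   current="$(ucr get connector/s4/mapping/group/ignorelist)"
current="Domain Users,Domain Computers"
new="$(merge_ignorelist "$current" "Windows Hosts, Dialup,Domain Users,System")"
echo "$new"      # Domain Users,Domain Computers,Windows Hosts,Dialup,System
echo "$(count_entries "$new") entries"
# then apply it with: ucr set connector/s4/mapping/group/ignorelist="$new"
```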

2. Synchronization of the AD BUILTIN groups

First, the two UCS groups “cn=Replicators” and “cn=System Operators” have to be deleted (via UMC) as they conflict with other AD BUILTIN groups.

After that, the following script has to be executed on the S4 Connector server; it looks for AD BUILTIN groups that are missing in OpenLDAP.

#!/bin/bash
# check if the AD BUILTIN groups exist in UCS (OpenLDAP)
eval "$(ucr shell)"
. /usr/share/univention-lib/base.sh
declare -a dns
# (groupType:1.2.840.113556.1.4.803:=1) is a bitwise AND on groupType; bit 1 marks the BUILTIN groups
while read -r dn; do
        cn=$(echo "$dn" | awk -F , '{print $1}' | awk -F = '{print $2}')
        # map the AD name to the (possibly customised) UCS group name
        ucscn=$(custom_groupname "$cn")
        ucsdn=$(univention-ldapsearch cn="$ucscn" dn | ldapsearch-wrapper | sed -n 's/^dn: //p')
        if [ -z "$ucsdn" ]; then
                echo "missing Builtin group in ucs: $cn"
                dns+=("$dn")
        fi
done < <(univention-s4search '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=1))' dn \
        | ldapsearch-wrapper | sed -n 's/^dn: //p')
if [ ${#dns[@]} -gt 0 ]; then
        echo "please run:"
        for dn in "${dns[@]}"; do
                echo "/usr/share/univention-s4-connector/resync_object_from_s4.py \"$dn\""
        done
fi

The script displays all missing AD BUILTIN groups and a command to resync these groups from Samba to OpenLDAP, e.g.:

missing Builtin group in ucs: IIS_IUSRS
please run:
/usr/share/univention-s4-connector/resync_object_from_s4.py "CN=IIS_IUSRS,CN=Builtin,DC=aaa,DC=bbb"

The resync is started with the command “/usr/share/univention-s4-connector/resync_object_from_s4.py” and the DN of the group as its parameter.

After initiating the resync, the corresponding groups temporarily show up as rejected in the output of univention-s4-connector-list-rejected. This just indicates that the resync has been triggered and these rejects should clear up after a couple of seconds once the S4 Connector runs its next round of synchronization of rejected objects (max. 50 seconds by default).

3. Synchronization of the groupType attribute

3.1 groupType missing in OpenLDAP

Next, the following script should be executed on the S4 Connector server; it looks for groups whose groupType is not set in OpenLDAP.

#!/bin/bash
# look for Samba/AD groups whose group type (univentionGroupType) is not set in OpenLDAP
eval "$(ucr shell)"
. /usr/share/univention-lib/base.sh
declare -a missing
# the search output is a "dn:" line followed by a "groupType:" line per group
while read -r scope line; do
    case "$scope" in
        dn:)        dn="$line"; type="" ;;   # new group record: reset the type
        groupType:) type="$line" ;;
    esac
    if [ -n "$dn" ] && [ -n "$type" ]; then
        cn=$(echo "$dn" | awk -F , '{print $1}' | awk -F = '{print $2}')
        # map the AD name to the (possibly customised) UCS group name
        ucscn=$(custom_groupname "$cn")
        otype=$(univention-ldapsearch cn="$ucscn" univentionGroupType | ldapsearch-wrapper | \
            sed -n 's/^univentionGroupType: //p')
        if [ -z "$otype" ]; then
            echo "missing group type for group: $cn"
            missing+=("$dn")
        fi
    fi
done < <(univention-s4search '(objectCategory=group)' dn groupType | ldapsearch-wrapper | grep '^groupType: \|^dn: ')
# resync if the type is missing in OpenLDAP
if [ ${#missing[@]} -gt 0 ]; then
    echo "OpenLDAP group type missing, sync Samba/AD objects (group type) to OpenLDAP with:"
    for dn in "${missing[@]}"; do
        echo " /usr/share/univention-s4-connector/resync_object_from_s4.py \"$dn\""
    done
fi

The script displays all groups without a groupType in OpenLDAP and a series of commands to resync these groups from Samba to OpenLDAP, e.g.:

missing group type for group: DC Slave Hosts
missing group type for group: DnsUpdateProxy
OpenLDAP group type missing, sync Samba/AD objects (group type) to OpenLDAP with:
 /usr/share/univention-s4-connector/resync_object_from_s4.py "CN=DC Slave Hosts,CN=Groups,DC=aaa,DC=bbb"
 /usr/share/univention-s4-connector/resync_object_from_s4.py "CN=DnsUpdateProxy,CN=Groups,DC=aaa,DC=bb

The resync is started with the command “/usr/share/univention-s4-connector/resync_object_from_s4.py” and the DN of the group as its parameter (see above).

3.2 groupType mismatch between Samba and OpenLDAP

The following script has to be executed on the domaincontroller master server; it looks for groups whose groupType differs between Samba and OpenLDAP. For each such group the script asks for confirmation and, if confirmed, overwrites the OpenLDAP groupType with the value from Samba.

#!/bin/bash
eval "$(ucr shell)"
. /usr/share/univention-lib/base.sh
# this script must run on the domaincontroller master
if [ "$server_role" != "domaincontroller_master" ]; then
    echo "Error: This script needs to be executed on the"
    echo "       domaincontroller master server!"
    exit 1
fi
# get a Kerberos ticket for the host principal, then find a reachable Samba/AD (S4 Connector) server
kinit --keytab=/etc/krb5.keytab "${hostname^^}\$" || exit $?
while read -r server; do
    if ldapsearch -Q -H "ldap://$server:389" -s base '(objectclass=*)' >/dev/null; then
        search="ldapsearch -LLL -Q -H ldap://$server:389 -E pr=1000/noprompt"
        break
    fi
done < <(univention-ldapsearch -LLL univentionService="S4 Connector" cn | ldapsearch-wrapper | sed -n 's/^cn: //p')
if [ -z "$search" ]; then
    echo "Error: Could not find a Samba/AD (S4 Connector) server"
    kdestroy
    exit 1
fi
# compare the Samba/AD groupType with the OpenLDAP univentionGroupType of each group
declare -A mismatch
while read -r scope line; do
    case "$scope" in
        dn:)        dn="$line"; s4type="" ;;   # new group record: reset the type
        groupType:) s4type="$line" ;;
    esac
    if [ -n "$dn" ] && [ -n "$s4type" ]; then
        cn=$(echo "$dn" | awk -F , '{print $1}' | awk -F = '{print $2}')
        # map the AD name to the (possibly customised) UCS group name
        ucscn=$(custom_groupname "$cn")
        ucs=$(univention-ldapsearch cn="$ucscn" univentionGroupType dn | ldapsearch-wrapper | \
            grep '^univentionGroupType: \|^dn: ')
        ucstype="$(echo "$ucs" | sed -n 's/^univentionGroupType: //p')"
        ucsdn="$(echo "$ucs" | sed -n 's/^dn: //p')"
        if [ -n "$ucstype" ] && [ "$ucstype" != "$s4type" ]; then
            echo "group type mismatch for group: $cn (Samba/AD:$s4type OpenLDAP:$ucstype)"
            # remember the OpenLDAP DN, as that is the object modified below
            mismatch["$ucsdn"]="$s4type"
        fi
    fi
done < <($search '(objectCategory=group)' dn groupType | ldapsearch-wrapper | grep '^groupType: \|^dn: ')
kdestroy
# manually sync if the type differs; an empty answer means no
if [ ${#mismatch[@]} -gt 0 ]; then
    for dn in "${!mismatch[@]}"; do
        read -r -p "Do you want to sync the Samba/AD grouptype ${mismatch["$dn"]} to the OpenLDAP group $dn? [y,N] " answer
        case "${answer^^}" in
            Y|YES)
                # write the Samba/AD value into univentionGroupType of the OpenLDAP group
                ldapmodify -D "cn=admin,$ldap_base" -y /etc/ldap.secret <<EOF || exit $?
dn: $dn
changetype: modify
replace: univentionGroupType
univentionGroupType: ${mismatch["$dn"]}
EOF
                ;;
            *)
                ;;
        esac
    done
fi
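For reference, the following added example (not part of the original article or of UCS) decodes the groupType bit mask that the scripts in sections 2, 3.1 and 3.2 search for and compare, and shows why the bitwise-AND filter in section 2 selects exactly the BUILTIN groups; the values used at the end are constructed.

```shell
#!/bin/bash
# Added example (not from the original article): decode the groupType values
# that the scripts above compare between Samba/AD and OpenLDAP. groupType is a
# bit mask stored as a signed 32-bit decimal string; the search filter
# (groupType:1.2.840.113556.1.4.803:=1) used in section 2 is a bitwise AND
# with bit 0x1, the flag carried only by the BUILTIN groups.

GT_BUILTIN_LOCAL=1               # 0x00000001, group lives in CN=Builtin
GT_GLOBAL=2                      # 0x00000002
GT_DOMAIN_LOCAL=4                # 0x00000004
GT_UNIVERSAL=8                   # 0x00000008
GT_SECURITY_ENABLED=2147483648   # 0x80000000, the reason the values are negative

# turn the signed 32-bit decimal string into its unsigned form
to_unsigned() {
    v="$1"
    [ "$v" -lt 0 ] && v=$((v + 4294967296))
    printf '%s\n' "$v"
}

# human-readable type and scope, e.g. "security,global"
describe_grouptype() {
    u=$(to_unsigned "$1")
    if [ $((u & GT_SECURITY_ENABLED)) -ne 0 ]; then out="security"; else out="distribution"; fi
    [ $((u & GT_BUILTIN_LOCAL)) -ne 0 ] && out="$out,builtin-local"
    [ $((u & GT_GLOBAL)) -ne 0 ] && out="$out,global"
    [ $((u & GT_DOMAIN_LOCAL)) -ne 0 ] && out="$out,domain-local"
    [ $((u & GT_UNIVERSAL)) -ne 0 ] && out="$out,universal"
    printf '%s\n' "$out"
}

# the same test the bitwise-AND filter with value 1 performs on the server side
is_builtin_group() {
    [ $(( $(to_unsigned "$1") & GT_BUILTIN_LOCAL )) -ne 0 ]
}

# classify a group the way sections 3.1 and 3.2 do: Samba/AD value vs OpenLDAP value
compare_grouptype() {
    s4="$1"; ucs="$2"
    if [ -z "$ucs" ]; then printf 'missing\n'
    elif [ "$s4" = "$ucs" ]; then printf 'ok\n'
    else printf 'mismatch: Samba/AD %s vs OpenLDAP %s\n' "$(describe_grouptype "$s4")" "$(describe_grouptype "$ucs")"
    fi
}

# constructed values: a BUILTIN group, a global security group, and a mismatch
describe_grouptype -2147483643    # security,builtin-local,domain-local
describe_grouptype -2147483646    # security,global
compare_grouptype -2147483646 -2147483644
```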