Hey,
None that I know of. Checking the demo system or any freshly-installed, Samba4-based one is what I’d have done, too.
If you’re not comfortable with removing it, then we could go down that other road, if you want. First let’s check if there’s an idmap entry for the OpenLDAP group ID of that administrators group:
ldbsearch -H /var/lib/samba/private/idmap.ldb xidnumber=5010
Next add the sambaSID attribute to the entry in the OpenLDAP. Save the following as add-sambaSID.ldif (change the DN to your actual base DN, of course):
dn: cn=Administrators,cn=groups,dc=some,dc=thing
changetype: modify
add: sambaSID
sambaSID: S-1-5-32-544
Now apply it:
ldapmodify -x -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret -f add-sambaSID.ldif
Observe if /var/log/univention/connector-s4.log shows any errors about syncing that group afterwards.
Now change that idmap entry to point to the correct Unix group ID:
ldbedit -H /var/lib/samba/private/idmap.ldb CN=S-1-5-32-544
Replace xidNumber=3000000 with xidNumber=5010, save & exit the editor.
Restart Samba (or the whole server) — just in case.
Depending on the first ldbsearch I asked you about in this post and potential S4 connector rejects (see univention-s4connector-list-rejected), we may have to do some more work.
I cannot really test everything I write here before posting, especially the modifications. Hopefully nothing’s too broken
mosu
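
Added example (not part of the post above, and not Univention's or Samba's own code): a pre-flight check for the ldbedit step that reads ldbsearch output from idmap.ldb and reports whether the target xidNumber is free, already set, or held by another SID. The function names, the verdict strings and the sample records are constructed for illustration; the record layout (dn: CN=<SID>, xidNumber, type, plus a CN=CONFIG record) is assumed to match your ldbsearch output.

```shell
# Added example, not from the original post. Pre-flight check for the ldbedit
# step: given ldbsearch output from idmap.ldb on stdin, report what pointing
# SID at NEW_XID would do. Usage: idmap_plan SID NEW_XID < ldif
idmap_plan() {
    awk -v sid="$1" -v want="$2" '
        # Store the finished record; remember any other SID that owns "want".
        function save_rec() {
            if (dn != "") {
                xid_of[dn] = xid
                if (xid == want && dn != sid) owner = dn
            }
            dn = ""; xid = ""
        }
        # Only CN=S-1-... records are SID mappings; CN=CONFIG etc. are skipped.
        /^dn: /  { save_rec(); if ($2 ~ /^CN=S-1-/) dn = substr($2, 4) }
        tolower($1) == "xidnumber:" { xid = $2 }
        /^$/     { save_rec() }
        END {
            save_rec()
            # The "type" attribute is not compared, so review a conflict by hand.
            if (owner != "")              print "conflict: xidNumber " want " already belongs to " owner
            else if (!(sid in xid_of))    print "missing: no idmap record for " sid
            else if (xid_of[sid] == want) print "ok: " sid " already maps to " want
            else                          print "change: " sid " " xid_of[sid] " -> " want
        }'
}
# Constructed sample in ldbsearch output format (values are illustrative).
sample_idmap() {
    cat <<'EOF'
# record 1
dn: CN=CONFIG
lowerBound: 3000000
xidNumber: 3000002

# record 2
dn: CN=S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 3
dn: CN=S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001
EOF
}
sample_idmap | idmap_plan S-1-5-32-544 5010
```

On a live system the input would be `ldbsearch -H /var/lib/samba/private/idmap.ldb | idmap_plan S-1-5-32-544 5010`, run before and again after the ldbedit step.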