If you add a group or a user and, after adding it, univention-ldapsearch shows a short SambaSID:
univention-ldapsearch -LLL cn=my-groups
dn: cn=my-groups,cn=groups,dc=schein,dc=ig
sambaGroupType: 2
cn: my-groups
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
objectClass: sambaGroupMapping
univentionObjectType: groups/group
SambaSID: S-1-4-5633
gidNumber: 5633
univentionGroupType: -2147483646
description:: Lieblingsgruppe
Check the UCR variable:
ucr get connector/s4/mapping/sid_to_s4
This variable should not be true in a non-school environment.
ucr info connector/s4/mapping/sid_to_s4
connector/s4/mapping/sid_to_s4: <empty>
 If this option is activated, a SID configured in UCS LDAP is synchronised to the Samba 4 LDAP directory. If the variable is unset no synchronisation occurs.
 Categories: service-s4con
Now you can trigger the objects with a short SID by modifying their description. The connector registers the change and synchronises the object to Samba again. Samba then assigns its own long SID. An easy way to do this is the multivalue option via UMC.
If your client objects are displayed with a short SID, you should check the objects in Samba. There they should already have a long SID because they are joined against Samba. Then you should trigger the resync from Samba to OpenLDAP:
/usr/share/univention-s4-connector/resync_object_from_s4.py --filter cn=<clientname>
On a UCS@school server, connector/s4/mapping/sid_to_s4 is set to true by default; on a “normal” system it is empty. When a new object is created, a temporary short SID is used. The object is then synchronized via the connector into Samba and gets a new long SID. This SID is then resynchronized to OpenLDAP.
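
To find every object that is still stuck on the temporary short SID, the LDIF output can be filtered. The following is an added example, not part of the original article or of UCS: the function name find_short_sids, the sample_ldif data and the rule that "short" means the S-1-4-<number> form seen in the output above are assumptions.

```sh
#!/bin/sh
# find_short_sids: read LDIF on stdin, print "<dn><TAB><sid>" for every entry
# whose sambaSID still has the temporary short form.
# Assumption: "short" means S-1-4-<number>, as in the sample output above.
find_short_sids() {
    awk '
    function handle(line,    i, name, value) {
        if (line == "") {                        # blank line closes an entry
            if (dn != "" && sid ~ /^S-1-4-[0-9]+$/) printf "%s\t%s\n", dn, sid
            dn = ""; sid = ""
            return
        }
        i = index(line, ":")
        if (i == 0) return
        name  = tolower(substr(line, 1, i - 1))  # attribute names ignore case
        value = substr(line, i + 1)
        sub(/^:?[ ]*/, "", value)                # base64 values stay undecoded
        if (name == "dn")       dn  = value
        if (name == "sambasid") sid = value
    }
    # ldapsearch folds long lines; a leading space continues the previous one.
    /^ / { buf = buf substr($0, 2); next }
         { handle(buf); buf = $0 }
    END  { handle(buf); handle("") }
    '
}

# Constructed sample: the first entry is the group from the output above, the
# other two are made up (one long SID, one folded DN with a short SID).
sample_ldif() {
cat <<'EOF'
dn: cn=my-groups,cn=groups,dc=schein,dc=ig
SambaSID: S-1-4-5633
gidNumber: 5633

dn: cn=constructed-ok,cn=groups,dc=schein,dc=ig
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-11267
gidNumber: 5634

dn: cn=constructed-client-with-a-long-name,cn=computers,dc=sch
 ein,dc=ig
sambaSID: S-1-4-2011
uidNumber: 2011
EOF
}

sample_ldif | find_short_sids
```

On a UCS system the input would come from univention-ldapsearch -LLL '(sambaSID=*)' dn sambaSID instead of sample_ldif.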