Problem: Short Samba SID

Problem

After adding a group or a user, a univention-ldapsearch shows a short sambaSID for the new object.

Investigation

univention-ldapsearch -LLL cn=my-groups
dn: cn=my-groups,cn=groups,dc=schein,dc=ig
sambaGroupType: 2
cn: my-groups
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
objectClass: sambaGroupMapping
univentionObjectType: groups/group
SambaSID: S-1-4-5633
gidNumber: 5633
univentionGroupType: -2147483646
description:: Lieblingsgruppe

Solution

Check the UCR variable:
ucr get connector/s4/mapping/sid_to_s4
This variable should not be true in a non-school environment.

ucr info connector/s4/mapping/sid_to_s4
connector/s4/mapping/sid_to_s4: <empty>
 If this option is activated, a SID configured in UCS LDAP is synchronised to the Samba 4 LDAP directory. If the variable is unset no synchronisation occurs.
 Categories: service-s4con

Now you can trigger the objects with a short SID by modifying their description. The connector registers the change and synchronises the object to Samba again, and Samba then assigns its own long SID. An easy way to do this is the multi-value option via UMC.

If your client objects are displayed with a short SID, check the objects in Samba. There they should already have a long SID because they are joined against Samba. Then trigger the resync from Samba to OpenLDAP:

/usr/share/univention-s4-connector/resync_object_from_s4.py --filter cn=<clientname>
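The following script is an added example and not part of the original post: it reads LDIF as printed by univention-ldapsearch, reports every object whose sambaSID is still the short temporary form, and prints the trigger command for each (a description change via the udm CLI for users and groups, the resync script above for everything else, e.g. joined clients). It assumes that a full Samba domain SID has the layout S-1-5-21-<a>-<b>-<c>-<rid> and treats any other value as short; the sample LDIF at the bottom is constructed and the udm commands use a placeholder description.

```shell
#!/bin/sh
# Added example, not from the original post. Scans LDIF as printed by
# univention-ldapsearch for objects whose sambaSID is still the temporary
# short form and prints the command that would trigger a resync for each.
# Assumption: a full Samba domain SID has the layout S-1-5-21-<a>-<b>-<c>-<rid>;
# any other value is treated as short.

# Read LDIF on stdin, print "<dn><TAB><sid>" for every entry with a short SID.
find_short_sids() {
    awk '
        # "dn:" starts a new entry; keep the full DN (it may contain spaces).
        tolower($1) == "dn:" { dn = $0; sub(/^[^:]*: */, "", dn); next }
        # the attribute name case varies in the output, so compare lower-cased
        tolower($1) == "sambasid:" {
            if ($2 !~ /^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$/)
                printf "%s\t%s\n", dn, $2
        }
    '
}

# Print the trigger for one DN: users and groups are resynced by changing their
# description (udm CLI equivalent of the UMC edit; "<new description>" is a
# placeholder to fill in); anything else (e.g. joined clients) is pulled back
# from Samba with the resync script from the post.
trigger_command() {
    dn=$1
    case $dn in
        *,cn=groups,*) printf 'udm groups/group modify --dn "%s" --set description="<new description>"\n' "$dn" ;;
        *,cn=users,*)  printf 'udm users/user modify --dn "%s" --set description="<new description>"\n' "$dn" ;;
        *) cn=${dn%%,*}; cn=${cn#cn=}
           printf '/usr/share/univention-s4-connector/resync_object_from_s4.py --filter cn=%s\n' "$cn" ;;
    esac
}

# Constructed sample output: the first entry mirrors the post, the second has a
# full (made-up) domain SID and must not be reported.
SAMPLE_LDIF=$(cat <<'EOF'
dn: cn=my-groups,cn=groups,dc=schein,dc=ig
objectClass: sambaGroupMapping
SambaSID: S-1-4-5633
gidNumber: 5633

dn: cn=sales,cn=groups,dc=schein,dc=ig
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1107
gidNumber: 5634
EOF
)

# Usage on a real system: replace the sample with
#   univention-ldapsearch -LLL '(sambaSID=*)' dn sambaSID | find_short_sids
tab=$(printf '\t')
printf '%s\n' "$SAMPLE_LDIF" | find_short_sids | while IFS=$tab read -r dn sid; do
    echo "# $dn has short SID $sid"
    trigger_command "$dn"
done
```

Run the real search first and review the list before triggering anything: a description change overwrites the current description, so fill in the placeholder with the value you want to keep.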

Explanation

On a UCS@school server, connector/s4/mapping/sid_to_s4 is set to true by default; on a "normal" system it is empty. When a new object is created, a temporary short SID is used. The object is then synchronized via the connector into Samba and gets a new long SID. This SID is then resynchronized to OpenLDAP.
