Problem:
After the update to UCS 5.x, users seem to have no memberOf attribute attached anymore.
Further attributes such as employeeType, homeDirectory and homeDrive may be missing in Samba as well.
They are not shown by univention-s4search, but with ldbsearch they are still visible and present.
Investigation:
UCS 5.x environments coming from UCS 5.0-x with Samba AD are affected.
The root cause seems to be a resync of all groups from OpenLDAP to Samba.
univention-ldapsearch -LLL -b CN="Pre-Windows 2000 Compatible Access,CN=Builtin,$(ucr get ldap/base)"
returns no uniqueMember values. A resync of this group to Samba deletes the member in Samba 4, which causes the “missing” attributes.
Root Cause:
Solution:
Verify whether the group “Pre-Windows 2000 Compatible Access” has a security principal attached:
samba-tool group listmembers "Pre-Windows 2000 Compatible Access"
The output should look like:
S-1-5-11
The default looks like the above. If no security principal is attached, you need to add one.
AUTHENTICATED_USERS
samba-tool group addmembers "Pre-Windows 2000 Compatible Access" --member-dn="CN=S-1-5-11,CN=ForeignSecurityPrincipals,$(ucr get samba4/ldap/base)"
ENTERPRISE_DOMAIN_CONTROLLERS
samba-tool group addmembers "Pre-Windows 2000 Compatible Access" --member-dn="CN=S-1-5-9,CN=ForeignSecurityPrincipals,$(ucr get samba4/ldap/base)"
The default is AUTHENTICATED_USERS (S-1-5-11), but you may prefer ENTERPRISE_DOMAIN_CONTROLLERS (S-1-5-9), as it is less open and should be sufficient for univention-s4search and for most usage scenarios.
Workaround:
To prevent this error from recurring, the following UCR variable (UCRV) can be set and the S4 connector restarted afterwards. This adds the group cn=Pre-Windows 2000 Compatible Access to the ignorelist.
ucr set connector/s4/mapping/group/ignorelist="$(ucr get connector/s4/mapping/group/ignorelist),Pre-Windows 2000 Compatible Access"
service univention-s4-connector restart
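The check, repair and ignorelist steps above combined into one idempotent script, as an added example that is not part of the original article. It assumes samba-tool and ucr are on PATH when run with --apply; the two helper functions are pure string handling, so re-running the script neither adds the member twice nor leaves a leading comma or duplicate entry in the ignorelist when it is empty or already set.

```shell
#!/bin/sh
# Added example (not Univention's own tooling): verify and repair the
# "Pre-Windows 2000 Compatible Access" group and the S4 connector ignorelist.
PRE2K_GROUP="Pre-Windows 2000 Compatible Access"
SID_AUTHENTICATED_USERS="S-1-5-11"     # default member of the group
SID_ENTERPRISE_DCS="S-1-5-9"           # less open alternative

# has_member LISTMEMBERS_OUTPUT SID -> exit 0 if SID appears as its own line
# in the output of "samba-tool group listmembers".
has_member() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

# append_ignorelist CURRENT_LIST ENTRY -> prints the comma-separated list with
# ENTRY added exactly once; an empty CURRENT_LIST yields just ENTRY.
append_ignorelist() {
    list="$1"; entry="$2"
    case ",$list," in
        *",$entry,"*) printf '%s\n' "$list" ;;          # already present
        *) if [ -z "$list" ]; then printf '%s\n' "$entry"
           else printf '%s\n' "$list,$entry"; fi ;;
    esac
}

# apply_fix [SID]: live repair on a UCS Samba/AD DC (requires samba-tool, ucr).
apply_fix() {
    sid="${1:-$SID_AUTHENTICATED_USERS}"
    members="$(samba-tool group listmembers "$PRE2K_GROUP")"
    if has_member "$members" "$sid"; then
        echo "$PRE2K_GROUP already contains $sid"
    else
        samba-tool group addmembers "$PRE2K_GROUP" \
            --member-dn="CN=$sid,CN=ForeignSecurityPrincipals,$(ucr get samba4/ldap/base)"
    fi
    current="$(ucr get connector/s4/mapping/group/ignorelist)"
    ucr set "connector/s4/mapping/group/ignorelist=$(append_ignorelist "$current" "$PRE2K_GROUP")"
    service univention-s4-connector restart
}

# Only touch the system when explicitly asked: ./fix-pre2k.sh --apply [S-1-5-9]
if [ "${1:-}" = "--apply" ]; then
    apply_fix "${2:-}"
fi
```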