Problem
After the update to UCS 5, users seem to have no memberOf attribute attached anymore.
Other attributes such as employeeType, homeDirectory and homeDrive might also appear to be missing in Samba.
They are not shown by univention-s4search, but with ldbsearch they are still visible and present.
Investigation:
UCS 5 environments coming from UCS 4 with Samba AD are affected.
The root cause seems to be a resync of all groups from OpenLDAP to Samba.
univention-ldapsearch -LLL -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$(ucr get ldap/base)"
shows no uniqueMember values. A resync of this group to Samba will delete the member in Samba 4, which causes the “missing” attributes.
Solution
Verify whether the group “Pre-Windows 2000 Compatible Access” has a security principal attached:
root@dc0:~# samba-tool group listmembers "Pre-Windows 2000 Compatible Access"
S-1-5-11
The default output looks like the above. If no security principal is attached, you need to add one:
root@dc0:~# samba-tool group addmembers "Pre-Windows 2000 Compatible Access" --member-dn="CN=S-1-5-11,CN=ForeignSecurityPrincipals,$(ucr get samba4/ldap/base)"
The default is AUTHENTICATED_USERS (S-1-5-11), but you may want to set ENTERPRISE_DOMAIN_CONTROLLERS (S-1-5-9) instead, as it is less open and should be sufficient for univention-s4search and for a wide range of uses.
The workaround against PrintNightmare in Windows AD could also be a root cause for Authenticated Users having been removed from the group.
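
The check from the Solution section as a repeatable audit (an added example, not Univention's own tooling). The function names `classify_members` and `audit_group` and the `--run` switch are hypothetical; the script only reports and prints the page's fix command, it does not change the group.

```shell
#!/bin/sh
# Added example: audit "Pre-Windows 2000 Compatible Access" membership on a UCS Samba AD DC.
GROUP="Pre-Windows 2000 Compatible Access"

# Reads `samba-tool group listmembers` output on stdin and prints one of:
# authenticated-users | enterprise-dcs | both | missing
classify_members() {
    au=0
    edc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop stray whitespace/CR so only an exact SID matches (S-1-5-110 must not).
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        case "$line" in
            S-1-5-11) au=1 ;;
            S-1-5-9)  edc=1 ;;
        esac
    done
    if [ "$au" -eq 1 ] && [ "$edc" -eq 1 ]; then echo both
    elif [ "$au" -eq 1 ]; then echo authenticated-users
    elif [ "$edc" -eq 1 ]; then echo enterprise-dcs
    else echo missing
    fi
}

# Queries the live group and reports; returns 0 when a principal is present, 1 otherwise.
audit_group() {
    state=$(samba-tool group listmembers "$GROUP" | classify_members)
    case "$state" in
        missing)
            echo "WARN: no S-1-5-11 or S-1-5-9 in \"$GROUP\"; s4search may hide attributes"
            echo 'Fix (from the article, default principal):'
            echo "  samba-tool group addmembers \"$GROUP\" \\"
            echo '    --member-dn="CN=S-1-5-11,CN=ForeignSecurityPrincipals,$(ucr get samba4/ldap/base)"'
            return 1 ;;
        *)
            echo "OK: \"$GROUP\" contains: $state"
            return 0 ;;
    esac
}

# Only touch the live directory when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    audit_group
fi
```

Run it with `--run` as root on the DC, for example after each UCS update, to notice when a resync has emptied the group again.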