Problem with accounts when adding a Proxmox member server to an AD running on UCS - _VERY_ crude workaround

I’ve used ad-takeover to get a DC migrated to UCS. The old DC was running on Ubuntu 20.04, which itself took over a 2008 R2.

I had the problem that some users had no uidNumber, so they were not seen in getent passwd and not discoverable by id (both on UCS and the member server). I added them manually, so all was good.

But a day later, most (but not all) accounts disappeared again! (This time only on the member server running Proxmox, not on UCS itself.) A debug session later I discovered that winbind said “could not find attribute uidNumber”. But it was still there - at least on the LDAP server and on UCS itself. I used the idmap “ad”, because I wanted to have the same uids as on UCS itself. The idmap rid let the users appear. The same happened on a newly created user.

Because I needed to get it running “somehow”, after a few hours of digging into it without getting a solution, I took the big hammer. Or should I say “Big bottles from the poison cabinet and mixing it all together”?

Ingredients:

  • UCS: php script + inetd
  • member server: bash script + idmap script

php script:

sidtouid.php:
#!/usr/bin/php
<?php
// Answers idmap_script requests forwarded from the member server (see sendsid.sh).
// Runs under inetd on the UCS DC as root and reads one request line from the
// socket: "SIDTOID <sid>" or "IDTOSID UID|GID|XID <id>". Replies in the
// idmap_script format: "UID:<n>", "GID:<n>", "SID:<sid>" or "ERR:<code>".
// Nothing authenticates the client: anyone who can reach TCP 2628 can query.

// Run one wbinfo lookup; returns its trimmed output, or null when winbind
// reports a failure. The argument is escaped, so it cannot break out of the command.
function wbinfo($flag, $arg) {
	$result = shell_exec('wbinfo ' . $flag . ' ' . escapeshellarg($arg) . ' 2>&1');
	if ($result === null || strpos($result, 'failed') !== false) {
		return null;
	}
	return trim($result);
}

// fgets(STDIN) instead of readline(): it needs no readline extension and
// reads the socket that inetd hands us on stdin.
$line = fgets(STDIN);
$input = ($line === false) ? array() : preg_split('/\s+/', trim($line));
$cmd = isset($input[0]) ? $input[0] : '';

if ($cmd == 'SIDTOID') {
	$sid = isset($input[1]) ? $input[1] : '';
	// User?
	$uid = wbinfo('-S', $sid);
	if ($uid !== null) {
		echo "UID:$uid\n";
		exit;
	}
	// Group?
	$gid = wbinfo('-Y', $sid);
	if ($gid !== null) {
		echo "GID:$gid\n";
		exit;
	}
	echo "ERR:1234\n";
	exit;
}
if ($cmd == 'IDTOSID') {
	$type = isset($input[1]) ? $input[1] : '';
	$id   = isset($input[2]) ? $input[2] : '';
	if ($type == 'XID') {
		// XID means "uid or gid, winbind does not know which": try both.
		$sid = wbinfo('-U', $id);
		if ($sid === null) {
			$sid = wbinfo('-G', $id);
		}
		if ($sid !== null) {
			echo "SID:$sid\n";
			exit;
		}
		echo "ERR:1235\n";
		exit;
	}
	if ($type == 'UID') {
		$sid = wbinfo('-U', $id);
		if ($sid !== null) {
			echo "SID:$sid\n";
			exit;
		}
		echo "ERR:1236\n";
		exit;
	}
	if ($type == 'GID') {
		$sid = wbinfo('-G', $id);
		if ($sid !== null) {
			echo "SID:$sid\n";
			exit;
		}
		echo "ERR:1237\n";
		exit;
	}
	echo "ERR:1240  |$type|\n";
	exit;
}
echo "ERR:1250\n";

inetd:
dict stream tcp nowait root /usr/sbin/tcpd /root/sidtouid.php

(needed to do a ucr set security/packetfilter/tcp/2628/all=ACCEPT)

bash script:

#!/bin/bash
# sendsid.sh: called by winbind (idmap_script backend) with the request as
# arguments, e.g. "SIDTOID S-1-5-21-..." or "IDTOSID UID 2001". Forwards the
# request to sidtouid.php on the UCS DC and echoes the answer back to winbind.
# Every request and answer is appended to a log file under /tmp.
input="$*"
log=/tmp/sendsid.log

echo "$(date)" >> "$log"
echo "$input" >> "$log"

# DC address; "dict" resolves to TCP 2628 via /etc/services
output=$(echo "$input" | nc 192.168.10.250 dict)

echo "$output" >> "$log"
echo >> "$log"

echo "$output"

idmap script (samba config):

idmap config ADNAME:backend = script
idmap config ADNAME:range = 2000-9999
idmap config ADNAME:script = /root/sendsid.sh

The most worrisome thing: this smelly pile of crap actually works! (No, I refuse to call this a hack…)

But, is there a solution for this problem which can be called a “solution”?
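For readers who want to keep the idmap_script approach while closing the obvious gap in it, here is an added example of a request handler for the same protocol that validates input before anything is executed. This is not the poster's code and not part of Samba: it checks SID syntax and numeric ids against the page's own range (2000-9999) before invoking wbinfo, calls wbinfo without a shell, and takes the lookup function as a parameter so the parser can be exercised offline against a constructed winbind stub (FAKE_WINBIND, a made-up table). The wbinfo flags assumed (-S/-Y for SID to uid/gid, -U/-G for uid/gid to SID) are those used on the page.

```python
"""Input-validating handler for Samba's idmap_script request/response protocol.

Added example, not the forum poster's or Samba's code. Requests look like
"SIDTOID <sid>" or "IDTOSID UID|GID|XID <id>"; answers are "UID:<n>",
"GID:<n>", "SID:<sid>" or "ERR:<message>".
"""
import re
import subprocess
import sys

# Windows SID syntax: S-1-<authority>-<subauthority>... (1 to 14 subauthorities)
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,14}$")
# idmap range taken from the page's smb.conf fragment
ID_RANGE = (2000, 9999)

# Constructed winbind stub: (wbinfo flag, argument) -> answer. Assumed values.
FAKE_TABLE = {
    ("-S", "S-1-5-21-1-2-3-1104"): "2001",              # a user
    ("-Y", "S-1-5-21-1-2-3-513"): "2000",               # a group
    ("-U", "2001"): "S-1-5-21-1-2-3-1104",
    ("-G", "2000"): "S-1-5-21-1-2-3-513",
}


def FAKE_WINBIND(flag, arg):
    """Stand-in for wbinfo so the handler can be tested without winbind."""
    return FAKE_TABLE.get((flag, arg))


def wbinfo(flag, arg):
    """Run wbinfo with an argument vector (no shell); None on any failure."""
    try:
        proc = subprocess.run(["wbinfo", flag, arg], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    return proc.stdout.strip() or None


def in_range(ident):
    """True if ident is a decimal id inside the configured idmap range."""
    return ident.isdigit() and ID_RANGE[0] <= int(ident) <= ID_RANGE[1]


def handle_request(line, lookup=wbinfo):
    """Parse one request line, validate it, answer in idmap_script format."""
    parts = line.strip().split()
    if not parts:
        return "ERR:empty request"
    cmd = parts[0]

    if cmd == "SIDTOID" and len(parts) == 2:
        sid = parts[1]
        if not SID_RE.match(sid):          # rejects shell metacharacters too
            return "ERR:malformed SID"
        uid = lookup("-S", sid)
        if uid is not None and in_range(uid):
            return f"UID:{uid}"
        gid = lookup("-Y", sid)
        if gid is not None and in_range(gid):
            return f"GID:{gid}"
        return "ERR:unknown SID"

    if cmd == "IDTOSID" and len(parts) == 3:
        kind, ident = parts[1], parts[2]
        if kind not in ("UID", "GID", "XID"):
            return "ERR:bad id type"
        if not in_range(ident):
            return "ERR:id out of range"
        # XID means "either": try the user mapping, then the group mapping.
        flags = {"UID": ["-U"], "GID": ["-G"], "XID": ["-U", "-G"]}[kind]
        for flag in flags:
            sid = lookup(flag, ident)
            if sid is not None and SID_RE.match(sid):
                return f"SID:{sid}"
        return "ERR:unknown id"

    return "ERR:bad request"


def main():
    # winbind passes the request as argv; an inetd deployment reads stdin.
    req = " ".join(sys.argv[1:]) if len(sys.argv) > 1 else sys.stdin.readline()
    print(handle_request(req))


if __name__ == "__main__":
    main()
```

Dropped in as the idmap script directly on the member server (with the real wbinfo), it replaces both sendsid.sh and the network hop; used behind inetd on the DC, it replaces sidtouid.php while refusing anything that is not a well-formed SID or an id inside the range before a process is spawned.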
