Systemdiagnostic: Well-known SIDs missing

ucs-4-2
samba4
diagnostic

#1

Hello,

seems to be that some groups are missing:

Kein Nutzer oder keine Gruppe mit SID S-1-5-32-557 gefunden, 'Incoming Forest Trust Builders' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-568 gefunden, 'IIS_IUSRS' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-554 gefunden, 'Pre-Windows 2000 Compatible Access' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-559 gefunden, 'Performance Log Users' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-561 gefunden, 'Terminal Server License Servers' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-556 gefunden, 'Network Configuration Operators' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-555 gefunden, 'Remote Desktop Users' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-573 gefunden, 'Event Log Readers' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-569 gefunden, 'Cryptographic Operators' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-560 gefunden, 'Windows Authorization Access Group' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-574 gefunden, 'Certificate Service DCOM Access' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-562 gefunden, 'Distributed COM Users' war erwartet.
Kein Nutzer oder keine Gruppe mit SID S-1-5-32-558 gefunden, 'Performance Monitor Users' war erwartet.

How can I fix this?


#2

Hey,

those groups should still be present in the Samba 4 LDAP as Samba usually refuses to delete them in the first place. You can verify that for each group with the following command:

univention-s4search --cross-ncs "cn=IIS_IUSRS"

Replace IIS_IUSRS with the respective group name in each invocation.

If they do exist, you should be able to let them re-sync from the Samba 4 LDAP to the OpenLDAP with the following command:

/usr/share/univention-s4-connector/resync_object_from_s4.py cn=iis_iusrs,cn=builtin,DC=…

Insert the correct DN for each group as output by the univention-s4search command.

Kind regards,
mosu


#3

Hello,

this creates only a reject:

# univention-s4connector-list-rejected

UCS rejected


S4 rejected

    1:    S4 DN: CN=IIS_IUSRS,CN=Builtin,DC=top2,DC=top1
         UCS DN: <not found>

        last synced USN: 15883


#4

This seems to be related:

# ucr search --brief connector/s4/mapping/group/ignorelist
connector/s4/mapping/group/ignorelist: Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self

#5

The group IIS_IUSRS is not mentioned in that UCR variable, only IUSR. What’s the actual error message leading to the reject (see /var/log/univention/connector-s4.log)?


#6

Ok that’s correct. The log contains only:

07.02.2018 21:37:59,135 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=IIS_IUSRS,CN=Builtin,DC=top2,DC=top1

#7

…and is the reject still present? The reason I’m asking is that there’s a delay between entering the command /usr/share/univention-s4-connector/resync_object_from_s4.py… and the S4 connector actually attempting that resync.


#8

The reject is not there anymore. But the result of

univention-ldapsearch cn=IIS_IUSRS

is still empty.


#9

Hey,

that’s strange. I’ve just given this workflow a try, and for me it works.

What I’ve done:

  1. Removed the group IIS_IUSRS in the UMC
  2. Waited until univention-s4connector-list-rejected showed the reject due to S4 not allowing the deletion
  3. Removed the UCS reject by calling /usr/share/univention-s4-connector/remove_ucs_rejected.py cn=IIS_IUSRS,cn=Builtin,$(ucr get ldap/base) ; the output of univention-s4connector-list-rejected is now empty
  4. Triggered re-sync from S4 via /usr/share/univention-s4-connector/resync_object_from_s4.py cn=iis_iusrs,cn=builtin,DC=mbu-test,DC=intranet
  5. Waited until the connector is settled again
  6. univention-ldapsearch cn=IIS_IUSRS now shows the group again

Here’s what my connector-s4.log contains after step 4:

08.02.2018 10:16:07,603 LDAP        (PROCESS): sync to ucs: Resync rejected dn: cn=iis_iusrs,cn=builtin,DC=mbu-test,DC=intranet
08.02.2018 10:16:07,606 LDAP        (PROCESS): sync to ucs:   [         group] [       add] cn=IIS_IUSRS,cn=builtin,dc=mbu-test,dc=intranet
08.02.2018 10:16:07,888 LDAP        (WARNING): group_members_sync_to_ucs: failed to identify object type of s4 member, ignore membership: CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=mbu-test,DC=intranet
08.02.2018 10:16:12,897 LDAP        (PROCESS): sync from ucs: [         group] [       add] cn=iis_iusrs,cn=builtin,DC=mbu-test,DC=intranet
08.02.2018 10:16:12,901 LDAP        (PROCESS): group_members_sync_from_ucs: cn=iis_iusrs,cn=builtin,dc=mbu-test,dc=intranet is newly added. For this case don't remove the membership.

Can you please try re-syncing from S4 again and post what your connector-s4.log contains starting with that Resync rejected dn: line? Thanks.

Kind regards,
mosu


#10

As written above, it contains only this:

(PROCESS): sync to ucs: Resync rejected dn: CN=IIS_IUSRS,CN=Builtin,DC=top2,DC=top1

EDIT: With debug level 4:

08.02.2018 10:27:37,275 LDAP        (INFO   ): _ignore_object: ignore object because of subtree match: [cn=IIS_IUSRS,CN=Builtin,dc=top2,dc=top1]

#11

Hey,

I see. That’s most likely because the UCR variable connector/s4/mapping/group/grouptype is either set to false or not set at all. Can you please verify that?

If that’s the case:

  1. Set the variable to true
  2. Restart the S4 Connector service
  3. Try re-syncing again

Kind regards,
mosu
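
As an added example (not from this thread and not part of Univention's own tools), the checks discussed in posts #1, #4/#5 and #11 as a small Python helper: it parses the diagnostic lines for SID and expected group name, checks the names against the posted group ignorelist, confirms the grouptype UCR variable, and emits the resync_object_from_s4.py commands with the cn=Builtin DN. The function names, the sample diagnostic text and the dictionary of UCR values are assumptions of this example.

```python
import re
import shlex

# Constructed sample in the format of the UCS system diagnostic output quoted
# above; two messages are joined on one line, as in the original post.
DIAG_OUTPUT = (
    "Kein Nutzer oder keine Gruppe mit SID S-1-5-32-568 gefunden, "
    "'IIS_IUSRS' war erwartet.\n"
    "Kein Nutzer oder keine Gruppe mit SID S-1-5-32-555 gefunden, "
    "'Remote Desktop Users' war erwartet. Kein Nutzer oder keine Gruppe mit "
    "SID S-1-5-32-573 gefunden, 'Event Log Readers' war erwartet.\n"
)

# connector/s4/mapping/group/ignorelist exactly as posted in this thread.
IGNORELIST = (
    "Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,"
    "Nobody,Enterprise Domain Controllers,Remote Interactive Logon,"
    "SChannel Authentication,Digest Authentication,Terminal Server User,"
    "NTLM Authentication,Other Organization,This Organization,Anonymous Logon,"
    "Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,"
    "Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self"
)

RESYNC_TOOL = "/usr/share/univention-s4-connector/resync_object_from_s4.py"
# Assumes the German message format shown above; only builtin (S-1-5-32-*) SIDs.
DIAG_RE = re.compile(r"mit SID (S-1-5-32-\d+) gefunden, '([^']+)' war erwartet")


def parse_missing_sids(text):
    """Return [(sid, expected_name)] for each diagnostic message; works even
    when several messages were pasted onto one line."""
    return DIAG_RE.findall(text)


def grouptype_sync_enabled(ucr):
    """Pre-flight check from the fix in this thread: builtin groups are only
    synced when connector/s4/mapping/group/grouptype is set to true.
    `ucr` is a plain dict of variable -> value (assumption of this example)."""
    return ucr.get("connector/s4/mapping/group/grouptype", "").lower() == "true"


def plan_resync(diag_text, ignorelist, ldap_base):
    """Split the missing groups into those the connector ignores on purpose
    and those to resync; builtin groups live under cn=Builtin, not cn=groups."""
    ignored = {g.strip().lower() for g in ignorelist.split(",")}
    plan = {"ignored": [], "commands": []}
    for sid, name in parse_missing_sids(diag_text):
        if name.lower() in ignored:
            plan["ignored"].append((sid, name))
        else:
            dn = f"cn={name},cn=Builtin,{ldap_base}"
            plan["commands"].append(f"{RESYNC_TOOL} {shlex.quote(dn)}")
    return plan
```

Run the emitted commands only after `grouptype_sync_enabled` returns true and the connector has been restarted, otherwise the resync ends in the same subtree-match reject seen in post #10.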


#12

Ok this seems to be working:

08.02.2018 10:31:22,194 MAIN        (------ ): DEBUG_INIT
08.02.2018 10:31:22,230 LDAP        (PROCESS): Building internal group membership cache
08.02.2018 10:31:22,234 LDAP        (PROCESS): Internal group membership cache was created
08.02.2018 10:38:18,319 MAIN        (------ ): DEBUG_INIT
08.02.2018 10:48:17,899 MAIN        (------ ): DEBUG_INIT
08.02.2018 10:58:17,816 MAIN        (------ ): DEBUG_INIT
08.02.2018 11:08:17,722 MAIN        (------ ): DEBUG_INIT
08.02.2018 11:15:24,625 MAIN        (------ ): DEBUG_INIT
08.02.2018 11:15:24,656 LDAP        (PROCESS): Building internal group membership cache
08.02.2018 11:15:24,660 LDAP        (PROCESS): Internal group membership cache was created
08.02.2018 11:15:33,570 MAIN        (------ ): DEBUG_INIT
08.02.2018 11:16:07,869 MAIN        (------ ): DEBUG_INIT
08.02.2018 11:16:16,713 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=IIS_IUSRS,CN=Builtin,DC=home,DC=dg
08.02.2018 11:16:16,716 LDAP        (PROCESS): sync to ucs:   [         group] [       add] cn=IIS_IUSRS,CN=Builtin,dc=home,dc=dg
08.02.2018 11:16:22,121 MAIN        (------ ): DEBUG_INIT
08.02.2018 11:16:30,436 MAIN        (------ ): DEBUG_INIT
08.02.2018 11:16:33,391 LDAP        (WARNING): group_members_sync_to_ucs: failed to identify object type of s4 member, ignore membership: CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=top2,DC=top1
08.02.2018 11:16:40,195 LDAP        (PROCESS): sync from ucs: [         group] [       add] cn=iis_iusrs,cn=builtin,DC=top2,DC=top1
08.02.2018 11:16:40,199 LDAP        (PROCESS): group_members_sync_from_ucs: cn=iis_iusrs,cn=builtin,dc=home,dc=dg is newly added. For this case don't remove the membership.
08.02.2018 11:16:41,272 LDAP        (PROCESS): sync to ucs:   [            dc] [    modify] cn=dc-slave,cn=dc,cn=computers,dc=top2,dc=top1
08.02.2018 11:16:47,623 MAIN        (------ ): DEBUG_INIT
08.02.2018 11:18:17,706 MAIN        (------ ): DEBUG_INIT

It is now in the LDAP:

# univention-ldapsearch cn=IIS_IUSRS
# extended LDIF
#
# LDAPv3
# base <dc=top2,dc=top1> (default) with scope subtree
# filter: cn=IIS_IUSRS
# requesting: ALL
#

# IIS_IUSRS, Builtin, home.dg
dn: cn=IIS_IUSRS,cn=Builtin,dc=top2,dc=top1
sambaGroupType: 2
cn: IIS_IUSRS
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
objectClass: sambaGroupMapping
univentionObjectType: groups/group
sambaSID: S-1-5-32-568
gidNumber: 1070
univentionGroupType: -2147483643
description: Built-in group used by Internet Information Services.

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Is the cn (cn=Builtin, not cn=groups) correct? Can I proceed with the other groups?


#13

Hey,

yes & yes:

[0 root@master ~] univention-ldapsearch | grep -i cn=builtin | head
dn: cn=Builtin,dc=mbu-test,dc=intranet
dn: cn=IUSR,cn=Builtin,dc=mbu-test,dc=intranet
dn: cn=Self,cn=Builtin,dc=mbu-test,dc=intranet
dn: cn=Batch,cn=Builtin,dc=mbu-test,dc=intranet
dn: cn=Proxy,cn=Builtin,dc=mbu-test,dc=intranet
dn: cn=Users,cn=Builtin,dc=mbu-test,dc=intranet
dn: cn=Dialup,cn=Builtin,dc=mbu-test,dc=intranet
dn: cn=Guests,cn=Builtin,dc=mbu-test,dc=intranet
dn: cn=Nobody,cn=Builtin,dc=mbu-test,dc=intranet
dn: cn=System,cn=Builtin,dc=mbu-test,dc=intranet

Kind regards,
mosu


#14

Ok thanks, all groups are synced now.


#15

Great :+1: And you’re welcome.