User shall have their own (per user) primary group

Hi, I run a UCS test setup and I need to be able to create users and groups using the command line interface.
During the test I observed that when I try to create a test user “smithda” and a group “smithda”, ONLY the one or the other is possible, as follows:

udm groups/group create \
--position "cn=groups,dc=math,dc=uzh,dc=ch" \
--set name="smithda" \
--set gidNumber="10900"

and then

udm users/user create \
--position "cn=users,dc=math,dc=uzh,dc=ch" \
--set lastname="Smith" \
--set password="qwertyu1234" \
--set username="smithda"

Then I see –
“E: Object exists: (uid) : smithda”

Another observation was when I run:

udm users/user create \
--position "cn=users,dc=math,dc=uzh,dc=ch" \
--set lastname="Smith" \
--set password="qwertyu1234" \
--set username="smithda" \
--set primaryGroup="cn=10900,cn=groups,dc=math,dc=uzh,dc=ch"

Then I see –
“Need a primary group with samba option to create a user with samba option.”

The background for my question is that I need the users to have their own primary group, so it should look at the end as follows:

getent group smithda
smithda: *: 10900

getent passwd smithda
smithda:x:10900:10900: Daniel   Smith:/home/smithda: /bin/bash

Thanks for your feedback.

Best Regards,
Daniel

Setup:
UCS: 4.2-3 errata305
App Center compatibility: 4
Installed: cups=1.7.5 printquota=9.0 samba4=4.6

Hey,

in a UCS system users & groups share the same name space. You simply cannot have a user and a group with the same name.

One possible way is to prefix or postfix each group with e.g. -grp, meaning you’d name the group smithda-grp and the corresponding user smithda.

Kind regards,
mosu

Hi Moritz,
well, I am a bit surprised but thanks for this clarification. It would be useful to have such a function for us. Does UCS plan to implement such in a future release?

Could you also help why this command

udm users/user create \
--position "cn=users,dc=math,dc=uzh,dc=ch" \
--set lastname="Smith" \
--set password="qwertyu1234" \
--set username="smithda" \
--set primaryGroup="cn=10900,cn=groups,dc=math,dc=uzh,dc=ch"

gives the output
“Need a primary group with samba option to create a user with samba option.”

What does this mean, and why is this message shown now?

Best Regards
Daniel

Hey,

I’d guess that the error message is slightly misleading. Your primary group is most likely not named cn=10900,… but e.g. cn=smitha-grp,…. You have to use the DN of an actually existing group here; you cannot simply use the group’s ID. If you need to know the group’s DN for a given ID, use something like this: univention-ldapsearch gidNumber=10900 dn

Kind regards,
mosu

There could be two other reasons:

  • the “samba” option is not set on the group (it should be by default)
  • the s4 connector is not running, and thus, after creating a group, the samba attributes are not synced back from samba4

Please verify that the objectClass sambaGroupMapping is set on the group:

$ univention-ldapsearch -LLL cn=smithda objectClass
objectClass: organizationalRole
objectClass: sambaGroupMapping
objectClass: top
objectClass: univentionGroup
objectClass: univentionObject

Please post here the output of:
univention-ldapsearch -LLL '(|(cn=smithda)(cn=10900))'

Please verify that the s4 connector is running:

$ service univention-s4-connector status
● univention-s4-connector.service - LSB: Univention S4 Connector
   Loaded: loaded (/etc/init.d/univention-s4-connector)
   Active: active (running) since Di 2018-02-20 16:38:00 CET; 6 days ago
  Process: 1706 ExecStart=/etc/init.d/univention-s4-connector start (code=exited, status=0/SUCCESS)
 Main PID: 2787 (python2.7)
   CGroup: /system.slice/univention-s4-connector.service
           └─2787 /usr/bin/python2.7 -W ignore /usr/lib/pymodules/python2.7/univention/s4connector/s4/main.py

Feb 20 16:38:00 ucs26 univention-s4-connector[1706]: Starting Univention S4 Connector: univention-s4-connector.
Feb 20 16:38:00 ucs26 systemd[1]: univention-s4-connector.service: Supervising process 2787 which is not ...xits.
Feb 20 16:38:00 ucs26 systemd[1]: Started LSB: Univention S4 Connector.
Hint: Some lines were ellipsized, use -l to show in full.
$ ps ax | grep s4connector
 2787 ?        S     19:24 /usr/bin/python2.7 -W ignore /usr/lib/pymodules/python2.7/univention/s4connector/s4/main.py

Greetings
Daniel

Hi Daniel, Thanks for the reply. Please see the output.

root@ucs:/home# univention-ldapsearch -LLL '(|(cn=smithda)(cn=10900))'
dn: cn=smithda,cn=groups,dc=math,dc=uzh,dc=ch
sambaGroupType: 2
cn: smithda
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
objectClass: sambaGroupMapping
univentionObjectType: groups/group
gidNumber: 10900
univentionGroupType: -2147483646
sambaSID: S-1-5-21-3817833853-2945879862-3432639042-1164

hi daniel, pls also see this output, Thanks a lot
root@ucs:/home# service univention-s4-connector status -l
● univention-s4-connector.service - LSB: Univention S4 Connector
Loaded: loaded (/etc/init.d/univention-s4-connector)
Active: active (running) since Sun 2018-02-25 06:25:35 CET; 4 days ago
Process: 485 ExecStop=/etc/init.d/univention-s4-connector stop (code=exited, status=0/SUCCESS)
Process: 492 ExecStart=/etc/init.d/univention-s4-connector start (code=exited, status=0/SUCCESS)
Main PID: 571 (python2.7)
CGroup: /system.slice/univention-s4-connector.service
└─571 /usr/bin/python2.7 -W ignore /usr/lib/pymodules/python2.7/univention/s4connector/s4/main.py

Feb 25 06:25:35 ucs univention-s4-connector[492]: Starting Univention S4 Connector: univention-s4-connector.
Feb 25 06:25:35 ucs systemd[1]: PID file /var/run/univention-s4-connector not readable (yet?) after start.
Feb 25 06:25:35 ucs systemd[1]: univention-s4-connector.service: Supervising process 571 which is not our child. We’ll most likely not notice when it exits.
Feb 25 06:25:35 ucs systemd[1]: Started LSB: Univention S4 Connector.

root@ucs:/home# ps ax | grep s4connector
571 ? S 5:58 /usr/bin/python2.7 -W ignore /usr/lib/pymodules/python2.7/univention/s4connector/s4/main.py
25113 pts/3 S+ 0:00 grep --color s4connector

Hey,

your group is still named smithda. Therefore creating a user with the same name won’t work, even if you specify the correct group name.

You should:

  1. rename the group so that its name won’t clash with the new user’s name (e.g. to smithda-grp; corresponding command might be udm groups/group modify --dn cn=smithda,cn=groups,dc=math,dc=uzh,dc=ch --set name=smithda-grp)
  2. create the user specifying the group’s new DN as the primaryGroup (udm users/user create … --set primaryGroup=cn=smithda-grp,cn=groups,dc=math,dc=uzh,dc=ch …)

Kind regards,
mosu
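
The checks discussed in this thread (no user/group name clash, a real group DN, Samba mapping present on the group) can be run before the user is created. The following is an added example, not part of the posts above and not UCS code; `check_primary_group` and `sample_ldif` are hypothetical names, and the LDIF is constructed sample input modelled on the output shown in the thread.

```shell
#!/bin/sh
# Pre-flight check before `udm users/user create --set primaryGroup=...`.
# Reads LDIF (as printed by `univention-ldapsearch -LLL`) on stdin.
# Exit status: 0 ok, 1 name clash, 2 group DN missing, 3 no Samba mapping.
# base64-encoded values ("dn:: ...") are not decoded.
check_primary_group() {   # usage: check_primary_group USERNAME GROUP_DN
    awk -v user="$1" -v want="$2" '
    BEGIN { RS = ""; user = tolower(user); want = tolower(want) }
    {
        gsub(/\n /, "")                  # unfold continued LDIF lines
        n = split($0, line, "\n")
        dn = ""; clash = 0; samba = 0; sid = 0
        for (i = 1; i <= n; i++) {
            key = tolower(line[i]); sub(/:.*/, "", key)
            val = line[i];          sub(/^[^:]*: */, "", val)
            if (key == "dn") dn = tolower(val)
            # users and groups share one name space
            if ((key == "cn" || key == "uid") && tolower(val) == user) clash = 1
            if (key == "objectclass" && tolower(val) == "sambagroupmapping") samba = 1
            if (key == "sambasid" && val != "") sid = 1
        }
        if (clash) clashdn = dn
        if (dn == want) { found = 1; ok = (samba && sid) }
    }
    END {
        if (clashdn != "") { print "name clash: " user " is already used by " clashdn; exit 1 }
        if (!found)        { print "primaryGroup DN not found: " want; exit 2 }
        if (!ok)           { print "group lacks sambaGroupMapping/sambaSID: " want; exit 3 }
        print "ok: " want " can be the primary group of " user
    }'
}

# Constructed sample input (not real directory data).
sample_ldif() {           # usage: sample_ldif GROUP_NAME
    cat <<EOF
dn: cn=$1,cn=groups,dc=math,dc=uzh,dc=ch
cn: $1
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 10900
sambaSID: S-1-5-21-0-0-0-1164
EOF
}

# Group named like the user: rejected. Renamed group: accepted.
sample_ldif smithda   | check_primary_group smithda "cn=smithda,cn=groups,dc=math,dc=uzh,dc=ch" || true
sample_ldif smithda_g | check_primary_group smithda "cn=smithda_g,cn=groups,dc=math,dc=uzh,dc=ch"
```

On a live system the function would be fed from something like `univention-ldapsearch -LLL '(|(cn=smithda)(uid=smithda)(cn=smithda_g))'`, using the same filter style as the commands in this thread.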

Fair point: pls see this now
root@ucs:/home# udm groups/group remove --dn "cn=smithda,cn=groups,dc=math,dc=uzh,dc=ch"
Object removed: cn=smithda,cn=groups,dc=math,dc=uzh,dc=ch

root@ucs:/home# udm groups/group create \
--position "cn=groups,dc=math,dc=uzh,dc=ch" \
--set name="smithda_g" \
--set gidNumber="10900"
Object created: cn=smithda_g,cn=groups,dc=math,dc=uzh,dc=ch
root@ucs:/home# udm groups/group list --filter name="smith*"
name=smith*
DN: cn=smithda_g,cn=groups,dc=math,dc=uzh,dc=ch
UVMMGroup: 0
adGroupType: -2147483646
description: None
gidNumber: 10900
mailAddress: None
name: smithda_g
sambaGroupType: 2

udm users/user create \
--position "cn=users,dc=math,dc=uzh,dc=ch" \
--set lastname="Smith" \
--set password="qwertyu1234" \
--set username="smithda" \
--set primaryGroup="cn=smithda_g,cn=groups,dc=math,dc=uzh,dc=ch"
Object created: uid=smithda,cn=users,dc=math,dc=uzh,dc=ch


root@ucs:/home# udm users/user list --filter uid=smith*
uid=smithda
::::
groups: cn=smithda_g,cn=groups,dc=math,dc=uzh,dc=ch
:::
primaryGroup: cn=smithda_g,cn=groups,dc=math,dc=uzh,dc=ch

This looks good to me. Both the user & the group have been created, the user’s primary group is the newly-created group.

Moritz, I will give it a try again now.
Thanks for your help
Regards
Daniel
