Univention Bugzilla – Bug 31132
Samba4 GPOs sometimes created without displayName
Last modified: 2020-07-03 20:54:01 CEST
Under some conditions Samba4 creates group policy objects without a "displayName" attribute attached to the corresponding groupPolicyContainer. In the Windows Group Policy Management tool they are shown as '[Name not available]' (in german versions: '[Name nicht verfügbar]'). This circumstances indicate that this is caused by some race condition: Currently I see this in UCS 3.1-1 during debug session with high debug level and when copying the samba logs away between subsequent attempts of GPO creation with the Windows Group Policy Management tool. I was able to provoke this with all possible scenarios tested for Bug 30999 Comment 2. IIRC I have also seen this behaviour in ucstest for GPOs created with samba-tool.
In the traces I see that the displayName is set correctly but then for some reason it is removed again with a delete operation. Actually looking at the traces again, I now see that also the gPCFileSysPath is missing as well, which probably renders the GPO-Data unaccessible for any GPO client: ====================================================================== + ldb: ldb_trace_request: MODIFY + dn: cn={d6b1e220-ceea-4305-9a2c-84043b269d4d},cn=policies,cn=system,dc=arucs31i0,dc=qa + changetype: modify + delete: gPCFileSysPath + - + delete: versionNumber + - + delete: displayName + - + delete: flags + - + delete: gPCFunctionalityVersion + - ======================================================================
Does the Connector overwrite the attribute?
Created attachment 5183 [details] New displayName: GPO20 unexpectedly renamed. In this special case the GPO container object finally had the name "Neues Gruppenrichtlinienobjekt", even though it was initially created as "GPO20". The gPCFileSysPath was lost anyway. The time interval between writing "displayName: GPO20" and deleting the attribute again was 5 seconds in this case (in another case it was 3 seconds).
Created attachment 5184 [details] connector-s4.log > Does the Connector overwrite the attribute? That's quite probable: after adding a debug statement for the modlist I get the following line in the connector-s4.log 17.02.2013 07:51:36,589 LDAP (INFO ): sync_from_ucs: modlist: [(1, 'gPCFileSysPath', None), (1, 'versionNumber', None), (1, 'displayName', None), (1, 'flags', None), (1, 'gPCFunctionalityVersion', None)]
Created attachment 5185 [details] log.samba corresponding to Comment 4 Note regarding Comment 3: The attached log.samba shows that all GPOs are first created with the displayName "Neues Gruppenrichtlinienobjekt" and then renamed, so that probably was just a very special outcome of this general race.
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.