Univention Bugzilla – Bug 31600
S4-Slave tries to change LDAP base without write permissions
Last modified: 2013-08-15 09:45:23 CEST
Created attachment 5257
connector-s4.log

31.05.2013 17:07:03,387 MAIN (------ ): DEBUG_INIT
31.05.2013 17:07:03,416 LDAP (PROCESS): Building internal group membership cache
31.05.2013 17:07:03,456 LDAP (PROCESS): Internal group membership cache was created
31.05.2013 17:07:03,636 LDAP (PROCESS): sync to ucs: Resync rejected dn: DC=nstx,DC=local
31.05.2013 17:07:03,646 LDAP (PROCESS): sync to ucs: [ container_dc] [ modify] dc=nstx,dc=local
31.05.2013 17:07:03,661 LDAP (ERROR ): Unknown Exception during sync_to_ucs
31.05.2013 17:07:03,663 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 1292, in sync_to_ucs
    result = self.property[property_type].ucs_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/dc.py", line 181, in con2ucs
    s4connector.lo.modify(dn, ml)
  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 409, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
DN: 'dc=nstx,dc=local'
---[modlist]---
[('msGPOLink', ['[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nstx,DC=local;0]'], [u'[LDAP://cn={A3703992-29E0-4F37-A763-2999C0DE0B5F},cn=policies,cn=system,DC=nstx,DC=local;0][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nstx,DC=local;0]'])]
---------------

Is it related to Bug 31578?
Attached connector-s4.log
*** Bug 27209 has been marked as a duplicate of this bug. ***
(In reply to comment #1)
> *** Bug 27209 has been marked as a duplicate of this bug. ***

See Bug #27209 for an old report. If S4 is installed on the DC Master the GPO is set through the Master. I don't think we need to fix it in this release.

Workaround on the DC Master:
udm container/dc modify --dn $(ucr get ldap/base) \
  --set gPLink="..."
Addition: the failed change attempt seems to remain forever in the connector's list of rejected objects.
It's not related to Bug 31578. It's an old issue, see Bug 27209 Comment 1.
This issue was also reported at Ticket #2012051421002599.
*** Bug 27294 has been marked as a duplicate of this bug. ***
This issue occurs when an Administrator of a UCS@school Slave PDC links a GPO to the LDAP base (or to some common container outside of its own OU). From a security point of view the current behaviour seems reasonable, i.e. not allowing UCS@school Slave PDCs to link arbitrary Group Policy Objects outside of their OU, affecting Windows clients in the central department and at all other schools. It would be better if the S4 Connector could be configured to e.g. not sync the LDAP base. For this I created Bug 31935.
Btw, if the LDAP ACLs allowed this, the Connector would probably have run into Bug 29845 instead.
Ok, maybe it's best to document this: If an administrator operating on a UCS@school Samba4 Slave DC chooses to modify (add/remove) GPO links at the LDAP base or at the container "OU=Domain Controllers", the S4 Connector will show a reject, as the UCS@school Samba4 Slave DC is not allowed to modify these objects by default. The gPLinks can then be synchronized manually by running the following command on the UCS@school Slave DC:

eval "$(ucr shell)"
/usr/share/univention-s4-connector/msgpo.py --write2ucs \
  --binddn "uid=Administrator,cn=users,$ldap_base" --bindpwd <password>

This writes the gPLink attributes for the LDAP base and the container "OU=Domain Controllers" from Samba4 to UDM. The S4 Connector automatically drops the reject during the next resync. In case just one of the containers should be modified, comment 2 may help to achieve that.
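An added example (not part of this bug report or of the Univention connector code) that parses the gPLink/msGPOLink value format seen in the attached modlist, reports which GPO links a rejected modify would add, remove or re-flag, and checks whether the target DN is one of the containers the comment above says a school Slave DC may not modify. It assumes the standard meaning of the link option bits (0x1 = link disabled, 0x2 = enforced); the sample values are copied from the modlist in the attachment comment.

```python
import re

# One gPLink/msGPOLink value is a concatenation of "[LDAP://<dn>;<options>]"
# entries, e.g. the two-link value in the rejected modlist above.
GPLINK_ENTRY = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

# Link option bits (assumption: standard AD semantics for gPLink options).
LINK_DISABLED = 0x1
LINK_ENFORCED = 0x2

def parse_gplink(value):
    """Return [(gpo_dn, options), ...] in the order they appear in the value."""
    return [(dn, int(opts)) for dn, opts in GPLINK_ENTRY.findall(value)]

def link_state(options):
    """Human-readable state of one link derived from its option bits."""
    flags = []
    if options & LINK_DISABLED:
        flags.append("disabled")
    if options & LINK_ENFORCED:
        flags.append("enforced")
    return "+".join(flags) or "enabled"

def diff_gplink(old_value, new_value):
    """Compare two gPLink values; GPO DNs are matched case-insensitively."""
    old = {dn.lower(): (dn, o) for dn, o in parse_gplink(old_value)}
    new = {dn.lower(): (dn, o) for dn, o in parse_gplink(new_value)}
    added = [new[k][0] for k in new if k not in old]
    removed = [old[k][0] for k in old if k not in new]
    changed = [(new[k][0], link_state(old[k][1]), link_state(new[k][1]))
               for k in new if k in old and old[k][1] != new[k][1]]
    return added, removed, changed

def is_protected_target(dn, ldap_base):
    """True for the LDAP base and the "OU=Domain Controllers" container
    directly below it, the two objects the Slave DC is not allowed to modify."""
    norm = re.sub(r",\s*", ",", dn).lower()
    base = re.sub(r",\s*", ",", ldap_base).lower()
    return norm in (base, "ou=domain controllers," + base)

# Values copied from the modlist in the attached connector-s4.log.
OLD_GPLINK = "[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nstx,DC=local;0]"
NEW_GPLINK = ("[LDAP://cn={A3703992-29E0-4F37-A763-2999C0DE0B5F},cn=policies,cn=system,DC=nstx,DC=local;0]"
              "[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nstx,DC=local;0]")

if __name__ == "__main__":
    print("diff:", diff_gplink(OLD_GPLINK, NEW_GPLINK))
    print("protected target:", is_protected_target("dc=nstx,dc=local", "dc=nstx,dc=local"))
```

Running this on the rejected modlist shows the change only adds the second GPO link at the LDAP base, which is exactly the kind of modification the connector on a Slave DC cannot write.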
Comment added to schoolexam-de.xml, Section 1.3.1 "Generelle Hinweise zum Administrativen Vorlagen und Gruppenrichtlinien".
(In reply to Arvid Requate from comment #10)
> Comment added to schoolexam-de.xml, Section 1.3.1 "Generelle Hinweise zum
> Administrativen Vorlagen und Gruppenrichtlinien".

Committed small changes. → VERIFIED
UCS@school 3.1 R2-1 has been released: http://download.univention.de/doc/release-notes-ucsschool-3.1-rev2-1.pdf If this error occurs again, please use "Clone This Bug".