Univention Bugzilla – Bug 31640
sysvol Policies GPO ownership not correct after setup
Last modified: 2013-08-15 12:49:57 CEST
The initial report for Bug 31578 indicates that the special Samba4 configuration of UCS@school (e.g. official SIDs generated by UDM) might cause some yet unresolved issue with the ownership of the sysvol files. This needs to be checked: Either it's UCS@school specific or it is a general Samba4 issue.

In the product tests I discovered this also once on a Master in a freshly installed UCS 3.1-1 domain (no samba), where I installed univention-s4-connector manually. IIRC it was after installing the wizard from UCS@school 3.1R2, but before running the wizard on the master. Thinking about it, this might indicate that it's a general issue.

+++ This bug was initially created as a clone of Bug #31578 +++

On a UCS@school 3.1-R2 Samba4 Slave PDC setup via ucs-school-umc-installer wizard:
========================================================================
root@slave82:~# ls -l /var/lib/samba/sysvol/arschool31r2.qa/Policies/
insgesamt 16
drwxrwx---+ 4 3000008 3000008 4096 29. Mai 17:24 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 3000008 3000008 4096 29. Mai 17:24 {6AC1786C-016F-11D2-945F-00C04FB984F9}
========================================================================
All joinscripts had been executed.

A manual sysvolreset fixes this:
========================================================================
root@slave82:~# samba-tool ntacl sysvolreset
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
root@slave82:~# ls -l /var/lib/samba/sysvol/arschool31r2.qa/Policies/
insgesamt 16
drwxrwx---+ 4 Administrator Domain Admins 4096 29. Mai 17:24 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 Administrator Domain Admins 4096 29. Mai 17:24 {6AC1786C-016F-11D2-945F-00C04FB984F9}
========================================================================

Comparing this with a standard UCS 3.1-1 Master installation of univention-s4-connector:
* univention-install univention-s4-connector
* sysvol Policies GPO folder ownership is 3000008
* univention-run-join-scripts runs 98univention-samba4-dns.inst (sysvolreset)
* ownerships fixed.
This had to be fixed in univention-samba4:
* the UCS Posix IDs are now written to idmap.ldb directly after provision/join before the sysvolreset instead of after.
* During updates the ownership of the GPO directory for the Domain Default Policy is checked. If it results in an invalid username, then a sysvolreset is performed.

Advisory: 2013-07-11-univention-samba4.yaml
From postinst:

gpo_dir_owner="$(stat --printf '%U' "/var/lib/samba/sysvol/$domainname/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}" 2>&1)"

It should be checked if the directory exists, for example the directory does not exist on an unjoined system.

All other tests were OK.

Diff between 3.1-1-errata and 3.2: OK
YAML: OK
Changelog: Missing
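The update-time check discussed in the two comments above, written out as an added example (this is not the univention-samba4 postinst). It tests the numeric owner id with `getent` instead of parsing the `stat '%U'` name, and treats a missing directory as its own case. The names `uid_resolves`, `gpo_owner_state`, `repair_sysvol_owner` and `SYSVOL_RESET_CMD` are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's postinst. Assumes a stat that supports -c.

# Policy GUID as shown in the directory listings of this report.
GPO_GUID='{31B2F340-016D-11D2-945F-00C04FB984F9}'

# Return 0 if the numeric uid maps to an account through NSS.
# Kept as its own function (hypothetical name) so it can be replaced.
uid_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print the state of a GPO directory's owner: missing | unresolved | ok
gpo_owner_state() {
    dir=$1
    # Unjoined system: no sysvol tree exists, so there is nothing to repair.
    [ -d "$dir" ] || { echo missing; return 0; }
    # Numeric owner, e.g. 3000008 in the listing above.
    uid=$(stat -c '%u' "$dir") || return 1
    if uid_resolves "$uid"; then
        echo ok
    else
        echo unresolved
    fi
}

# Run the reset only when the owner id has no account behind it.
# $1 is the domain's sysvol directory, /var/lib/samba/sysvol/<domainname>.
repair_sysvol_owner() {
    state=$(gpo_owner_state "$1/Policies/$GPO_GUID") || return 1
    if [ "$state" = unresolved ]; then
        # Intentionally unquoted so the command and its arguments split.
        ${SYSVOL_RESET_CMD:-samba-tool ntacl sysvolreset}
    fi
}
```

Checking for the directory first keeps a `stat` error message from being mistaken for an owner name, which is what the `2>&1` in the quoted postinst line would otherwise allow.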
Fixed postinst and changelog.
OK - gpo_dir is checked and repaired if necessary
OK - Diff between 3.1-1-errata and 3.2
OK - YAML
http://errata.univention.de/ucs/3.1/166.html