Bug 40300 – provide printers via gpo doesn't work when gpo is created at dc master central location

Bug 40300 - provide printers via gpo doesn't work when gpo is created at dc master central location


Summary:	provide printers via gpo doesn't work when gpo is created at dc master centra...

Status:	CLOSED FIXED

Product:	UCS@school
Classification:	Unclassified
Component:	Samba 4
Version:	unspecified
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS@school 4.0 Errata
Assigned To:	Felix Botner
QA Contact:	Arvid Requate

URL:
Keywords:

Depends on:	32041 40298 40459
Blocks:
	Show dependency tree / graph

Reported:	2015-12-18 15:23 CET by Felix Botner
Modified:	2016-01-19 15:54 CET (History)
CC List:	6 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
sync_msprinterpolicy_from_ucs.patch (2.28 KB, patch) 2016-01-12 21:08 CET, Arvid Requate	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2015-12-18 15:23:37 CET

+++ This bug was initially created as a clone of Bug #32041 +++

Please see ticket #2013071721001785 for more detail:

You have the possibility to provide printers per user via gpo. This is working when the gpo's are created at school locations, but does not fully work when they are created at the master location. The master itself uses samba 4 within its school-environment and is intended to be used for a central gpo management.

Comment 1 Felix Botner

2016-01-11 14:46:06 CET

ucs-school-ldap-acls-master: 
changed 65ucsschool ldap acl's. slaves are allowed to write objectClass=msPrintConnectionPolicy objects "cn=policies,cn=system,@%@ldap/base@%@" subtree

ucs-school-metapackage:
Set connector/s4/mapping/msprintconnectionpolicy?yes as default for all roles.

I did NOT update the ucs@school app yet.

Dependency:

https://forge.univention.org/bugzilla/show_bug.cgi?id=40299

Changelog:

ucs-school-ldap-acls-master:
The LDAP ACL's have been modified to allow school slave's to update printConnectionPolicy objects (to provide printers via Group Policies).

ucs-school-metapackage:
The synchronization of printConnectionPolicy objects (to provide printers via Group Policies) has been enabled for all server roles. The synchronization can be disabled by setting the UCR variable connector/s4/mapping/msprintconnectionpolicy to false.

Comment 2 Felix Botner

2016-01-12 16:36:11 CET

Added code to resync the objectClass=msPrint-ConnectionPolicy objects from s4 to udm to ucs-school-master.postinst, ucs-school-slave.postinst and ucs-school-nonedu-slave.postinst in ucs-school-metapackage.

Comment 3 Arvid Requate

2016-01-12 21:07:29 CET

Basically it works but there is one corner case:

Standard setup as discussed: *before* updating the UCS@school packages on a UCS 4.0-4 e381 Master and Slave I created two printers and assigned them in different ways via msPrint-ConnectionPolicy:

Two Windows clients:
* client 1 joined to master110 in the central school department
* client 2 joined to slave112 at school2

1. On the Master UMC I created printer1 and printer2 on slave112@school2 and uploaded+assigned a printer driver for both via Printmanagement.msc on client 1

2. Via GPMC on client 1 I created GPO1 and GPO2 on Master and assigned both to OU=school2

3.1 On a client 1 I used Printmanagement.msc to attach a msPrint-ConnectionPolicy for printer1 to GPO1 (user+machine)
3.2 On a client 2 I used Printmanagement.msc to attach a msPrint-ConnectionPolicy for printer2 to GPO2 (user+machine)

Then I updated first on the Master and then on slave112 and tested login at client 2 with a student account.

Problem: printer2 was connected but printer1 not.

I checked and the udm settings/msprintconnectionpolicy listed all 4 objects on the slave, but univention-s4search '(objectClass=msPrint-ConnectionPolicy)' dn only showed the two that had been created on the slave.

I think this is needed too:

/usr/share/univention-s4-connector/                     resync_object_from_ucs.py --filter '(objectClass=msPrintConnectionPolicy)'

I'll attach a patch proposal.

Comment 4 Arvid Requate

2016-01-12 21:08:13 CET

Created attachment 7404 [details]
sync_msprinterpolicy_from_ucs.patch

Comment 5 Felix Botner

2016-01-13 09:48:55 CET

(In reply to Arvid Requate from comment #4)
> Created attachment 7404 [details]
> sync_msprinterpolicy_from_ucs.patch

yes, by the time the master re-synced its PushedPrinterConnections from s4 to udm the connector on the slave wasn't updated yet and the connector did not know how to handle PushedPrinterConnections objects

fixed

Comment 6 Arvid Requate

2016-01-13 13:12:43 CET

Ok, works.

Comment 7 Sönke Schwardt-Krummrich

2016-01-13 14:09:23 CET

As discussed with Felix: UCS@school supports the possibility to convert a single master environment into a multi server environment. This is why 
62ucs-school-singlemaster.inst should also sync the msPrintConnectionPolicy objects → REOPEN

Comment 8 Felix Botner

2016-01-13 15:10:27 CET

(In reply to Sönke Schwardt-Krummrich from comment #7)
> As discussed with Felix: UCS@school supports the possibility to convert a
> single master environment into a multi server environment. This is why 
> 62ucs-school-singlemaster.inst should also sync the msPrintConnectionPolicy
> objects → REOPEN

added msPrintConnectionPolicy resync to ucs-school-singlemaster.postinst for this update

Comment 9 Arvid Requate

2016-01-13 19:39:57 CET

Ok, also works on Singlemaster.

Comment 10 Sönke Schwardt-Krummrich

2016-01-17 23:31:20 CET

UCS@school 4.0 R2 v6 has been released.

If this error occurs again, please use "Clone This Bug".