Univention Bugzilla – Bug 40418
installing univention-s4-connector after ucs-school-master leads to rejects of well known groups on UCS master
Last modified: 2016-12-12 13:10:18 CET
UCS master -> ucs@school -> univention-s4-connector

The s4 connector by default ignores some special groups:

ucr set connector/s4/mapping/group/ignorelist?"Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self"

to avoid rejects for these objects (objectSid constraint violations). But if one installs ucs@school on the master without s4 connector, 62ucs-school-master.inst sets

ucr set connector/s4/mapping/group/ignorelist?"Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Replicators,Printer-Admins,System Operators"

Note, lots of groups are missing here. Now I install univention-s4-connector; the connector/s4/mapping/group/ignorelist is not updated to the full group list (ucr set with ? in univention-s4-connector.postinst) and the connector produces rejects for every group missing in connector/s4/mapping/group/ignorelist (compared to the default setting in univention-s4-connector).
I don't think that this is an unusual scenario ==> Errata
As discussed, possibly the UCR setting of Bug 40432 was missing too, this might need to be taken into consideration when analysing this.
I adjusted ucs-school-metapackage:
* set connector/s4/mapping/group/ignorelist in postinst instead of joinscript
* initialize it to the current values with ? (as done before in the joinscript)
* on update append the missing groups to UCR and restart the connector if installed.
See also Bug 42675. Let's see the CI test results first.
Advisory: ucs-school-metapackage.yaml
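The following is an added illustration of the two mechanisms described in the report and in the comment above, not code from ucs-school-metapackage or the connector package: which groups a too-short ignore list leaves unprotected (the ones the connector then rejects), and how the update step can append the missing groups to an existing value. The `ucr get`/`ucr set` calls in the trailing comment are the assumed way a postinst would read and write the variable; the two list values are constructed from the report.

```shell
# Added example; not the postinst of ucs-school-metapackage or of the connector.

has_entry() {
  # $1: comma-separated list, $2: entry; succeeds if the entry is present
  case ",$1," in
    *",$2,"*) return 0 ;;
  esac
  return 1
}

missing_groups() {
  # Prints the entries of the full list ($2) absent from the current value ($1):
  # exactly the groups the connector would produce rejects for.
  out=""
  IFS=','
  for g in $2; do
    [ -n "$g" ] || continue            # skip empty fields (e.g. trailing comma)
    has_entry "$1" "$g" || out="${out:+$out,}$g"
  done
  unset IFS
  printf '%s\n' "$out"
}

merge_ignorelist() {
  # Appends to the current value ($1) every entry of the full list ($2) it
  # lacks, keeping the existing order and dropping duplicates and empty fields.
  out=""
  IFS=','
  for g in $1 $2; do
    [ -n "$g" ] || continue
    has_entry "$out" "$g" || out="${out:+$out,}$g"
  done
  unset IFS
  printf '%s\n' "$out"
}

# Constructed input, copied from the report: the ucs-school value and the
# connector default value of connector/s4/mapping/group/ignorelist.
SCHOOL_LIST="Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Replicators,Printer-Admins,System Operators"
CONNECTOR_LIST="Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers,Remote Interactive Logon,SChannel Authentication,Digest Authentication,Terminal Server User,NTLM Authentication,Other Organization,This Organization,Anonymous Logon,Network Service,Creator Group,Creator Owner,Local Service,Owner Rights,Interactive,Restricted,Network,Service,Dialup,System,Batch,Proxy,IUSR,Self"

echo "groups that would be rejected: $(missing_groups "$SCHOOL_LIST" "$CONNECTOR_LIST")"
# Assumed update step on a real master (ucr calls assumed, not run here):
#   current=$(ucr get connector/s4/mapping/group/ignorelist)
#   ucr set "connector/s4/mapping/group/ignorelist=$(merge_ignorelist "$current" "$CONNECTOR_LIST")"
```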
Why do we need to set connector/s4/mapping/group/ignorelist in ucs-school specific packages in the first place? We need this ignore list for the connector and we set it in the connector's postinst. But why in ucs-school-*.postinst? Yes, the values for the ignore list are slightly different, but do we need this? Normal setups (install with s4 on master) already use the connector/s4/mapping/group/ignorelist value from the connector package, so why not completely remove this from ucs-school?
svn blame shows that the ignorelist has been added to ucs-school-metapackage in r34403 (25 Jul 2012 14:54:09), which refers to Bug #27395. My modification for this bug puts the missing groups onto the ignorelist to fix the rejects. I opened Bug #42675 exactly to address Comment 4. But that requires careful analysis and testing which is beyond the scope of this bug IMHO.
Seems that the ucs@school ignore list was introduced to ignore the groups Replicators, Printer-Admins, "System Operators" in ucs@school. On my ucs@school master:
* Printer-Admins - there is a mapping table for Printer-Admins <-> Print Operators, so why ignore this group?
* the groups System Operators/Replicators do not exist in my openldap (we do not create them anymore?), so the ignore list entry makes no sense, and if there is a problem why not add them to the ignore list in the connector package
I installed ucs@school on a master (without samba4), ucr unset connector/s4/mapping/group/ignorelist (to get the connector defaults for the ignore list) and installed the connector on the master. No rejects. Once again, why do we need this? connector/s4/mapping/group/ignorelist is now set in 5 (!) different postinst files with slightly different values. Nobody knows why, and depending on the installation order connector/s4/mapping/group/ignorelist holds Replicators, Printer-Admins, "System Operators" or not. I suggest removing the ignore list completely from ucs@school and, if (and that is a big if, all we know is that it is broken right now) there is a problem with Replicators, Printer-Admins, "System Operators", fix the connector.
I think we leave it the way it currently is with updated "values" for the UCR variable. The package version used in postinst for comparison during updates was too small and has been fixed. It didn't work with the attached suffix of the buildsystem. The advisory has been updated.

ucs-school-metapackage (9.0.2-13):
r75101 | Bug #40418: fixed package version comparison / removed trailing comma in connector/s4/mapping/group/ignorelist
r75103 | Bug #40418: reverted some changes of last commit
ucs-school-metapackage.yaml:
r75104 | Bug #40418: advisory update
r75102 | Bug #40418: advisory update

Package: ucs-school-metapackage
Version: 9.0.2-13.189.201612072218
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2
Ok, I cannot be QA since the currently committed changes in svn are mine and Sönke's.
OK - installation s4 master (multiserver)
OK - update master with s4 (multiserver)
OK - installation s4 master (singleserver)
OK - update master + slave
OK - code review
OK - YAML
UCS@school 4.1 R2 v9 has been released. http://docs.software-univention.de/changelog-ucsschool-4.1R2v9-de.html