Bug 45345 – Listenermodule is unable to remove netlogon script

Bug 45345 - Listenermodule is unable to remove netlogon script


Summary:	Listenermodule is unable to remove netlogon script

Status:	CLOSED WONTFIX

Product:	UCS@school
Classification:	Unclassified
Component:	Netlogon scripts
Version:	UCS@school 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UCS@school maintainers
QA Contact:

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-09-07 18:05 CEST by Sönke Schwardt-Krummrich
Modified:	2023-06-12 15:39 CEST (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	1: Nuisance – not a big deal but noticeable
User Pain:	0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sönke Schwardt-Krummrich

2017-09-07 18:05:27 CEST

02.09.17 19:43:43.906  LISTENER    ( PROCESS ) : updating 'uid=o7rbfhjszy,cn=lehrer,cn=users,ou=c2qsr05gua,dc=nstx,dc=local' command d
02.09.17 19:43:43.932  LISTENER    ( PROCESS ) : samba4-idmap: removing entry for S-1-5-21-3842850871-998187786-178935136-5488
02.09.17 19:43:43.937  LISTENER    ( WARN    ) : remove-old-homedirs: not removing home of user o7rbfhjszy: /home/c2qsr05gua/lehrer/o7rbfhjszy does not exist
02.09.17 19:43:43.939  LISTENER    ( WARN    ) : ucs-school-user-logonscript: Deleting netlogon script /var/lib/samba/netlogon/user/o7rbfhjszy.vbs...
02.09.17 19:43:43.939  LISTENER    ( ERROR   ) : ucs-school-user-logonscript: error=OSError(13, 'Permission denied')
02.09.17 19:43:43.943  LISTENER    ( ERROR   ) : ucs-school-user-logonscript: Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/ucs-school-user-logonscript.py", line 645, in user_change
    os.remove(vbs_path)
OSError: [Errno 13] Permission denied: '/var/lib/samba/netlogon/user/o7rbfhjszy.vbs'

Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/ucs-school-user-logonscript.py", line 654, in handler
    script_handler.user_change(new, old)
  File "/usr/lib/univention-directory-listener/system/ucs-school-user-logonscript.py", line 645, in user_change
    os.remove(vbs_path)
OSError: [Errno 13] Permission denied: '/var/lib/samba/netlogon/user/o7rbfhjszy.vbs'
02.09.17 19:43:43.945  LISTENER    ( WARN    ) : at least one delete handler failed

Comment 1 Daniel Tröder

2017-09-08 08:09:55 CEST

Strange: the code is run after a "listener.setuid(0)"...

When the listener is rewritten, I suggest to use a dedicated user account for all script generation and make the directory writable for that user. The initialization of the future listener should check and possibly rectify the directory permissions only once when starting. I think this will be cleaner than all those listener.[un]setuid() throughout the code.

Comment 2 Sönke Schwardt-Krummrich

2017-09-08 10:34:25 CEST

I would bet that the ACLs of /var/lib/samba/netlogon/ are part of this problem.

Comment 3 Michel Smidt 2020-07-14 11:17:00 CEST

This issue has been filed against UCS@school 4.2.

UCS@school 4.2 is out of maintenance and many UCS@school components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS@school versions, please reopen it and update the UCS@school version. In this case please provide detailed information on how this issue is affecting you.