Univention Bugzilla – Bug 50626
UCS@school: Wireless/Wired group GPO not replicated from Master Samba/AD to School Slave via OpenLDAP
Last modified: 2023-04-27 16:41:27 CEST
We should enable the 3 new policies for synchronisation in UCS@school:

```
ucr set \
  connector/s4/mapping/msgpwl?yes \
  connector/s4/mapping/msgpipsec?yes \
  connector/s4/mapping/msgpsi?yes
```

+++ This bug was initially created as a clone of Bug #49838 +++
Created attachment 10261 [details] patch (git:fbest/50626-enable-windows-policies)
Happening for a customer. Trying to create wireless policies causes a "Richtlinienobjekt ist nicht vorhanden" on the school slave.
I tried to reproduce the bug as described in otrs, but no error was raised. I added a policy with gpmc -> right click on default policy or add new policy and finally adding a new non-configured entry in "Drahtlosnetzwerkrichtlinien (IEEE 802.11)" (in gpedit). Afterwards gpupdate did not yield any errors. Did I miss anything?

-----

My Setup:

**Master**
```
$ univention-app info
UCS: 4.4-4 errata624
Installed: ucsschool=4.4 v5
```

**Slave**
```
$ univention-app info
UCS: 4.4-4 errata624
Installed: cups=2.2.1 samba4=4.10 squid=3.5 ucsschool=4.4 v5
```

Windows 10 Client

UCR-V
```
connector/s4/mapping/msgpwl
connector/s4/mapping/msgpipsec
connector/s4/mapping/msgpsi
```
are not set.
The Wireless/Wired group GPOs don't get replicated from Master Samba/AD to School Slave via OpenLDAP unless the UCR variables are activated on both Master and School-Slaves and the S4-Connector is restarted. Unlike other GPOs, these are special because they have sub-objects in AD, which the S4-Connector didn't recognize before Bug #49838. The bug fix for that didn't activate the synchronization for all UCS@school domains automatically. This bug is about doing exactly that.
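
One way to check the condition described in the comment above on each server, as an added example that is not part of the bug report or of Univention's code: the function reads `key: value` lines (the format assumed for `ucr dump` output) and lists which of the three mapping variables are not enabled. The function name, the sample dumps and the set of spellings accepted as "enabled" are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the three S4-Connector mapping variables from this bug.
# Assumption: input is "key: value" lines, as printed by `ucr dump`.

REQUIRED_VARS="connector/s4/mapping/msgpwl
connector/s4/mapping/msgpipsec
connector/s4/mapping/msgpsi"

# missing_gpo_mappings (hypothetical helper): reads a dump on stdin and prints
# every required variable that is unset or not enabled, one per line.
# Exit status: 0 if all three are enabled, 1 otherwise.
missing_gpo_mappings() {
    dump=$(cat)
    rc=0
    for var in $REQUIRED_VARS; do
        # Match the exact key at line start; keep the last value seen.
        value=$(printf '%s\n' "$dump" | awk -v k="$var" '
            index($0, k ": ") == 1 { v = substr($0, length(k) + 3) }
            END { print v }')
        # Assumption: these spellings count as "enabled".
        case $(printf '%s' "$value" | tr 'A-Z' 'a-z') in
            yes|true|1|enable|enabled|on) ;;
            *) printf '%s\n' "$var"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample dumps (not taken from the bug report).
SAMPLE_MASTER='hostname: dc-master
connector/s4/mapping/msgpwl: yes
connector/s4/mapping/msgpipsec: yes
connector/s4/mapping/msgpsi: yes'

# msgpipsec is missing and msgpsi is disabled on this constructed slave.
SAMPLE_SLAVE='hostname: dc-school1
connector/s4/mapping/msgpwl: yes
connector/s4/mapping/msgpsi: no'

# On a real server the input would come from: ucr dump | missing_gpo_mappings
```
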
There's a general thing to be aware of for this kind of adjustment of the S4-Connector synchronization: When activating synchronization of a new object/attribute in the S4-Connector, we have to take care not to overwrite existing values in Samba/AD with values (possibly empty) from OpenLDAP (See 26926#c1).

When the S4-C starts, it first starts with the sync_from_ucs. Assuming nothing changed, nothing happens (there is no automatic scan of all objects). But then, at some later point, some admin may change one of the objects. In UCS@school this may happen in three locations:

a) UDM -> Primary OpenLDAP
b) Windows-Client joined to Primary/Central Samba/AD
c) Windows-Client joined to School Samba/AD

Case a) could trigger the removal of an attribute value in Samba/AD. Case b) could trigger the removal/overwrite of an attribute value in the School Samba/ADs. etc. The exact risk depends on the case of objects/attributes that are added to the S4-C mapping.

To avoid problems of this kind in similar earlier cases, we have created dedicated update-scripts, that trigger the S4-Connector to synchronize all of the affected Samba/AD objects during the update (via joinscript) once from Samba/AD to UDM/OpenLDAP (Bug 26926#c1 and Bug 33936#c1):

```
grep "write2ucs" services/univention-s4-connector/97univention-s4-connector.inst
```

and back:

```
grep "write2samba" services/univention-s4-connector/97univention-s4-connector.inst
```
Patch-QA

Code -> Ok
Functionality -> ok

Before patch: "Richtlinienobjekt ist nicht vorhanden" after creating wireless-gpo on client joined vs. master and updating on client joined vs. slave.

After patch (applied on master & slave)
- UCR-V were set
- after restarting master & slave as well as restarting the s4-connector.
- creating new wireless-gpo on client joined vs. master & updating on client joined vs. slave => no error => ok

I added a ucs-test with
[fbest/50626-enable-windows-policies] 7ccdeffcf Bug #50626: add ucs-test
OK: code review
OK: functional test (GPO replication master->schoolserver failed; update; GPO replication works)
OK: tests

Please merge; build; advisory.
Thanks a lot for the QA!

[4.4] 42bab3cf5 Bug #50626: Changelog & yaml
[4.4] c5ee17ea0 Bug #50626: Merge branch 'fbest/50626-enable-windows-policies' into 4.4
[4.4] 59363b913 Bug #50626: implemented remarks
[4.4] 7ccdeffcf Bug #50626: add ucs-test
[4.4] 327db0b9d Bug #50626: enable MS policies

Package: ucs-school-metapackage
Version: 12.0.3-2A~4.4.0.202007081729
Branch: ucs_4.4-0
Scope: ucs-school-4.4
[4.4] 73282b197 Bug #50626: ucs-test changelog
[4.4] a4171a371 Bug #50626: fix typo in file name
[4.4] af4343210 Bug #50626: wording

OK: code was merged to 4.4
OK: advisory
OK: installs as expected
UCS@school 4.4 v6 has been released. https://docs.software-univention.de/changelog-ucsschool-4.4v6-de.html If this error occurs again, please clone this bug.