Bug 50626 - UCS@school: Wireless/Wired group GPO not replicated from Master Samba/AD to School Slave via OpenLDAP
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Samba 4
UCS@school 4.4
Other Linux
: P5 normal (vote)
: UCS@school 4.4 v5-errata
Assigned To: Tobias Wenzel
Daniel Tröder
https://docs.microsoft.com/de-de/wind...
Depends on: 50642 49838 50641
Blocks:
Reported: 2019-12-11 10:56 CET by Florian Best
Modified: 2020-08-05 17:07 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019071021000966, 2020042821000221
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+


Attachments
patch (git:fbest/50626-enable-windows-policies) (6.21 KB, patch)
2019-12-11 10:57 CET, Florian Best

Description Florian Best univentionstaff 2019-12-11 10:56:14 CET
We should enable the 3 new policies for synchronisation in UCS@school:
ucr set \
       connector/s4/mapping/msgpwl?yes \
       connector/s4/mapping/msgpipsec?yes \
       connector/s4/mapping/msgpsi?yes


+++ This bug was initially created as a clone of Bug #49838 +++
Comment 1 Florian Best univentionstaff 2019-12-11 10:57:29 CET
Created attachment 10261 [details]
patch (git:fbest/50626-enable-windows-policies)
Comment 2 Christian Völker univentionstaff 2020-05-06 17:20:54 CEST
Happening for a customer.

Trying to create wireless policies causes a "Richtlinienobjekt ist nicht vorhanden" on the school slave.
Comment 4 Tobias Wenzel univentionstaff 2020-06-30 11:16:17 CEST
I tried to reproduce the bug as described in otrs, but no error was raised. 

I added a policy with gpmc -> right click on default policy or add new policy and finally adding a new non-configured entry in "Drahtlosnetzwerkrichtlinien (IEEE 802.11)" (in gpedit).
Afterwards gpupdate did not yield any errors. Did I miss anything?  



-----

My Setup: 
**Master**
```
$ univention-app info
UCS: 4.4-4 errata624
Installed: ucsschool=4.4 v5
```

**Slave**
```
$ univention-app info
UCS: 4.4-4 errata624
Installed: cups=2.2.1 samba4=4.10 squid=3.5 ucsschool=4.4 v5
```
Windows 10 Client

UCR-V 
```
connector/s4/mapping/msgpwl
connector/s4/mapping/msgpipsec
connector/s4/mapping/msgpsi
```
are not set.
Comment 5 Arvid Requate univentionstaff 2020-06-30 17:27:33 CEST
The Wireless/Wired group GPOs don't get replicated from Master Samba/AD
to School Slave via OpenLDAP unless the UCR variables are activated on both,
Master and School-Slaves and the S4-Connector is restarted. Unlike other
GPOs these are special, because they have sub-objects in AD, which the
S4-Connector didn't recognize before Bug #49838. The bug fix for that
didn't activate the synchronization for all UCS@school domains automatically.
This bug is about doing exactly that.
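
The precondition stated in comment 5 (all three variables active on the Master and on every School-Slave) can be checked per host. The following is an added example, not part of the bug report or the UCS code base; it assumes `ucr dump` prints `key: value` lines and that the listed spellings count as enabled, and it runs on constructed sample input.

```shell
# Added example (not from the bug report or the UCS code base).
# Input: UCR variables as "key: value" lines; assumed to match `ucr dump` output.
GPO_MAPPING_VARS="connector/s4/mapping/msgpwl
connector/s4/mapping/msgpipsec
connector/s4/mapping/msgpsi"

# Assumption: these spellings are the values treated as "enabled".
is_enabled() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1|enable|enabled|on) return 0 ;;
        *) return 1 ;;
    esac
}

# stdin: dump text; stdout: each of the three keys that is unset or disabled.
missing_gpo_mappings() {
    dump=$(cat)
    for key in $GPO_MAPPING_VARS; do
        # Value is everything after "key: "; the last occurrence wins.
        value=$(printf '%s\n' "$dump" | awk -v k="$key" '
            index($0, k ": ") == 1 { v = substr($0, length(k) + 3) }
            END { print v }')
        is_enabled "$value" || printf '%s\n' "$key"
    done
}

# Constructed sample dumps (not real output from any system).
SAMPLE_MASTER='connector/s4/mapping/msgpwl: yes
connector/s4/mapping/msgpipsec: yes
connector/s4/mapping/msgpsi: yes
hostname: master'

SAMPLE_SLAVE='connector/s4/mapping/msgpwl: yes
connector/s4/mapping/msgpsi: no
hostname: school1'

report() {  # report HOSTLABEL DUMPTEXT
    missing=$(printf '%s\n' "$2" | missing_gpo_mappings)
    if [ -z "$missing" ]; then
        echo "$1: all three GPO mapping variables enabled"
    else
        echo "$1: not enabled: $(echo $missing)"
    fi
}

report master "$SAMPLE_MASTER"
report slave "$SAMPLE_SLAVE"
```

On a real host the input would come from `ucr dump | missing_gpo_mappings`. The check says nothing about whether the S4-Connector was restarted after the variables were set.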
Comment 6 Arvid Requate univentionstaff 2020-06-30 17:51:15 CEST
There's a general thing to be aware of for this kind of
adjustments of the S4-Connector synchronization:

When activating synchronization of a new object/attribute
in the S4-Connector, we have to take care not to overwrite
existing values in Samba/AD with values (possibly empty)
from OpenLDAP (See 26926#c1).
When the S4-C starts, it first starts with the sync_from_ucs.
Assuming nothing changed, nothing happens (there is no
automatic scan of all objects). But then, at some later
point, some admin may change one of the objects.
In UCS@school this may happen in three locations:

a) UDM -> Primary OpenLDAP
b) Windows-Client joined to Primary/Central Samba/AD
c) Windows-Client joined to School Samba/AD

Case a) could trigger the removal of an attribute value
in Samba/AD. Case b) could trigger the removal/overwrite
of an attribute value in the School Samba/ADs. etc.

The exact risk depends on the case of objects/attributes
that are added to the S4-C mapping.

To avoid problems of this kind in similar earlier cases,
we have created dedicated update-scripts, that trigger the
S4-Connector to synchronize all of the affected Samba/AD
objects during the update (via joinscript) once
from Samba/AD to UDM/OpenLDAP (Bug 26926#c1 and Bug 33936#c1):

grep "write2ucs" services/univention-s4-connector/97univention-s4-connector.inst

and back:

grep "write2samba" services/univention-s4-connector/97univention-s4-connector.inst
Comment 7 Tobias Wenzel univentionstaff 2020-07-06 13:25:45 CEST
Patch-QA

Code -> Ok
Functionality -> ok

Before patch:
"Richtlinienobjekt ist nicht vorhanden" after creating wireless-gpo on client joined vs. master and updating on client joined vs. slave.

After patch (applied on master & slave)
- UCR-V were set
- after restarting master & slave as well as restarting the s4-connector.
- creating new wireless-gpo on client joined vs. master & updating on client joined vs. slave

=> no error => ok

I added a ucs-test with 
[fbest/50626-enable-windows-policies] 7ccdeffcf Bug #50626: add ucs-test
Comment 8 Daniel Tröder univentionstaff 2020-07-08 17:04:30 CEST
OK: code review
OK: functional test (GPO replication master->schoolserver failed; update; GPO replication works)
OK: tests

Please merge; build; advisory.
Comment 9 Tobias Wenzel univentionstaff 2020-07-08 17:34:00 CEST
Thanks a lot for the QA!

[4.4] 42bab3cf5 Bug #50626: Changelog & yaml
[4.4] c5ee17ea0 Bug #50626: Merge branch 'fbest/50626-enable-windows-policies' into 4.4
[4.4] 59363b913 Bug #50626: implemented remarks
[4.4] 7ccdeffcf Bug #50626: add ucs-test
[4.4] 327db0b9d Bug #50626: enable MS policies

Package: ucs-school-metapackage
Version: 12.0.3-2A~4.4.0.202007081729
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Comment 10 Daniel Tröder univentionstaff 2020-07-09 11:07:27 CEST
[4.4] 73282b197 Bug #50626: ucs-test changelog
[4.4] a4171a371 Bug #50626: fix typo in file name
[4.4] af4343210 Bug #50626: wording

OK: code was merged to 4.4
OK: advisory
OK: installs as expected
Comment 11 Daniel Tröder univentionstaff 2020-08-05 17:07:58 CEST
UCS@school 4.4 v6 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.4v6-de.html

If this error occurs again, please clone this bug.