Bug 31271 - sysvol-sync re-sets read fACLs for "Authenticated Users", make this configurable via UCR
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 3.1
Platform: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.1-1-errata
Assigned To: Arvid Requate
QA Contact: Stefan Gohmann
Depends on:
Blocks: 31272 31275
Reported: 2013-05-02 17:53 CEST by Arvid Requate
Modified: 2013-05-30 10:28 CEST (History)
Description Arvid Requate univentionstaff 2013-05-02 17:53:45 CEST
Currently the sysvol-sync script calls setfacl on each run, to (re-)set default read permissions for the group "Authenticated Users". We should make this configurable via UCR, so we can avoid this if necessary, e.g. in the UCS@school context.

Why should we want this?
This is required in the following situation: For some group policy restrictions currently planned for the exam mode of UCS@school it is important to narrow down the security filter of a Group Policy Container to a specific group
(see Bug 30834 Comment 2). In this case the school administrator will manually remove the default read permission for the group "Authenticated Users" ("AU" for short) for the specific GPO. The Microsoft Group Policy Management Console (GPMC) correctly sets the according directory ACLs (nTSecurityDescriptor) on the Group Policy Container in the Samba/Active Directory and writes the corresponding NTACLs in the associated GPO subdirectory beneath the sysvol Policies folder. All fine up to this point. Then a bit later, the sysvol-sync script modifies the filesystem fACLs. Now, if an Administrator starts the GPMC again, the tool complains that the permissions in the sysvol folder are not consistent. This probably is because Samba translates the adjusted fACL of the GPO into an NTACL which shows read permissions for "AU", which does not agree with the nTSecurityDescriptor of the corresponding Group Policy Container in the Samba/Active Directory. Now the Administrator can click "OK" in the tool to fix this, but after the next sysvol-sync run it happens again. We should avoid that.

Why did we set fACLs for "Authenticated Users" in the first place anyway?
We did this for two reasons:

1. sysvol access for normal users. This used to be an issue with Samba4 Alpha17 in UCS 3.0 and seems to be resolved now due to the new "s3fs" integration of smbd and the Samba authentication backend. In my tests this was not an issue any more (in UCS 3.1-1), but it certainly should be checked again for this bug (also with UCS 3.1-0).

2. The sysvol-sync script copies the sysvol directories from other Samba4-DCs with machine credentials. Allowing "Authenticated Users" made this possible. So we need a replacement for this. But it looks like there is a generic solution for this: GPOs created with the GPMC have read permissions for "Enterprise Domain Controllers", which is a well-known group. Due to Bug 29000 this currently ends up e.g. as unmapped Posix-ID 3000009 in the GPO fACLs on UCS@school Samba4 Slave DCs. Thus, if we don't continue to tattoo the default fACLs for "AU", we should fix Bug 29000 at least for the Enterprise DCs group.
Comment 1 Arvid Requate univentionstaff 2013-05-23 23:48:13 CEST
univention-samba4-sysvol-sync now supports a new UCR variable
 samba4/sysvol/sync/setfacl/AU
If it is set to false, then the sysvol-sync script does not re-set the facls.
Tests required.
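Added example, not the univention-samba4-sysvol-sync script itself: a shell sketch of the gating described in Comment 1, where the setfacl call for "Authenticated Users" is skipped when the UCR variable is set to false, plus a small check that spots a GPO directory whose fACL still (or again) carries the AU read entry, which is the inconsistency the report describes. The UCR variable name comes from this bug; the setfacl arguments, the sysvol path, the helper names and the sample getfacl listing are assumptions or constructed.

```shell
#!/bin/sh
# Added example (not the univention-samba4-sysvol-sync script): gate the
# "Authenticated Users" setfacl call on the UCR variable from Comment 1.
# The UCR variable name is from this bug; the setfacl arguments, the sysvol
# path and the helper names are assumptions.

UCR_VAR="samba4/sysvol/sync/setfacl/AU"
# assumed location of the Policies folder; override via environment
SYSVOL_POLICIES="${SYSVOL_POLICIES:-/var/lib/samba/sysvol/DOMAIN/Policies}"

# Interpret the UCR value as a boolean. Unset or empty keeps the previous
# behaviour (ACLs are re-set); false/no/off/0 in any case disables it.
au_facl_enabled() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        false|no|off|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Fetch the value from UCR when the tool exists; otherwise take it from the
# environment so the logic can be exercised on a non-UCS host.
read_ucr_value() {
    if command -v ucr >/dev/null 2>&1; then
        ucr get "$UCR_VAR"
    else
        printf '%s' "${UCR_AU_VALUE:-}"
    fi
}

# Conditionally (re-)apply the default read entry. Prints "set" or "skipped";
# with DRY_RUN=1 the setfacl command is shown on stderr instead of executed.
sync_au_facl() {
    if au_facl_enabled "$(read_ucr_value)"; then
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'would run: setfacl -R -m "g:Authenticated Users:r-x" %s\n' \
                "$SYSVOL_POLICIES" >&2
        else
            setfacl -R -m "g:Authenticated Users:r-x" "$SYSVOL_POLICIES"
        fi
        echo set
    else
        echo skipped
    fi
}

# Check whether a getfacl listing (read from stdin) still carries a read entry
# for "Authenticated Users". Run it after a sync to spot a GPO whose narrowed
# security filter was overwritten again, the situation that makes the GPMC
# report inconsistent sysvol permissions.
facl_has_au_read() {
    grep -Eq '^(default:)?group:Authenticated Users:r'
}

# Constructed sample of getfacl output for one GPO directory (not captured
# from a real system).
sample_gpo_facl() {
    printf '%s\n' \
        '# file: Policies/{GPO-GUID-PLACEHOLDER}' \
        'user::rwx' \
        'group::r-x' \
        'group:Authenticated Users:r-x' \
        'mask::r-x' \
        'other::---'
}

# Usage on a real host: run sync_au_facl, then for a GPO that should not be
# readable by AU:
#   getfacl -p "$SYSVOL_POLICIES/{GUID}" | facl_has_au_read && echo "AU read entry present"
```

On a host without the ucr tool the value is read from UCR_AU_VALUE, so the decision logic can be tested independently of UCS; the check function only inspects text, so it can also be fed the output of getfacl collected on a DC.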
Comment 2 Arvid Requate univentionstaff 2013-05-27 19:43:19 CEST
Advisory: 2013-05-07-univention-samba4.yaml
Comment 3 Alexander Kläser univentionstaff 2013-05-28 15:41:59 CEST
(In reply to comment #1)
> univention-samba4-sysvol-sync now supports a new UCR variable
>  samba4/sysvol/sync/setfacl/AU
> If it is set to false, then the sysvol-sync script does not re-set the facls.
> Tests required.

I did not directly understand that AU=AuthenticatedUsers. Maybe samba4/sysvol/sync/setfacl/authenticated_users instead?
Comment 4 Arvid Requate univentionstaff 2013-05-29 14:26:00 CEST
univention-samba4-sysvol-sync cannot rely on the presence of /usr/share/univention-samba4/lib/base.sh.

univention-samba4-sysvol-sync is now adjusted and rebuilt.
Comment 5 Stefan Gohmann univentionstaff 2013-05-29 16:45:13 CEST
3.1-1 errata: OK, it works.

YAML: OK

3.1-2: OK (Code comparison)

Changelog: OK
Comment 6 Moritz Muehlenhoff univentionstaff 2013-05-30 10:28:49 CEST
http://errata.univention.de/ucs/3.1/114.html