Univention Bugzilla – Bug 31437
Make sysvol readable for members of the group "Enterprise Domain Controllers"
Last modified: 2013-05-30 10:28:52 CEST
The changes of Bug 31271 demand that a different way of sysvol synchronization be created: the group "Enterprise Domain Controllers" needs to be created with its proper builtin SID (S-1-5-9) and all currently registered samba4 DCs need to be added. After waiting for samba4-idmap to write the updated mapping to idmap.ldb, samba-tool ntacl sysvolreset should be called to re-create the fACLs from the directory NTACLs.
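The description above makes sysvolreset depend on samba4-idmap having already written the S-1-5-9 mapping to idmap.ldb. As an added example that is not part of this bug or of Univention's scripts, a small Python helper that parses ldbsearch-style output of idmap.ldb (the sample records below are constructed) and polls until the SID is mapped, so that samba-tool ntacl sysvolreset is only run afterwards; fetch_idmap is an assumed callable that returns the ldbsearch output as text.

```python
import time

# Constructed sample of `ldbsearch -H /var/lib/samba/private/idmap.ldb` output
# after samba4-idmap has written the S-1-5-9 mapping (not real data).
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-9
objectClass: sidMap
objectSid: S-1-5-9
type: ID_TYPE_BOTH
xidNumber: 3000001
"""

ENTERPRISE_DC_SID = "S-1-5-9"

def parse_ldif(text):
    """One dict per LDIF record; records are separated by blank lines."""
    records = []
    for block in text.split("\n\n"):
        pairs = [l.partition(":") for l in block.splitlines()
                 if l.strip() and not l.startswith("#")]
        if pairs:
            records.append({a.strip(): v.strip() for a, _, v in pairs})
    return records

def idmap_xid_for_sid(ldif_text, sid):
    """Unix ID mapped to `sid`, or None if idmap.ldb has no entry for it yet."""
    for rec in parse_ldif(ldif_text):
        if rec.get("objectClass") == "sidMap" and rec.get("objectSid") == sid:
            return int(rec["xidNumber"])
    return None

def wait_for_mapping(fetch_idmap, sid=ENTERPRISE_DC_SID, timeout=30, interval=1.0):
    """Poll idmap.ldb (via the assumed fetch_idmap callable) until `sid` is
    mapped; only then can sysvolreset translate the new ACE to a Unix ID."""
    deadline = time.monotonic() + timeout
    while True:
        xid = idmap_xid_for_sid(fetch_idmap(), sid)
        if xid is not None:
            return xid
        if time.monotonic() >= deadline:
            raise TimeoutError("no idmap entry for %s after %ss" % (sid, timeout))
        time.sleep(interval)
```

In a real run fetch_idmap would wrap a subprocess call to ldbsearch, and the sysvolreset step follows only once wait_for_mapping returns.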
Created attachment 5236: concept for this change.
The attached concept is implemented, tests required.
Advisories:
* 2013-05-07-univention-samba4.yaml
* 2013-05-27-univention-s4-controller.yaml
"Enterprise Domain Controllers" → As this group has the fixed SID of a builtin group (S-1-5-9), it would be good to mark it as a builtin group via sambaGroupType=5: http://pig.made-it.com/samba-accounts.html#22762
Great idea, could have been mine ;-) This simplifies things quite a bit, as builtin groups are filtered by default in the S4 Connector mapping. Fixed, and advisories are updated.
(In reply to comment #5)
> Great idea, could have been mine ;-) This simplifies things quite a bit, as
> builtin groups are filtered by default in the S4 Connector mapping.
> Fixed, and advisories are updated.
Wonderful! 2 minds, 1 idea :) !
3.1-1 errata: OK, it works for the default scenarios. Only one issue: if the master is already updated and a slave is installed without the new erratum, then the slave is not a member of the group: Bug #31572
YAML: OK
3.1-2: OK (code comparison)
Changelog: OK
On a plain ucs3.1-1 master updated to the latest (yet unreleased) errata3.1-1 I just faced the following traceback while installing univention-s4-connector for the first time. Looks like this occurs because no credentials are given in this case:
============================================================
Starting univention-s4-connector daemon. done.
Traceback (most recent call last):
  File "/usr/share/univention-samba4/scripts/create_group_Enterprise_Domain_Controllers.py", line 115, in <module>
    create_group_Enterprise_Domain_Controllers(lo)
  File "/usr/share/univention-samba4/scripts/create_group_Enterprise_Domain_Controllers.py", line 65, in create_group_Enterprise_Domain_Controllers
    uid = univention.admin.allocators.request(lo, position, 'groupName', value=groupName)
  File "/usr/lib/pymodules/python2.6/univention/admin/allocators.py", line 166, in request
    return acquireUnique(lo, position, type, value, _type2attr[type], scope = _type2scope[type])
  File "/usr/lib/pymodules/python2.6/univention/admin/allocators.py", line 144, in acquireUnique
    univention.admin.locking.lock(lo, position, type, value, scope=scope)
  File "/usr/lib/pymodules/python2.6/univention/admin/locking.py", line 71, in lock
    raise e
univention.admin.uexceptions.permissionDenied
Setting dns/backend
============================================================
Rebuilt univention-samba4 (containing the script), advisory updated.
OK, it works. A minor issue was split to Bug #31575.
http://errata.univention.de/ucs/3.1/115.html
http://errata.univention.de/ucs/3.1/114.html