Bug 33768 - sync ntSecurityDescriptor of groupPolicyContainer objects
Product: UCS
Classification: Unclassified
Component: S4 Connector
Other Linux
P5 normal
UCS 3.2-4-errata
Assigned To: Arvid Requate
Stefan Gohmann
Depends on: 36978
Blocks: 37350
Reported: 2013-12-18 12:30 CET by Felix Botner
Modified: 2015-07-20 09:16 CEST
Description Felix Botner univentionstaff 2013-12-18 12:30:07 CET
For a proper sysvol synchronization, we need to sync the ntSecurityDescriptor (the ACLs for the GPO) for GPO objects.

This is especially necessary for UCS@school environments, because here GPO objects are replicated to the domain DCs via s4connector|UCS LDAP replication (not by DRS replication).
Comment 1 Tim Petersen univentionstaff 2014-09-24 11:16:51 CEST
Reported via 2014092421000347
Comment 2 Stefan Gohmann univentionstaff 2014-10-31 15:40:30 CET
Scheduled for end of November.
Comment 3 Arvid Requate univentionstaff 2014-11-27 17:38:24 CET
Testcase: 52_s4connector/100sync_gpo_ntsecurity_descriptor
Advisory: 2014-11-27-univention-s4-connector.yaml
Comment 4 Stefan Gohmann univentionstaff 2014-12-11 11:22:36 CET
I've a UCS@school setup with S4 on master and two slaves. If I create a GPO and remove Authenticated Users from the GPO permissions and add another group, Authenticated Users is re-added. If I stop the s4 connector, Authenticated Users is not re-added. The problem is the attribute based sync.

As discussed, maybe we sync the ntSecurityDescriptor in @school setups only.
Comment 5 Arvid Requate univentionstaff 2014-12-15 17:22:32 CET
Ok, code and advisory have been updated. There is a new errata bug for UCS@school 4.0 to activate synchronization.
Comment 6 Stefan Gohmann univentionstaff 2015-01-20 13:12:18 CET
(In reply to Arvid Requate from comment #5)
> Ok, code and advisory have been updated. There is a new errata bug for
> UCS@school 4.0 to activate synchronization.

That's Bug #37350.

Code review: OK

Tests: OK
Comment 7 Moritz Muehlenhoff univentionstaff 2015-01-21 12:24:05 CET