Univention Bugzilla – Bug 34226
S4-Connector: GPO DS-ACL replication
Last modified: 2019-02-05 21:26:41 CET
Currently the S4-Connector does not replicate the nTSecurityDescriptor of the GPO objects to OpenLDAP and back. In multi-school domains this may lead to inconsistencies between the NTACLs in the sysvol share and the nTSecurityDescriptor in the Samba/ADDS, which may cause irritating warnings to pop up at an Administrator using the Microsoft Group Policy Management Console. We should extend the UCS OpenLDAP msgpo schema to support this attribute and extend the S4 Connector to synchronize it. Maybe it's best to replicate this as a blob rather than as a SDDL string representation.
Already noticed by one larger UCS@school customer. Not the "irritating warnings" by itself but the missing sync of the corresponding attributes.
There is a Customer ID set so I set the flag "School Customer affected".
This issue has been filled against UCS@school 3.2. The maintenance with bug and security fixes for UCS@school 3.2 has ended on Dec 31, 2016. Customers still on UCS 3.x are encouraged to update to UCS 4.3 (or later). Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.