Univention Bugzilla – Bug 34335
Grant access to student's home directories to teachers
Last modified: 2014-08-29 08:31:02 CEST
Schools asked for the possibility to grant teachers access to students' home directories. There should be a simple wizard that allows school/domain admins to configure this access for each fileserver. Possible access types should be: none, read only, read/write.

The desired solution is to add an additional level to the UNIX path of the home directories:
students: /home/schueler/$UID/
teachers: /home/lehrer/$UID/

A joinscript automatically creates a new share for /home/schueler/. The owner group of that share is "lehrer-$OU", and this group is also defined as admin user for that share. This way, the teachers have access to all files. Because the owner group is set to "lehrer-$OU", the teachers' netlogon script (for adding symlinks on the desktop to all relevant shares) will automatically add a link for the new "student share".

Adding an additional level to the UNIX home path should be done automatically by the import script, which has to be adapted accordingly.

Existing UCS@school installations should NOT change their behaviour automatically. During the update to UCS@school 3.2 R2 a UCR variable (ucsschool/import/…) should be set to maintain the old behaviour of the import script (/home/$UID). Additionally the joinscript should not add the share if the UCR variable is set.

At least the new import script functionality should be covered by ucs-test. If possible, the share access should be tested too.

Open questions:
1) How do we grant access to all teachers if there are multiple OUs on one master/slave?
2) Is there code in UCS@school that uses hardcoded /home/$UID as home directory for users?
As previously discussed, please use /home/$OU/{schueler,lehrer}/$UID/ as home directory. The share should be created automatically by the join script and should provide read-only access for teachers. Please also extend the administrator manual by a new section for this share, describing how it is intended to work and how the share may be configured.
* ucs-school-lib now ships a module roleshares.py
* This script may be called as a script with options:
  --create [student|teacher|staff]
* It creates requested roleshares for all school-OUs it can see
* The script is called by the joinscripts of ucs-school-(slave|singlemaster)
* The packages ucs-school-(slave|singlemaster) now depend on python-ucs-school
* During updates the packages ucs-school-(master|slave|singlemaster) run
  ucr set ucsschool/import/roleshare=no
* The verify_school function of ucs-school-import creates a student roleshare for the given school if not disabled via ucsschool/import/roleshare
* As discussed directly, group shares are also handled like roleshares
* The following packages also required adjusted treatment of "/home/.*": ucs-school-import, ucs-school-umc-groups, ucs-school-umc-exam
* The default for ucsschool/import/generate/share/marktplatz/sharepath is not set any longer in ucs-school-import.postinst. This is done directly in hooks/ou_create_post.d/52marktplatz_create. If set manually, this overrides the ou-specific subdirs usually created if ucsschool/import/roleshare != false
* The script for roleshare creation has been split off into a separate script installed via a new package ucs-school-roleshares
* Decision: The 'student' roleshare is not created by default, as discussed.
* ucs-school-roleshares ships a joinscript which triggers the creation of the 'student' roleshare for all schools visible by the respective system.
* The shares are created on the ucsschoolHomeShareFileServer and ucsschoolClassShareFileServer of the respective school.
* The UCR variable ucsschool/import/roleshare now only controls if home directories for users are created in subdirectories /home/$ou/$role (with the special case role := "groups" for class-groups and "Marktplatz").
* ucsschool/import/roleshare is also evaluated by ucs-school-umc-groups (!)
* ucs-test-ucsschool now contains a new test 12_roleshares_student which installs the ucs-school-roleshares package, runs the script with test credentials and checks access to the share by a teacher (read must succeed, write must not succeed by default).
* The joinscript of ucs-school-roleshares now only creates student roleshares automatically on a UCS@school singleserver or slave PDC. It outputs an INFO line instead. This should avoid accidents of a domain wide scope.
* The test case 12_roleshares_student has been adjusted to check all schools visible by the DC Master it runs on: so it should cover singlemaster as well as multi-server domains. During the test it installs the ucs-school-roleshares package and then runs create_roleshares and the tests for each school it finds. If no school or fileserver is found the test fails.
* Student roleshares are only created on the ucsschoolHomeShareFileServer now, not on ucsschoolClassShareFileServer. Additional conceptual work would be required to define DNs and access rights for group share access.
* A section school:setup:roleshares has been added to the administrator manual.

Handing over to QA for inspection.
ucs-school-roleshares/umc/python/school-roleshares/__init__.py:63: undefined name 'request'
ucs-school-roleshares/umc/python/school-roleshares/__init__.py:64: undefined name 'request'
ucs-school-roleshares/umc/python/school-roleshares/__init__.py:72: undefined name 'request'
ucs-school-roleshares/umc/python/school-roleshares/__init__.py:73: undefined name 'request'
ucs-school-roleshares/umc/python/school-roleshares/__init__.py:74: undefined name 'request'

Missing function parameters ;).
> Missing function parameters ;).

This UMC code is incomplete, only in SVN and not part of the binary package, see ucs-school-roleshares/debian/rules. The module has been taken off the current target milestone agenda.
(In reply to Arvid Requate from comment #2)
> * ucs-school-lib now ships a module roleshares.py
OK

> * This script may be called as a script with options:
>   --create [student|teacher|staff]
OK: /usr/share/ucs-school-import/scripts/create_roleshares

> * It creates requested roleshares for all school-OUs it can see
OK

> * The script is called by the joinscripts of ucs-school-(slave|singlemaster)
OK

> * The packages ucs-school-(slave|singlemaster) now depend on
>   python-ucs-school
OK

(In reply to Arvid Requate from comment #3)
> * The script for roleshare creation has been split off into a separate
>   script installed via a new package ucs-school-roleshares
OK

> * Decision: The 'student' roleshare is not created by default, as discussed.
OK

> * ucs-school-roleshares ships a joinscript which triggers the creation of
>   the 'student' roleshare for all schools visible by the respective system.
OK

> * The shares are created on the ucsschoolHomeShareFileServer and
>   ucsschoolClassShareFileServer of the respective school.
OK: ucsschoolHomeShareFileServer

I could not finish the whole QA.
The shares are created, but they allow "read" and "access" for "others". Is this ok?
> * During updates the packages ucs-school-(master|slave|singlemaster) run
>   ucr set ucsschool/import/roleshare=no
→ FAIL
Version "6.0.7-5" is already shipped, so the UCR variable would not be set if the customer is on the currently latest available version and updates to UCS@school 3.2 R2 (→ off-by-one):
if dpkg --compare-versions "$2" lt 6.0.7-5 ; then
→ if dpkg --compare-versions "$2" lt 6.0.7-26 ; then

Despite this problem, the UCR variable should also be set via UCR policy. This should be done in conjunction with Bug 33677#c5.
Please also set "update/reboot/required=yes" during the update, so all UCS@school systems will be (hopefully) rebooted and activate the UCR policy.

> * The verify_school function of ucs-school-import creates a student roleshare
>   for the given school if not disabled via ucsschool/import/roleshare
This is no longer the case. The student roleshare will be created via the joinscript ucs-school-roleshare.
→ OK

> * As discussed directly, group shares are also handled like roleshares
As noted below, no special access shares will be created for groups/classes.
→ OK

> * The following packages also required adjusted treatment of "/home/.*":
>   ucs-school-import, ucs-school-umc-groups, ucs-school-umc-exam
ucs-school-import: code change ok; tested successfully via 34_import-users_via_*
ucs-school-umc-groups: TODO
ucs-school-umc-exam: TODO

> * The default for ucsschool/import/generate/share/marktplatz/sharepath is not
>   set any longer in ucs-school-import.postinst. This is done directly in
>   hooks/ou_create_post.d/52marktplatz_create. If set manually, this overrides
>   the ou-specific subdirs usually created if ucsschool/import/roleshare != false
→ FAIL
In new installations the UCR variable 'ucsschool/import/roleshare' is not set. During updates the UCR variable is set to "no". Since is_ucr_true returns False if the variable is unset, the Marktplatz share is always created at the old place (/home/groups/Marktplatz).
---[ucs-school-import/hooks/ou_create_post.d/52marktplatz_create]---
if is_ucr_true 'ucsschool/import/roleshare'; then
	sharepath="/home/$ou/groups/Marktplatz"
else
	sharepath="/home/groups/Marktplatz"
fi
---[cut]---
→ if [ -z "$ucsschool_import_roleshare" ] || is_ucr_true 'ucsschool/import/roleshare' ; then

> * The script for roleshare creation has been split off into a separate
>   script installed via a new package ucs-school-roleshares
→ OK

> * The UCR variable ucsschool/import/roleshare now only controls if home directories for users are created in subdirectories /home/$ou/$role (with the special case role := "groups" for class-groups and "Marktplatz").
→ OK (TODO special cases → groups / marktplatz)

> * ucsschool/import/roleshare is also evaluated by ucs-school-umc-groups (!)
ucs-school-umc-groups has been adapted accordingly → OK
ucs-school-lib/python/models/share.py does not respect the new path structure for classes:
udm_obj['path'] = '/home/groups/klassen/%s' % self.name

> * ucs-test-ucsschool now contains a new test 12_roleshares_student which
>   installs the ucs-school-roleshares package, runs the script with test
>   credentials and checks access to the share by a teacher (read must succeed,
>   write must not succeed by default).
The test script has been extended to test the read/write access to the share by
- students
- teachers
- staff-teachers
- staff
- Administrator/Domain Admin

> * The joinscript of ucs-school-roleshares now only creates student
>   roleshares automatically on a UCS@school singleserver or slave PDC. It
>   outputs an INFO line instead. This should avoid accidents of a domain
>   wide scope.
→ OK

> * The test case 12_roleshares_student has been adjusted to check all schools visible by the DC Master it runs on: So it should cover singlemaster as well as multi-server domains. During the test it installs the ucs-school-roleshares package and then runs create_roleshares and the tests for each school it finds.
> If no school or fileserver is found the test fails.

> * Student roleshares are only created on the ucsschoolHomeShareFileServer
>   now, not on ucsschoolClassShareFileServer. Additional conceptual work
>   would be required to define DNs and access rights for group share access.
→ OK

> * A section school:setup:roleshares has been added to the administrator manual.
→ added comments to printed version of this section

> I could not finish the whole QA.
> The shares are created, but they allow "read" and "access" for "others". Is this ok?
Yes, this is ok, otherwise /home/$OU/schueler/* would not be accessible by the students. The access to the share is limited to the teacher group:

$ for i in Administrator max.mustermann lehrer1 mitarbeiter1 lehrmitarbeiter1 ; do echo "------"; echo "USER: $i"; smbclient \\\\10.200.18.61\\schueler-gsmitte -U $i%univention -c dir ; done
------
USER: Administrator
Domain=[NSTX61] OS=[Unix] Server=[Samba 4.1.0-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED
------
USER: max.mustermann
Domain=[NSTX61] OS=[Unix] Server=[Samba 4.1.0-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED
------
USER: lehrer1
Domain=[NSTX61] OS=[Unix] Server=[Samba 4.1.0-Debian]
  .                                   D        0  Thu May 15 16:34:42 2014
  ..                                  D        0  Thu May 15 16:38:08 2014
  thomas.klein                        D        0  Thu May 15 16:34:42 2014
  susanne.bauer                       D        0  Thu May 15 16:34:30 2014
  susanne.bauer2                      D        0  Thu May 15 16:34:33 2014
  max.mustermann                      D        0  Thu May 15 16:34:20 2014

		34769 blocks of size 524288. 26060 blocks available
------
USER: mitarbeiter1
Domain=[NSTX61] OS=[Unix] Server=[Samba 4.1.0-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED
------
USER: lehrmitarbeiter1
Domain=[NSTX61] OS=[Unix] Server=[Samba 4.1.0-Debian]
  .                                   D        0  Thu May 15 16:34:42 2014
  ..                                  D        0  Thu May 15 16:38:08 2014
  thomas.klein                        D        0  Thu May 15 16:34:42 2014
  susanne.bauer                       D        0  Thu May 15 16:34:30 2014
  susanne.bauer2                      D        0  Thu May 15 16:34:33 2014
  max.mustermann                      D        0  Thu May 15 16:34:20 2014

		34769 blocks of size 524288. 26060 blocks available
$

By default the role share schueler-$OU is readonly:

$ smbclient \\\\10.200.18.61\\schueler-gsmitte -U lehrer1%univention -c "cd thomas.klein; del .bashrc"
Domain=[NSTX61] OS=[Unix] Server=[Samba 4.1.0-Debian]
NT_STATUS_MEDIA_WRITE_PROTECTED deleting remote file \thomas.klein\.bashrc
NT_STATUS_MEDIA_WRITE_PROTECTED listing \thomas.klein\.bashrc
$

And if write access for samba has been enabled manually:

$ smbclient \\\\10.200.18.61\\schueler-gsmitte -U lehrer1%univention -c "cd thomas.klein; del .bashrc"
Domain=[NSTX61] OS=[Unix] Server=[Samba 4.1.0-Debian]
$

→ FAIL: but read/write access via NFS is always enabled. We should disable NFS access.
→ FAIL: the group Domain Admins should also have access to the student's role share.
(if fixed, please also alter the ucs-test script 12_roleshares_student:
access_user_dir(TESTS_DOMAINADMIN, school_id, fqdn, name_student, userfilename, testwrite=True, write_access=False, read_access=False)
→ switch read_access to True)

root@master61:~# cat /etc/exports | grep schueler
"/home/gsmitte/schueler" *(rw,root_squash,sync,subtree_check) # LDAP:cn=schueler-gsmitte,cn=shares,ou=gsmitte,dc=nstx,dc=local
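The Marktplatz path selection discussed in this QA comment, as an added shell example that is not the UCS@school hook itself: ucr_get is a stub for "univention-config-registry get" backed by FAKE_UCR_* shell variables, is_ucr_true reproduces the exit codes of the UCS shell helper (0 true, 1 false, 2 unset or unknown), and marktplatz_path_old, marktplatz_path_new and marktplatz_sharepath are the example's own names. It shows why an unset variable (fresh installation) and an explicit "no" (updated system) must be told apart, and where the manual sharepath override from comment #2 sits in that decision.

```shell
#!/bin/sh
# Added example, not code from ucs-school-import. Everything runs offline:
# FAKE_UCR_<key with / replaced by _> stands in for the UCR store.

# Stub for: univention-config-registry get "$1"
ucr_get () {
    _key=$(printf '%s' "$1" | tr '/' '_')
    eval "printf '%s' \"\${FAKE_UCR_$_key}\""
}

# Same exit codes as the UCS shell helper is_ucr_true: an unset or
# unrecognised value is neither true nor false.
is_ucr_true () {
    case "$(ucr_get "$1" | tr '[:upper:]' '[:lower:]')" in
        1|yes|on|true|enable|enabled)    return 0 ;;
        0|no|off|false|disable|disabled) return 1 ;;
        *)                               return 2 ;;
    esac
}

# Check as quoted from 52marktplatz_create in the QA comment: "unset"
# falls into the else branch exactly like "no", so every new installation
# gets the legacy layout.
marktplatz_path_old () {
    if is_ucr_true 'ucsschool/import/roleshare'; then
        echo "/home/$1/groups/Marktplatz"
    else
        echo "/home/groups/Marktplatz"
    fi
}

# Corrected check: only an explicit false value keeps /home/groups, which
# is what the update path writes (ucsschool/import/roleshare=no).
marktplatz_path_new () {
    if [ -z "$(ucr_get 'ucsschool/import/roleshare')" ] \
        || is_ucr_true 'ucsschool/import/roleshare'; then
        echo "/home/$1/groups/Marktplatz"
    else
        echo "/home/groups/Marktplatz"
    fi
}

# Full decision including the manual override mentioned in comment #2:
# a set ucsschool/import/generate/share/marktplatz/sharepath wins.
marktplatz_sharepath () {
    _override=$(ucr_get 'ucsschool/import/generate/share/marktplatz/sharepath')
    if [ -n "$_override" ]; then
        echo "$_override"
    else
        marktplatz_path_new "$1"
    fi
}

# Demo: the three states a system can be in after this bug's changes.
for _v in '' no yes; do
    FAKE_UCR_ucsschool_import_roleshare=$_v
    printf 'roleshare=%-5s old: %-31s new: %s\n' "${_v:-unset}" \
        "$(marktplatz_path_old gsmitte)" "$(marktplatz_path_new gsmitte)"
done
unset FAKE_UCR_ucsschool_import_roleshare
```

The QA comment's one-line fix tests the shell variable "$ucsschool_import_roleshare" that the UCS hook environment exports for the UCR key; the example queries the store instead so that it needs no UCS environment. Either way the point is the same: treat "unset" and "no" differently, because is_ucr_true alone collapses them.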
All points should be fixed.
./models/share.py:56: undefined name 'school_class'
missing "self"
I hope this fixes it: replaced school_class.school by self.school.
> if dpkg --compare-versions "$2" lt 6.0.7-26 ; then
→ OK

> Despite this problem, the UCR variable should be also set via UCR policy. This should be done in conjunction with Bug 33677#c5.
ucs-school-metapackage/62ucs-school-master.inst + ucs-school-metapackage/62ucs-school-singlemaster.inst:
policy_name="ucsschool-import-roleshares"
→ policy_name="ucsschool-ucr-settings"
→ REOPEN

tmp_str=$(sed -rn 's/^univentionRegistry;entry-hex-([^:]+): .*/\1/p' <<<"$ldif")
if [ "$tmp_str" = "$key_hex" ]; then
→ If the existing UCR policy already contains several UCR variables, the check for equality will always fail.
→ REOPEN

> Please also set "update/reboot/required=yes" during the update, so all UCS@school systems will be (hopefully) rebooted and activate the UCR policy.
→ OK

> * The verify_school function of ucs-school-import creates a student roleshare
>   for the given school if not disabled via ucsschool/import/roleshare
> This is no longer the case. The student roleshare will be created via the joinscript ucs-school-roleshare.
→ OK

> * As discussed directly, group shares are also handled like roleshares
> As noted below, no special access shares will be created for groups/classes.
→ OK

>> * The following packages also required adjusted treatment of "/home/.*":
>>   ucs-school-import, ucs-school-umc-groups, ucs-school-umc-exam
> ucs-school-umc-groups: TODO
→ OK
> ucs-school-umc-exam: TODO
→ OK

>> * The default for ucsschool/import/generate/share/marktplatz/sharepath is not
>>   set any longer in ucs-school-import.postinst. This is done directly in
>>   hooks/ou_create_post.d/52marktplatz_create. If set manually, this overrides
>>   the ou-specific subdirs usually created if ucsschool/import/roleshare != false
>
> In new installations the UCR variable 'ucsschool/import/roleshare' is not set. During updates the UCR variable is set to "no".
> Since is_ucr_true returns False if the variable is unset, the Marktplatz share is always created at the old place (/home/groups/Marktplatz).
→ OK

> ucs-school-lib/python/models/share.py does not respect the new path structure for classes:
> udm_obj['path'] = '/home/groups/klassen/%s' % self.name
→ OK

The joinscript should fail with an exitcode != 0 if create_roleshares throws a traceback.
→ FAIL

RUNNING 38ucs-school-roleshares.inst
Object created: cn=schueler-gsmitte,cn=shares,ou=gsmitte,ou=gs,dc=nstx,dc=local
Traceback (most recent call last):
  File "/usr/share/ucs-school-import/scripts/create_roleshares", line 101, in <module>
    create_roleshares(opts.roleshares, opts.schools, ucr)
  File "/usr/lib/pymodules/python2.6/ucsschool/lib/roleshares.py", line 190, in create_roleshares
    create_roleshare_for_searchbase(role, searchbase, ucr)
  File "/usr/lib/pymodules/python2.6/ucsschool/lib/schoolldap.py", line 204, in wrapper_func
    return func( *args, **kwargs )
  File "/usr/lib/pymodules/python2.6/ucsschool/lib/roleshares.py", line 154, in create_roleshare_for_searchbase
    for serverfqdn in fileservers_for_school(school_ou):
  File "/usr/lib/pymodules/python2.6/ucsschool/lib/schoolldap.py", line 204, in wrapper_func
    return func( *args, **kwargs )
  File "/usr/lib/pymodules/python2.6/ucsschool/lib/roleshares.py", line 134, in fileservers_for_school
    fqdn = fqdn_from_serverdn(server_dn)
  File "/usr/lib/pymodules/python2.6/ucsschool/lib/schoolldap.py", line 204, in wrapper_func
    return func( *args, **kwargs )
  File "/usr/lib/pymodules/python2.6/ucsschool/lib/roleshares.py", line 115, in fqdn_from_serverdn
    dn, ldap_obj = ldap_machine_read.search(base=serverdn, scope='base', attr=['cn', 'associatedDomain'])[0]
  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 347, in search
    raise univention.admin.uexceptions.noObject, _err2str(msg)
univention.admin.uexceptions.noObject: No such object
EXITCODE=0
→ some slaves were not joined yet → FAIL

> FAIL: but read/write access via NFS is always enabled. We should disable NFS access.
→ OK

> → FAIL: the group Domain Admins should also have access to the student's role share.
> (if fixed, please also alter the ucs-test script 12_roleshares_student:
> access_user_dir(TESTS_DOMAINADMIN, school_id, fqdn, name_student, userfilename, testwrite=True, write_access=False, read_access=False)
> → switch read_access to True)
→ OK

> root@master61:~# cat /etc/exports | grep schueler
> "/home/gsmitte/schueler" *(rw,root_squash,sync,subtree_check) # LDAP:cn=schueler-gsmitte,cn=shares,ou=gsmitte,dc=nstx,dc=local
# cat /etc/exports | grep schueler | wc -l
0
#
→ OK
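The "traceback but EXITCODE=0" finding from this QA comment, as an added shell example rather than the real 38ucs-school-roleshares.inst: fake_create_roleshares and FAKE_MODE are stand-ins for /usr/share/ucs-school-import/scripts/create_roleshares, JOINLOG stands in for the join log (default /dev/null), and run_step, joinscript_buggy and joinscript_fixed are the example's own names. It contrasts a pipeline that reports tee's status with a wrapper that propagates the script's status and additionally refuses to report success when a Python traceback appears in the output.

```shell
#!/bin/sh
# Added example, not the ucs-school-roleshares joinscript. Runs offline.

# Stand-in for create_roleshares. FAKE_MODE=ok succeeds; FAKE_MODE=trace
# behaves like an uncaught Python exception: traceback on stderr, exit 1.
fake_create_roleshares () {
    echo "Object created: cn=schueler-gsmitte,cn=shares,ou=gsmitte,ou=gs,dc=nstx,dc=local"
    case "${FAKE_MODE:-ok}" in
        ok) return 0 ;;
        trace)
            echo "Traceback (most recent call last):" >&2
            echo "univention.admin.uexceptions.noObject: No such object" >&2
            return 1 ;;
    esac
}

# Pattern that swallows the failure: in a POSIX sh (no pipefail) the status
# of a pipeline is the status of its last command, here tee, so the
# traceback is logged and the joinscript still ends with EXITCODE=0.
joinscript_buggy () {
    fake_create_roleshares --create student 2>&1 | tee -a "${JOINLOG:-/dev/null}"
}

# run_step runs "$@", mirrors its output into the join log and returns
# non-zero when the step exits non-zero OR prints a Python traceback
# (covers code that logs the exception but still exits 0).
run_step () {
    _rc=0
    _out=$("$@" 2>&1) || _rc=$?
    if [ -n "$_out" ]; then
        printf '%s\n' "$_out" | tee -a "${JOINLOG:-/dev/null}"
    fi
    [ "$_rc" -eq 0 ] || return "$_rc"
    case "$_out" in
        *'Traceback (most recent call last)'*) return 1 ;;
    esac
    return 0
}

# Fixed pattern: stop at the first failing step and hand its status on,
# so univention-join records the joinscript as not run.
joinscript_fixed () {
    run_step fake_create_roleshares --create student || return $?
    echo "student roleshares created"
}

# Demo: the same failing step under both patterns.
for FAKE_MODE in ok trace; do
    _st=0; joinscript_buggy >/dev/null || _st=$?
    echo "mode=$FAKE_MODE buggy joinscript exit=$_st"
    _st=0; joinscript_fixed >/dev/null || _st=$?
    echo "mode=$FAKE_MODE fixed joinscript exit=$_st"
done
```

The traceback match is a safety net on top of the exit status, not a replacement for it: the exit status is what the join machinery sees, and a step that fails silently with status 0 would still pass both checks. In bash, "set -o pipefail" removes the pipeline problem directly; the wrapper above works in dash as well, which is what /bin/sh is on UCS.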
> policy_name="ucsschool-ucr-settings"
→ Fixed

> If the existing UCR policy already contains several UCR variables, the check for equality will always fail.
→ Fixed

> The joinscript should fail with an exitcode != 0 if create_roleshares throws a traceback.
→ Fixed

> RUNNING 38ucs-school-roleshares.inst
→ Fixed
(In reply to Arvid Requate from comment #14)
> > policy_name="ucsschool-ucr-settings"
> → Fixed
→ OK

> > If the existing UCR policy already contains several UCR variables, the check for equality will always fail.
> → Fixed
→ OK

> > The joinscript should fail with an exitcode != 0 if create_roleshares throws a traceback.
> → Fixed
→ OK

> > RUNNING 38ucs-school-roleshares.inst
> → Fixed
→ OK
UCS@school 3.2 R2 has been released: http://docs.univention.de/release-notes-ucsschool-3.2R2-de.html If this error occurs again, please use "Clone This Bug".
*** Bug 20756 has been marked as a duplicate of this bug. ***