Univention Bugzilla – Bug 35564
sysvol replication fails on slave after ad takeover from member mode
Last modified: 2014-09-10 17:45:01 CEST
The slave account has no read permission for /var/lib/samba/sysvol on the master.

-> getfacl sysvol
# file: sysvol
# owner: Administrator
# group: Administratoren
user::rwx
user:Administrator:rwx
group::rwx
group:Administratoren:rwx
group:Server-Operatoren:r-x
group:55002:r-x
group:55003:rwx
mask::rwx
other::---
default:user::rwx
default:user:Administrator:rwx
default:group::---
default:group:Administratoren:rwx
default:group:Server-Operatoren:r-x
default:group:55002:r-x
default:group:55003:rwx
default:mask::rwx
default:other::---

Seems that id mapping is broken.

-> univention-ldapsearch sambaSid=S-1-5-11 gidNumber -LLL
dn: sambaSID=S-1-5-11,cn=idmap,cn=univention,dc=w2k12,dc=test
gidNumber: 55002

dn: cn=Authenticated Users,cn=Builtin,dc=w2k12,dc=test
gidNumber: 5026
Created attachment 6048 [details] getfacl.log
Created attachment 6049 [details] idmap.log
The gidNumbers 55002 and 55003 correspond to idmap objects in OpenLDAP, probably generated by samba during AD Member mode.
Created attachment 6050 [details] wbinfo.log
Samba4 wbinfo doesn't seem to consider the cn=idmap objects in OpenLDAP. It finds the correct official gidNumbers.
Created attachment 6051 [details] ntacl.log
Just for completeness, the ntacls. Looks like nothing's new or wrong here.
Created attachment 6052 [details] idmap_ldb.ldif
/var/lib/samba/private/idmap.ldb is also correct for S-1-5-11 (Authenticated Users) and S-1-5-18 (System).
Created attachment 6053 [details] net_cache_flush_before_sysvolreset.patch
This seems to fix the problem:

net cache flush
samba-tool ntacl sysvolreset

After running this on the master the facls are fixed:
========================================================
root@master:~# getfacl /var/lib/samba/sysvol/w2k12.test
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: var/lib/samba/sysvol/w2k12.test
# owner: Administrator
# group: Administratoren
user::rwx
user:Administrator:rwx
group::rwx
group:Authenticated\040Users:r-x
group:System:rwx
group:Administratoren:rwx
group:Server-Operatoren:r-x
mask::rwx
other::---
default:user::rwx
default:user:Administrator:rwx
default:group::---
default:group:Authenticated\040Users:r-x
default:group:System:rwx
default:group:Administratoren:rwx
default:group:Server-Operatoren:r-x
default:mask::rwx
default:other::---
========================================================
So we should run "net cache flush" in adtakeover before running sysvolreset, see attached patch.
After this the slave was able to sync the sysvol GPOs from the master.
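The diagnosis in this bug rests on two observations: the sysvol ACL carries numeric group entries (55002, 55003) that no longer resolve to a name, so "Authenticated Users" (S-1-5-11) has no read entry and the slave cannot replicate; and the same SID resolves to two different gidNumbers in OpenLDAP (the cn=idmap entry versus the real Builtin group). The script below is an added example, not part of the bug report or of the Univention adtakeover module; it parses getfacl output and an LDIF search result, both constructed here from the listings quoted above, and flags exactly those two symptoms so the check can be rerun after "net cache flush" and "samba-tool ntacl sysvolreset". The function and variable names are the example's own.

```python
"""Check a Samba sysvol POSIX ACL (getfacl output) for unresolved numeric
principals and for read access of 'Authenticated Users', and check an LDIF
search result for a SID that maps to more than one gidNumber.

Added example for Univention bug 35564; not the project's own code.
The sample texts are constructed from the listings quoted in the bug."""

# Constructed sample: the broken ACL before the fix (gids 55002/55003 unresolved)
BROKEN_ACL = """\
# file: sysvol
# owner: Administrator
# group: Administratoren
user::rwx
user:Administrator:rwx
group::rwx
group:Administratoren:rwx
group:Server-Operatoren:r-x
group:55002:r-x
group:55003:rwx
mask::rwx
other::---
default:user::rwx
default:group:55002:r-x
"""

# Constructed sample: the ACL after "net cache flush" + "samba-tool ntacl sysvolreset"
FIXED_ACL = """\
# file: var/lib/samba/sysvol/w2k12.test
# owner: Administrator
# group: Administratoren
user::rwx
user:Administrator:rwx
group::rwx
group:Authenticated\\040Users:r-x
group:System:rwx
group:Administratoren:rwx
group:Server-Operatoren:r-x
mask::rwx
other::---
"""

# Constructed from the univention-ldapsearch output in the bug: one SID,
# two gidNumbers (the cn=idmap entry versus the real Builtin group object)
IDMAP_LDIF = """\
dn: sambaSID=S-1-5-11,cn=idmap,cn=univention,dc=w2k12,dc=test
gidNumber: 55002

dn: cn=Authenticated Users,cn=Builtin,dc=w2k12,dc=test
gidNumber: 5026
"""


def parse_getfacl(text):
    """Return (is_default, tag, qualifier, perms) tuples; comment lines skipped.
    getfacl writes spaces in names as \\040, which is decoded here."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        is_default = line.startswith('default:')
        if is_default:
            line = line[len('default:'):]
        tag, qualifier, perms = line.split(':', 2)
        entries.append((is_default, tag, qualifier.replace('\\040', ' '), perms))
    return entries


def unresolved_principals(entries):
    """Named user/group entries whose qualifier is purely numeric: the uid/gid
    could not be resolved to a name, the symptom reported in the bug."""
    return sorted({q for _, tag, q, _ in entries
                   if tag in ('user', 'group') and q.isdigit()})


def group_has_read(entries, group):
    """True if the named group has a read bit in the access ACL (not the
    default ACL); the mask entry can further limit it, so check that too."""
    mask = next((p for d, t, _, p in entries if not d and t == 'mask'), 'rwx')
    for is_default, tag, q, perms in entries:
        if not is_default and tag == 'group' and q == group:
            return 'r' in perms and 'r' in mask
    return False


def check_sysvol_acl(text, required_group='Authenticated Users'):
    """Return a list of problem strings; an empty list means the ACL is sane."""
    entries = parse_getfacl(text)
    problems = []
    unresolved = unresolved_principals(entries)
    if unresolved:
        problems.append('unresolved numeric principals: ' + ', '.join(unresolved))
    if not group_has_read(entries, required_group):
        problems.append('%r has no read access' % required_group)
    return problems


def gid_numbers(ldif):
    """Distinct gidNumber values in an LDIF result for a single SID search;
    more than one value means idmap and the group object disagree."""
    gids = {int(line.split(':', 1)[1]) for line in ldif.splitlines()
            if line.startswith('gidNumber:')}
    return sorted(gids)


if __name__ == '__main__':
    print('before fix:', check_sysvol_acl(BROKEN_ACL) or 'OK')
    print('after fix: ', check_sysvol_acl(FIXED_ACL) or 'OK')
    print('gidNumbers for S-1-5-11:', gid_numbers(IDMAP_LDIF))
```

On a live system, feed `getfacl /var/lib/samba/sysvol/<domain>` and the output of the `univention-ldapsearch` command from the bug into the two check functions; a non-empty problem list or more than one gidNumber for the SID reproduces the state described before the fix.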
Fixed, Advisory: 2014-08-12-univention-management-console-module-adtakeover.yaml
OK - sysvol-sync on slaves after adtakeover out of AD member mode
OK - YAML
please merge the changes to 4.0
> please merge the changes to 4.0

Done. The package has not been built in the ucs_4.0-0 scope yet.
OK
http://errata.univention.de/ucs/3.2/203.html