Bug 37350 - sync ntSecurityDescriptor of groupPolicyContainer objects
sync ntSecurityDescriptor of groupPolicyContainer objects
Product: UCS@school
Classification: Unclassified
Component: Samba 4
UCS@school 4.0
Other Linux
: P5 normal (vote)
: UCS@school 4.0 Errata
Assigned To: Arvid Requate
Stefan Gohmann
Depends on: 33768
  Show dependency treegraph
Reported: 2014-12-15 16:57 CET by Arvid Requate
Modified: 2015-02-27 15:19 CET (History)
6 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2014-12-15 16:57:12 CET
To syncronize the ntSecurityDescriptor of groupPolicyContainer objects we should set connector/s4/mapping/gpo/ntsd=yes in ucs-school-metapackage

+++ This bug was initially created as a clone of Bug #33768 +++

For a proper sysvol synchronization, we need to sync the ntSecurityDescriptor (the acl's for the gpo) for gpo objects.

This is especially necessary for ucs@school environments, because here gpo objects are replicated to the domain dc's via s4connector|UCS ldap replication (not by drs replication).
Comment 1 Arvid Requate univentionstaff 2014-12-15 16:59:18 CET
The objects also need to be resynchronized, see univention-s4-connector.postinst for an example how to do this. There the code is currently disabled because the variable isn't set by default.
Comment 2 Arvid Requate univentionstaff 2015-02-16 21:30:53 CET
Fixed, changelog adjusted.
Comment 3 Stefan Gohmann univentionstaff 2015-02-18 06:47:13 CET
A S4 connector restart is missing. For example from a S4 school slave:

Not updating connector/s4/mapping/wmifilter
Create connector/s4/mapping/gpo/ntsd
Not updating ucsschool/import/generate/policy/dhcp/dns/set_per_ou
Create ucs/web/overview/entries/service/teacherconsole/icon
Create ucs/web/overview/entries/service/teacherconsole/label
Create ucs/web/overview/entries/service/teacherconsole/label/de
Create ucs/web/overview/entries/service/teacherconsole/description
Create ucs/web/overview/entries/service/teacherconsole/description/de
Create ucs/web/overview/entries/service/teacherconsole/link
Create ucs/web/overview/entries/service/teacherconsole/priority
File: /var/www/ucs-overview/entries.json
Multifile: /etc/samba/smb.conf
No matching objects.
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
resync triggered for CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=deadlock45,DC=intranet
resync triggered for CN={618E19A4-281E-409F-941B-5465CDD1A2F0},CN=Policies,CN=System,DC=deadlock45,DC=intranet
resync triggered for CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=deadlock45,DC=intranet
Estimated sync in 50 seconds.

Between setting the UCR variable and the re-sync the connector is not restarted. Thus, the ntSecurityDescriptor is not synced.
Comment 4 Arvid Requate univentionstaff 2015-02-18 15:59:48 CET
Ok, adjusted.
Comment 5 Stefan Gohmann univentionstaff 2015-02-19 06:44:44 CET
OK, Tests were successful.

Changelog OK
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2015-02-27 15:19:37 CET
UCS@school 4.0 v2 has been released:

If this error occurs again, please use "Clone This Bug".