Univention Bugzilla – Bug 37350
sync ntSecurityDescriptor of groupPolicyContainer objects
Last modified: 2015-02-27 15:19:37 CET
To syncronize the ntSecurityDescriptor of groupPolicyContainer objects we should set connector/s4/mapping/gpo/ntsd=yes in ucs-school-metapackage +++ This bug was initially created as a clone of Bug #33768 +++ For a proper sysvol synchronization, we need to sync the ntSecurityDescriptor (the acl's for the gpo) for gpo objects. This is especially necessary for ucs@school environments, because here gpo objects are replicated to the domain dc's via s4connector|UCS ldap replication (not by drs replication).
The objects also need to be resynchronized, see univention-s4-connector.postinst for an example how to do this. There the code is currently disabled because the variable isn't set by default.
Fixed, changelog adjusted.
A S4 connector restart is missing. For example from a S4 school slave: -------------------------------------------------------------------------- Not updating connector/s4/mapping/wmifilter Create connector/s4/mapping/gpo/ntsd Not updating ucsschool/import/generate/policy/dhcp/dns/set_per_ou Create ucs/web/overview/entries/service/teacherconsole/icon Create ucs/web/overview/entries/service/teacherconsole/label Create ucs/web/overview/entries/service/teacherconsole/label/de Create ucs/web/overview/entries/service/teacherconsole/description Create ucs/web/overview/entries/service/teacherconsole/description/de Create ucs/web/overview/entries/service/teacherconsole/link Create ucs/web/overview/entries/service/teacherconsole/priority File: /var/www/ucs-overview/entries.json Multifile: /etc/samba/smb.conf No matching objects. WARNING: No path in service IPC$ - making it unavailable! NOTE: Service IPC$ is flagged unavailable. resync triggered for CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=deadlock45,DC=intranet resync triggered for CN={618E19A4-281E-409F-941B-5465CDD1A2F0},CN=Policies,CN=System,DC=deadlock45,DC=intranet resync triggered for CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=deadlock45,DC=intranet Estimated sync in 50 seconds. -------------------------------------------------------------------------- Between setting the UCR variable and the re-sync the connector is not restarted. Thus, the ntSecurityDescriptor is not synced.
Ok, adjusted.
OK, Tests were successful. Changelog OK
UCS@school 4.0 v2 has been released: http://docs.univention.de/release-notes-ucsschool-4.0v2-de.html If this error occurs again, please use "Clone This Bug".