Bug 41319 - Default GPOs owned by root
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2
Assigned To: Arvid Requate
Stefan Gohmann
: interim-2
Duplicates: 41825
Reported: 2016-05-23 12:12 CEST by Arvid Requate
Modified: 2017-04-04 18:29 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.017
Description Arvid Requate univentionstaff 2016-05-23 12:12:51 CEST
The UCS 3.3 Jenkins tests with Samba 4.3.7 showed that the GPOs Default Domain Policy and Default Domain Controller Policy were owned by root, contradicting the NTACLs, which correctly show "LA", i.e. the local Administrator (RID 500) as owner. This may be a timing and Samba caching issue during Samba installation: Debugging the system showed that samba-tool ntacl sysvolreset didn't fix anything until I ran "net cache flush" (and then sysvolreset again).

So maybe we should add a "net cache flush" before the final sysvolreset in 98univention-samba4-dns.inst.
Comment 1 Lukas Oyen univentionstaff 2016-12-12 18:52:35 CET
*** Bug 41825 has been marked as a duplicate of this bug. ***
Comment 2 Arvid Requate univentionstaff 2016-12-12 18:59:06 CET
Ok, Lukas just reproduced this for Bug 41825 and it's pretty nasty. Basically Samba has three uids for Administrator, depending on how you ask.

A) creating a file via smbclient -U Administrator:

root@ucs33:/var/lib/samba/sysvol/loyen.intranet# ls -l
total 24
drwxrwx---+ 4 root          3000000 4096 Dec 12 16:15 Policies
drwxrwx---+ 2 root          3000000 4096 Dec 12 16:15 scripts
-rwxrwx---+ 1 3000000 Domain Admins  748 Dec 12 18:37 t1

B) Asking wbinfo:

root@ucs33:/var/lib/samba/sysvol/loyen.intranet# wbinfo -S S-1-5-21-654217909-4005852308-228228070-500

C) Asking wbinfo:

root@ucs33:/var/lib/samba/sysvol/loyen.intranet# wbinfo -U 2002
root@ucs33:/var/lib/samba/sysvol/loyen.intranet# wbinfo -S S-1-5-21-654217909-4005852308-228228070-500

The idmap is up to date though:

root@ucs33:/var/lib/samba/sysvol/loyen.intranet# ldbsearch -H /var/lib/samba/private/idmap.ldb  objectsid=S-1-5-21-654217909-4005852308-228228070-500
WARNING: The "syslog" option is deprecated
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
# record 1
dn: CN=S-1-5-21-654217909-4005852308-228228070-500
cn: S-1-5-21-654217909-4005852308-228228070-500
objectClass: sidMap
objectSid: S-1-5-21-654217909-4005852308-228228070-500
xidNumber: 2002

And a samba restart alone didn't change anything. Only after "net cache flush" the behavior returned back to normal.
Comment 3 Arvid Requate univentionstaff 2016-12-12 19:02:21 CET
Maybe we should simply run the "net cache flush" as part of the

/usr/lib/univention-directory-listener/system/samba-idmap.py --direct-resync

call in 96univention-samba.inst. We should fix Bug 42819 there anyway.
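One way to check for the condition described in this bug and apply the remedy from the thread, written as an added example here rather than code from the bug report or from UCS: compare the POSIX owner of the two default GPO directories in sysvol with the xidNumber that idmap.ldb assigns to the domain Administrator SID, and if they disagree run "net cache flush" before "samba-tool ntacl sysvolreset". The GPO GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy identifiers, which the page itself does not list; the sysvol and idmap.ldb paths are the ones shown on the page; the sample listing and idmap record are constructed to mirror the reported state (directories owned by uid 0, idmap saying 2002). The `--live` mode is an assumption about how the check would be run on a real DC and needs samba-tool, ldbsearch and net.

```shell
#!/bin/sh
# Added example, not part of the bug report or of UCS: detect default GPO
# directories whose POSIX owner disagrees with the idmap entry for the
# domain Administrator (RID 500), and fix it the way the thread describes.
#
# Assumed paths (as on the page): /var/lib/samba/private/idmap.ldb,
# /var/lib/samba/private/sam.ldb, /var/lib/samba/sysvol/<realm>/Policies.

# Well-known GUIDs of the two default GPOs (not taken from the page). Directory
# names are matched exactly, so the case must be what is on disk.
DEFAULT_DOMAIN_POLICY='{31B2F340-016D-11D2-945F-00C04FB984F9}'
DEFAULT_DC_POLICY='{6AC1786C-016F-11D2-945F-00C04fB984F9}'

# First xidNumber in an ldbsearch record (warnings and "# record" lines are ignored).
idmap_xid() {
    printf '%s\n' "$1" | sed -n 's/^xidNumber: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Numeric uid (column 3 of `ls -ln` output $1) of the entry whose name is $2.
owner_uid() {
    printf '%s\n' "$1" | awk -v name="$2" '$NF == name { print $3; exit }'
}

# Compare the owner of both default GPO dirs with the idmap uid.
# Prints one line per GPO; returns 0 if both match, 1 on any mismatch,
# 2 if the idmap record carries no xidNumber.
check_sysvol_owner() {
    listing=$1
    idmap_record=$2
    want=$(idmap_xid "$idmap_record")
    [ -n "$want" ] || { echo "no xidNumber for Administrator in idmap" >&2; return 2; }
    rc=0
    for gpo in "$DEFAULT_DOMAIN_POLICY" "$DEFAULT_DC_POLICY"; do
        have=$(owner_uid "$listing" "$gpo")
        if [ "$have" = "$want" ]; then
            echo "OK       $gpo owner uid $have"
        else
            echo "MISMATCH $gpo owner uid ${have:-<missing>}, idmap says $want"
            rc=1
        fi
    done
    return $rc
}

# Live check on a DC (assumed invocation; run as root): look up the Administrator
# SID in sam.ldb, its xidNumber in idmap.ldb, and the owners under sysvol.
live_check() {
    realm=$1
    policies="/var/lib/samba/sysvol/$realm/Policies"
    sid=$(ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=Administrator)' objectSid \
          | sed -n 's/^objectSid: *//p')
    idmap=$(ldbsearch -H /var/lib/samba/private/idmap.ldb "objectSid=$sid" xidNumber)
    if ! check_sysvol_owner "$(ls -ln "$policies")" "$idmap"; then
        net cache flush                 # drop the stale cached mapping first ...
        samba-tool ntacl sysvolreset    # ... sysvolreset alone changed nothing in the thread
        check_sysvol_owner "$(ls -ln "$policies")" "$idmap"
    fi
}

# Constructed sample data mirroring the report: GPO dirs owned by uid 0 while
# idmap maps the Administrator SID to 2002.
SAMPLE_IDMAP='# record 1
dn: CN=S-1-5-21-654217909-4005852308-228228070-500
objectClass: sidMap
objectSid: S-1-5-21-654217909-4005852308-228228070-500
xidNumber: 2002'

SAMPLE_LISTING='total 8
drwxrwx---+ 4 0 3000000 4096 Dec 12 16:15 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 0 3000000 4096 Dec 12 16:15 {6AC1786C-016F-11D2-945F-00C04fB984F9}'

if [ "${1:-}" = "--live" ]; then
    live_check "$2"
elif check_sysvol_owner "$SAMPLE_LISTING" "$SAMPLE_IDMAP"; then
    echo "sample: ownership consistent"
else
    echo "sample: ownership mismatch (net cache flush + sysvolreset would be needed)"
fi
```

Without arguments the script only evaluates the constructed sample and reports the mismatch; `sh script.sh --live <realm>` runs the real lookups against the paths above. Checking column 3 of `ls -ln` rather than the name from `ls -l` is deliberate: the bug is that the same SID resolves to different uids depending on who is asked, so the comparison has to be made on numeric ids against idmap.ldb, not on resolved names.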
Comment 4 Arvid Requate univentionstaff 2017-02-16 15:43:30 CET
samba4-idmap.py --direct-resync now calls net cache flush.
Changelog adjusted.
Comment 5 Stefan Gohmann univentionstaff 2017-02-24 06:56:07 CET
Tests: I was unable to reproduce the issue but I've added a test case for it
r77083: 00_checks/47_sysvol_ownership

Code review: OK (r76766 + r76767)

Changelog: OK
Comment 6 Stefan Gohmann univentionstaff 2017-04-04 18:29:47 CEST
UCS 4.2 has been released:

If this error occurs again, please use "Clone This Bug".