Univention Bugzilla – Bug 41319
Default GPOs owned by root
Last modified: 2017-04-04 18:29:47 CEST
The UCS 3.3 Jenkins tests with Samba 4.3.7 showed that the GPOs Default Domain Policy and Default Domain Controller Policy were owned by root, contradicting the NTACLs, which correctly show "LA", i.e. the local Administrator (RID 500), as owner. This may be a timing and Samba caching issue during Samba installation: debugging the system showed that samba-tool ntacl sysvolreset didn't fix anything until I ran "net cache flush" (and then sysvolreset again). So maybe we should add a "net cache flush" before the final sysvolreset in 98univention-samba4-dns.inst.
*** Bug 41825 has been marked as a duplicate of this bug. ***
Ok, Lukas just reproduced this for Bug 41825 and it's pretty nasty. Basically Samba has three uids for Administrator, depending on how you ask.

A) creating a file via smbclient -U Administrator:

root@ucs33:/var/lib/samba/sysvol/loyen.intranet# ls -l
total 24
drwxrwx---+ 4 root    3000000       4096 Dec 12 16:15 Policies
drwxrwx---+ 2 root    3000000       4096 Dec 12 16:15 scripts
-rwxrwx---+ 1 3000000 Domain Admins  748 Dec 12 18:37 t1

B) Asking wbinfo:

root@ucs33:/var/lib/samba/sysvol/loyen.intranet# wbinfo -S S-1-5-21-654217909-4005852308-228228070-500
0

C) Asking wbinfo:

root@ucs33:/var/lib/samba/sysvol/loyen.intranet# wbinfo -U 2002
S-1-5-21-654217909-4005852308-228228070-500
root@ucs33:/var/lib/samba/sysvol/loyen.intranet# wbinfo -S S-1-5-21-654217909-4005852308-228228070-500
2002

The idmap is up to date though:

root@ucs33:/var/lib/samba/sysvol/loyen.intranet# ldbsearch -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-654217909-4005852308-228228070-500
WARNING: The "syslog" option is deprecated
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
# record 1
dn: CN=S-1-5-21-654217909-4005852308-228228070-500
cn: S-1-5-21-654217909-4005852308-228228070-500
objectClass: sidMap
objectSid: S-1-5-21-654217909-4005852308-228228070-500
type: ID_TYPE_UID
xidNumber: 2002

And a samba restart alone didn't change anything. Only after "net cache flush" did the behavior return to normal.
Maybe we should simply run the "net cache flush" as part of the /usr/lib/univention-directory-listener/system/samba-idmap.py --direct-resync call in 96univention-samba.inst. We should fix Bug 42819 there anyway.
samba4-idmap.py --direct-resync now calls net cache flush. Changelog adjusted.
Tests: I was unable to reproduce the issue, but I've added a test case for it in r77083: 00_checks/47_sysvol_ownership
Code review: OK (r76766 + r76767)
Changelog: OK
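A consistency check of the kind this bug calls for, added here as an illustration (it is not Univention's 47_sysvol_ownership test case nor any Samba/UCS code): it reads the xidNumber for a SID out of ldbsearch output like the one pasted in the second comment and compares it against the on-disk owner uid of the sysvol directories. The sample idmap record is constructed from that comment; `stat -c %u` assumes GNU coreutils, and the sysvol path and SID are assumptions you replace with your own.

```shell
#!/bin/sh
# Added example: verify that the on-disk owner of the GPO directories under
# sysvol is the uid that idmap.ldb assigns to the domain Administrator SID.
# Sample ldbsearch output, constructed from the record shown in this bug.
SAMPLE_IDMAP='WARNING: The "syslog" option is deprecated
# record 1
dn: CN=S-1-5-21-654217909-4005852308-228228070-500
cn: S-1-5-21-654217909-4005852308-228228070-500
objectClass: sidMap
objectSid: S-1-5-21-654217909-4005852308-228228070-500
type: ID_TYPE_UID
xidNumber: 2002'

# Print the xidNumber of SID $1 from ldbsearch-style output read on stdin.
# Exit status 1 when the SID has no mapping in the input.
idmap_xid_for_sid() {
    awk -v sid="$1" '
        $1 == "dn:"      { in_rec = ($2 == "CN=" sid) }
        in_rec && $1 == "xidNumber:" { print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Compare the owner uid of DIR ($1) and each entry in it against EXPECTED ($2).
# Prints every mismatch; exit status 1 if any was found, 2 if stat failed.
check_sysvol_owner() {
    dir="$1"; expected="$2"; rc=0
    for entry in "$dir" "$dir"/*; do
        [ -e "$entry" ] || continue
        owner=$(stat -c %u "$entry") || return 2
        if [ "$owner" != "$expected" ]; then
            echo "MISMATCH: $entry owned by uid $owner, expected $expected"
            rc=1
        fi
    done
    return $rc
}

# Typical use on a DC (paths and SID are assumptions, adjust to your domain):
#   xid=$(ldbsearch -H /var/lib/samba/private/idmap.ldb objectsid=<ADMIN_SID> \
#         | idmap_xid_for_sid <ADMIN_SID>)
#   check_sysvol_owner /var/lib/samba/sysvol/<DOMAIN>/Policies "$xid"
```

A non-zero exit from check_sysvol_owner after sysvolreset is the symptom described here, and a stale winbind cache is one reason the owner and the idmap record can disagree.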
UCS 4.2 has been released:
https://docs.software-univention.de/release-notes-4.2-0-en.html
https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".