Bug 43620 - sysvol-cleanup.py deletes grouppolicy folder for GPOs with an uppercase "CN="
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-0-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Reported: 2017-02-23 11:16 CET by Jens Thorp-Hansen
Modified: 2017-06-15 17:58 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.343
Enterprise Customer affected?: Yes
Ticket number: 2017022321000249
Description Jens Thorp-Hansen univentionstaff 2017-02-23 11:16:15 CET
sysvol-cleanup.py "cleans" grouppolicy folder for GPOs with an uppercase "CN=". Example:

on master (the GPOs are replicated to here):

root@master:~# univention-s4search objectClass=groupPolicyContainer cn | grep -i '^cn:'
CN: {07D23440-some more stuff}
cn: {14DA1D9A-some more stuff}
cn: {17504898-some more stuff}
cn: {2EAAE6A3-some more stuff}
cn: {2F60254E-some more stuff}
cn: {31B2F340-some more stuff}
cn: {33532C2C-some more stuff}
CN: {3BD9B2EB-some more stuff}

on backup (the GPOs were created here):

root@backup:~# univention-s4search objectClass=groupPolicyContainer cn | grep -i '^cn:'
cn: {07D23440-some more stuff}
cn: {14DA1D9A-some more stuff}
cn: {17504898-some more stuff}
cn: {2EAAE6A3-some more stuff}
cn: {2F60254E-some more stuff}
cn: {31B2F340-some more stuff}
cn: {33532C2C-some more stuff}
cn: {3BD9B2EB-some more stuff}

The folders for the uppercase "CN=" GPOs are regularly deleted in the customer environment. It seems to happen at replication, and the sysvol-cleanup.py script only recognizes GPOs with a lowercase "cn=" (and deletes the folders for the uppercase "CN=" ones it does not see).
Comment 1 Arvid Requate univentionstaff 2017-02-23 14:29:41 CET
Yes, from a quick look into /usr/share/univention-samba4/scripts/sysvol-cleanup.py I guess that it takes the output of univention-s4search and filters for lowercase cn=.

We also need to check if samba-tool ntacl sysvolreset/sysvolcheck can deal with this "case".

And it would really be interesting to know why CN is different on both DCs, but, well.
Comment 2 Arvid Requate univentionstaff 2017-04-27 19:41:54 CEST
Advisory: univention-samba4.yaml
Comment 3 Stefan Gohmann univentionstaff 2017-05-03 08:14:12 CEST
YAML: OK

Tests: Fail

-------------------------------------------------------------------------------------------------------------------------------------------------------
root@master421:~# ls -la /var/lib/samba/sysvol/deadlock42.intranet/Policies/
insgesamt 32
drwxrwx---+ 4 Administrator Administrators 4096 Mai  3 08:10 .
drwxrwx---+ 4 Administrator Administrators 4096 Mai  3 08:08 ..
drwxrwx---+ 4 Administrator Domain Admins  4096 Apr  4 14:54 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 Administrator Domain Admins  4096 Apr  4 14:54 {6AC1786C-016F-11D2-945F-00C04FB984F9}
root@master421:~# /usr/share/univention-samba4/scripts/sysvol-cleanup.py --verbose --move /var/lib/samba/sysvol_backup
The following LDAP GPOs were found:
 - {31B2F340-016D-11D2-945F-00C04FB984F9}
 - {6AC1786C-016F-11D2-945F-00C04FB984F9}

The following file system GPOs were found:
 - {6AC1786C-016F-11D2-945F-00C04FB984F9}
 - {31B2F340-016D-11D2-945F-00C04FB984F9}

root@master421:~# apt-get dist-upgrade

[...]

Die folgenden Pakete werden aktualisiert (Upgrade):
  univention-samba4 univention-samba4-sysvol-sync
2 aktualisiert, 0 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen noch 0 B von 125 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 0 B Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n] y
(Lese Datenbank ... 93708 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../univention-samba4_6.0.10-3A~4.2.0.201704252056_amd64.deb ...
Entpacken von univention-samba4 (6.0.10-3A~4.2.0.201704252056) über (6.0.9-10A~4.2.0.201703301128) ...
Vorbereitung zum Entpacken von .../univention-samba4-sysvol-sync_6.0.10-3A~4.2.0.201704252056_all.deb ...
Entpacken von univention-samba4-sysvol-sync (6.0.10-3A~4.2.0.201704252056) über (6.0.9-10A~4.2.0.201703301128) ...
Trigger für univention-config (12.0.1-5A~4.2.0.201703151910) werden verarbeitet ...
dpkg-query: Kein Paket gefunden, das auf ldapacl_66univention-appcenter_app.acl passt
univention-samba4-sysvol-sync (6.0.10-3A~4.2.0.201704252056) wird eingerichtet ...
File: /etc/cron.d/sysvol-cleanup
File: /etc/cron.d/sysvol-sync
Not updating samba4/sysvol/cleanup/cron
univention-samba4 (6.0.10-3A~4.2.0.201704252056) wird eingerichtet ...

[...]

root@master421:~# /usr/share/univention-samba4/scripts/sysvol-cleanup.py --verbose --move /var/lib/samba/sysvol_backup
The following LDAP GPOs were found:
 - {31b2f340-016d-11d2-945f-00c04fb984f9}
 - {6ac1786c-016f-11d2-945f-00c04fb984f9}

The following file system GPOs were found:
 - {6AC1786C-016F-11D2-945F-00C04FB984F9}
 - {31B2F340-016D-11D2-945F-00C04FB984F9}

Move unused GPO {6AC1786C-016F-11D2-945F-00C04FB984F9} to /var/lib/samba/sysvol_backup/{6AC1786C-016F-11D2-945F-00C04FB984F9}_201705030812
Move unused GPO {31B2F340-016D-11D2-945F-00C04FB984F9} to /var/lib/samba/sysvol_backup/{31B2F340-016D-11D2-945F-00C04FB984F9}_201705030812
root@master421:~# ls -la /var/lib/samba/sysvol/deadlock42.intranet/Policies/
insgesamt 16
drwxrwx---+ 2 Administrator Administrators 4096 Mai  3 08:12 .
drwxrwx---+ 4 Administrator Administrators 4096 Mai  3 08:08 ..
root@master421:~# 
-------------------------------------------------------------------------------------------------------------------------------------------------------
Comment 4 Arvid Requate univentionstaff 2017-06-01 19:37:28 CEST
Ok, fixed.
Comment 5 Felix Botner univentionstaff 2017-06-08 16:44:10 CEST
@slave univention-s4search objectClass=groupPolicyContainer cn | grep -i cn:
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
cn: {6AC1786C-016F-11D2-945F-00C04FB984F9}
CN: {7FE24A72-5C6E-43CB-9527-93D5DA966864}

@master univention-s4search objectClass=groupPolicyContainer cn | grep -i cn:
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
cn: {6AC1786C-016F-11D2-945F-00C04FB984F9}
cn: {7FE24A72-5C6E-43CB-9527-93D5DA966864}

before the update

@slave sysvol-cleanup.py --verbose
The following LDAP GPOs were found:
 - {31B2F340-016D-11D2-945F-00C04FB984F9}
 - {6AC1786C-016F-11D2-945F-00C04FB984F9}

The following file system GPOs were found:
 - {31B2F340-016D-11D2-945F-00C04FB984F9}
 - {085209BD-1E7A-4E08-A0BF-C4764CE9DA82}
 - {7FE24A72-5C6E-43CB-9527-93D5DA966864}
 - {6AC1786C-016F-11D2-945F-00C04FB984F9}

Found unused GPO: {7FE24A72-5C6E-43CB-9527-93D5DA966864}

after the update

@slave sysvol-cleanup.py --verbose
The following LDAP GPOs were found:
 - {31B2F340-016D-11D2-945F-00C04FB984F9}
 - {6AC1786C-016F-11D2-945F-00C04FB984F9}
 - {7FE24A72-5C6E-43CB-9527-93D5DA966864}

The following file system GPOs were found:
 - {31B2F340-016D-11D2-945F-00C04FB984F9}
 - {7FE24A72-5C6E-43CB-9527-93D5DA966864}
 - {6AC1786C-016F-11D2-945F-00C04FB984F9}

Found unused GPO: {085209BD-1E7A-4E08-A0BF-C4764CE9DA82}

@master OK

OK - samba-tool ntacl sysvolreset/check
OK - YAML
Comment 6 Janek Walkenhorst univentionstaff 2017-06-15 17:58:03 CEST
<http://errata.software-univention.de/ucs/4.2/42.html>
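
Added example, not the code of sysvol-cleanup.py or of its fix: a Python sketch of the two failure modes seen in this report (a case-sensitive "cn:" filter, and lowercasing only the LDAP side as in the Comment 3 test run) next to a comparison that folds case on both sides and keeps the on-disk spelling. All function names are hypothetical, and the sample input is constructed from the values shown in Comment 5.

```python
import re

# The attribute name is matched case-insensitively: the search output in this
# report contains both "cn:" and "CN:" for the same kind of object.
CN_LINE = re.compile(r"^cn:[ \t]*(\{[^}]+\})[ \t]*$", re.IGNORECASE | re.MULTILINE)


def ldap_gpo_names(ldif_text):
    """Return GPO names from search output, whatever the case of 'cn'."""
    return CN_LINE.findall(ldif_text)


def case_sensitive_gpo_names(ldif_text):
    """Reconstruction of the suspected bug: only lowercase 'cn: ' lines are seen."""
    return [line[4:].strip() for line in ldif_text.splitlines()
            if line.startswith("cn: ")]


def one_sided_unused(ldap_names, fs_names):
    """Failure mode from Comment 3: LDAP names lowercased, directories not."""
    known = {name.lower() for name in ldap_names}
    return sorted(d for d in fs_names if d not in known)


def unused_gpo_dirs(ldap_names, fs_names):
    """Fold case on both sides; report directories in their on-disk spelling."""
    known = {name.casefold() for name in ldap_names}
    return sorted(d for d in fs_names if d.casefold() not in known)


# Constructed sample input, modelled on the listings in Comment 5.
SAMPLE_LDIF = """\
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
cn: {6AC1786C-016F-11D2-945F-00C04FB984F9}
CN: {7FE24A72-5C6E-43CB-9527-93D5DA966864}
"""
SAMPLE_DIRS = [
    "{31B2F340-016D-11D2-945F-00C04FB984F9}",
    "{085209BD-1E7A-4E08-A0BF-C4764CE9DA82}",
    "{7FE24A72-5C6E-43CB-9527-93D5DA966864}",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
]

if __name__ == "__main__":
    names = ldap_gpo_names(SAMPLE_LDIF)
    print("case-sensitive parse:",
          unused_gpo_dirs(case_sensitive_gpo_names(SAMPLE_LDIF), SAMPLE_DIRS))
    print("one-sided lowercase: ", one_sided_unused(names, SAMPLE_DIRS))
    print("both sides folded:   ", unused_gpo_dirs(names, SAMPLE_DIRS))
```

Only the third variant leaves the live GPO directories alone and flags just the directory that has no LDAP object.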