Univention Bugzilla – Bug 44278
w2k3 de - not all GPO links have been taken over
Last modified: 2019-09-04 15:48:08 CEST
UCS 4.2, AD takeover of a German w2k3 domain.

# w2k3 GPO links
gPLink: [LDAP://cn={DD5FC622-A1A2-4263-80FA-42D9C32EFC84},cn=policies,cn=system,DC=w2k3,DC=test;0][LDAP://cn={5CF6DFCA-E740-439A-80B6-B671719BA89F},cn=policies,cn=system,DC=w2k3,DC=test;0][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=w2k3,DC=test;0]

# UCS GPO links
gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=w2k3,DC=test;0]

# but the GPOs exist in UCS
-> ldbsearch -H /var/lib/samba/private/sam.ldb cn='{DD5FC622-A1A2-4263-80FA-42D9C32EFC84}' dn
dn: CN={DD5FC622-A1A2-4263-80FA-42D9C32EFC84},CN=Policies,CN=System,DC=w2k3,DC=test

-> ldbsearch -H /var/lib/samba/private/sam.ldb cn='{5CF6DFCA-E740-439A-80B6-B671719BA89F}' dn
dn: CN={5CF6DFCA-E740-439A-80B6-B671719BA89F},CN=Policies,CN=System,DC=w2k3,DC=test
Created attachment 8752 [details] ad-takeover.log
We should test again with W2K3 R2.
We just saw this again in the UCS 4.4 AD-Takeover Jenkins tests: http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-0/view/Product%20Tests/job/product-test-samba-ad-takeover-all-tests/
When I look into the connector-s4.log I guess that's the first thing that the S4-Connector does:

04.07.2019 15:56:30.031 MAIN (------ ): DEBUG_INIT
04.07.2019 15:56:30.833 LDAP (PROCESS): Building internal group membership cache
04.07.2019 15:56:30.993 LDAP (PROCESS): Internal group membership cache was created
04.07.2019 15:56:31.726 LDAP (PROCESS): sync from ucs: [ container_dc] [ add] DC=adtakeover,DC=local

and I guess that's overwriting the gPLink attribute. No clue how the test can have worked.
Ok, the takeover code runs "/usr/share/univention-s4-connector/msgpo.py --write2ucs" in the start_s4_connector method before actually starting the connector. That script should sync the gPLink attributes from Samba/AD to OpenLDAP.
Created attachment 10108 connector-s4.log.gPLink.FAIL.txt

Broken gPLink after takeover:

$ univention-s4search dc=adtakeover gPLink
dn: DC=adtakeover,DC=local
gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=adtakeover,DC=local;0]

should be (and was after the join into AD):

$ univention-s4search dc=adtakeover
dn: DC=adtakeover,DC=local
gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=adtakeover,DC=local;0][LDAP://cn={D1960C4B-C8B2-44B4-87CF-8D272157DD23},cn=policies,cn=system,DC=adtakeover,DC=local;2][LDAP://cn={94CC7522-4978-42A3-A1B4-F04FD9F93445},cn=policies,cn=system,DC=adtakeover,DC=local;2]
Created attachment 10109 connector-s4.log.gPLink.OK.txt

Correct gPLink after takeover:

$ univention-s4search dc=w2k12 gPLink
dn: DC=w2k12,DC=test
gPLink: [LDAP://cn={F0F4F747-F986-4A32-8B06-13C9C9362B49},cn=policies,cn=system,DC=w2k12,DC=test;0][LDAP://cn={3B7240ED-D485-44A7-A99A-B946AF045D4C},cn=policies,cn=system,DC=w2k12,DC=test;0][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=w2k12,DC=test;0]
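The gPLink values quoted in the description and in the FAIL/OK attachments are LDIF output, which folds long attribute values onto continuation lines that start with a single space (that is why "CN=Syste" and "m,DC=..." appear split). The following Python is an added example, not code from the bug or from the UCS project, showing how to unfold such output, parse the gPLink format (an ordered sequence of "[LDAP://<GPO DN>;<options>]" entries, where options bit 0 marks a disabled link and bit 1 an enforced one) and diff the AD side against the UCS side to list which links were lost in a takeover. The sample LDIF is reconstructed from the attachment comment above; the function and class names are my own.

```python
import re
from typing import List, NamedTuple

# Matches one link of a gPLink value: "[LDAP://<dn>;<options>]".
GPLINK_RE = re.compile(r"\[LDAP://(?P<dn>[^;\]]+);(?P<options>\d+)\]", re.IGNORECASE)


class GpLink(NamedTuple):
    dn: str        # DN of the GPO container, lower-cased so AD and Samba spellings compare equal
    options: int   # bit 0: link disabled, bit 1: enforced (0 = enabled, 2 = enforced)


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a line beginning with one space continues the previous line."""
    lines: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_gplink(value: str) -> List[GpLink]:
    """Parse a gPLink attribute value into its ordered list of links."""
    return [GpLink(m.group("dn").lower(), int(m.group("options")))
            for m in GPLINK_RE.finditer(value)]


def gplink_from_ldif(text: str) -> List[GpLink]:
    """Extract the gPLink links from an LDIF fragment as printed by ldbsearch or univention-s4search."""
    for line in unfold_ldif(text):
        if line.lower().startswith("gplink:"):
            return parse_gplink(line.split(":", 1)[1].strip())
    return []


def missing_links(expected: List[GpLink], actual: List[GpLink]) -> List[GpLink]:
    """Links present in 'expected' (the AD side) but absent from 'actual' (UCS after the takeover)."""
    present = {link.dn for link in actual}
    return [link for link in expected if link.dn not in present]


# Constructed sample (taken from the attachment comment): the domain head's gPLink as it
# should look after the join into AD, three links, two of them enforced (options=2) ...
GOOD_LDIF = """dn: DC=adtakeover,DC=local
gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=Syste
 m,DC=adtakeover,DC=local;0][LDAP://cn={D1960C4B-C8B2-44B4-87CF-8D272157DD23},
 cn=policies,cn=system,DC=adtakeover,DC=local;2][LDAP://cn={94CC7522-4978-42A3
 -A1B4-F04FD9F93445},cn=policies,cn=system,DC=adtakeover,DC=local;2]
"""

# ... and as it looked after the connector overwrote it: only the Default Domain Policy link is left.
BROKEN_LDIF = """dn: DC=adtakeover,DC=local
gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=Syste
 m,DC=adtakeover,DC=local;0]
"""


def check_takeover(good_ldif: str = GOOD_LDIF, broken_ldif: str = BROKEN_LDIF) -> List[GpLink]:
    """Return the links lost in the takeover; an empty list means every GPO link was taken over."""
    return missing_links(gplink_from_ldif(good_ldif), gplink_from_ldif(broken_ldif))


if __name__ == "__main__":
    for link in check_takeover():
        print("missing GPO link: %s (options=%d)" % (link.dn, link.options))
```

In practice the two inputs would be the output of ldbsearch against the AD DC before the takeover and of univention-s4search on the UCS DC afterwards; comparing DNs case-insensitively matters because, as the quoted output shows, Windows writes "cn=policies,cn=system" while Samba writes "CN=Policies,CN=System" for the same objects.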
I think this bug is a duplicate of Bug 46443 which I couldn't reproduce after the release of 4.3.
See Comment 3, please try to reproduce by running those tests.
Created attachment 10153 Patch setting syncmode to read when starting the S4 connector

I was able to reproduce this bug with the automated product test of AD Takeover. What I observed is that the S4 connector will overwrite the default GPO links taken over from the AD. This will remove all GPO links linked to the Default GPO in the UCS server, which is the cause why the GPO checks fail in the test after the AD Takeover. I started another run locally with the attached patch and the checks are executed successfully. The patch switches the syncmode of the S4 connector to read-only when the AD Takeover is starting the s4 connector module and switches it back when the module is loaded. I will test the patch in Jenkins and if it fixes the problem, I will patch the AD Takeover module.
Ok, but see Comment 5, we explicitly call /usr/share/univention-s4-connector/msgpo.py --write2ucs, why doesn't that work? Also, as discussed, if you change the takeover code to initialize the connector in "read" mode and then later switch to "sync" mode, then I guess the S4-Connector doesn't automatically look at all objects in OpenLDAP and sync them to Samba/AD. So you may have to re-initialize the S4-Connector after switching to "sync" mode or at least reset the lastUSN value in the S4-Connector (sqlite3 /etc/univention/connector/s4internal.sqlite "select value from s4 where key='lastUSN'").
The loss/overwriting of GPO links is caused by the listener that cannot keep up with the notifier. Specifically "well-known-sid-name-mapping.py" (see Bug 50022) takes too much time. While the AD-Takeover will wait for 10 minutes until the listener id catches up to the notifier id, it will continue after 10 minutes even if the listener id is not the same as the notifier id. Increasing the timeout after syncing the GPO links will solve this. I will test this fix with ad-takeover-all-test in Jenkins.
ad-takeover-all-tests in Jenkins now runs without error: http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-1/view/Product%20Tests/job/product-test-samba-ad-takeover-all-tests/

commits:
dda29ec9 Increasing threshold for timeout while waiting for listener
611cb782 Version Bump
748184c0 YAML
yep, test works now, patch looks good, modified the yaml slightly
Looks Ok.
<http://errata.software-univention.de/ucs/4.4/250.html>