Comment 1 Felix Botner 2017-09-07 15:27:41 CEST

Added a check for dead links in setup-s4.sh.run_samba_domain_provision()

univention-samba4 6.0.10-28A~4.2.0.201709071450

Comment 2 Arvid Requate 2017-09-12 12:13:01 CEST

Ok, works.

Comment 3 Arvid Requate 2017-09-12 12:29:45 CEST

This also needs to be fixed for normal re-joins:


During re-join of a Backup Samba/AD DC against a Master Samba/AD DC I see in the join.log:
===========================================================================
root@backup11:~# ln -s wrong /var/lib/samba/sysvol/ar41i1.qa/Policies/foo
root@backup11:~# sed -i /^univention-samba4/d /var/univention-join/status
root@backup11:~# univention-run-join-scripts
[...]
root@backup11:~# grep ^ERROR -A10 /var/log/univention/join.log
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1600, in setsysvolacl
    passdb=s4_passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
open: error=2 (No such file or directory)
Not updating samba4/sysvol/sync/cron
===========================================================================

And sysvolcheck shows inconsistencies:
===========================================================================
root@backup11:~# samba-tool ntacl sysvolcheck
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/ar41i1.qa/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/ar41i1.qa/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/ar41i1.qa/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/ar41i1.qa/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO obje
===========================================================================

Comment 4 Felix Botner 2017-09-12 14:37:42 CEST

* moved the test to the join script
* also test if find succeeds
* added note to correct problems on the sysvol sync host too (see Bug #45384)

Comment 5 Arvid Requate 2017-09-12 15:44:09 CEST

Ok.

Comment 6 Arvid Requate 2017-09-13 16:35:08 CEST

<http://errata.software-univention.de/ucs/4.2/164.html>