Univention Bugzilla – Bug 45210
Broken Group policy with new 4.2 Slave
Last modified: 2017-09-24 21:09:19 CEST
A customer reported that all additional Group policies are no longer linked to the Samba AD base when he installs a new School-Slave with 4.2 in his environment.
He found out that the UCR variable
connector/s4/mapping/dc/syncmode is no longer set to write by default; instead it is unset and sync seems to be used.
> connector/s4/mapping/dc/syncmode is no longer set to write by default
On the new School-Slave or on other Systems?
This is what univention-s4-connector/debian/univention-s4-connector.postinst does:

    # deactivate sambaDomain sync to ucs for slaves in ucs@school
    if [ "$server_role" = "domaincontroller_slave" ]; then
        if is_ucr_true 'connector/s4/allow/secondary'; then # Slave PDC
            ucr set connector/s4/mapping/dc/syncmode?'write'
        fi
    fi

So the order of package installation might matter here.
Yes I think you are right with the installation order
The customer uses CD installation but he did not select software in the installation assistant, but before he joins the system he installs the software manually from the repository server.
univention-install -y \
Ok, I think we need to put these kinds of UCR defaults into the joinscript. The definition of join is that everything works once it's finished.
univention-s4-connector r82714 errata4.2-2
moved the "connector/s4/mapping/dc/syncmode" into the join script (and in postinst for this update)
Additionally I have added a test in the s4 con join script to abort if $samba4_ldap_base is empty. This is the default for connector/s4/ldap/base and without a proper connector/s4/ldap/base the connector cannot work.
How can $samba4_ldap_base be empty:
* UCS master + ucs@school
* UCS slave unjoined, installed univention-s4-connector
* Joined the slave in order to install the school app
  - 97univention-s4-connector.inst aborts with
    "No S4 Connector installed yet on DC Master or DC Backup"
    (no school at this point)
    does not set samba4/ldap/base
  - but 97univention-s4-connector.inst goes on and uses the still empty
    samba4/ldap/base for connector/s4/ldap/base
    this join script also aborts later, nevertheless connector/s4/ldap/base
    is set now to an empty string and the connector config broken
Ok, works and advisory looks good.
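
The failure mode and the guard described in the fix comment above, as an added example that is not Univention's join script code. It assumes a flat KEY=VALUE file as a stand-in for the UCR store and a "set only if not present" default in which an empty value counts as present; all function names and the sample base DN are hypothetical.

```shell
#!/bin/sh
# Added illustration. A flat KEY=VALUE file stands in for the UCR store so
# this runs without a UCS system; all function names are hypothetical.
STORE="${STORE:-$(mktemp)}"

# Print a key's value; return 1 when the key is not present at all.
store_get() {
    grep -q "^$1=" "$STORE" 2>/dev/null || return 1
    sed -n "s|^$1=||p" "$STORE" | tail -n 1
}

# Default semantics (assumed): write only when the key is not present yet.
store_set_default() {
    store_get "$1" >/dev/null && return 0
    printf '%s=%s\n' "$1" "$2" >> "$STORE"
}

# Unguarded: copies samba4/ldap/base even when it is still empty.
join_step_unguarded() {
    base=$(store_get samba4/ldap/base) || base=""
    store_set_default connector/s4/ldap/base "$base"
}

# Guarded: abort before anything is written when the source is empty.
join_step_guarded() {
    base=$(store_get samba4/ldap/base) || base=""
    if [ -z "$base" ]; then
        echo "samba4/ldap/base is empty, aborting join step" >&2
        return 1
    fi
    store_set_default connector/s4/ldap/base "$base"
}

# Constructed scenario: the base only becomes known after the first join.
demo() (
    STORE=$(mktemp)
    "$1" 2>/dev/null || echo "$1: first run aborted"
    echo 'samba4/ldap/base=DC=example,DC=test' >> "$STORE"
    "$1" 2>/dev/null || true
    echo "$1: connector/s4/ldap/base='$(store_get connector/s4/ldap/base)'"
    rm -f "$STORE"
)

demo join_step_unguarded
demo join_step_guarded
```

In this stand-in, the unguarded step leaves connector/s4/ldap/base present but empty, so a later run with a valid base does not replace it, while the guarded step writes nothing until the base is known.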