Bug 45210 - Broken Group policy with new 4.2 Slave
Broken Group policy with new 4.2 Slave
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Felix Botner
Arvid Requate
Depends on:
Blocks: 45329
  Show dependency treegraph
Reported: 2017-08-15 17:10 CEST by Christina Scheinig
Modified: 2017-09-24 21:09 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2017081521000495
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Christina Scheinig univentionstaff 2017-08-15 17:10:42 CEST
A customer reported, that all additional Group policies are no longer linked to the samba-Ad base, when he installs a new School-Slave with 4.2 in his environment.
He found out, that the ucr variable 
connector/s4/mapping/dc/syncmode is now longer set to write per default, instead it is unset and sync seems to be used.
Comment 1 Arvid Requate univentionstaff 2017-08-15 19:28:47 CEST
> connector/s4/mapping/dc/syncmode is now longer set to write per default

On the new School-Slave or on other Systems?
Comment 2 Arvid Requate univentionstaff 2017-08-15 20:28:47 CEST
This is what univention-s4-connector/debian/univention-s4-connector.postinst does:

# deactivate sambaDomain sync to ucs for slaves in ucs@school
if [ "$server_role" = "domaincontroller_slave" ]; then
        if is_ucr_true 'connector/s4/allow/secondary'; then # Slave PDC
                ucr set connector/s4/mapping/dc/syncmode?'write'

So the order of package installation might matter here.
Comment 3 Christina Scheinig univentionstaff 2017-08-16 11:42:01 CEST
Yes I think you are right with the installation order
The customer uses CD installation but he did not select software in the installation assistant, but before he joins the system he installs the software manually from the repository server.
univention-install -y \
italc-windows- \
univention-samba4 \
univention-dhcp \
univention-printserver \
univention-virtual-machine-manager-daemon \
univention-virtual-machine-manager-node-kvm \
univention-tftp \
univention-printer-assignment \
univention-netlogon-logon \
univention-nagios-raid \
univention-nagios-smart \
ucs-school-slave \
ucs-school-umc-installer \
Comment 4 Arvid Requate univentionstaff 2017-08-21 14:09:46 CEST
Ok, I think we need to put these kinds of UCR defaults into the joinscript. The definition of join is that everything works once it's finished.
Comment 5 Felix Botner univentionstaff 2017-09-06 12:10:30 CEST
univention-s4-connector r82714 errata4.2-2

moved the "connector/s4/mapping/dc/syncmode" into the join script (and in postinst for this update)
Comment 6 Felix Botner univentionstaff 2017-09-06 14:39:01 CEST
Additionally i have added a test in the s4 con join script to abort if $samba4_ldap_base is empty. This is the default for connector/s4/ldap/base and without a proper connector/s4/ldap/base the connector can not work.

How can $samba4_ldap_base be empty:

* UCS master + ucs@school
* UCS slave unjoined, installed univention-s4-connector
* Joined the slave in order to install the school app
  - 97univention-s4-connector.inst aborts with 
    "No S4 Connector installed yet on DC Master or DC Backup" 
    (no school at this point)
    does not set samba4/ldap/base
  - but 97univention-s4-connector.inst goes on and uses the still empty
    samba4/ldap/base for connector/s4/ldap/base
    this join scripts also aborts later, nevertheless connector/s4/ldap/base
    is set now to an empyt string and the connector config broken
Comment 7 Arvid Requate univentionstaff 2017-09-07 17:43:03 CEST
Ok, works and advisory looks good.
Comment 8 Erik Damrose univentionstaff 2017-09-20 15:04:06 CEST