Bug 47583 - Improve UMC system diagnostic sysvol check
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.3-2-errata
Assigned To: Julia Bremer
QA Contact: Arvid Requate
Depends on: 44876
 
Reported: 2018-08-13 16:43 CEST by Arvid Requate
Modified: 2018-12-05 14:39 CET

What kind of report is it?: Feature Request
Ticket number: 2018081621000464

Attachments
Patch for samba-tool (1.38 KB, patch)
2018-08-16 16:59 CEST, Julia Bremer
qa.patch (858 bytes, patch)
2018-11-12 19:50 CET, Arvid Requate

Description Arvid Requate univentionstaff 2018-08-13 16:43:58 CEST
The "system diagnostic" UMC module currently has a plugin that checks sysvol ACLs, but it's not fault tolerant. E.g. when a GPO directory is missing, the error message of the module looks like this:

===============================================================================
`samba-tool ntacl sysvolcheck` returned a problem with the sysvol ACLs.

STDOUT:
get_nt_acl_conn: get_nt_acl returned NT_STATUS_OBJECT_NAME_NOT_FOUND.
(2, 'No such file or directory')
(-1073741772, 'The object name is not found.')

You can run `samba-tool ntacl sysvolreset` to fix the issue.
===============================================================================

I was able to trigger this by running this command on the UCS Samba/DC:

mv /var/lib/samba/sysvol/ar41i1.qa/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\} /var/lib/samba



When a GPO is referenced in Samba/AD but the corresponding directory is missing in the sysvol directory then this can mean three things:

a) the GPO has just been created and is not yet replicated but it's only a temporary effect

b) the sysvol share file replication to the local system doesn't work

c) somebody manually (re-)created objects in Samba/AD LDAP


We should improve the error message. Maybe we should even improve samba-tool to continue with its checks, even when some directory is missing. We did a similar thing to make "samba-tool ntacl sysvolreset" more robust (see Bug #38217).



+++ This bug was initially created as a clone of Bug #44876 +++

Adds a new diagnostic check `samba_tool_sysvolcheck.py` which runs `samba-tool ntacl sysvolcheck`.
Comment 1 Julia Bremer univentionstaff 2018-08-16 16:59:40 CEST
Created attachment 9629
Patch for samba-tool

This patch improves samba-tool ntacl sysvolcheck to detect missing files and directories and issue a proper error message.

This is the first part of a solution to this bug.
Comment 2 Julia Bremer univentionstaff 2018-10-09 11:44:10 CEST
Version: 4.0.1-4A~4.3.0.201810091102
Branch: ucs_4.3-0
Scope: errata4.3-2

5b8bbc5de2 Bug #47583: bump version
32fc581daf Bug #47583: Improved system diagnostik sysvol check error message

Fixed this issue by filtering out the unhelpful samba error message.
Comment 3 Arvid Requate univentionstaff 2018-11-12 19:50:48 CET
Created attachment 9737
qa.patch

Now all the output of sysvolcheck gets filtered out. I guess it's a typo, see attached diff.

Also, we need to rebuild samba in errata4.3-2 with the patch of Comment 1. These patches need to be checked into the subversion repository under a path that can be found out by running repo_get_version.py (e.g. dimma):
======================================================================
user@dimma:~$ repo_get_version.py -r 4.3 -s errata4.3-2 -p samba
Package: samba
Source rev tag : 125598
Current version: 2:4.7.8-1
Patch path: ~/svn/patches/samba/4.3-0-0-ucs/2:4.7.8-1-errata4.3-2/
Patch prefix: samba-4.7.8
======================================================================

Finally we need an advisory entry for this bug in the following two files:
* univention-management-console-module-diagnostic.yaml
* samba.yaml

I've added the entry to the first file now (commit 55c1edfc26).
Comment 4 Julia Bremer univentionstaff 2018-11-21 13:56:49 CET
2c2175e55e Bug #47583: Advisory
3f98dfc066 Bug #47583: Advisory
6250227955 Bug #47583: Merge branch 'jbremer/47583' into 4.3-2
19e26250227955 Bug #47583: Merge branch 'jbremer/47583' into 4.3-2
19e28b3a29 Bug #47583: Fixed typo


Successful build
Package: univention-management-console-module-diagnostic
Version: 4.0.1-9A~4.3.0.201811191134
Branch: ucs_4.3-0
Scope: errata4.3-2
User: jbremer

Successful build
Package: samba
Version: 2:4.7.8-1A~4.3.0.201811201204
Branch: ucs_4.3-0
Scope: errata4.3-2
User: jbremer

I fixed the typo, edited the advisories and rebuilt samba with the new patch.
Comment 5 Arvid Requate univentionstaff 2018-11-21 20:48:14 CET
Ok, it works nicely. I just have one small nitpick about the error message. In my test-VM I get this:

=========================================================================
WARNING: Check Samba sysvol ACLs for errors

STDOUT:
ERROR: File not found /var/lib/samba/sysvol/ar41i1.qa/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
ERROR: File not found /var/lib/samba/sysvol/ar41i1.qa/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}

You can run `samba-tool ntacl sysvolreset` to fix the issue.
=========================================================================

In this situation running "samba-tool ntacl sysvolreset" will not fix the error,
so I would recommend to not show the "You can run" ... message. Maybe that's possible? In any case, I'd like to change the wording from
  "You can run .. to fix the issue"
to
  "You may run ... to attempt to fix the issue"
Comment 6 Julia Bremer univentionstaff 2018-11-22 14:19:45 CET
Successful build
Package: univention-management-console-module-diagnostic
Version: 4.0.1-10A~4.3.0.201811221414
Branch: ucs_4.3-0
Scope: errata4.3-2
User: jbremer

ce14219f26 Bug #47583: Merge branch 'jbremer/bug47583' into 4.3-2
f00bad19a3 Bug #47583: Version bump
31ffd395be Bug #47583: Added translation for 42_samba_tool_ntacl_sysvolcheck
f0b468d64c Bug #47583: Improved error message

I adjusted the "fix"-message to "Running 'samba-tool ntacl sysvolreset' may fix the issue".
In this particular error case, it will not show up any more.
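
The behaviour settled on in Comments 2 to 6 (drop the low-level Samba lines, report the missing paths, and show the sysvolreset hint only when it can help), as an added example that is not the UMC plugin's or samba-tool's own code. The function names, the regular expressions, the "Missing in sysvol" wording and the `returncode` parameter are assumptions; the sample outputs are constructed from the two messages quoted in this bug.

```python
import re

# Constructed sample outputs, modelled on the two messages quoted in this bug.
OLD_OUTPUT = """get_nt_acl_conn: get_nt_acl returned NT_STATUS_OBJECT_NAME_NOT_FOUND.
(2, 'No such file or directory')
(-1073741772, 'The object name is not found.')
"""
NEW_OUTPUT = """ERROR: File not found /var/lib/samba/sysvol/ar41i1.qa/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
ERROR: File not found /var/lib/samba/sysvol/ar41i1.qa/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
"""

MISSING = re.compile(r"^ERROR: File not found (?P<path>/.+)$")
# Low-level lines that name no path (assumed patterns, taken from the old output).
NOISE = re.compile(r"^(get_nt_acl_conn: |\(-?\d+, ')")
RESET_HINT = "Running 'samba-tool ntacl sysvolreset' may fix the issue."


def classify(output):
    """Split sysvolcheck output into missing paths and other problem lines."""
    missing, other = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        match = MISSING.match(line)
        if match:
            missing.append(match.group("path"))
        elif not NOISE.match(line):
            other.append(line)
    return missing, other


def build_report(output, returncode):
    """Return (ok, message); the reset hint is left out when only files are missing."""
    missing, other = classify(output)
    if returncode == 0 and not missing and not other:
        return True, ""
    lines = ["Missing in sysvol: " + path for path in missing] + other
    if not lines:  # everything was filtered: still report the failure
        lines = ["sysvolcheck failed without a usable error message."]
    if other or not missing:
        lines.append(RESET_HINT)
    return False, "\n".join(lines)
```

The fallback branch covers the regression noted in Comment 3, where filtering removed all of the output and left the administrator with nothing to act on.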
Comment 7 Arvid Requate univentionstaff 2018-11-22 17:13:47 CET
Verified:
* Patch for samba-tool now outputs the path of missing directories
* The UMC module presents the issue more clearly
* Advisories ok: samba.yaml univention-management-console-module-diagnostic.yaml
Comment 8 Arvid Requate univentionstaff 2018-11-27 11:57:37 CET
<http://errata.software-univention.de/ucs/4.3/332.html>
Comment 9 Arvid Requate univentionstaff 2018-12-05 14:39:13 CET
<http://errata.software-univention.de/ucs/4.3/352.html>