Bug 49293 - sysvolcheck ProvisioningError after modifying / creating GPOs in UCS@school 4.3
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-1-errata
Assigned To: Arvid Requate
QA Contact: Erik Damrose
URL: https://hutten.knut.univention.de/med...
Keywords:
Depends on: 46643
Blocks: 50085
Reported: 2019-04-15 14:32 CEST by Arvid Requate
Modified: 2019-09-03 14:47 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2019032721000316, 2019070221000301
Bug group (optional):
Max CVSS v3 score:


Attachments
1.diff (9.71 KB, patch), 2019-04-15 14:35 CEST, Arvid Requate
log-samba-level10-ABAEADCF-E88C-4C9D-B449-B196350A4E0C.txt (7.54 KB, text/plain), 2019-07-04 13:07 CEST, Arvid Requate
bug49293.patch (1.07 KB, patch), 2019-07-31 18:10 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2019-04-15 14:32:29 CEST
Ticket #2019032721000316 reported that samba-tool ntacl sysvolcheck finds errors. I tested with the improved checks from Bug #46643 and found yet another type of difference between the NTACL in the filesystem (FSACL) and the NTACL configured in the Samba/AD directory service (DSACL):

root@master:~# samba-tool ntacl sysvolcheck --mask-msad-differences
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{2109D849-36E1-5DDC-8505-CFAD2F230E4}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{B9B3B5DA-63E7-63BE-A8C6-12506B2AE1BC}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;LA)(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{2109D849-36E1-5DDC-8505-CFAD2F230E4}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{B9B3B5DA-63E7-63BE-A8C6-12506B2AE1BC}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;LA)(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)

There are actually two new things here: SEC_DESC_DACL_AUTO_INHERIT_REQ on a file and LA before DA in the FSACL (rather than DA before LA in the DSACL).

The system was UCS 4.3-3 and I just copied the check_dir_acl function from 4.4 into the provision/__init__.py file to test it there.
Comment 1 Arvid Requate univentionstaff 2019-04-15 14:35:04 CEST
Created attachment 9972 [details]
1.diff

A rough idea to fix the SEC_DESC_DACL_AUTO_INHERIT_REQ difference. Pretty ugly, because the ACLs written by GPMC (via smbd) seem to differ per file type.

The LA/DA issue is not well understood yet (never was).
Comment 2 Arvid Requate univentionstaff 2019-04-23 17:35:07 CEST
> because the ACLs written by GPMC (via smbd) seem to differ per file type

To be precise: The patch introduces a special handling for "Registry.pol" and all other files (they have no "AR" DACL flag in the Filesystem).
In contrast, the "GPT.INI", "GptTmpl.inf" and "comment.cmtx" are handled as before (behavior as in Bug 46643 Comment 8).
Comment 4 Christina Scheinig univentionstaff 2019-07-04 12:15:52 CEST
The customer reported that when creating or modifying a GPO, the GPO is not reliably applied.
He gets ProvisioningError messages with samba-tool ntacl sysvolcheck.

This is fixable with samba-tool ntacl sysvolreset, BUT this takes nearly an hour now.
Comment 5 Arvid Requate univentionstaff 2019-07-04 13:07:56 CEST
Created attachment 10103 [details]
log-samba-level10-ABAEADCF-E88C-4C9D-B449-B196350A4E0C.txt

I can reproduce this issue simply by starting GPMC from a Windows 7 Client as Domain Administrator, creating a new empty GPO and then adding a user to the security filter. The attached file shows parts of the samba/debug/level=10 logs. From that it looks like the client writes SEC_DESC_DACL_AUTO_INHERIT_REQ = 1 to Samba/AD LDAP, but SEC_DESC_DACL_AUTO_INHERIT_REQ = 0 into the sysvol share.

My next idea would be to join the Windows Client against a native MS AD DC and check the same thing there, i.e. the final GPO ACL in the sysvol vs AD LDAP.
Comment 6 Arvid Requate univentionstaff 2019-07-31 18:06:08 CEST
In my test with a Windows 7 Client joined to Windows 2008R2 AD DC I see that new GPOs are created with DACL flags "PAI" in LDAP and in the sysvol. In Samba constants that's (SEC_DESC_DACL_PROTECTED | SEC_DESC_DACL_AUTO_INHERITED).

Two things seem to be different in Samba:

* A new GPO doesn't have the "AI" (SEC_DESC_DACL_AUTO_INHERITED) flag in LDAP, only in the sysvol share. So you only have "P" in LDAP but "PAI" in the sysvol.

* After adjusting the security filtering of the GPO (add a group, remove the default "Authenticated Users"), the GPO has the "AR" flag in LDAP (SEC_DESC_DACL_AUTO_INHERIT_REQ). So you have "PAR" in LDAP but "PAI" in sysvol.

This difference doesn't seem to have any effect on the Windows (7) client though, GPO evaluation and security filtering worked nonetheless.

So my current recommendation is:

1. Continue debugging the customer specific issues in support

2. Adjust one additional line in the sysvolcheck python code. I'll attach a patch.
Comment 7 Arvid Requate univentionstaff 2019-07-31 18:10:25 CEST
Created attachment 10145 [details]
bug49293.patch

Patch for 97_Bug-46643-add-sysvolcheck-option-mask-msad-differences.quilt in ~/svn/patches/samba/4.4-0-0-ucs/

This adjusts the behavior of the sysvolcheck --mask-msad-differences switch, so this difference between P/PAI/PAR is masked during the normal check of the diagnostic module. The standard sysvolcheck without that option would still complain and that's good for further analysis.
Comment 8 Arvid Requate univentionstaff 2019-08-05 21:10:12 CEST
r18634     | Patch in samba/4.4-0-0-ucs/2:4.10.1-1-errata4.4-1
33f062988e | samba.yaml


QA:

1. Join a windows client to a UCS 4.4-1 Samba/AD DC Master
   (You may use VM arequate_Win7SP1.229, which has the GPMC feature installed)

2. Log in as Domain Administrator and start the Group Policy Management Console 
   to create a GPO (doesn't need to have any content)

3. Login to your UCS Samba/AD DC Master and run
   samba-tool ntacl sysvolcheck --mask-msad-differences
   No error output should appear.

   Note: If you run
     univention-s4search displayName=YourGPOName nTSecurityDescriptor
   then you can see "nTSecurityDescriptor: O:DAG:DAD:P(..."

4. In the Group Policy Management Console click on the GPO and adjust the
   "security filtering" by adding e.g. "Domain Users" and removing
   "Authenticated Users".

5. Login to your UCS Samba/AD DC Master and run
   samba-tool ntacl sysvolcheck --mask-msad-differences
   If you have updated the packages to the versions in errata4.4-1, then
   no error output should appear.

   Note: If you run
     univention-s4search displayName=YourGPOName nTSecurityDescriptor
   then you can see "nTSecurityDescriptor: O:DAG:DAD:PAR(..."


FYI: The nTSecurityDescriptor in Samba/AD LDAP differs in this point from the
NTACLs in the filesystem, which can be checked by running e.g. something like this:

samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/ar41i1.qa/Policies/\{7D5A2A26-2D2F-47A4-BD9C-47B3075D8598\}/

O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)

The "AI" flag says that the "Auto Inheritance" feature is supported (since Windows 2000). It's an informative flag. As recommended in Bug 43120#c3 we now don't alert the users if the P/PAI/PAR flags differ. The --mask-msad-differences option was introduced by us to allow masking these non-critical issues. This option is only used in the UMC system diagnostic. If you don't use the special option, then you can see all the differences. See Comment 6 for further details.
Comment 9 Erik Damrose univentionstaff 2019-08-26 18:57:28 CEST
OK: Following the description from comment #8 does indeed fix the GPO that was created before updating samba. With the flag --mask-msad-differences no issues are shown, while omitting the flag does present errors.

FAIL: I cannot reproduce this once the samba packages are updated. I created another GPO, edited it, and samba-tool ntacl sysvolcheck --mask-msad-differences shows errors:
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{090E72CC-72E0-42DC-9D18-4C3FEE6B6E7E} does not match value expected from GPO object
FSACL: O:DAG:DAD:PARAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{090E72CC-72E0-42DC-9D18-4C3FEE6B6E7E} does not match value expected from GPO object
FSACL: O:DAG:DAD:PARAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)

# samba-tool ntacl sysvolcheck
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{EB931722-215B-4BC9-8C3A-1B6F432465FA} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) does not match value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) expected from GPO object
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{EB931722-215B-4BC9-8C3A-1B6F432465FA} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) does not match value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) expected from GPO object


It seems that the samba package update fixed something else, too
Comment 10 Arvid Requate univentionstaff 2019-08-27 17:28:16 CEST
Together, we could not reproduce the issue reported in Comment 9 in my test env.
Comment 11 Erik Damrose univentionstaff 2019-08-27 18:16:56 CEST
I did not fully log all my attempts to reproduce the issue, sorry for the noise. The issue I could produce occurs when executing a sysvolreset with the updated samba package,

samba-tool ntacl sysvolcheck will show no errors, but sysvolcheck --mask-msad-differences shows the errors from comment#9
As discussed -> Reopen
Comment 12 Arvid Requate univentionstaff 2019-08-28 14:08:43 CEST
r18645     | Patch update
r18646     | Patch update
9a6c460e08 | Advisory update
Comment 13 Erik Damrose univentionstaff 2019-08-28 18:21:55 CEST
As discussed, now we see a different error:

samba-tool ntacl sysvolcheck --mask-msad-differences
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{46781564-58F7-4770-9A55-3726DC2F0E3A}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{46781564-58F7-4770-9A55-3726DC2F0E3A}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
Comment 14 Arvid Requate univentionstaff 2019-08-28 18:39:46 CEST
Yes, you are right, I fixed it in

r18650     | Update patch
d401fad234 | Advisory version

The package is building, I'll close the bug once it's done and tested.
Comment 15 Erik Damrose univentionstaff 2019-08-29 09:43:13 CEST
obviously fixed as mentioned by last comment -> resolved
Comment 16 Erik Damrose univentionstaff 2019-08-29 09:57:53 CEST
Sorry for the last comment, I was too eager to finally mark this verified. I can still reproduce an issue when changing the security filter:

tested: samba 2:4.10.1-1A~4.4.0.201908281834

create new GPO, modify security filter by deleting current and adding new group.
sysvolcheck + sysvolcheck --mask-msad-differences is fine.
Now do a sysvolreset + change the security filter again: error from sysvolcheck --mask-msad-differences:

ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;DU)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;DU)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
Comment 17 Arvid Requate univentionstaff 2019-08-29 10:18:04 CEST
r18650     | Update patch
d401fad234 | Update Advisory version
Comment 18 Erik Damrose univentionstaff 2019-08-29 12:59:55 CEST
root@ucsmaster:~# samba-tool ntacl sysvolcheck --mask-msad-differences
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;DU)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;DU)
root@ucsmaster:~# samba-tool ntacl sysvolcheck 
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232} O:DAG:DAD:PAI(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)(A;OICI;0x001200a9;;;DU) does not match value O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)(A;OICI;0x001200a9;;;DU) expected from GPO object
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232} O:DAG:DAD:PAI(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)(A;OICI;0x001200a9;;;DU) does not match value O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)(A;OICI;0x001200a9;;;DU) expected from GPO object
Comment 19 Arvid Requate univentionstaff 2019-08-29 14:17:19 CEST
Thanks, real good catch reported in Comment 16 and Comment 18!

That's actually not a shortcoming of sysvolcheck but a real issue and I created Bug #50085 for that.

Let's get this improvement shipped and then we need to go for the real issue, which might be a bug in Samba.
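
A triage sketch for the FSACL/DSACL pairs that sysvolcheck prints in this report, added here as an example and not part of the report, the Univention patch or Samba's sysvolcheck code: it separates a difference in the DACL flags only (the P/PAI/PAR class described in Comment 6) from a difference in the ACEs themselves (as in Comment 16). The function names, the verdict labels and the simplified SDDL grammar are assumptions.

```python
import re
from collections import Counter

# Assumption: simplified SDDL grammar covering only the strings in this report
# (owner, group, DACL flags, ACE list; no SACL, no conditional ACEs).
SDDL = re.compile(r"^O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^()]*\))*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flag set and ACE list."""
    m = SDDL.match(sddl.strip())
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, flags, aces = m.groups()
    tokens = re.findall(r"AR|AI|P", flags)  # the DACL flags seen in this report
    if "".join(tokens) != flags:
        raise ValueError("unknown DACL flags: %r" % flags)
    return owner, group, frozenset(tokens), re.findall(r"\(([^()]*)\)", aces)

def compare_acls(fsacl, dsacl):
    """Classify one FSACL/DSACL pair from sysvolcheck output.

    Returns a dict with 'flags' (FS-only and DS-only flag lists), 'only_fs'
    and 'only_ds' (ACEs present on one side only), 'reordered' (same ACEs in
    a different order) and 'verdict'.
    """
    fo, fg, fflags, faces = parse_sddl(fsacl)
    do, dg, dflags, daces = parse_sddl(dsacl)
    only_fs = sorted((Counter(faces) - Counter(daces)).elements())
    only_ds = sorted((Counter(daces) - Counter(faces)).elements())
    reordered = not only_fs and not only_ds and faces != daces
    if (fo, fg) != (do, dg) or only_fs or only_ds:
        verdict = "content"      # owner/group or ACE set differs
    elif reordered:
        verdict = "order"
    elif fflags != dflags:
        verdict = "flags-only"   # P/PAI/PAR or AI/ARAI class from Comment 6
    else:
        verdict = "equal"
    return {"flags": (sorted(fflags - dflags), sorted(dflags - fflags)),
            "only_fs": only_fs, "only_ds": only_ds,
            "reordered": reordered, "verdict": verdict}

# FSACL/DSACL pairs copied from Comment 13 and Comment 16 of this report.
C13_FS = "O:DAG:DAD:AI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)"
C13_DS = "O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)"
C16_FS = "O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;DU)"
C16_DS = "O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)"

if __name__ == "__main__":
    for name, fs, ds in (("Comment 13", C13_FS, C13_DS), ("Comment 16", C16_FS, C16_DS)):
        print(name, compare_acls(fs, ds))
```
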
Comment 20 Erik Damrose univentionstaff 2019-09-02 17:49:42 CEST
OK: Bug #50085
OK: current behavior within bug scope
OK: yaml
Verified
Comment 21 Arvid Requate univentionstaff 2019-09-03 14:47:06 CEST
<http://errata.software-univention.de/ucs/4.4/246.html>