Bug 51782 - Installing Samba AD DC on a UCS@school Master leads to reject of CN=AppCategories
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.4
Other Linux
: P5 normal (vote)
: UCS 4.4-6-errata
Assigned To: Julia Bremer
Felix Botner
https://git.knut.univention.de/univen...
: 51805 (view as bug list)
Depends on:
Blocks: 52049
Reported: 2020-08-06 14:25 CEST by Erik Damrose
Modified: 2021-01-26 11:44 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020082021000193, 2020082821000295, 2020012821000575, 2021011521000481
Bug group (optional): Regression
Description Erik Damrose univentionstaff 2020-08-06 14:25:24 CEST
At Bug #50626 the configuration of UCR variables was done, to allow synchronisation of several GPO policies in UCS@school environments.

The release of UCS@school 4.4 v6 now causes rejects in our Tests when the latest school release is installed:

[2020-08-06 01:38:09.953442] UCS rejected
[2020-08-06 01:38:09.953517] 
[2020-08-06 01:38:09.953695] 
[2020-08-06 01:38:09.953713] S4 rejected
[2020-08-06 01:38:09.953760] 
[2020-08-06 01:38:09.953933]     1:    S4 DN: CN=AppCategories,CN=Default Domain Policy,CN=System,DC=test,DC=local
[2020-08-06 01:38:09.954099]          UCS DN: <not found>
[2020-08-06 01:38:09.954192] 
[2020-08-06 01:38:09.954233] 	last synced USN: 4020
[2020-08-06 01:38:11.672095] S4CONNECTOR WARNING: Found 1 reject(s)! Please check output of univention-s4connector-list-rejected.

Bug 50641 and bug 50642 were mentioned as 'depends on' Bugs at the original bug, we need to avoid rejects for at least the following container in default installations
CN=Default Domain Policy,CN=System,<ldap_base>
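
Added example, not part of the original report and not Univention code: a small parser for reject listings in the format quoted above, which separates rejects at or below `CN=Default Domain Policy,CN=System,<ldap_base>` (the symptom described here) from all other rejects. The function names, the constant name, the second sample entry and the assumption that every numbered entry starts with an `S4 DN:` or `UCS DN:` line are constructed for illustration.

```python
import re

# Constructed sample in the format quoted above; entry 2 is invented for contrast.
SAMPLE = """\
[2020-08-06 01:38:09.953442] UCS rejected
[2020-08-06 01:38:09.953517]
[2020-08-06 01:38:09.953713] S4 rejected
[2020-08-06 01:38:09.953933]     1:    S4 DN: CN=AppCategories,CN=Default Domain Policy,CN=System,DC=test,DC=local
[2020-08-06 01:38:09.954099]          UCS DN: <not found>
[2020-08-06 01:38:09.954233] \tlast synced USN: 4020
[2020-08-06 01:38:09.954300]     2:    S4 DN: CN=jdoe,CN=Users,DC=test,DC=local
[2020-08-06 01:38:09.954310]          UCS DN: uid=jdoe,cn=users,dc=test,dc=local
"""

PREFIX = re.compile(r"^\[[^\]]*\] ?")  # optional test-log timestamp
ENTRY = re.compile(r"^\s*(\d+):\s+(S4 DN|UCS DN):\s*(.*)$")
FIELD = re.compile(r"^\s*(S4 DN|UCS DN|last synced USN):\s*(.*)$")
# Container named in this report (hypothetical constant name).
POLICY_CONTAINER = "CN=Default Domain Policy,CN=System"


def parse_rejects(text):
    """Return one dict per numbered reject, tagged with the section it came from."""
    rejects, side, cur = [], None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if line.strip() in ("UCS rejected", "S4 rejected"):
            side, cur = line.split()[0], None
        elif ENTRY.match(line):
            idx, key, value = ENTRY.match(line).groups()
            cur = {"side": side, "index": int(idx), key: value}
            rejects.append(cur)
        elif cur is not None and FIELD.match(line):
            key, value = FIELD.match(line).groups()
            cur[key] = value
    return rejects


def dn_parts(dn):
    """Split a DN on unescaped commas and normalise case for comparison."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def at_or_below(dn, container, base):
    suffix, parts = dn_parts(container + "," + base), dn_parts(dn)
    return len(parts) >= len(suffix) and parts[-len(suffix):] == suffix


def triage(text, base):
    """Split rejects into (under the policy container, everything else)."""
    known, other = [], []
    for r in parse_rejects(text):
        hit = at_or_below(r.get("S4 DN", ""), POLICY_CONTAINER, base)
        (known if hit else other).append(r)
    return known, other
```
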
Comment 1 Erik Damrose univentionstaff 2020-08-06 14:34:54 CEST
The UCRvs get activated upon package update as well, not only new installations. This bug will hit all installations at some time.
Comment 3 Florian Best univentionstaff 2020-08-11 14:41:57 CEST
*** Bug 51805 has been marked as a duplicate of this bug. ***
Comment 4 Christina Scheinig univentionstaff 2020-08-20 11:00:43 CEST
This also happened on two newly installed school slaves.
Comment 5 Christina Scheinig univentionstaff 2020-08-20 11:51:41 CEST
Is there a workaround to get rid of the reject? Is it safe to delete it, or can it be solved, so nagios does not spam the schooladmins with emails?
Comment 7 Christian Völker univentionstaff 2020-08-31 11:27:37 CEST
Happened again on a customer. Going to ignore...
Comment 8 Julia Bremer univentionstaff 2020-09-17 07:50:38 CEST
Fix of the issue by synchronizing the "Default Domain Policy" as well, is in branch
jbremer/51782-default-domain-policy including a test.

The activation of the mapping by setting "connector/s4/mapping/domainpolicy=yes" 
will be tracked on a different bug since this needs to happen in ucsschool.
Comment 9 Erik Damrose univentionstaff 2020-09-25 10:54:43 CEST
I merged the branch to UCS 4.4-6, it contains the following commits:

ce9833066f Bug #49838: sync "CN=Default Domain Policy,CN=System,$ldap_base"
a2a3be11b2 Bug #49838: syncronize CN=IP Security,CN=SYTEM
9947daebe7 Bug #49838: replace microsoft large integer syntax with regular integer

0c3d3191eb Bug #51782: do not traceback and reject if no mapping is specified
7a76d70b83 Bug #51782: remove duplicate definition of "managedby", increase joinscript, rename domainpolicy because it must be activated after msgpsi Sync default domain policy in joinscript
185d6e215c Bug #51782: Dont synchonize per default in UCS. Default activation only in ucsschool (TODO)
64b4410c95 Bug #51782: Add test
72cf013d66 Bug #51782: Merge branch 'jbremer/51782-default-domain-policy' into 4.4-6
e0ef46a791 Bug #51782: changelogs

ucs-test 9.0.5-4A~4.4.0.202009251053
univention-s4-connector 13.0.2-77A~4.4.0.202009251048
Comment 10 Felix Botner univentionstaff 2020-09-28 12:00:48 CEST
this breaks UCS 4.3 (appbox!), see 80_docker.40_app_install_4_3

Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 44, in <module>
    import univention.admincli.admin
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 56, in <module>
    univention.admin.modules.update()
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 93, in update
    os.path.walk(dir, _walk, p)
  File "/usr/lib/python2.7/posixpath.py", line 239, in walk
    walk(name, func, arg)
  File "/usr/lib/python2.7/posixpath.py", line 231, in walk
    func(arg, top, names)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 78, in _walk
    m = __import__(mod, globals(), locals(), name)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/ms/domainpolicy.py", line 262, in <module>
    identify = object.identify
AttributeError: type object 'object' has no attribute 'identify'
Comment 11 Florian Best univentionstaff 2020-09-28 12:07:20 CEST
(In reply to Felix Botner from comment #10)
> AttributeError: type object 'object' has no attribute 'identify'

To solve this --ucsversionstart "4.4-0" can be given when registering the UDM module.
Comment 12 Felix Botner univentionstaff 2020-09-28 12:27:07 CEST
(In reply to Florian Best from comment #11)
> (In reply to Felix Botner from comment #10)
> > AttributeError: type object 'object' has no attribute 'identify'
> 
> To solve this --ucsversionstart "4.4-0" can be given when registering the
> UDM module.

yes, that would be ok as we do not really need that module in appbox (and UCS 4.3 is out of maintenance)
Comment 13 Julia Bremer univentionstaff 2020-09-29 09:28:07 CEST
318d735d6c Bug #51782: add --ucs-versionstart 4.4-0 at activation of udm module


Successful build
Package: univention-s4-connector
Version: 13.0.2-78A~4.4.0.202009282149
Branch: ucs_4.4-0
Scope: errata4.4-6


Added --ucsversionstart 4.4-0
Comment 14 Julia Bremer univentionstaff 2020-09-29 11:53:16 CEST
We had some internal discussions about synchronizing all these additional default objects.
If default domain policy is synced, each school slave could overwrite all the existing default-domainpolicies in the whole UCS domain.
This is a big change and the how and ifs of this change should be discussed at another bug. 

Since the original Bug #49838 only demanded the synchronization of msgpwl-* objects, 
we think it is a better idea to deactivate the unused objects for now by unsetting the UCR Variables again in ucs@school in Bug #52049.
Here, we should revert the activation of the domainpolicy synchronization, the joinscript number increase and the removal of "CN=IP Security" from the ignorelist.
Comment 15 Julia Bremer univentionstaff 2020-09-29 12:05:51 CEST
ce00b9f962 Bug #51782: Skip new testcase since the domainpolicy schema will not be activated anymore
17ca54d374 Bug #51782: Revert activation of domainpolicy, revert taking IP Security from ignorelist


Package: ucs-test
Version: 9.0.5-7A~4.4.0.202009291201
Branch: ucs_4.4-0
Scope: errata4.4-6

Successful build
Package: univention-s4-connector
Version: 13.0.2-79A~4.4.0.202009291157
Branch: ucs_4.4-0
Scope: errata4.4-6
Comment 16 Julia Bremer univentionstaff 2020-09-29 16:34:32 CEST
01e13185b0 Bug #51782: update yaml
Comment 17 Felix Botner univentionstaff 2020-09-29 16:54:04 CEST
TODO - jenkins tests


OK - ignore reject of unknown object
OK - msgpsi, msgpipsec and domainpolicy still (+LDAP schema) still packages,
     but not activated
OK - test
OK - yaml
Comment 18 Felix Botner univentionstaff 2020-09-30 20:27:43 CEST
Looks good, please create merge request.
Comment 19 Julia Bremer univentionstaff 2020-10-01 09:32:33 CEST
merge request created:
https://git.knut.univention.de/univention/ucs/-/merge_requests/6
Comment 20 Felix Botner univentionstaff 2020-10-01 16:51:38 CEST
OK
Comment 22 Florian Best univentionstaff 2020-10-08 14:45:33 CEST
FYI: you did not upgrade the de.po translations. I get fuzzy entries in UCS 5.0-0. I will fix them in UCS 5.0-0.