Univention Bugzilla – Bug 56021
Situation unclear: Can GPOs for wireless devices (IEEE80211) be managed from School-replica servers?
Last modified: 2023-06-08 14:06:14 CEST
For customers and support the situation is unclear regarding the question whether GPOs, in particular for wireless devices (IEEE80211), can be managed (add/modify/delete) from School-replica servers.

For Bug 50626 we enabled the replication from UCS@school primary to the replicas. It's unclear if the reverse is supported. In a support case we saw an S4-Connector reject for this operation in the logs of a School replica server:

====================================================
26.04.2023 16:49:15.820 LDAP (PROCESS): sync AD > UCS: [ms/gpwl-wireless] [ add] 'CN=Foo,CN=IEEE80211,CN=Windows,CN=Microsoft,CN=Machine,CN={D8F4385A-EC6D-43FE-A292-F147DEB146E2},CN=Policies,CN=System,dc=customer,dc=domain'
[...]
ldap.INSUFFICIENT_ACCESS: {'desc': 'Insufficient access', 'info': 'no write access to entry'}
====================================================

Apart from the question of LDAP-ACLs, supporting management of GPOs on/from School replica servers would require "upstream" replication of sysvol data from the School replica to the UCS@school primary. I'm unsure if this is still enabled by default or what general recommendations are with respect to that topic.

So it's unclear what needs to be adjusted here:
a) expectations -> documentation
b) concept -> documentation & code
c) just a bug -> code