57667 – Teacher home NT ACLs are changed on exam start

Bug 57667 - Teacher home NT ACLs are changed on exam start

Summary: Teacher home NT ACLs are changed on exam start

Status:	CLOSED FIXED

Alias:	None

Product:	UCS@school
Classification:	Unclassified
Component:	UMC - Exam mode
Version:	UCS@school 5.0
Hardware:	Other Linux

Importance:	P5 normal
Target Milestone:	---
Assignee:	UCS@school maintainers
QA Contact:

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-10-10 11:18 CEST by Jürn Brodersen
Modified:	2024-10-17 11:57 CEST (History)
CC List:	4 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	5: Blocking further progress on the daily work
User Pain:	0.286
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:	Yes
Flags outvoted (downgraded) after PO Review:
Ticket number:	2024041721000145
Bug group (optional):
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jürn Brodersen

2024-10-10 11:18:07 CEST

If a teacher is part of a group that should write an exam, we change their NT ACLs on their hoe directories.

We should only do this for exam students.

Error:
09.10.24 17:05:29.022  MAIN        ( ERROR   ) : ('Interner Server-Fehler in "schoolexam/exam/start".\nRequest: schoolexam/exam/start\n\nTraceback (most recent call last):\n  File "/usr/lib/python3/dist-packages/univention/management/console/modules/decorators.py", line 259, in _run\n    result = self._function(*args, **kwargs)  # type: Union[BaseException, _T]\n  File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolexam/__init__.py", line 813, in _thread\n    self.set_nt_acls_on_exam_folders(my.project.getRecipients())\n  File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolexam/__init__.py", line 289, in set_nt_acls_on_exam_folders\n    self.deny_owner_change_permissions(filename=str(os.path.join(root, f)))\n  File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolexam/__init__.py", line 274, in deny_owner_change_permissions\n    setntacl(self.lp, filename, new_sddl, owner_sid, system_session_unix())\n  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 227, in setntacl\n    ndr_pack(ntacl))\nOSError: [Errno 28] Auf dem Gerät ist kein Speicherplatz mehr verfügbar: \'/home/mejneschool2/lehrer/s.gohmann/windows-profiles/default.V6/Documents/desktop.ini\'',)

Comment 3 Mirac Erdemiroglu

2024-10-14 10:27:20 CEST

Emergency execution.

Even after the following execution, the teacher will run into the error again. Therefore, move and copy is not a final solution.


Before:
 
root@mejneschool2:/home/mejneschool2/lehrer/s.gohmann/windows-profiles# samba-tool ntacl get /root/univention-support/default.V6.old/Documents/desktop.ini --as-sddl
O:S-1-5-21-1150003711-260972013-2878653590-6456G:S-1-5-21-1150003711-260972013-2878653590-11611D:PAI(D;ID;WOWD;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-287
8653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(D;OICI;WOWD;;;S-1-5-21-1150003711-26097201
3-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711
-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1
150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S
-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001
301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A
;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301b
f;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;
0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;
WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)
(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-28786535
90-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013
-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-
260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-11
50003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-
1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A
;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;OICI;0x001301bf;;;OW)(A;OICI;0x001301bf;;;S-1-5-21-1150
003711-260972013-2878653590-6456)(A;OICI;0x001301bf;;;OW)(A;OICI;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;OICI;0x001301bf;;;OW)(A;OICI;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6
456)(A;OICI;0x001301bf;;;OW)(A;OICI;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)




mv default.V6 default.V6.old

cp -rp default.V6.old/ default.V6



root@mejneschool2:/home/mejneschool2/lehrer/s.gohmann/windows-profiles# ls -lah
insgesamt 60K
drwx--x--x  8 s.gohmann Domain Users mejneschool2 4,0K Okt 11 11:25 .
drwx--x--x  4 s.gohmann Domain Users mejneschool2 4,0K Jun 12 11:31 ..
drwx--x--x  2 s.gohmann Domain Users mejneschool2 4,0K Jun 12 11:16 default.V2
drwx--x--x  2 s.gohmann Domain Users mejneschool2 4,0K Jun 12 11:16 default.V3
drwx--x--x  2 s.gohmann Domain Users mejneschool2 4,0K Jun 12 11:16 default.V4
drwx--x--x  2 s.gohmann Domain Users mejneschool2 4,0K Jun 12 11:16 default.V5
drwx--x--x 15 s.gohmann Domain Users mejneschool2 4,0K Okt 10 13:31 default.V6
drwx--x--x 15 s.gohmann Domain Users mejneschool2 4,0K Okt 10 13:31 default.V6.old


After:

root@mejneschool2:/home/mejneschool2/lehrer/s.gohmann/windows-profiles# samba-tool ntacl get default.V6/Documents/desktop.ini --as-sddl
O:S-1-5-21-1150003711-260972013-2878653590-6456G:S-1-5-21-1150003711-260972013-2878653590-11611D:PAI(D;OICI;WOWD;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;;0x001f019f;;;S-1-5-21-1150003711-260972013-287
8653590-6456)(A;;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;;0x00120089;;;OW)(A;;0x00120089;;;OW)(A;;0x00120089;;;S-1-5-21-1150003711-260972013-287
8653590-6456)(A;;0x00120089;;;WD)(A;OICI;0x001301bf;;;OW)(A;OICI;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)
root@mejneschool2:/home/mejneschool2/lehrer/s.gohmann/windows-profiles# 



After a successful login with the relevant teacher, the file default.V6.old must be removed or moved, because our script create exam goes through all the files in /windows-profiles and sets ACLs.
This would lead to the same error again.

Comment 4 Alexander Steffen

2024-10-15 15:52:27 CEST

Package: ucs-school-umc-exam
Version: 10.0.15
Branch: 5.0-0
Scope: ucs-school-5.0
User: jbroders

Comment 5 Mirac Erdemiroglu

2024-10-16 13:37:33 CEST

To fix affected profiles/files:

https://help.univention.com/t/problem-cleanup-of-duplicated-nt-aces-oserror-errno-28-no-space-left-on-device/23543

Comment 6 Ole Schwiegert

2024-10-17 11:57:14 CEST

Errata updates for UCS@school 5.0 v6 have been released.

https://docs.software-univention.de/ucsschool-changelog/5.0v6/en/changelog.html
https://docs.software-univention.de/ucsschool-changelog/5.0v6/de/changelog.html

If this error occurs again, please clone this bug.