Bug 35564
| Summary: | sysvol replication fails on slave after ad takeover from member mode | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Felix Botner <botner> |
| Component: | Samba4 | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
| Severity: | normal | ||
| Priority: | P5 | CC: | gohmann, requate, schwardt, walkenhorst |
| Version: | UCS 3.2 | ||
| Target Milestone: | UCS 3.2-3-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
| Attachments: |
getfacl.log
idmap.log wbinfo.log ntacl.log idmap_ldb.ldif net_cache_flush_before_sysvolreset.patch |
||
|
Description
Felix Botner
Created attachment 6048 [details]
getfacl.log
Created attachment 6049 [details]
idmap.log
The gidNumbers 55002 and 55003 correspond to idmap objects in OpenLDAP, probably generated by samba during AD Member mode.
Created attachment 6050 [details]
wbinfo.log
Samba4 wbinfo doesn't seem to consider the cn=idmap objects in OpenLDAP. It finds the correct official gidNumbers.
Created attachment 6051 [details]
ntacl.log
Just for completeness, the ntacls. Looks like nothing's new or wrong here.
Created attachment 6052 [details]
idmap_ldb.ldif
/var/lib/samba/private/idmap.ldb is also correct for S-1-5-11 (Authenticated Users) and S-1-5-18 (System).
Created attachment 6053 [details]
net_cache_flush_before_sysvolreset.patch
This seems to fix the problem:
net cache flush
samba-tool ntacl sysvolreset
After running this on the master the facls are fixed:
========================================================
root@master:~# getfacl /var/lib/samba/sysvol/w2k12.test
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: var/lib/samba/sysvol/w2k12.test
# owner: Administrator
# group: Administratoren
user::rwx
user:Administrator:rwx
group::rwx
group:Authenticated\040Users:r-x
group:System:rwx
group:Administratoren:rwx
group:Server-Operatoren:r-x
mask::rwx
other::---
default:user::rwx
default:user:Administrator:rwx
default:group::---
default:group:Authenticated\040Users:r-x
default:group:System:rwx
default:group:Administratoren:rwx
default:group:Server-Operatoren:r-x
default:mask::rwx
default:other::---
========================================================
So we should run "net cache flush" in adtakeover before running sysvolreset, see attached patch.
After this the slave was was able to sync the sysvol GPOs from the master. Fixed, Advisory: 2014-08-12-univention-management-console-module-adtakeover.yaml OK - sysvol-sync on slaves after adtakeover out of AD member mode OK - YAML please merge the changes to 4.0 > please merge the changes to 4.0
Done. the Package has not been built in the ucs_4.0-0 scope yet.
OK |