Univention Bugzilla – Full Text Bug Listing |
Summary: | More robust sysvolreset | ||
---|---|---|---|
Product: | UCS | Reporter: | Janis Meybohm <meybohm> |
Component: | Samba4 | Assignee: | Lukas Oyen <oyen> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | enhancement | ||
Priority: | P5 | CC: | birkefeld, gohmann, hinrichs, requate |
Version: | UCS 4.2 | Flags: | requate: Patch_Available+ |
Target Milestone: | UCS 4.2-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=39633 http://forge.univention.org/bugzilla/show_bug.cgi?id=44282 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
User Pain: | 0.257 | Enterprise Customer affected?: | Yes |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2016121321000581, 2016012921000411, 2017072421000327 | Bug group (optional): | |
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 39123, 44876 | ||
Attachments: | try_except.patch; Patch for /usr/share/pyshared/samba/provision/__init__.py; 38217-robust-sysvolreset-461.patch | ||
Description
Janis Meybohm
2015-04-08 14:24:06 CEST
Ok, we should check if we can improve this and submit an upstream patch.

Created attachment 7225
try_except.patch
First basic patch
It should be first fixed for UCS 4.1. Afterwards we should consider a UCS 4.0 backport.

I re-joined some DCs and the sysvolreset took a long time. strace showed that every file in the PolicyDefinitions was checked.

```
# find /var/lib/samba/sysvol -type f | wc -l
7157
# find /var/lib/samba/sysvol/<domain>/Policies/PolicyDefinitions/ -type f | wc -l
6518
```

Ticket #2016012921000411

Created attachment 8292
Patch for /usr/share/pyshared/samba/provision/__init__.py
In this patch, ACLs are only set once for the Policies directory.
*** Bug 39123 has been marked as a duplicate of this bug. ***

recheck priority

There is a Customer ID set so I set the flag "Enterprise Customer affected".

Created attachment 9206
38217-robust-sysvolreset-461.patch

The attached patch (against 4.6.1) implements the new switch `--resume-on-error` for `samba-tool ntacl sysvolreset`. With this, certain NTSTATUSErrors are ignored and logged as warnings. The first is a non-existent symlink, the second a deleted policy folder; both throw the same error internally:

```
root@ucs-master40:~# samba-tool ntacl sysvolreset --resume-on-error
Unable to set ACL O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) on /var/lib/samba/sysvol/blabbel
Unable to set ACL O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on /var/lib/samba/sysvol/loyen.intranet/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
```

This is a different approach to Arvid's patch, as the error handling is performed one level up. `setntacl()` is a library function and not suited to print/log errors.

This does not include Julius' patch and does not handle the remark in comment 04. It is `sysvolreset`'s job to (re)set the ACLs on every file in the SYSVOL.

The attached patch does not change the behavior on provisioning. Non-existent symlinks and other errors will abort the procedure.

A discussion could be had if instead of an opt-in `--resume-on-error`, logging should be the default and a flag like `--fail-on-first-error` enables the current behavior.

With samba 4.7.X, a new package `samba.ntstatus` will be shipped. With this the constant `NT_STATUS_OBJECT_NAME_NOT_FOUND = 0xc0000034` could be replaced.

Ok, I think "--resume-on-error" should be default (maybe even without any alternative), because I can think of no situation where aborting would help or continuing would be disastrous.
I mean, the error messages are clearly visible, and the tool may return an exit status != 0 to indicate a problem, but it should at least do the job it was called for, as well as it can.

Ok, `--resume-on-error` removed as a command line flag, but internally the behaviour is changed as if it was passed.

Committed as a samba patch in r17673/4, YAML 8e0b713a.

Ok, works much better now. Actually, now it's better than sysvolcheck itself:

```
root@master10:~# mv /var/lib/samba/sysvol/ar41i1.qa/Policies/\{108A861F-3CB8-4DD1-A6D1-23642C0CF23F\} \
 /var/tmp/
root@master10:~# samba-tool ntacl sysvolcheck
(2, 'No such file or directory')
get_nt_acl_conn: get_nt_acl returned NT_STATUS_OBJECT_NAME_NOT_FOUND.
(-1073741772, 'The object name is not found.')
root@master10:~# samba-tool ntacl sysvolreset
set_nt_acl_conn: open: error=2 (No such file or directory)
Unable to set ACL O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on /var/lib/samba/sysvol/ar41i1.qa/Policies/{108A861F-3CB8-4DD1-A6D1-23642C0CF23F}
```
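The resume-on-error behaviour discussed in this bug, as an added sketch that is not the Samba patch or code from this report: an ACL reset walk that logs and skips `NT_STATUS_OBJECT_NAME_NOT_FOUND`, still aborts on any other status, and reports a non-zero exit status when something was skipped. `NTStatusError`, `fake_setntacl`, `reset_tree` and the temporary tree are hypothetical stand-ins; the error code is normalised because the log above prints it as a signed value (-1073741772).

```python
import os
import tempfile

NT_STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034  # constant quoted in the bug


class NTStatusError(Exception):
    """Stand-in for the bindings' error type; args are (code, message)."""


def to_unsigned(code):
    """The log shows the code as signed 32-bit (-1073741772); normalise it."""
    return code & 0xFFFFFFFF


def fake_setntacl(path, sddl):
    """Hypothetical ACL setter that fails like the log for vanished targets."""
    if not os.path.exists(path):  # dangling symlink or deleted policy folder
        raise NTStatusError(-1073741772, "The object name is not found.")


def reset_tree(root, sddl, setacl, warn):
    """Apply sddl to every entry below root; skip vanished ones, abort on the rest."""
    failed = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                setacl(path, sddl)
            except NTStatusError as err:
                if to_unsigned(err.args[0]) != NT_STATUS_OBJECT_NAME_NOT_FOUND:
                    raise  # anything else is not known to be harmless
                warn("Unable to set ACL %s on %s" % (sddl, path))
                failed.append(path)
    return failed


def demo():
    """Constructed tree: one policy folder, one file, one dangling symlink."""
    sddl = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)"  # shortened sample SDDL
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Policies", "{GUID-PLACEHOLDER}"))
        open(os.path.join(root, "Policies", "ok.txt"), "w").close()
        os.symlink(os.path.join(root, "missing"), os.path.join(root, "blabbel"))
        warnings = []
        failed = reset_tree(root, sddl, fake_setntacl, warnings.append)
        names = [os.path.relpath(p, root) for p in failed]
    return names, warnings, (1 if failed else 0)


if __name__ == "__main__":
    print(demo())
```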