Univention Bugzilla – Full Text Bug Listing |
Summary: | ProvisioningError with 'samba-tool ntacl sysvolcheck' | ||
---|---|---|---|
Product: | UCS | Reporter: | Stefan Gohmann <gohmann> |
Component: | Samba4 | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
Severity: | enhancement | ||
Priority: | P5 | CC: | hahn, hupertz, requate |
Version: | UCS 4.1 | ||
Target Milestone: | UCS 4.1-4 | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=38217 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 3: Simply Wrong: The implementation doesn't match the docu |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.069 | Enterprise Customer affected?: | |
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 42624 | ||
Attachments: | Provisional fix for Provisioningerror of samba-tool ntacl sysvolcheck |
Description
Stefan Gohmann
2015-10-26 16:35:28 CET
Created attachment 7890 [details] Provisional fix for Provisioningerror of samba-tool ntacl sysvolcheck During implementing a check for the system diagnostics module in ucs that should test if replication between GPO- and SYSVOL-ACLs is consistent, we realized that 'samba-tool ntacl sysvolcheck' showed the same behaviour as described here in the bug. Also calling 'samba-tool ntacl sysvolreset' before calling 'samba-tool ntacl sysvolcheck' did not resolve this problem. First, the attached patch will catch the exception, print it to stdout and turn on with further policies. Secondly, when 'samba-tool ntacl sysvolreset' is called, the acls of the directories behind sysvol are not overwritten by the gpo-acls, but are modified explicitly with another acl of the group "Local Administrators". This behaviour was transferred to 'sysvolcheck'. Some information about environment from UCR. repository/online/component/4.1-0-errata/version: 4.1 repository/online/component/4.1-1-errata/version: 4.1 repository/online/component/4.1-2-errata/version: 4.1 update/umc/nextversion: true version/erratalevel: 206 version/patchlevel: 2 version/releasename: Vahr version/version: 4.1 appcenter/apps/samba4/status: installed appcenter/apps/samba4/version: 4.3 Also discussed on samba-mailing-list: https://lists.samba.org/archive/samba/2015-September/194297.html It seems that this behaviour was implemented consciously but at the moment it is not clear why. The sysvolreset behaviour was probably chosen consciously, but the corresponding part in sysvolcheck is simply missing AFAICS. Since UCS patches are a bit tricky in combination with Debian quilt, I'll do the package build if that's ok with you. I assume it is. Asked for during UCS Technical training 2016-08 Task #4773 Since this requires a Samba rebuild I propose to fix it along with Bug 42624. Samba 4.5.1 has been built with Julians patch. Mentioned in changelog-4.1-4. Code review: Fail, can you re-check tab / spaces mix, for example: + if fsacl_sddl != acl_sddl: + raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl_sddl)) Tests: OK (I've added a simple test case for this: r74001 + r 74002 00_checks/46_ntacl_sysvolcheck) 4.2 merge: OK Changelog: OK True, fixed and merged. (In reply to Arvid Requate from comment #8) > True, fixed and merged. OK UCS 4.1-4 has been released: https://docs.software-univention.de/release-notes-4.1-4-en.html https://docs.software-univention.de/release-notes-4.1-4-de.html If this error occurs again, please use "Clone This Bug". |