Univention Bugzilla – Full Text Bug Listing |
Summary: | UCS@school: Wireless/Wired group GPO not replicated from Master Samba/AD to School Slave via OpenLDAP | ||
---|---|---|---|
Product: | UCS@school | Reporter: | Florian Best <best> |
Component: | Samba 4 | Assignee: | Tobias Wenzel <wenzel> |
Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
Severity: | normal | ||
Priority: | P5 | CC: | best, botner, bremer, brodersen, goericke, markus.daehlmann, michelsmidt, requate, troeder, voelker, wenzel |
Version: | UCS@school 4.4 | Flags: | best: Patch_Available+ |
Target Milestone: | UCS@school 4.4 v5-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
URL: | https://docs.microsoft.com/de-de/windows-server/networking/core-network-guide/cncg/wireless/e-wireless-access-deployment | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
User Pain: | 0.257 | Enterprise Customer affected?: | Yes |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2019071021000966, 2020042821000221 | Bug group (optional): | |
Max CVSS v3 score: | |||
Bug Depends on: | 50642, 49838, 50641 | ||
Bug Blocks: | 56021 | ||
Attachments: | patch (git:fbest/50626-enable-windows-policies) |
Description
Florian Best
2019-12-11 10:56:14 CET
Created attachment 10261 [details]
patch (git:fbest/50626-enable-windows-policies)
Happening for a customer. Trying to create wireless policies causes a "Richtlinienobjekt ist nicht vorhanden" on the school slave.

I tried to reproduce the bug as described in otrs, but no error was raised. I added a policy with gpmc -> right click on default policy or add new policy and finally adding a new non-configured entry in "Drahtlosnetzwerkrichtlinien (IEEE 802.11)" (in gpedit). Afterwards gpupdate did not yield any errors. Did I miss anything?

-----

My Setup:

**Master**
```
$ univention-app info
UCS: 4.4-4 errata624
Installed: ucsschool=4.4 v5
```

**Slave**
```
$ univention-app info
UCS: 4.4-4 errata624
Installed: cups=2.2.1 samba4=4.10 squid=3.5 ucsschool=4.4 v5
```

Windows 10 Client

UCR-V
```
connector/s4/mapping/msgpwl
connector/s4/mapping/msgpipsec
connector/s4/mapping/msgpsi
```
are not set.

The Wireless/Wired group GPOs don't get replicated from Master Samba/AD to School Slave via OpenLDAP unless the UCR variables are activated on both Master and School-Slaves and the S4-Connector is restarted. Unlike other GPOs these are special, because they have sub-objects in AD, which the S4-Connector didn't recognize before Bug #49838. The bug fix for that didn't activate the synchronization for all UCS@school domains automatically. This bug is about doing exactly that.

There's a general thing to be aware of for this kind of adjustment of the S4-Connector synchronization: When activating synchronization of a new object/attribute in the S4-Connector, we have to take care not to overwrite existing values in Samba/AD with values (possibly empty) from OpenLDAP (See 26926#c1).

When the S4-C starts, it first starts with the sync_from_ucs. Assuming nothing changed, nothing happens (there is no automatic scan of all objects). But then, at some later point, some admin may change one of the objects.

In UCS@school this may happen in three locations:

a) UDM -> Primary OpenLDAP
b) Windows-Client joined to Primary/Central Samba/AD
c) Windows-Client joined to School Samba/AD

Case a) could trigger the removal of an attribute value in Samba/AD. Case b) could trigger the removal/overwrite of an attribute value in the School Samba/ADs. etc. The exact risk depends on the case of objects/attributes that are added to the S4-C mapping.

To avoid problems of this kind in similar earlier cases, we have created dedicated update-scripts, that trigger the S4-Connector to synchronize all of the affected Samba/AD objects during the update (via joinscript) once from Samba/AD to UDM/OpenLDAP (Bug 26926#c1 and Bug 33936#c1):

```
grep "write2ucs" services/univention-s4-connector/97univention-s4-connector.inst
```

and back:

```
grep "write2samba" services/univention-s4-connector/97univention-s4-connector.inst
```

Patch-QA

Code -> Ok
Functionality -> ok

Before patch: "Richtlinienobjekt ist nicht vorhanden" after creating wireless-gpo on client joined vs. master and updating on client joined vs. slave.

After patch (applied on master & slave)
- UCR-V were set
- after restarting master & slave as well as restarting the s4-connector.
- creating new wireless-gpo on client joined vs. master & updating on client joined vs. slave => no error => ok

I added a ucs-test with
[fbest/50626-enable-windows-policies] 7ccdeffcf Bug #50626: add ucs-test

OK: code review
OK: functional test (GPO replication master->schoolserver failed; update; GPO replication works)
OK: tests

Please merge; build; advisory.

Thanks a lot for the QA!

[4.4] 42bab3cf5 Bug #50626: Changelog & yaml
[4.4] c5ee17ea0 Bug #50626: Merge branch 'fbest/50626-enable-windows-policies' into 4.4
[4.4] 59363b913 Bug #50626: implemented remarks
[4.4] 7ccdeffcf Bug #50626: add ucs-test
[4.4] 327db0b9d Bug #50626: enable MS policies

Package: ucs-school-metapackage
Version: 12.0.3-2A~4.4.0.202007081729
Branch: ucs_4.4-0
Scope: ucs-school-4.4

[4.4] 73282b197 Bug #50626: ucs-test changelog
[4.4] a4171a371 Bug #50626: fix typo in file name
[4.4] af4343210 Bug #50626: wording

OK: code was merged to 4.4
OK: advisory
OK: installs as expected

UCS@school 4.4 v6 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.4v6-de.html

If this error occurs again, please clone this bug.