Univention Bugzilla – Bug 33768
sync ntSecurityDescriptor of groupPolicyContainer objects
Last modified: 2015-07-20 09:16:43 CEST
For a proper sysvol synchronization, we need to sync the ntSecurityDescriptor (the ACLs for the GPO) for GPO objects. This is especially necessary for UCS@school environments, because here GPO objects are replicated to the domain DCs via s4connector|UCS LDAP replication (not by DRS replication).
Reported via 2014092421000347
Scheduled for end of November.
Fixed.
Testcase: 52_s4connector/100sync_gpo_ntsecurity_descriptor
Advisory: 2014-11-27-univention-s4-connector.yaml
I've a UCS@school setup with S4 on master and two slaves. If I create a GPO and remove Authenticated Users from the GPO permissions and add another group, Authenticated Users is re-added. If I stop the s4 connector, Authenticated Users is not re-added. The problem is the attribute based sync. As discussed, maybe we sync the ntSecurityDescriptor in @school setups only.
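The symptom reported above (an ACE for Authenticated Users reappearing after the connector runs) can be checked by diffing the DACL an administrator set against the one a DC holds afterwards. This is an added example, not part of the bug report or of the connector's code; it assumes both descriptors are available in SDDL string form, and the SDDL strings, the group SID and the function names are constructed for illustration.

```python
import re

APPLY_GPO = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"  # Apply-Group-Policy extended right
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder SID

# Constructed SDDL values: what the admin set, and a descriptor in which
# Authenticated Users (SDDL alias "AU") has come back.
INTENDED = ("O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
            f"(A;CI;RPLCLORC;;;{GROUP})(OA;CI;CR;{APPLY_GPO};;{GROUP})")
AFTER_SYNC = INTENDED + f"(A;CI;RPLCLORC;;;AU)(OA;CI;CR;{APPLY_GPO};;AU)"

FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")

def dacl_aces(sddl):
    """Return the DACL of an SDDL string as a set of 6-field ACE tuples."""
    # "D:" introduces the DACL: optional flags, then parenthesised ACEs.
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if m is None:
        return set()
    aces = set()
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.add(tuple(parts[:6]))
    return aces

def acl_drift(intended, actual):
    """ACEs present on only one side, as sorted lists of tuples."""
    want, have = dacl_aces(intended), dacl_aces(actual)
    return {"added": sorted(have - want), "removed": sorted(want - have)}

def readded_trustees(intended, actual):
    """Trustees (SID or SDDL alias) that gained ACEs the admin did not set."""
    return sorted({ace[5] for ace in acl_drift(intended, actual)["added"]})

if __name__ == "__main__":
    for ace in acl_drift(INTENDED, AFTER_SYNC)["added"]:
        print("unexpected ACE:", dict(zip(FIELDS, ace)))
```

The comparison treats the DACL as a set, so it reports added or removed ACEs but not changes in ACE order.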
Ok, code and advisory have been updated. There is a new errata bug for UCS@school 4.0 to activate synchronization.
(In reply to Arvid Requate from comment #5)
> Ok, code and advisory have been updated. There is a new errata bug for
> UCS@school 4.0 to activate synchronization.
That's Bug #37350.
Code review: OK
Tests: OK
http://errata.univention.de/ucs/3.2/276.html