Bug 35564 - sysvol replication fails on slave after ad takeover from member mode
sysvol replication fails on slave after ad takeover from member mode
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 3.2
Other Linux
: P5 normal
: UCS 3.2-3-errata
Assigned To: Arvid Requate
Felix Botner
Reported: 2014-08-04 19:13 CEST by Felix Botner
Modified: 2014-09-10 17:45 CEST (History)


Attachments
getfacl.log (13.05 KB, text/plain)
2014-08-04 19:20 CEST, Arvid Requate
idmap.log (1.66 KB, text/plain)
2014-08-04 19:22 CEST, Arvid Requate
wbinfo.log (98 bytes, text/plain)
2014-08-04 19:25 CEST, Arvid Requate
ntacl.log (9.26 KB, text/plain)
2014-08-04 19:26 CEST, Arvid Requate
idmap_ldb.ldif (19.21 KB, text/plain)
2014-08-04 19:29 CEST, Arvid Requate
net_cache_flush_before_sysvolreset.patch (992 bytes, patch)
2014-08-04 19:45 CEST, Arvid Requate

Description Felix Botner univentionstaff 2014-08-04 19:13:59 CEST
The slave account has no read permission for /var/lib/samba/sysvol on the master.

-> getfacl sysvol
# file: sysvol
# owner: Administrator
# group: Administratoren
user::rwx
user:Administrator:rwx
group::rwx
group:Administratoren:rwx
group:Server-Operatoren:r-x
group:55002:r-x
group:55003:rwx
mask::rwx
other::---
default:user::rwx
default:user:Administrator:rwx
default:group::---
default:group:Administratoren:rwx
default:group:Server-Operatoren:r-x
default:group:55002:r-x
default:group:55003:rwx
default:mask::rwx
default:other::---

Seems that id mapping is broken.

-> univention-ldapsearch   sambaSid=S-1-5-11 gidNumber -LLL
dn: sambaSID=S-1-5-11,cn=idmap,cn=univention,dc=w2k12,dc=test
gidNumber: 55002

dn: cn=Authenticated Users,cn=Builtin,dc=w2k12,dc=test
gidNumber: 5026
Comment 1 Arvid Requate univentionstaff 2014-08-04 19:20:48 CEST
Created attachment 6048 [details]
getfacl.log
Comment 2 Arvid Requate univentionstaff 2014-08-04 19:22:23 CEST
Created attachment 6049 [details]
idmap.log

The gidNumbers 55002 and 55003 correspond to idmap objects in OpenLDAP, probably generated by samba during AD Member mode.
Comment 3 Arvid Requate univentionstaff 2014-08-04 19:25:21 CEST
Created attachment 6050 [details]
wbinfo.log

Samba4 wbinfo doesn't seem to consider the cn=idmap objects in OpenLDAP. It finds the correct official gidNumbers.
Comment 4 Arvid Requate univentionstaff 2014-08-04 19:26:23 CEST
Created attachment 6051 [details]
ntacl.log

Just for completeness, the ntacls. Looks like nothing's new or wrong here.
Comment 5 Arvid Requate univentionstaff 2014-08-04 19:29:22 CEST
Created attachment 6052 [details]
idmap_ldb.ldif

/var/lib/samba/private/idmap.ldb is also correct for S-1-5-11 (Authenticated Users) and S-1-5-18 (System).
Comment 6 Arvid Requate univentionstaff 2014-08-04 19:45:55 CEST
Created attachment 6053 [details]
net_cache_flush_before_sysvolreset.patch

This seems to fix the problem:

net cache flush
samba-tool ntacl sysvolreset

After running this on the master the facls are fixed:
========================================================
root@master:~# getfacl  /var/lib/samba/sysvol/w2k12.test
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: var/lib/samba/sysvol/w2k12.test
# owner: Administrator
# group: Administratoren
user::rwx
user:Administrator:rwx
group::rwx
group:Authenticated\040Users:r-x
group:System:rwx
group:Administratoren:rwx
group:Server-Operatoren:r-x
mask::rwx
other::---
default:user::rwx
default:user:Administrator:rwx
default:group::---
default:group:Authenticated\040Users:r-x
default:group:System:rwx
default:group:Administratoren:rwx
default:group:Server-Operatoren:r-x
default:mask::rwx
default:other::---
========================================================

So we should run "net cache flush" in adtakeover before running sysvolreset, see attached patch.
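The before/after listings in this comment differ in one mechanical way: before the cache flush, the sysvol ACL carries bare numeric group qualifiers (55002, 55003) that winbind could not map back to a name; afterwards every qualifier resolves (Authenticated Users, System). That difference can be checked automatically after an adtakeover. The following POSIX shell snippet is an added example, not code from this bug report or from the UCS adtakeover module; the two ACL texts it embeds are constructed from the getfacl output quoted in this bug, and the function names `unresolved_acl_entries`, `count_unresolved_acl` and `check_sysvol_acl` are hypothetical.

```shell
#!/bin/sh
# Constructed sample: sysvol ACL as it looked before "net cache flush".
# The numeric qualifiers 55002/55003 are gids that did not resolve to a name.
BROKEN_ACL='# file: sysvol
# owner: Administrator
# group: Administratoren
user::rwx
user:Administrator:rwx
group::rwx
group:Administratoren:rwx
group:Server-Operatoren:r-x
group:55002:r-x
group:55003:rwx
mask::rwx
other::---
default:group:55002:r-x'

# Constructed sample: the same ACL after "net cache flush" and
# "samba-tool ntacl sysvolreset"; every qualifier now resolves to a name.
FIXED_ACL='# file: sysvol
user::rwx
user:Administrator:rwx
group::rwx
group:Authenticated\040Users:r-x
group:System:rwx
group:Administratoren:rwx
group:Server-Operatoren:r-x
default:group:Authenticated\040Users:r-x
default:group:System:rwx'

# unresolved_acl_entries: filter that prints every user:/group: entry
# (plain or default:) whose qualifier is purely numeric, i.e. a uid/gid
# that getfacl could not map to a name. Reads getfacl output on stdin.
unresolved_acl_entries() {
    grep -E '^(default:)?(user|group):[0-9]+:' || true
}

# count_unresolved_acl: number of unresolved entries in the ACL text $1.
# grep -c exits 1 when nothing matches, so "|| true" keeps the "0" usable.
count_unresolved_acl() {
    printf '%s\n' "$1" | grep -Ec '^(default:)?(user|group):[0-9]+:' || true
}

# check_sysvol_acl: exit status 0 when the ACL text $1 has no unresolved
# entries, 1 otherwise (suitable for a post-adtakeover sanity check).
check_sysvol_acl() {
    [ "$(count_unresolved_acl "$1")" -eq 0 ]
}

# Live use on a DC (not executed here):
#   getfacl -p /var/lib/samba/sysvol | unresolved_acl_entries
# A non-empty result means the id mapping cache is stale and
# "net cache flush" followed by "samba-tool ntacl sysvolreset" is due.
```

Run against a real DC, a non-empty filter output after adtakeover is the cue that the winbind cache still holds the AD-member-mode gid mappings; the fixed listing above is what the same check should show afterwards.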
Comment 7 Arvid Requate univentionstaff 2014-08-04 19:46:52 CEST
After this the slave was able to sync the sysvol GPOs from the master.
Comment 8 Arvid Requate univentionstaff 2014-08-12 17:47:28 CEST
Fixed, Advisory: 2014-08-12-univention-management-console-module-adtakeover.yaml
Comment 9 Felix Botner univentionstaff 2014-08-19 16:11:35 CEST
OK - sysvol-sync on slaves after adtakeover out of AD member mode
OK - YAML
Comment 10 Felix Botner univentionstaff 2014-08-19 16:12:35 CEST
please merge the changes to 4.0
Comment 11 Arvid Requate univentionstaff 2014-08-20 14:09:16 CEST
> please merge the changes to 4.0

Done. The package has not been built in the ucs_4.0-0 scope yet.
Comment 12 Felix Botner univentionstaff 2014-08-25 11:01:22 CEST
OK
Comment 13 Janek Walkenhorst univentionstaff 2014-09-10 17:45:01 CEST
http://errata.univention.de/ucs/3.2/203.html