Bug 41549 - sysvol sync broken: always add master/DCs in the central school department to Enterprise Domain Controllers
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal (vote)
Target Milestone: UCS 4.1-3-errata
Assigned To: Stefan Gohmann
QA Contact: Arvid Requate
Depends on:
Blocks:
Reported: 2016-06-13 17:45 CEST by Felix Botner
Modified: 2016-10-20 12:40 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Felix Botner univentionstaff 2016-06-13 17:45:49 CEST
UCS school master (NO s4)
 + UCS school slaves with samba4
master is samba4/sysvol/sync/host

Joined a windows client into a slave domain and added a new gpo, changed security filter: removed authenticated users, added lehrer-$ou ...

-> getfacl  \{99785FC0-43AE-4E79-910A-1FE8E7FE5B74\}/
# file: {99785FC0-43AE-4E79-910A-1FE8E7FE5B74}/
# owner: root
# group: Domain\040Admins
user::rwx
user:root:rwx
user:5040:r-x
user:5059:rwx
group::rwx
group:Domain\040Admins:rwx
group:OUschool1-Klassenarbeit:r-x
group:Enterprise\040Domain\040Controllers:r-x
group:System:rwx
group:Enterprise\040Admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:5040:r-x
default:user:5059:rwx
default:group::---
default:group:Domain\040Admins:rwx
default:group:OUschool1-Klassenarbeit:r-x
default:group:Enterprise\040Domain\040Controllers:r-x
default:group:System:rwx
default:group:Enterprise\040Admins:rwx
default:mask::rwx
default:other::---

Now the master is unable to read the GPO and sysvol-sync stops working:
-> univention-ssh-rsync /etc/machine.secret -naAX --delete --delete-excluded '--exclude=scripts/user/.*.vbs.[[:alnum:]][[:alnum:]][[:alnum:]][[:alnum:]][[:alnum:]][[:alnum:]]' 'master$@slave:/var/lib/samba/sysvol/' /var/cache/univention-samba4/sysvol-sync/slave
Could not chdir to home directory /dev/null: Not a directory
rsync: get_xattr_data: lgetxattr(""/var/lib/samba/sysvol/w2k12.test/Policies/{99785FC0-43AE-4E79-910A-1FE8E7FE5B74}"","user.DOSATTRIB",0) failed: Permission denied (13)
IO error encountered -- skipping file deletion
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1536) [generator=3.0.9]

Reason is that the master is NOT member of "Enterprise Domain Controllers". Only the join script 96univention-samba4.inst adds the $ldap_hostdn to this group but if samba4 is not installed in the central school department (as in my case) the central school department DCs are not member of the "Enterprise Domain Controllers" group and sysvol-sync may fail.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2016-06-29 15:48:00 CEST
Isn't this a generic problem in domains that don't have samba4 installed on DC master?
Comment 2 Felix Botner univentionstaff 2016-06-29 18:12:01 CEST
(In reply to Sönke Schwardt-Krummrich from comment #1)
> Isn't this a generic problem in domains that don't have samba4 installed on
> DC master?

yes

(In reply to Sönke Schwardt-Krummrich from comment #1)
> Isn't this a generic problem in domains that don't have samba4 installed on
> DC master?

yes, I think so
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2016-06-30 10:59:48 CEST
This affects all UCS@school environments with no S4 on DC master.
Comment 4 Arvid Requate univentionstaff 2016-09-27 17:50:59 CEST
Ok, but univention-samba4-sysvol-sync gets installed on the master in any case, so that package should do the necessary steps to make sysvol replication work.
Comment 5 Arvid Requate univentionstaff 2016-09-28 11:09:29 CEST
The problem with Comment 4 is that "Enterprise Domain Controllers" doesn't exist yet at the moment the ucs-school-master package pulls univention-samba4-sysvol-sync.

We could explicitly always add the Master to "Enterprise Domain Controllers" in the univention-samba4 joinscript (slightly bending the semantics of that group). Alternatively we could make the "DC Backup Hosts" group member of it.
Comment 6 Stefan Gohmann univentionstaff 2016-10-14 08:30:05 CEST
* The group DC Backup Hosts is now member of the group Enterprise
  Domain Controllers. This is needed for the sysvol replication in
  case Samba 4 is not installed on the DC master.

The UCS 4.1-3-errata postinst does it automatically on master or backup.

UCS 4.1-3: r73197
UCS 4.2: r73198
YAML: r73199

Simple test case has been added as well:
UCS 4.1-3: r73200
UCS 4.2: r73201

root@master411:~# /usr/share/ucs-test/00_checks/23_enterprise_domain_controller_membership
uid=2001(master411$) gid=5005(DC Backup Hosts) groups=5005(DC Backup Hosts),1005(Windows Hosts),5006(DC Slave Hosts),5007(Computers),5011(Authenticated Users),5017(Enterprise Domain Controllers),5042(Domain Controllers),5051(Denied RODC Password Replication Group)
Starting 1 ucs-test at 2015-11-18 23:41:27 to /dev/null
Check if the DC master is member of Enterprise Domain Controller........................................................................................................................................................................... Test passed
root@master411:~#
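The failure in the description has two halves: the machine account of the master must be a member of "Enterprise Domain Controllers", and the GPO directory's POSIX ACL must actually grant that group r-x (an entry alone is not enough, the ACL mask can cut it down). The script below is an added example, not the bug report's own output and not the ucs-test script from comment 6; it checks both halves offline against constructed copies of the `id` and `getfacl` output shown above. It assumes `id` prints the group list as its last `name=` field (no SELinux `context=` field) and that no group name contains `=`.

```shell
#!/bin/sh
# Added example: check that an account belongs to "Enterprise Domain
# Controllers" and that a sysvol GPO directory grants that group r-x.
# Not part of the bug report or of ucs-test.

# Constructed sample, copied from the `id 'master411$'` output in comment 6
# (after the fix: "DC Backup Hosts" is nested into Enterprise Domain Controllers).
SAMPLE_ID='uid=2001(master411$) gid=5005(DC Backup Hosts) groups=5005(DC Backup Hosts),1005(Windows Hosts),5006(DC Slave Hosts),5007(Computers),5011(Authenticated Users),5017(Enterprise Domain Controllers),5042(Domain Controllers),5051(Denied RODC Password Replication Group)'

# Constructed sample of a master without Samba 4 before the fix (hypothetical).
SAMPLE_ID_BROKEN='uid=2001(master411$) gid=5005(DC Backup Hosts) groups=5005(DC Backup Hosts),1005(Windows Hosts),5007(Computers),5011(Authenticated Users),5042(Domain Controllers)'

# Constructed sample: the access entries of the getfacl output from the description
# (default entries omitted). getfacl writes a space in a name as \040.
SAMPLE_FACL='# file: {99785FC0-43AE-4E79-910A-1FE8E7FE5B74}/
# owner: root
# group: Domain\040Admins
user::rwx
user:root:rwx
user:5040:r-x
user:5059:rwx
group::rwx
group:Domain\040Admins:rwx
group:OUschool1-Klassenarbeit:r-x
group:Enterprise\040Domain\040Controllers:r-x
group:System:rwx
group:Enterprise\040Admins:rwx
mask::rwx
other::---'

# Constructed edge case: same entry, but the mask removes execute/search.
MASKED_FACL='group:Enterprise\040Domain\040Controllers:r-x
mask::r--'

# Print the group names from one line of `id` output, one per line.
# Splitting on commas keeps names containing spaces intact; `id -Gn`
# would split "Enterprise Domain Controllers" into three words.
id_groups() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# Exit 0 if the account described by the `id` line ($1) is in group $2.
is_member() {
    id_groups "$1" | grep -qxF -- "$2"
}

# Print the effective permissions group $2 holds according to getfacl
# output $1: the group's entry ANDed with the mask. Prints nothing if the
# group has no entry. "group:X:r-x" together with "mask::---" yields "---".
acl_group_perms() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '
        $1 == "mask" { mask = $3 }
        $1 == "group" { name = $2; gsub(/\\040/, " ", name); if (name == g) perm = $3 }
        END {
            if (perm == "") exit
            if (mask == "") mask = "rwx"
            eff = ""
            for (i = 1; i <= 3; i++) {
                c = substr(perm, i, 1)
                eff = eff (c != "-" && c == substr(mask, i, 1) ? c : "-")
            }
            print eff
        }'
}

# Both conditions rsync -aAX needs to read the GPO directory and its xattrs
# as the machine account: membership, and at least r-x for the group.
check_sysvol_readable() {
    is_member "$1" "$3" || { echo "account is not a member of '$3'" >&2; return 1; }
    perms=$(acl_group_perms "$2" "$3")
    case $perms in
        r?x) return 0 ;;
        *) echo "ACL grants '$perms' to '$3', need r-x" >&2; return 1 ;;
    esac
}

if check_sysvol_readable "$SAMPLE_ID" "$SAMPLE_FACL" "Enterprise Domain Controllers"; then
    echo "fixed master: GPO readable via Enterprise Domain Controllers"
fi
if ! check_sysvol_readable "$SAMPLE_ID_BROKEN" "$SAMPLE_FACL" "Enterprise Domain Controllers"; then
    echo "unfixed master: sysvol sync would fail with Permission denied"
fi
```

On a real system the two inputs come from `id "$(hostname)\$"` and `getfacl /var/lib/samba/sysvol/<domain>/Policies/<gpo>` run on the slave; the second check matters because a GPO whose security filtering was edited in the GPMC can end up with an ACL mask tighter than the group entry.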
Comment 7 Arvid Requate univentionstaff 2016-10-17 17:22:40 CEST
I think the udm command for the update needs to go into univention-samba4-sysvol-sync.postinst so it runs on the master.
Comment 8 Stefan Gohmann univentionstaff 2016-10-17 20:16:11 CEST
(In reply to Arvid Requate from comment #7)
> I think the udm command for the update needs to go into
> univention-samba4-sysvol-sync.postinst so it runs on the master.

Sure: r73307 + r73308
Comment 9 Arvid Requate univentionstaff 2016-10-17 21:09:32 CEST
Ok, works, only the merge to 4.2 is missing
Comment 10 Stefan Gohmann univentionstaff 2016-10-18 05:52:35 CEST
(In reply to Arvid Requate from comment #9)
> Ok, works, only the merge to 4.2 is missing

The upgrade code is not needed in 4.2 because the upgrade to 4.1-3 will be done in every case.
Comment 11 Arvid Requate univentionstaff 2016-10-18 10:08:11 CEST
Indeed :-) verified.
Comment 12 Janek Walkenhorst univentionstaff 2016-10-20 12:40:14 CEST
<http://errata.software-univention.de/ucs/4.1/309.html>