Univention Bugzilla – Bug 41549
sysvol sync broken: always add master/DCs in the central school department to Enterprise Domain Controllers
Last modified: 2016-10-20 12:40:14 CEST
UCS school master (NO s4) + UCS school slaves with samba4; master is samba4/sysvol/sync/host.

Joined a Windows client into a slave domain and added a new GPO, changed security filter: removed authenticated users, added lehrer-$ou ...

-> getfacl \{99785FC0-43AE-4E79-910A-1FE8E7FE5B74\}/
# file: {99785FC0-43AE-4E79-910A-1FE8E7FE5B74}/
# owner: root
# group: Domain\040Admins
user::rwx
user:root:rwx
user:5040:r-x
user:5059:rwx
group::rwx
group:Domain\040Admins:rwx
group:OUschool1-Klassenarbeit:r-x
group:Enterprise\040Domain\040Controllers:r-x
group:System:rwx
group:Enterprise\040Admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:5040:r-x
default:user:5059:rwx
default:group::---
default:group:Domain\040Admins:rwx
default:group:OUschool1-Klassenarbeit:r-x
default:group:Enterprise\040Domain\040Controllers:r-x
default:group:System:rwx
default:group:Enterprise\040Admins:rwx
default:mask::rwx
default:other::---

Now the master is unable to read the GPO and sysvol-sync stops working:

-> univention-ssh-rsync /etc/machine.secret -naAX --delete --delete-excluded '--exclude=scripts/user/.*.vbs.[[:alnum:]][[:alnum:]][[:alnum:]][[:alnum:]][[:alnum:]][[:alnum:]]' 'master$@slave:/var/lib/samba/sysvol/' /var/cache/univention-samba4/sysvol-sync/slave
Could not chdir to home directory /dev/null: Not a directory
rsync: get_xattr_data: lgetxattr(""/var/lib/samba/sysvol/w2k12.test/Policies/{99785FC0-43AE-4E79-910A-1FE8E7FE5B74}"","user.DOSATTRIB",0) failed: Permission denied (13)
IO error encountered -- skipping file deletion
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1536) [generator=3.0.9]

Reason is that the master is NOT a member of "Enterprise Domain Controllers".
Only the join script 96univention-samba4.inst adds the $ldap_hostdn to this group, but if samba4 is not installed in the central school department (as in my case) the central school department DCs are not members of the "Enterprise Domain Controllers" group and sysvol-sync may fail.
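The permission denied above follows directly from the POSIX ACL quoted in the report: after "Authenticated Users" was removed from the security filter, the only entries left that grant read are the named users/groups, and the sysvol-sync account (master$) matches none of them, so the kernel falls through to other::--- (reading a user.* xattr requires read permission on the file). The following script is an added example, not Univention code: it parses getfacl output (decoding the \040 escapes), applies the acl(5) access-check order, and evaluates the GPO directory for the master's group list as printed by id in the test output further down, once without and once with "Enterprise Domain Controllers". It assumes names in place of numeric ids and that master411$ is not one of the numeric uids 5040/5059 in the ACL.

```python
import re

# Constructed sample: the getfacl output quoted in the report, with the
# numeric uids and group names exactly as shown there (default entries shortened).
GPO_ACL = """\
# file: {99785FC0-43AE-4E79-910A-1FE8E7FE5B74}/
# owner: root
# group: Domain\\040Admins
user::rwx
user:root:rwx
user:5040:r-x
user:5059:rwx
group::rwx
group:Domain\\040Admins:rwx
group:OUschool1-Klassenarbeit:r-x
group:Enterprise\\040Domain\\040Controllers:r-x
group:System:rwx
group:Enterprise\\040Admins:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:other::---
"""

# Group list of master411$ as printed by `id` in the ucs-test output,
# before the fix (no Enterprise Domain Controllers) and after it.
MASTER_GROUPS_BEFORE = [
    "DC Backup Hosts", "Windows Hosts", "DC Slave Hosts", "Computers",
    "Authenticated Users", "Domain Controllers",
    "Denied RODC Password Replication Group",
]
MASTER_GROUPS_AFTER = MASTER_GROUPS_BEFORE + ["Enterprise Domain Controllers"]


def unescape(name):
    """getfacl writes special bytes as \\NNN octal escapes (e.g. \\040 for a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def perms(field):
    """'r-x' -> {'r', 'x'}; '---' -> empty set."""
    return {c for c in field if c in "rwx"}


def parse_getfacl(text):
    acl = {"owner": None, "group": None, "user_obj": set(), "users": {},
           "group_obj": set(), "groups": {}, "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            acl["owner"] = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl["group"] = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("#") or line.startswith("default:"):
            # comments, and default entries only apply to newly created children
            continue
        else:
            tag, qualifier, field = line.split(":", 2)
            qualifier = unescape(qualifier)
            p = perms(field)
            if tag == "user":
                if qualifier:
                    acl["users"][qualifier] = p
                else:
                    acl["user_obj"] = p
            elif tag == "group":
                if qualifier:
                    acl["groups"][qualifier] = p
                else:
                    acl["group_obj"] = p
            elif tag == "mask":
                acl["mask"] = p
            elif tag == "other":
                acl["other"] = p
    return acl


def acl_allows(acl, user, user_groups, wanted):
    """Access check in acl(5) order: owner, named user, then every matching
    group entry (masked), finally 'other'. A matching group entry that lacks
    the requested bits denies access; it does not fall through to 'other'."""
    wanted = perms(wanted)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl["owner"]:
        return wanted <= acl["user_obj"]
    if user in acl["users"]:
        return wanted <= (acl["users"][user] & mask)
    groups = set(user_groups)
    candidates = [acl["group_obj"]] if acl["group"] in groups else []
    candidates += [p for g, p in acl["groups"].items() if g in groups]
    if candidates:
        return any(wanted <= (p & mask) for p in candidates)
    return wanted <= acl["other"]


def master_can_read_gpo(fixed):
    """Can the sysvol-sync account (master411$) read the GPO directory?"""
    groups = MASTER_GROUPS_AFTER if fixed else MASTER_GROUPS_BEFORE
    return acl_allows(parse_getfacl(GPO_ACL), "master411$", groups, "r")


if __name__ == "__main__":
    for fixed in (False, True):
        state = "readable" if master_can_read_gpo(fixed) else "Permission denied"
        print("after fix:" if fixed else "before fix:", state)
```

The same evaluator can be pointed at any getfacl dump from the sysvol tree to predict which security-filter changes will break replication before rsync reports code 23.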
Isn't this a generic problem in domains that don't have samba4 installed on DC master?
(In reply to Sönke Schwardt-Krummrich from comment #1)
> Isn't this a generic problem in domains that don't have samba4 installed on
> DC master?

yes

(In reply to Sönke Schwardt-Krummrich from comment #1)
> Isn't this a generic problem in domains that don't have samba4 installed on
> DC master?

yes, I think so
This affects all UCS@school environments with no S4 on DC master.
Ok, but univention-samba4-sysvol-sync gets installed on the master in any case, so that package should do the necessary steps to make sysvol replication work.
The problem with Comment 4 is that "Enterprise Domain Controllers" doesn't exist yet at the moment the ucs-school-master package pulls univention-samba4-sysvol-sync. We could explicitly always add the Master to "Enterprise Domain Controllers" in the univention-samba4 joinscript (slightly bending the semantics of that group). Alternatively we could make the "DC Backup Hosts" group a member of it.
* The group DC Backup Hosts is now member of the group Enterprise Domain Controllers. This is needed for the sysvol replication in case Samba 4 is not installed on the DC master. The UCS 4.1-3-errata postinst does it automatically on master or backup.

UCS 4.1-3: r73197
UCS 4.2: r73198
YAML: r73199

Simple test case has been added as well:
UCS 4.1-3: r73200
UCS 4.2: r73201

root@master411:~# /usr/share/ucs-test/00_checks/23_enterprise_domain_controller_membership
uid=2001(master411$) gid=5005(DC Backup Hosts) Gruppen=5005(DC Backup Hosts),1005(Windows Hosts),5006(DC Slave Hosts),5007(Computers),5011(Authenticated Users),5017(Enterprise Domain Controllers),5042(Domain Controllers),5051(Denied RODC Password Replication Group)
Starting 1 ucs-test at 2015-11-18 23:41:27 to /dev/null
Check if the DC master is member of Enterprise Domain Controller........................................................................................................................................................................... Test passed
root@master411:~#
I think the udm command for the update needs to go into univention-samba4-sysvol-sync.postinst so it runs on the master.
(In reply to Arvid Requate from comment #7)
> I think the udm command for the update needs to go into
> univention-samba4-sysvol-sync.postinst so it runs on the master.

Sure: r73307 + r73308
Ok, works, only the merge to 4.2 is missing
(In reply to Arvid Requate from comment #9)
> Ok, works, only the merge to 4.2 is missing

The upgrade code is not needed in 4.2 because the upgrade to 4.1-3 will be done in every case.
Indeed :-) verified.
<http://errata.software-univention.de/ucs/4.1/309.html>