Univention Bugzilla – Bug 43211
Don't use univention-skel for system acounts
Last modified: 2021-08-09 14:53:01 CEST
skel should no be created for system accounts: # find /etc/univention/skel `getent passwd|cut -d: -f6` -maxdepth 1 -name windows-profiles 2>/dev/null /etc/univention/skel/windows-profiles /root/windows-profiles /var/lib/postgresql/windows-profiles /var/lib/spamassassin/windows-profiles
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Just recently I had a broken customer system because of univention-skel
Remove it for UCS-5: - baldy maintained: creates very old Windows profile directories (Bug #48587) - not documented (Bug #32513) - not yet migrated to Python3 (Bug #49060) - K-Desktop is removed for UCS-5.
We may still need to have a mechanism to create the default / default.v2 profile folders for Windows clients. Did you check that?
I think we still need this, see Bug #44895. Please restore.
Due to this change bash-completion is not installed any longer. I reverted the commit. I don't even know how it was decided that this change was to be made. dfd1ddfb56 Revert "Bug #43211 skel: Remove univention-skel" The package was still built in the ucs_5.0-0 Release-Scope.
(In reply to Arvid Requate from comment #6) > Due to this change bash-completion is not installed any longer. I reverted > the commit. > I don't even know how it was decided that this change was to be made. > > dfd1ddfb56 Revert "Bug #43211 skel: Remove univention-skel" > > The package was still built in the ucs_5.0-0 Release-Scope. The removement of univention-skel implied for me that the default Debian behaviour "kicks in". Does Bash completion work with stock Debian? I still favor to not port univention-skel to UCS 5 to reduce "UCS specialities" in areas which are not our focus. But systems have to behave like a "normal Debian".
We should make bash-completion a dependency of univention-base-packages. (If the dependency was the problem).
(In reply to Ingo Steuwer from comment #7) > (In reply to Arvid Requate from comment #6) > > Due to this change bash-completion is not installed any longer. I reverted > > the commit. > > I don't even know how it was decided that this change was to be made. > > > > dfd1ddfb56 Revert "Bug #43211 skel: Remove univention-skel" > > > > The package was still built in the ucs_5.0-0 Release-Scope. > > The removement of univention-skel implied for me that the default Debian > behaviour "kicks in". Does Bash completion work with stock Debian? There are multiple path how bash-completion gets loaded on Debian: /etc/skel/.profile → /etc/skel/.bashrc /etc/profile → /etc/profile.d/bash_completion.sh /etc/bash.bashrc The main error here is that UCS is ignorant of upstream changes; read /usr/share/doc/bash-completion/README.Debian # ls -1 /etc/bash_completion.d/ univention-config-registry univention-directory-manager univention-updater They should be installed to /usr/share/bash-completion/completions/ instead and the old conffiles should be deleted via rm_conffile. > I still favor to not port univention-skel to UCS 5 to reduce "UCS > specialities" in areas which are not our focus. But systems have to behave > like a "normal Debian". The main difference between `univention-skel` and `/etc/skel/` is, that the later is only used when $HOME is first created. `univention-skel` on the other hand is invoked though PAM each time a user logs in and thus can be used to update user files later on: It re-creates any missing files or updates all unmodified files. Those files also get deleted if the template is removed. The main bug here is that the PAM module is invoked locally on each server, even for $HOME on NFS: If you login to MULTIPLE servers with DIFFERENT template directories, your $HOME will be modified each time. Regarding the Windows profile directories: - why are we still shipping directories for versions of the past century in services/univention-samba4/debian/univention-samba4.postinst: # ls -1 /etc/univention/skel/windows-profiles/ default (Windows XP, Windows Server 2003, Windows Server 2003 R2) default.V2 (Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2) default.V3 (Windows 8, Windows Server 2012) default.V4 (Windows 8.1, Windows Server 2012 R2) default.V5 (Windows 10) default.V6 (Windows 10 Vista Vista.V2 Win2k Win2K3 Win95 WinNT WinXP - Why are they created by .postinst and not included with the package .dirs? - According to my research Windows should create them on demand - why doesn't this work with our Samba? https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles https://docs.microsoft.com/de-de/windows/client-management/mandatory-user-profile https://docs.microsoft.com/de-de/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj649079(v=ws.11)
I set the TM to 5.0 again, to make sure we do or don't do something here later.
I understand that the current implementation of univention-skel causes issues and we should address them one by one. Still, it serves a purpose and we cannot remove it as we desire without finding replacements. Regarding the diverse range of statements in Comment 9: > - why are we still shipping directories for versions of the past century in services/univention-samba4/debian/univention-samba4.postinst: > [...] > - Why are they created by .postinst and not included with the package .dirs? These are questions not relevant to this bug, I guess. - According to my research Windows should create them on demand - why doesn't this work with our Samba? We can research this, if required. Until now, there was no requirement. IMHO we should keep focus in the development on UCS 5 and not touch all things at once. *If* the changes required to retire univention-skel are transparent to the user, which I believe is required, then this can be done in an errata-Update.
[x] 8ea4b38a8e Bug #43211: univention-skel doc/changelog/changelog-5.0-0.xml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) https://taiga.knut.univention.de/project/oschwieg-ucs-5/task/5156?kanban-status=54 (In reply to Arvid Requate from comment #11) > Still, it serves a purpose and we cannot remove it as we desire without > finding replacements. The replacement is the standard `/etc/skel/` mechanism, which gets used when a user is initially created: install -m 755 -d /etc/skel/windows-profiles/default.V{6,5,4,3} adduser --gecos test --shell /bin/bash --disabled-password test # Kopiere Dateien aus »/etc/skel« ... tree /home/test/windows-profiles # /home/test/windows-profiles # ├── default.V3 # ├── default.V4 # ├── default.V5 # └── default.V6 The equivalent for `univention-samba` and/or `univention-samba4` is to either include those empty directories within the package or create them dynamically at postinst time: echo etc/skel/windows-profiles/default.V{6,5,4,3} | tr ' ' '\n' >> univention-samba/debian/univention-samba.dirs echo etc/skel/windows-profiles/default.V{6,5,4,3} | tr ' ' '\n' >> univention-samba4/debian/univention-samba4.dirs
Ok, please do so and check that roaming profiles still work for Windows clients.
[5.0-0] c95607fa91 feat[samba]: Create Windows profile directories services/univention-samba/debian/changelog | 6 ++++++ services/univention-samba/debian/univention-samba-local-config.dirs | 5 +++++ services/univention-samba/debian/univention-samba-local-config.postinst | 15 +++++++++++++++ 3 files changed, 26 insertions(+) [5.0-0] f98d711c45 fix[skel] skel: Remove univention-skel base/univention-errata-level/univention-maintained-packages.txt | 1 - base/univention-pam/conffiles/etc/pam.d/common-session.d/10univention-pam_common | 1 - base/univention-pam/debian/changelog | 6 ++++++ base/univention-pam/debian/control | 1 - base/univention-skel/debian/changelog | 10 ++++++---- base/univention-skel/debian/control | 9 ++++----- base/univention-skel/debian/rules | 7 ------- base/univention-skel/debian/univention-skel.dirs | 1 - base/univention-skel/debian/univention-skel.docs | 1 - base/univention-skel/debian/univention-skel.install | 2 -- ... 15 files changed, 25 insertions(+), 314 deletions(-) Package: univention-samba Version: 14.0.4-1A~5.0.0.202103180713 Package: univention-pam Version: 13.0.3-3A~5.0.0.202103180719 Package: univention-skel Version: 12.0.1-1A~5.0.0.202103180809 QA: I joined a Windows 8 into the domain and default.V2 was *automatically* created on first login. PAM seems not to be involeved at all. QA: /etc/pam.d/samba -> common-session -> now has "pam_mkhomedir.so skel=/etc/skel" only, previously it also did "pam_runasroot.so user program=/usr/bin/univention-skel'" afterwards, which is now removed. FYI: https://docs.software-univention.de/handbuch-4.4.html#windows:roamingprofiles:samba4
*** Bug 48587 has been marked as a duplicate of this bug. ***
*** Bug 32513 has been marked as a duplicate of this bug. ***
First test result: This only works for users created with adduser, but not with UCS domain users. No directories created below user. Consequently Windows CLients report an error writing the roaming profile.
Testes with * Windows 10 Client against UCS 5.0 installed Master * Windows 7 Client against UCS 5.0 Master updated from 4.4.7 Home directory gets created but: root@master200:~# ls -la /home/user3 insgesamt 8 drwx--x--x 2 user3 Domain Users 4096 Dez 13 12:16 . drwxr-xr-x 7 root root 4096 Dez 13 12:16 ..
Ok this happens in case homedir/mount is set to "false" (default: true). In that case /usr/sbin/univention-mount-homedir runs before pam_mkhomedir and creates the directory and the following pam_mkhomedir session call doesn't take any action. I'll attach a patch for univention-mount-homedir. I've improved the documentation of this feature (Bug #34346).
Created attachment 10662 [details] mount-homedir.diff
(In reply to Arvid Requate from comment #20) > Created attachment 10662 [details] > mount-homedir.diff Applied that patch: univention-home-mounter (11.0.1-1) ee3db54b824e | Bug #43211: don't create homedir for users without automountInformation
07454e3b63 | Explain migration in release changelog Verified.
UCS 5.0 has been released: https://docs.software-univention.de/release-notes-5.0-0-en.html https://docs.software-univention.de/release-notes-5.0-0-de.html If this error occurs again, please use "Clone This Bug".