Univention Bugzilla – Bug 43620
sysvol-cleanup.py deletes grouppolicy folder for GPOs with an uppercase "CN="
Last modified: 2017-06-15 17:58:03 CEST
sysvol-cleanup.py "cleans" grouppolicy folder for GPOs with an uppercase "CN=".

Example:

on master (the GPOs are replicated to here):

root@master:~# univention-s4search objectClass=groupPolicyContainer cn | grep -i '^cn:'
CN: {07D23440-some more stuff}
cn: {14DA1D9A-some more stuff}
cn: {17504898-some more stuff}
cn: {2EAAE6A3-some more stuff}
cn: {2F60254E-some more stuff}
cn: {31B2F340-some more stuff}
cn: {33532C2C-some more stuff}
CN: {3BD9B2EB-some more stuff}

on backup (the GPOs were created here):

root@backup:~# univention-s4search objectClass=groupPolicyContainer cn | grep -i '^cn:'
cn: {07D23440-some more stuff}
cn: {14DA1D9A-some more stuff}
cn: {17504898-some more stuff}
cn: {2EAAE6A3-some more stuff}
cn: {2F60254E-some more stuff}
cn: {31B2F340-some more stuff}
cn: {33532C2C-some more stuff}
cn: {3BD9B2EB-some more stuff}

The folders for the uppercase "CN=" GPOs are regularly deleted in the customer environment. It seems to happen at the replication and the sysvol-cleanup.py script only recognizes GPOs with a lowercase "cn=" (and deletes the folder for the uppercase "CN=" it does not see).
Yes, from a quick look into /usr/share/univention-samba4/scripts/sysvol-cleanup.py I guess that it takes the output of univention-s4search and filters for lowercase cn=. We also need to check if samba-tool ntacl sysvolreset/sysvolcheck can deal with this "case". And it would really be interesting why CN is different on both DCs, but, well.
Advisory: univention-samba4.yaml
YAML: OK
Tests: Fail

--------------------------------------------------------------------------------
root@master421:~# ls -la /var/lib/samba/sysvol/deadlock42.intranet/Policies/
insgesamt 32
drwxrwx---+ 4 Administrator Administrators 4096 Mai 3 08:10 .
drwxrwx---+ 4 Administrator Administrators 4096 Mai 3 08:08 ..
drwxrwx---+ 4 Administrator Domain Admins 4096 Apr 4 14:54 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 Administrator Domain Admins 4096 Apr 4 14:54 {6AC1786C-016F-11D2-945F-00C04FB984F9}
root@master421:~# /usr/share/univention-samba4/scripts/sysvol-cleanup.py --verbose --move /var/lib/samba/sysvol_backup
The following LDAP GPOs were found:
- {31B2F340-016D-11D2-945F-00C04FB984F9}
- {6AC1786C-016F-11D2-945F-00C04FB984F9}
The following file system GPOs were found:
- {6AC1786C-016F-11D2-945F-00C04FB984F9}
- {31B2F340-016D-11D2-945F-00C04FB984F9}
root@master421:~# apt-get dist-upgrade
[...]
Die folgenden Pakete werden aktualisiert (Upgrade):
  univention-samba4 univention-samba4-sysvol-sync
2 aktualisiert, 0 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen noch 0 B von 125 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 0 B Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n] y
(Lese Datenbank ... 93708 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../univention-samba4_6.0.10-3A~4.2.0.201704252056_amd64.deb ...
Entpacken von univention-samba4 (6.0.10-3A~4.2.0.201704252056) über (6.0.9-10A~4.2.0.201703301128) ...
Vorbereitung zum Entpacken von .../univention-samba4-sysvol-sync_6.0.10-3A~4.2.0.201704252056_all.deb ...
Entpacken von univention-samba4-sysvol-sync (6.0.10-3A~4.2.0.201704252056) über (6.0.9-10A~4.2.0.201703301128) ...
Trigger für univention-config (12.0.1-5A~4.2.0.201703151910) werden verarbeitet ...
dpkg-query: Kein Paket gefunden, das auf ldapacl_66univention-appcenter_app.acl passt
univention-samba4-sysvol-sync (6.0.10-3A~4.2.0.201704252056) wird eingerichtet ...
File: /etc/cron.d/sysvol-cleanup
File: /etc/cron.d/sysvol-sync
Not updating samba4/sysvol/cleanup/cron
univention-samba4 (6.0.10-3A~4.2.0.201704252056) wird eingerichtet ...
[...]
root@master421:~# /usr/share/univention-samba4/scripts/sysvol-cleanup.py --verbose --move /var/lib/samba/sysvol_backup
The following LDAP GPOs were found:
- {31b2f340-016d-11d2-945f-00c04fb984f9}
- {6ac1786c-016f-11d2-945f-00c04fb984f9}
The following file system GPOs were found:
- {6AC1786C-016F-11D2-945F-00C04FB984F9}
- {31B2F340-016D-11D2-945F-00C04FB984F9}
Move unused GPO {6AC1786C-016F-11D2-945F-00C04FB984F9} to /var/lib/samba/sysvol_backup/{6AC1786C-016F-11D2-945F-00C04FB984F9}_201705030812
Move unused GPO {31B2F340-016D-11D2-945F-00C04FB984F9} to /var/lib/samba/sysvol_backup/{31B2F340-016D-11D2-945F-00C04FB984F9}_201705030812
root@master421:~# ls -la /var/lib/samba/sysvol/deadlock42.intranet/Policies/
insgesamt 16
drwxrwx---+ 2 Administrator Administrators 4096 Mai 3 08:12 .
drwxrwx---+ 4 Administrator Administrators 4096 Mai 3 08:08 ..
root@master421:~#
--------------------------------------------------------------------------------
Ok, fixed.
@slave
univention-s4search objectClass=groupPolicyContainer cn | grep -i cn:
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
cn: {6AC1786C-016F-11D2-945F-00C04FB984F9}
CN: {7FE24A72-5C6E-43CB-9527-93D5DA966864}

@master
univention-s4search objectClass=groupPolicyContainer cn | grep -i cn:
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
cn: {6AC1786C-016F-11D2-945F-00C04FB984F9}
cn: {7FE24A72-5C6E-43CB-9527-93D5DA966864}

before the update @slave
sysvol-cleanup.py --verbose
The following LDAP GPOs were found:
- {31B2F340-016D-11D2-945F-00C04FB984F9}
- {6AC1786C-016F-11D2-945F-00C04FB984F9}
The following file system GPOs were found:
- {31B2F340-016D-11D2-945F-00C04FB984F9}
- {085209BD-1E7A-4E08-A0BF-C4764CE9DA82}
- {7FE24A72-5C6E-43CB-9527-93D5DA966864}
- {6AC1786C-016F-11D2-945F-00C04FB984F9}
Found unused GPO: {7FE24A72-5C6E-43CB-9527-93D5DA966864}

after the update @slave
sysvol-cleanup.py --verbose
The following LDAP GPOs were found:
- {31B2F340-016D-11D2-945F-00C04FB984F9}
- {6AC1786C-016F-11D2-945F-00C04FB984F9}
- {7FE24A72-5C6E-43CB-9527-93D5DA966864}
The following file system GPOs were found:
- {31B2F340-016D-11D2-945F-00C04FB984F9}
- {7FE24A72-5C6E-43CB-9527-93D5DA966864}
- {6AC1786C-016F-11D2-945F-00C04FB984F9}
Found unused GPO: {085209BD-1E7A-4E08-A0BF-C4764CE9DA82}

@master OK

OK - samba-tool ntacl sysvolreset/check
OK - YAML
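Added example, not part of the bug thread and not the code of sysvol-cleanup.py: a Python sketch of the comparison this bug is about, matching the `cn` attribute name and the GUID value case-insensitively so that neither "CN:" lines nor lowercased GUIDs cause live GPO folders to be flagged. The function names, the sample search output (constructed from GUIDs quoted in the comments, with a placeholder DN) and the refusal to act on an empty LDAP result are assumptions of this example.

```python
import re

# GPO container and folder names are brace-wrapped GUIDs.
GUID = r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"

def ldap_gpo_names(search_output, case_sensitive=False):
    """Extract GPO names from 'attr: value' lines of an LDAP search.

    LDAP attribute names are case-insensitive, so 'cn:' and 'CN:' must both
    match. case_sensitive=True models the lowercase-only filter guessed at in
    the thread; it is kept here only for comparison.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    pattern = re.compile(r"^cn:\s*" + GUID + r"\s*$", flags)
    return [m.group(1) for m in map(pattern.match, search_output.splitlines()) if m]

def unused_gpo_folders(search_output, folders, case_sensitive=False):
    """Return the folder names that have no matching GPO object in LDAP."""
    fold = (lambda s: s) if case_sensitive else str.upper
    known = {fold(name) for name in ldap_gpo_names(search_output, case_sensitive)}
    if not known:
        # Added safeguard (assumption): an empty result more likely means a
        # failed or misparsed search than "every folder is orphaned".
        raise RuntimeError("no GPOs parsed from LDAP output; refusing to flag folders")
    return [f for f in folders if fold(f) not in known]

# Constructed sample: one 'CN:' attribute name and one lowercased GUID value,
# i.e. both failure modes that appear in the comments above.
SAMPLE_SEARCH = """\
# record 1
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=test
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
cn: {6ac1786c-016f-11d2-945f-00c04fb984f9}
CN: {7FE24A72-5C6E-43CB-9527-93D5DA966864}
"""
SAMPLE_FOLDERS = [
    "{31B2F340-016D-11D2-945F-00C04FB984F9}",
    "{085209BD-1E7A-4E08-A0BF-C4764CE9DA82}",
    "{7FE24A72-5C6E-43CB-9527-93D5DA966864}",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
]

if __name__ == "__main__":
    print("case-insensitive:", unused_gpo_folders(SAMPLE_SEARCH, SAMPLE_FOLDERS))
    print("case-sensitive:  ", unused_gpo_folders(SAMPLE_SEARCH, SAMPLE_FOLDERS, True))
```

With the case-sensitive comparison, two folders that still have GPO objects in LDAP are reported as unused alongside the genuinely orphaned one.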
<http://errata.software-univention.de/ucs/4.2/42.html>