Bug 45452 - Rejoin of UCS@school 4.2 slave purges GPOs from LDAP
Rejoin of UCS@school 4.2 slave purges GPOs from LDAP
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba
UCS 4.2
Other Linux
: P5 major
: UCS 4.2-1-errata
Assigned To: Stefan Gohmann
Felix Botner
Depends on: 45439
Blocks: 45440
Reported: 2017-09-25 17:03 CEST by Stefan Gohmann
Modified: 2017-09-26 16:46 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.571
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017081521000495
Bug group (optional):
Max CVSS v3 score:

Description Stefan Gohmann univentionstaff 2017-09-25 17:03:46 CEST
A backport for UCS 4.2-1 is needed

+++ This bug was initially created as a clone of Bug #45439 +++

The joinscript 97univention-s4-connector.inst of UCS 4.2 seems to contain defective logic when syncing GPOs during a (re)join of UCS@school slaves.

The relevant part of 97univention-s4-connector.inst looks like this:

if ! is_ucr_true 'connector/s4/allow/secondary'; then
    s4connector_dc=$(get_available_s4connector_dc) || exit $?

fi
if [ -z "$s4connector_dc" ] \
    || [ "$s4connector_dc" = "$hostname" ]; then

    if [ $JS_LAST_EXECUTED_VERSION -le 0 ] && is_ucr_true connector/s4/mapping/gpo; then
        /etc/init.d/univention-s4-connector stop

        if [ -z "$s4connector_dc" ] \
            || [ "$s4connector_dc" = "$hostname" ]; then
            # First or only Samba 4 server
            /usr/share/univention-s4-connector/msgpo.py --write2ucs "$@"
        elif ! is_ucr_true 'connector/s4/allow/secondary'; then
            # Normal Samba 4 DC
            /usr/share/univention-s4-connector/msgpo.py --write2ucs "$@"
        else
            # Slave PDC
            /usr/share/univention-s4-connector/msgpo.py --write2samba4 "$@"
        fi
    fi
fi

In school environments, connector/s4/allow/secondary=yes is set on the school slave, therefore s4connector_dc is not set. Even if the UCRV is not set or set to "no", the hostname of the school slave is stored in s4connector_dc via get_available_s4connector_dc().
So the condition [ -z "$s4connector_dc" ] || [ "$s4connector_dc" = "$hostname" ]
is always met and therefore the branch "First or only Samba 4 server" is always executed on UCS@school slaves, which results in a
/usr/share/univention-s4-connector/msgpo.py --write2ucs "$@"

In UCS 4.1-4 the query for the s4connector host looked quite different:

        s4connectorservicehost_dns="$(univention-directory-manager computers/computer list "$@" --filter "(&(univentionService=${NAME})(!(cn=$hostname)))" | sed -ne 's|^DN: ||p')"

        if [ -z "$s4connectorservicehost_dns" ]; then
            # First Samba 4 server
            /usr/share/univention-s4-connector/msgpo.py --write2ucs "$@"
        elif ! is_ucr_true 'connector/s4/allow/secondary'; then
            # Normal Samba 4 DC
            /usr/share/univention-s4-connector/msgpo.py --write2ucs "$@"
        else
            # Slave PDC
            /usr/share/univention-s4-connector/msgpo.py --write2samba4 "$@"
        fi
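Added example (not the joinscript itself, and not part of the original report): a small POSIX sh model of both branch selections, with the UCR value and the LDAP lookup results passed in as parameters so the decision can be exercised offline. It assumes, as the report states, that get_available_s4connector_dc() returns the school slave's own hostname, and it omits the JS_LAST_EXECUTED_VERSION and connector/s4/mapping/gpo checks (taken as "first run, GPO mapping enabled").

```shell
#!/bin/sh
# Constructed model of the GPO sync branch selection in UCS 4.2 versus 4.1-4.
# Parameters replace UCR and LDAP so the logic runs without a UCS system.

# Simplified stand-in for is_ucr_true: $1 is the raw UCR value.
is_true() { case "$1" in yes|true|1|enable|enabled|on) return 0 ;; *) return 1 ;; esac; }

# UCS 4.2 logic.
# $1 hostname  $2 connector/s4/allow/secondary  $3 result of get_available_s4connector_dc
# (per the report, $3 is the slave's own hostname on a school slave; assumption)
gpo_mode_42() {
    host=$1; secondary=$2; available_dc=$3
    s4connector_dc=""
    if ! is_true "$secondary"; then
        s4connector_dc=$available_dc
    fi
    if [ -z "$s4connector_dc" ] || [ "$s4connector_dc" = "$host" ]; then
        # The inner test repeats the outer one, so it can never be false here
        # and the other two branches are unreachable.
        if [ -z "$s4connector_dc" ] || [ "$s4connector_dc" = "$host" ]; then
            echo write2ucs      # "First or only Samba 4 server"
        elif ! is_true "$secondary"; then
            echo write2ucs      # "Normal Samba 4 DC"
        else
            echo write2samba4   # "Slave PDC"
        fi
    else
        echo skip               # another host is the connector DC: no GPO sync here
    fi
}

# UCS 4.1-4 logic.
# $1 hostname  $2 connector/s4/allow/secondary  $3 other hosts providing the service
# ($3 models the LDAP search that excludes $hostname; empty on the first server)
gpo_mode_414() {
    secondary=$2; other_hosts=$3
    if [ -z "$other_hosts" ]; then
        echo write2ucs          # first Samba 4 server
    elif ! is_true "$secondary"; then
        echo write2ucs          # normal Samba 4 DC
    else
        echo write2samba4       # slave PDC: LDAP GPOs are written into Samba 4
    fi
}

# School slave rejoining a domain whose master already runs the connector:
# 4.2 writes the (empty, fresh) Samba 4 GPO set to UCS, 4.1-4 does the reverse.
gpo_mode_42  slave1 yes slave1
gpo_mode_414 slave1 yes "cn=master,cn=dc,cn=computers,dc=example,dc=com"
```

Running the 4.2 model with allow/secondary set to yes, no, or left empty always yields write2ucs on the slave, whereas the 4.1-4 model yields write2samba4 as soon as another connector host exists and allow/secondary is yes.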
Comment 2 Stefan Gohmann univentionstaff 2017-09-26 08:28:27 CEST
The upgrade path works too.
Comment 3 Felix Botner univentionstaff 2017-09-26 13:49:21 CEST
OK - univention-s4-connector
OK - upgrade to 4.2-2
OK - YAML
Comment 4 Philipp Hahn univentionstaff 2017-09-26 16:46:09 CEST
<http://errata.software-univention.de/ucs/4.2/185.html>