What are UCS@school shares?
Shares are automatically created UCS@school objects, which simplify file sharing within a specific group.
Each school class and work group has its own share (see this article for more information on work groups and school classes). Furthermore, a so-called “Marktplatz” (engl.: market place) exists, which serves as a school-wide share for all users of the group Domain Users $OU
.
The creation of a work group share can be controlled by unchecking the checkbox “create share” in the UMC.
It can also be prevented to automatically create a Marktkplatz for each OU by setting the UCRV ucsschool/import/generate/marktplatz=no
.
Because Shares are always bound to a specific group, they should never exist without it in the LDAP tree.
When creating or modifying a class share or a work group share via UDM command, one can easily miss one of these essential features, which might lead to errors. As with all UCS@school objects, to prevent inconsistencies, shares should only be modified using the UCS@school UMC modules.
Example:
$ udm shares/share list --filter cn=DEMOSCHOOL-Democlass
DN: cn=DEMOSCHOOL-Democlass,cn=klassen,cn=shares,ou=DEMOSCHOOL,dc=example,dc=com
host: DEMOSCHOOL.example.com
name: DEMOSCHOOL-Democlass
path: /home/DEMOSCHOOL/groups/klassen/DEMOSCHOOL-Democlass
ucsschoolRole: school_class_share:school:DEMOSCHOOL
...
$ udm shares/share list --filter cn=DEMOSCHOOL-Demoworkgroup
DN: cn=DEMOSCHOOL-Demoworkgroup,cn=shares,ou=DEMOSCHOOL,dc=example,dc=com
host: DEMOSCHOOL.example.com
name: DEMOSCHOOL-Demoworkgroup
path: /home/DEMOSCHOOL/groups/DEMOSCHOOL-Demoworkgroup
ucsschoolRole: workgroup_share:school:DEMOSCHOOL
...
$ udm shares/share list --filter cn=Marktplatz
DN: cn=Marktplatz,cn=shares,ou=DEMOSCHOOL,dc=example,dc=com
host: DEMOSCHOOL.example.com
name: Marktplatz
path: /home/DEMOSCHOOL/groups/Marktplatz
ucsschoolRole: marketplace_share:school:DEMOSCHOOL
...
In UCS@school 4.4 v8 work group shares are now validated before usage, when loading them from LDAP and errors will be logged to the regular log files (see manual).
In UCS@school 4.4 v9 the diagnostic module UCS@school Consistency Check is introduced. It checks, amongst other things, if existing school group shares are consistent. If this diagnostic module displays errors, this does not necessarily mean that the UCS@school system is not working. Rather, it warns of objects that do not look the way UCS@school expects and that could cause future problems when using them.
School name prefix
When creating a class share or a work group share, the school name will be prefixed to the group name in order to ensure that the group’s name is unique across the whole domain. For a valid school class or work group share name, a school name prefix is required.
Example: school name GS1
and work group name Robotics
result in a work group share name GS1-Robotics
.
Position in LDAP Tree
Share containers must be placed below the OU of the school under cn=shares,ou=$SCHOOL,$ldap_base
Examples:
- school class share:
cn=GS1-2b,cn=klassen,cn=shares,ou=GS1,$ldap_base
- work group share:
cn=GS1-Robotics,cn=shares,ou=GS1,$ldap_base
- Marktplatz share:
cn=Marktplatz,cn=shares,ou=GS1,$ldap_base
Share Path
A share is located on its corresponding school server or primary node in a single-server environment.
Its path should be placed below its school directory /home/$SCHOOL/groups/
Examples:
- school class share:
/home/GS1/groups/klassen/2b
- work group share:
/home/GS1/groups/Robotics
- Marktplatz share:
/home/GS1/groups/Marktplatz
The path can be edited in the UMC under Domain/Shares.
Role attribute
Like all UCS@school objects, shares have an attribute ucsschoolRole
, which is managed internally.
It must be set as followed:
- school class share:
school_class_share:school:$SCHOOL
- work group share:
workgroup_share:school:$SCHOOL
- Marktplatz share:
marketplace_share:school:$SCHOOL
Permission Configuration
Information on permissions for files and folders in a share on a UCS system can be found in this article.
However, in a UCS@school environment, there are some important things to note:
By default, when a share gets created in UCS@school, some Windows NT ACLs get automatically set, which primarily restrict students permissions within the share.
For class and work group shares those are:
- deny students to change permissions and take ownership
- allow the corresponding group members to read, write and modify
- allow OU-admins full control
Marktplatz shares are created with the following ACL:
- deny students to change permissions and take ownership
- allow all domain users to read, write and modify
- allow OU-admins full control
Changing those permissions via CLI can easily lead to errors and is not officially supported.