Bug 55403 - [5.0] Kerberos-based SAML-SSO is not working for Windows clients joined to a UCS@school schoolserver
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: General
UCS@school 5.0
Other All
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS@school maintainers
Depends on: 51078
Blocks:
Reported: 2022-11-09 11:28 CET by Erik Damrose
Modified: 2022-11-18 11:00 CET (History)
CC List: 5 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022101421000339
Bug group (optional): Regression
Max CVSS v3 score:


Attachments
schoolserver join.log (178.22 KB, text/x-log)
2022-11-09 12:12 CET, Erik Damrose

Description Erik Damrose univentionstaff 2022-11-09 11:28:46 CET
Bug #51078 added the samba SPN for the ucs-sso user on schoolservers. This is broken on UCS 5, at least on new installations with UCS 5.0-2e476.

The code in the joinscript ucs-school-metapackage/62ucs-school-replica.inst to add the SPN fails during the initial join. This might be okay, as samba is not provisioned at that time yet; it is done in a later joinscript. But the joinscript must then fail, so that it is re-executed later. Currently the joinscript completes successfully.

The part of the joinscript that is not running correctly (62ucs-school-replica.inst, line 168):

if [ $JS_LAST_EXECUTED_VERSION -lt 9 ]; then
    # Only grep's exit status is evaluated here: when samba-tool itself fails
    # (sam.ldb does not exist yet), the pattern does not match, the SPN is not
    # added, and the joinscript continues without an error.
    if samba-tool spn list "ucs-sso" | grep -q 'no servicePrincipalName'; then
        samba-tool spn add "HTTP/ucs-sso.$(hostname -d)" "ucs-sso" || die
    fi
fi

Relevant part from the join.log:
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: No such file or directory

Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/spn.py", line 56, in run
    credentials=creds, lp=lp)
  File "/usr/lib/python3/dist-packages/samba/samdb.py", line 72, in __init__
    options=options)
  File "/usr/lib/python3/dist-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
  File "/usr/lib/python3/dist-packages/samba/samdb.py", line 87, in connect
    options=options)
Comment 1 Erik Damrose univentionstaff 2022-11-09 11:31:06 CET
Maybe see also bug 54038
Comment 2 Erik Damrose univentionstaff 2022-11-09 12:12:48 CET
Created attachment 11009: schoolserver join.log