Bug 29462 - OpenLDAP entries in the SRV record _ldap._tcp in S4 environments
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 3.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2
Assigned To: Arvid Requate
QA Contact: Stefan Gohmann
: interim-1
Duplicates: 30890
Depends on:
Blocks: 31887
Reported: 2012-11-29 14:21 CET by Ingo Steuwer
Modified: 2013-11-19 06:44 CET (History)
Attachments:
ucsschool-performance-30000.log (166.73 KB, text/plain), 2013-07-05 12:26 CEST, Stefan Gohmann
updater.log (149.96 KB, application/text), 2013-08-08 16:39 CEST, Felix Botner

Description Ingo Steuwer univentionstaff 2012-11-29 14:21:57 CET
In a Samba 4 environment under UCS 3.0, every (repeated) domain join of one of the DCs again adds the service records in _ldap._tcp that point to port 7389 (OpenLDAP) alongside those with port 389 (Samba 4).

Once Samba 4 is active in the domain, the join scripts should no longer add these records.
Comment 1 Moritz Muehlenhoff univentionstaff 2013-05-31 10:46:12 CEST
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2.

As such, this bug is moved to the new target milestone.
Comment 2 Tim Petersen univentionstaff 2013-06-19 08:22:58 CEST
A customer told us that his Mac clients are using the _ldap._tcp SRV record instead of the site records (or the Default-First-Site record). By doing that they sometimes hit the wrong port and get timeout issues during login.

I didn't find any technical documentation which verifies this yet.
This article uses the SRV record for analysing DNS consistency in AD, for example:
http://support.apple.com/kb/ht3394

Perhaps this affects the tm?
Comment 3 Stefan Gohmann univentionstaff 2013-07-02 06:24:29 CEST
Arvid, we should check if it is possible to backport the fix as an erratum for UCS 3.1-1, because it might be a big problem in some environments.
Comment 4 Arvid Requate univentionstaff 2013-07-03 20:28:39 CEST
For joining systems this now gets fixed in 10univention-ldap-server. For the UCS Samba 4 DC Master this also gets fixed during the join of the univention-samba4 package. Changelog added.
Comment 5 Stefan Gohmann univentionstaff 2013-07-05 12:26:05 CEST
I'm not completely sure if this bug is the reason, but the setup-join now fails:

Create windows/wins-support
Multifile: /etc/samba/smb.conf
Adding CNAME record "a555b46f-6011-46d4-bd08-a8d85fb6c42a._msdcs master30.school30000.local." to zone school30000.local...
done
Adding SRV record "ldap tcp 0 100 389 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "ldap._tcp.dc msdcs 0 100 389 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "ldap._tcp.df485650-b95d-44a1-93ad-ff8b91c0865b.domains msdcs 0 100 389 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "kerberos tcp 0 100 88 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "kerberos udp 0 100 88 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "kerberos._tcp.dc msdcs 0 100 88 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "kpasswd tcp 0 100 464 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "kpasswd udp 0 100 464 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "ldap._tcp.Default-First-Site-Name sites 0 100 389 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "ldap._tcp.Default-First-Site-Name._sites.dc msdcs 0 100 389 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "kerberos._tcp.Default-First-Site-Name sites 0 100 88 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "kerberos._tcp.Default-First-Site-Name._sites.dc msdcs 0 100 88 master30.school30000.local." to zone school30000.local...
done
Adding TXT record "_kerberos SCHOOL30000.LOCAL" to zone school30000.local...
done
Adding A record "gc._msdcs 10.210.7.43" to zone school30000.local...
done
Adding SRV record "gc tcp 0 100 3268 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "ldap._tcp.gc msdcs 0 100 3268 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "gc._tcp.Default-First-Site-Name sites 0 100 3268 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "ldap._tcp.Default-First-Site-Name._sites.gc msdcs 0 100 3268 master30.school30000.local." to zone school30000.local...
done
Adding SRV record "ldap._tcp.pdc msdcs 0 100 389 master30.school30000.local." to zone school30000.local...
done
Modified 1 records successfully
Starting Samba 4 daemon: samba.
*** Failed -1: /usr/lib/univention-system-setup/scripts/setup-join.sh

See attached file for a complete log.
Comment 6 Stefan Gohmann univentionstaff 2013-07-05 12:26:42 CEST
Created attachment 5304 [details]
ucsschool-performance-30000.log
Comment 7 Stefan Gohmann univentionstaff 2013-07-05 13:43:27 CEST
(In reply to Stefan Gohmann from comment #5)
> I'm not completely sure if this bug is the reason, but the setup-join now fails:

This seems to be a different issue. I set this bug to fixed again.
Comment 8 Stefan Gohmann univentionstaff 2013-07-10 10:29:51 CEST
*** Bug 30890 has been marked as a duplicate of this bug. ***
Comment 9 Felix Botner univentionstaff 2013-08-08 16:39:42 CEST
Created attachment 5361 [details]
updater.log

No,

master (s4connector) and a slave (samba4), both UCS 3.1-1

-> host -t SRV _ldap._tcp.test.fb
_ldap._tcp.test.fb has SRV record 0 100 7389 master.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 7389 slave.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 389 master.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 389 slave.test.fb.

-> host -t SRV _ldap._tcp.dc._msdcs.test.fb
_ldap._tcp.dc._msdcs.test.fb has SRV record 0 100 389 slave.test.fb.
_ldap._tcp.dc._msdcs.test.fb has SRV record 0 100 389 master.test.fb.

Then I updated the master, but during the update the 7386 DNS SRV records could not be removed:

Setting kerberos/kpasswdserver
File: /etc/krb5.conf
master.test.fb port 7389 is not offering the Service 'Samba 4'
E: Can`t connect daemon after 30 seconds.
slave.test.fb port 7389 is not offering the Service 'Samba 4'
E: Can`t connect daemon after 30 seconds.
Restarting univention-directory-listener daemon.

-> host -t SRV _ldap._tcp.test.fb
_ldap._tcp.test.fb has SRV record 0 100 389 slave.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 7389 master.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 7389 slave.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 389 master.test.fb.
Comment 10 Arvid Requate univentionstaff 2013-08-13 17:28:25 CEST
For ucs3.2-0 the join script version is now increased so that the cleanup code runs at join time. The corresponding code block has been removed from the univention-samba4.postinst (this was only a workaround for errata3.1-1).
Comment 11 Stefan Gohmann univentionstaff 2013-08-20 10:27:26 CEST
Changelog: OK

Test: OK (no 7389 SRV records in a S4 domain)

After updating an environment from 3.1-1 to 3.2 I do still have SRV records with port 7389:

root@master501:~# host -t SRV _ldap._tcp.deadlock50.local
_ldap._tcp.deadlock50.local has SRV record 0 100 389 master501.deadlock50.local.
_ldap._tcp.deadlock50.local has SRV record 0 100 389 slave503.deadlock50.local.
_ldap._tcp.deadlock50.local has SRV record 0 100 389 backup502.deadlock50.local.
_ldap._tcp.deadlock50.local has SRV record 0 100 7389 slave505.deadlock50.local.
root@master501:~# /usr/share/univention-join/check_join_status 
Joined successfully
root@master501:~# 

It matches the changelog description, but I think we should change it automatically during the upgrade. Alternatively, we should add a note to the release notes that the admin has to do it manually.
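The check Stefan runs by hand above (query _ldap._tcp with host -t SRV and look for port 7389 entries) can be scripted. The following is an added example, not code from this bug or from Univention: it parses the output format of `host -t SRV` as shown in comments 9 and 11 and reports which targets still advertise OpenLDAP's port 7389, separating hosts that have both a 389 and a 7389 record (the leftover described in this bug) from hosts that advertise 7389 only. The domain, host names and the sample output are constructed; the port numbers are the ones stated on this page.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Ports as stated on this bug page: Samba 4 (AD) LDAP answers on 389, OpenLDAP on 7389.
SAMBA4_LDAP_PORT = 389
OPENLDAP_PORT = 7389

# Constructed sample in the shape `host -t SRV _ldap._tcp.<domain>` prints.
# Domain and host names are invented; the mix of 389 and 7389 records mirrors
# the situation reported in this bug.
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.example.test has SRV record 0 100 389 master.example.test.
_ldap._tcp.example.test has SRV record 0 100 389 slave1.example.test.
_ldap._tcp.example.test has SRV record 0 100 7389 slave1.example.test.
_ldap._tcp.example.test has SRV record 0 100 7389 slave2.example.test.
"""


class SrvRecord(NamedTuple):
    name: str      # owner name, e.g. _ldap._tcp.example.test
    priority: int
    weight: int
    port: int
    target: str    # server FQDN, with the trailing dot as printed by host


# One line of `host -t SRV` output; lines such as "... has no SRV record" do not match.
SRV_LINE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<priority>\d+) (?P<weight>\d+) "
    r"(?P<port>\d+) (?P<target>\S+)$"
)


def parse_host_srv_output(text: str) -> List[SrvRecord]:
    """Parse `host -t SRV` output into SrvRecord tuples; non-matching lines are skipped."""
    records: List[SrvRecord] = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(m["name"], int(m["priority"]), int(m["weight"]),
                                     int(m["port"]), m["target"]))
    return records


def ports_by_target(records: List[SrvRecord]) -> Dict[str, Set[int]]:
    """Group the advertised ports per target host."""
    ports: Dict[str, Set[int]] = {}
    for r in records:
        ports.setdefault(r.target, set()).add(r.port)
    return ports


def stale_openldap_records(records: List[SrvRecord]) -> List[SrvRecord]:
    """_ldap._tcp records that point to OpenLDAP's port 7389.

    In a domain where Samba 4 is active these should not exist: a client that
    picks one of them reaches a server that is "not offering the Service 'Samba 4'"
    (as the update log in this bug puts it) and may run into timeouts.
    """
    return [r for r in records
            if r.name.startswith("_ldap._tcp.") and r.port == OPENLDAP_PORT]


def classify_targets(records: List[SrvRecord]) -> Dict[str, List[str]]:
    """Split targets that advertise 7389 into two groups.

    'stale':         the host advertises 389 and 7389; the 7389 record is left over
                     from an earlier join and is the case this bug is about.
    'only_openldap': the host advertises 7389 but no 389 record at all, i.e. no
                     Samba 4 LDAP record was registered for it yet.
    """
    result: Dict[str, List[str]] = {"stale": [], "only_openldap": []}
    for target, ports in sorted(ports_by_target(records).items()):
        if OPENLDAP_PORT not in ports:
            continue
        if SAMBA4_LDAP_PORT in ports:
            result["stale"].append(target)
        else:
            result["only_openldap"].append(target)
    return result


if __name__ == "__main__":
    recs = parse_host_srv_output(SAMPLE_HOST_OUTPUT)
    for r in stale_openldap_records(recs):
        print(f"7389 record: {r.name} -> {r.target}")
    print(classify_targets(recs))
```

In a real environment the sample text would be replaced by the output of `host -t SRV _ldap._tcp.<domain>`; per comment 12 the cleanup itself is done by the join scripts (univention-run-join-scripts), so the script only reports and changes nothing.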
Comment 12 Stefan Gohmann univentionstaff 2013-08-20 11:39:25 CEST
(In reply to Stefan Gohmann from comment #11)
> After updating an environment from 3.1-1 to 3.2 I do still have SRV records
> with port 7389:

My fault, I didn't run univention-run-join-scripts.
Comment 13 Stefan Gohmann univentionstaff 2013-08-20 12:07:46 CEST
(In reply to Stefan Gohmann from comment #12)
> (In reply to Stefan Gohmann from comment #11)
> > After updating an environment from 3.1-1 to 3.2 I do still have SRV records
> > with port 7389:
> 
> My fault, I didn't run univention-run-join-scripts.

Set to fixed.
Comment 14 Stefan Gohmann univentionstaff 2013-08-20 12:09:19 CEST
OK, the changelog now explains that 7389 entries are automatically removed in an S4 domain.
Comment 15 Stefan Gohmann univentionstaff 2013-11-19 06:44:32 CET
UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".