Univention Bugzilla – Bug 29462
OpenLDAP entries in SRV record _ldap._tcp in S4 environments
Last modified: 2013-11-19 06:44:32 CET
In a Samba4 environment under UCS 3.0, with every (repeated) domain join of one of the DCs the service records in _ldap._tcp reappear with a reference to port 7389 (OpenLDAP) alongside the ones with port 389 (Samba4). Once Samba4 is active in the domain, the join scripts should no longer register these.
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2. As such, this bug is moved to the new target milestone.
A customer told us that his Mac clients are using the _ldap._tcp SRV record instead of the site records (or the default-first-site record). By doing that they sometimes hit the wrong port and get timeout issues while logging in. I haven't found any technical documentation that verifies this yet. This article uses the SRV record for analysing DNS consistency in AD, for example: http://support.apple.com/kb/ht3394 Perhaps this affects the TM?
Arvid, we should check whether it is possible to backport the fix as an erratum for UCS 3.1-1, because it might be a big problem in some environments.
For joining systems this now gets fixed in 10univention-ldap-server. For the UCS Samba4 DC Master this also gets fixed during the join of the univention-samba4 package. Changelog added.
I'm not completely sure if this bug is the reason, but the setup-join now fails:

Create windows/wins-support
Multifile: /etc/samba/smb.conf
Adding CNAME record "a555b46f-6011-46d4-bd08-a8d85fb6c42a._msdcs master30.school30000.local." to zone school30000.local... done
Adding SRV record "ldap tcp 0 100 389 master30.school30000.local." to zone school30000.local... done
Adding SRV record "ldap._tcp.dc msdcs 0 100 389 master30.school30000.local." to zone school30000.local... done
Adding SRV record "ldap._tcp.df485650-b95d-44a1-93ad-ff8b91c0865b.domains msdcs 0 100 389 master30.school30000.local." to zone school30000.local... done
Adding SRV record "kerberos tcp 0 100 88 master30.school30000.local." to zone school30000.local... done
Adding SRV record "kerberos udp 0 100 88 master30.school30000.local." to zone school30000.local... done
Adding SRV record "kerberos._tcp.dc msdcs 0 100 88 master30.school30000.local." to zone school30000.local... done
Adding SRV record "kpasswd tcp 0 100 464 master30.school30000.local." to zone school30000.local... done
Adding SRV record "kpasswd udp 0 100 464 master30.school30000.local." to zone school30000.local... done
Adding SRV record "ldap._tcp.Default-First-Site-Name sites 0 100 389 master30.school30000.local." to zone school30000.local... done
Adding SRV record "ldap._tcp.Default-First-Site-Name._sites.dc msdcs 0 100 389 master30.school30000.local." to zone school30000.local... done
Adding SRV record "kerberos._tcp.Default-First-Site-Name sites 0 100 88 master30.school30000.local." to zone school30000.local... done
Adding SRV record "kerberos._tcp.Default-First-Site-Name._sites.dc msdcs 0 100 88 master30.school30000.local." to zone school30000.local... done
Adding TXT record "_kerberos SCHOOL30000.LOCAL" to zone school30000.local... done
Adding A record "gc._msdcs 10.210.7.43" to zone school30000.local... done
Adding SRV record "gc tcp 0 100 3268 master30.school30000.local." to zone school30000.local... done
Adding SRV record "ldap._tcp.gc msdcs 0 100 3268 master30.school30000.local." to zone school30000.local... done
Adding SRV record "gc._tcp.Default-First-Site-Name sites 0 100 3268 master30.school30000.local." to zone school30000.local... done
Adding SRV record "ldap._tcp.Default-First-Site-Name._sites.gc msdcs 0 100 3268 master30.school30000.local." to zone school30000.local... done
Adding SRV record "ldap._tcp.pdc msdcs 0 100 389 master30.school30000.local." to zone school30000.local... done
Modified 1 records successfully
Starting Samba 4 daemon: samba.
*** Failed -1: /usr/lib/univention-system-setup/scripts/setup-join.sh

See attached file for a complete log.
Created attachment 5304: ucsschool-performance-30000.log
(In reply to Stefan Gohmann from comment #5)
> I'm not completely sure if this bug is the reason, but the setup-join now fails:

This seems to be a different issue. I set this bug to fixed again.
*** Bug 30890 has been marked as a duplicate of this bug. ***
Created attachment 5361: updater.log

No, master (s4connector) and a slave (samba4), both UCS 3.1-1:

-> host -t SRV _ldap._tcp.test.fb
_ldap._tcp.test.fb has SRV record 0 100 7389 master.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 7389 slave.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 389 master.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 389 slave.test.fb.

-> host -t SRV _ldap._tcp.dc._msdcs.test.fb
_ldap._tcp.dc._msdcs.test.fb has SRV record 0 100 389 slave.test.fb.
_ldap._tcp.dc._msdcs.test.fb has SRV record 0 100 389 master.test.fb.

Then I updated the master, but during the update the 7389 DNS SRV records could not be removed:

Setting kerberos/kpasswdserver
File: /etc/krb5.conf
master.test.fb port 7389 is not offering the Service 'Samba 4'
E: Can`t connect daemon after 30 seconds.
slave.test.fb port 7389 is not offering the Service 'Samba 4'
E: Can`t connect daemon after 30 seconds.
Restarting univention-directory-listener daemon.

-> host -t SRV _ldap._tcp.test.fb
_ldap._tcp.test.fb has SRV record 0 100 389 slave.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 7389 master.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 7389 slave.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 389 master.test.fb.
For UCS 3.2-0 the join script version is now increased so that the cleanup code runs at join time. The corresponding code block has been removed from the univention-samba4.postinst (it was only a workaround for the 3.1-1 erratum).
Changelog: OK
Test: OK (no 7389 SRV records in an S4 domain)

After updating an environment from 3.1-1 to 3.2 I do still have SRV records with port 7389:

root@master501:~# host -t SRV _ldap._tcp.deadlock50.local
_ldap._tcp.deadlock50.local has SRV record 0 100 389 master501.deadlock50.local.
_ldap._tcp.deadlock50.local has SRV record 0 100 389 slave503.deadlock50.local.
_ldap._tcp.deadlock50.local has SRV record 0 100 389 backup502.deadlock50.local.
_ldap._tcp.deadlock50.local has SRV record 0 100 7389 slave505.deadlock50.local.
root@master501:~# /usr/share/univention-join/check_join_status
Joined successfully
root@master501:~#

It matches the changelog description, but I think we should change it automatically during the upgrade. Alternatively, we should add a note to the release notes that the admin should do it manually.
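The two `host -t SRV` listings above (comments #8 and #11) are the manual check for this bug. The following script is an added example, not code from this bug report or from Univention: it parses `host -t SRV` output for `_ldap._tcp.<domain>` and `_ldap._tcp.dc._msdcs.<domain>`, treats every target registered under `_msdcs` on port 389 as a Samba4 DC, and flags each such DC that still carries a port-7389 OpenLDAP entry in `_ldap._tcp` as stale (the state a client picking a random `_ldap._tcp` record would time out on). Hosts with a 7389 entry that are not Samba4 DCs are reported separately, since in an S4 domain they should not be there either. The sample output is constructed from the listings in this bug (the `backup.test.fb` host is hypothetical); the function names and the `check_domain` wrapper around the real `host` command are my own.

```python
"""Flag stale OpenLDAP (port 7389) entries in _ldap._tcp of a UCS/Samba4 domain.

Added example for Univention bug 29462; not part of UCS. Port numbers follow
the bug: UCS OpenLDAP listens on 7389, the Samba4 AD DC on 389.
"""
import re
import subprocess
from collections import defaultdict

OPENLDAP_PORT = 7389
SAMBA4_PORT = 389

# One line of `host -t SRV` output, e.g.
# "_ldap._tcp.test.fb has SRV record 0 100 7389 master.test.fb."
SRV_LINE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")


def parse_host_srv(output):
    """Return (name, priority, weight, port, target) tuples; other lines
    (e.g. NXDOMAIN messages) are skipped."""
    records = []
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            records.append((name, int(prio), int(weight), int(port), target))
    return records


def classify(ldap_output, msdcs_output):
    """Classify every target of _ldap._tcp.

    stale          - Samba4 DC (in _ldap._tcp.dc._msdcs on 389) that still has a 7389 entry
    openldap_only  - has a 7389 entry but is not a Samba4 DC
    ok             - only Samba4 (389) entries
    """
    samba4_dcs = {
        target for _, _, _, port, target in parse_host_srv(msdcs_output)
        if port == SAMBA4_PORT
    }
    ports_by_target = defaultdict(set)
    for _, _, _, port, target in parse_host_srv(ldap_output):
        ports_by_target[target].add(port)

    result = {"stale": [], "openldap_only": [], "ok": []}
    for target in sorted(ports_by_target):
        ports = ports_by_target[target]
        if OPENLDAP_PORT in ports and target in samba4_dcs:
            result["stale"].append(target)
        elif OPENLDAP_PORT in ports:
            result["openldap_only"].append(target)
        else:
            result["ok"].append(target)
    return result


def host_srv(name):
    """Live lookup with the `host` tool (needs working DNS)."""
    return subprocess.run(["host", "-t", "SRV", name],
                          capture_output=True, text=True).stdout


def check_domain(domain):
    """Hypothetical wrapper: run both lookups for a domain and classify."""
    return classify(host_srv(f"_ldap._tcp.{domain}"),
                    host_srv(f"_ldap._tcp.dc._msdcs.{domain}"))


# Constructed sample output, modelled on the listings in this bug;
# backup.test.fb is a made-up host that is not a Samba4 DC.
SAMPLE_LDAP = """\
_ldap._tcp.test.fb has SRV record 0 100 7389 master.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 7389 slave.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 389 master.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 389 slave.test.fb.
_ldap._tcp.test.fb has SRV record 0 100 7389 backup.test.fb.
"""
SAMPLE_MSDCS = """\
_ldap._tcp.dc._msdcs.test.fb has SRV record 0 100 389 slave.test.fb.
_ldap._tcp.dc._msdcs.test.fb has SRV record 0 100 389 master.test.fb.
"""

if __name__ == "__main__":
    import sys
    res = check_domain(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE_LDAP, SAMPLE_MSDCS)
    for kind, targets in res.items():
        print(f"{kind}: {', '.join(targets) or '-'}")
```

Run it with a domain name to query live DNS, or without arguments to see the classification of the constructed sample; a non-empty `stale` list is the condition this bug describes, and on UCS 3.2 running `univention-run-join-scripts` on the affected DC (as in comment #12) is what removes those entries.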
(In reply to Stefan Gohmann from comment #11)
> After updating an environment from 3.1-1 to 3.2 I do still have SRV records
> with port 7389:

My fault, I didn't run univention-run-join-scripts.
(In reply to Stefan Gohmann from comment #12)
> (In reply to Stefan Gohmann from comment #11)
> > After updating an environment from 3.1-1 to 3.2 I do still have SRV records
> > with port 7389:
>
> My fault, I didn't run univention-run-join-scripts.

Set to fixed.
OK, the changelog now explains that 7389 entries are automatically removed in an S4 domain.
UCS 3.2 has been released: http://docs.univention.de/release-notes-3.2-en.html http://docs.univention.de/release-notes-3.2-de.html If this error occurs again, please use "Clone This Bug".