Bug 29772 - UCS 3.1 migration from Samba 3 to Samba 4: DC Backup samba join failed
Status: RESOLVED DUPLICATE of bug 8429
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 3.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.x
Assigned To: Samba maintainers
Reported: 2012-12-12 12:27 CET by Arvid Requate
Modified: 2013-09-09 13:05 CEST (History)
Attachments
Console output of the migration on the master (47.50 KB, text/plain)
2012-12-12 12:27 CET, Arvid Requate
Description Arvid Requate univentionstaff 2012-12-12 12:27:09 CET
When migrating a UCS 3.1 domain, univention-samba4.inst aborts at

  univention-run-join-scripts --ask-pass

with the following message in join.log:

Finding a writeable DC for domain 'arucs31i23.qa'
Found DC master23.arucs31i23.qa
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <SASL:[GSS-SPNEGO]: NT_STATUS_PASSWORD_EXPIRED> <>


A test on the already migrated master yields:

root@master23:~# date
Mi 12. Dez 12:13:01 CET 2012
root@master23:~# kinit Administrator
Administrator@ARUCS31I23.QA's Password: 

Your password will expire at Wed Dec 12 11:30:36 2012

Changing password
New password:
Comment 1 Arvid Requate univentionstaff 2012-12-12 12:27:58 CET
Created attachment 4912 [details]
Console output of the migration on the master
Comment 2 Arvid Requate univentionstaff 2012-12-12 12:44:01 CET
=============================================================================
root@master23:~# udm settings/sambadomain list
Value must be a number!.

root@master23:~# univention-ldapsearch -xLLL objectclass=sambadomain
dn: sambaDomainName=ARUCS31I23,cn=samba,dc=arucs31i23,dc=qa
sambaDomainName: ARUCS31I23
sambaSID: S-1-5-21-1429084368-1943113508-3274989293
objectClass: sambaDomain
objectClass: univentionObject
univentionObjectType: settings/sambadomain
sambaNextUserRid: 1000
sambaNextGroupRid: 1000
sambaMinPwdLength: 8
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaRefuseMachinePwdChange: 0
sambaNextRid: 1001
sambaLogonToChgPwd: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1

root@master23:~# samba-tool domain passwordsettings show
Password informations for domain 'DC=arucs31i23,DC=qa'

Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0

root@master23:~# univention-s4search -b DC=arucs31i23,DC=qa -s base maxPwdAge minPwdAge pwdHistoryLength minPwdLength lockoutDuration lockOutObservationWindow lockoutThreshold forceLogoff 
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
# record 1
dn: DC=arucs31i23,DC=qa
forceLogoff: -9223372036854775808
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
minPwdLength: 8
pwdHistoryLength: 0
minPwdAge: 0
maxPwdAge: 10000000
lockoutDuration: -300000000
=============================================================================


The problem here is that maxPwdAge is set to a wrong value. The connector code should possibly be checked again here:
=============================================================================
12.12.2012 12:01:42,243 LDAP        (PROCESS): sync from ucs: [  container_dc] [       add] sambaDomainName=ARUCS31I23,cn=samba,dc=arucs31i23,dc=qa
[...]
12.12.2012 12:26:08,641 LDAP        (PROCESS): sync from ucs: [  container_dc] [    modify] sambadomainname=arucs31i23,cn=samba,dc=arucs31i23,dc=qa
=============================================================================


The following workaround should be included in the migration document:
=============================================================================
root@master23:~# samba-tool domain passwordsettings set --max-pwd-age 0
Maximum password age changed!
All changes applied successfully!

root@master23:~# samba-tool domain passwordsettings set --max-pwd-age 0
Maximum password age changed!
All changes applied successfully!
root@master23:~# univention-s4search -b DC=arucs31i23,DC=qa -s base maxPwdAge minPwdAge pwdHistoryLength minPwdLength lockoutDuration lockOutObservationWindow lockoutThreshold forceLogoff 
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
# record 1
dn: DC=arucs31i23,DC=qa
forceLogoff: -9223372036854775808
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
minPwdLength: 8
pwdHistoryLength: 0
minPwdAge: 0
lockoutDuration: -300000000
maxPwdAge: -9223372036854775808
=============================================================================

After that, the backup samba join works. But the udm module still cannot cope:

root@master23:~# udm settings/sambadomain list
Value must be a number!.
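
The two maxPwdAge values in the comment above can be told apart mechanically. The following is an added example, not Univention's connector code: it assumes sambaMaxPwdAge is in seconds with -1 meaning "no expiry" and that AD maxPwdAge is a negative count of 100-nanosecond intervals. All function names are hypothetical, and the naive conversion is only an assumed failure mode that happens to reproduce the value 10000000 shown above.

```python
import re

INT64_MIN = -(2 ** 63)         # AD "never" marker; the value maxPwdAge shows after the workaround
TICKS_PER_SECOND = 10_000_000  # AD stores intervals in 100-nanosecond units

def s3_max_pwd_age_to_ad(seconds):
    """Convert sambaMaxPwdAge (seconds, -1 = never) to an AD maxPwdAge value."""
    if seconds == -1:
        return INT64_MIN
    if seconds < 0:
        raise ValueError(f"unexpected sambaMaxPwdAge: {seconds}")
    return -seconds * TICKS_PER_SECOND

def naive_s3_to_ad(seconds):
    """Flip sign and scale without the -1 special case (assumed failure mode)."""
    return -seconds * TICKS_PER_SECOND

def check_ad_max_pwd_age(ldif):
    """Classify the maxPwdAge attribute found in LDIF text of the domain object."""
    m = re.search(r"^maxPwdAge:\s*(-?\d+)\s*$", ldif, re.MULTILINE | re.IGNORECASE)
    if m is None:
        return "missing"
    value = int(m.group(1))
    if value in (0, INT64_MIN):
        return "never expires"
    if value > 0:
        # A positive interval is not a valid age; passwords end up treated as expired.
        return "invalid: positive interval"
    return f"expires after {-value // TICKS_PER_SECOND} s"

# maxPwdAge lines as they appear in the two univention-s4search outputs on this page
BEFORE_WORKAROUND = "dn: DC=arucs31i23,DC=qa\nminPwdAge: 0\nmaxPwdAge: 10000000\n"
AFTER_WORKAROUND = "dn: DC=arucs31i23,DC=qa\nminPwdAge: 0\nmaxPwdAge: -9223372036854775808\n"

if __name__ == "__main__":
    print("naive(-1)   =", naive_s3_to_ad(-1))
    print("correct(-1) =", s3_max_pwd_age_to_ad(-1))
    print("before:", check_ad_max_pwd_age(BEFORE_WORKAROUND))
    print("after: ", check_ad_max_pwd_age(AFTER_WORKAROUND))
```

Running the check against the domain object after a migration flags a wrongly converted password policy before the next DC join fails on it.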
Comment 3 Arvid Requate univentionstaff 2012-12-12 13:00:20 CET
The S4 Connector conversion bug has now been split off as Bug 29775.
Comment 4 Arvid Requate univentionstaff 2012-12-12 13:16:03 CET
The migration guide now includes the recommendation to reset the maximum password age manually. The value 0 is described as an example.
http://wiki.univention.de/index.php?title=Migration_from_Samba_3_to_Samba_4#Migration_of_the_first_Samba_3_DC

So the following should still be fixed via this bug:

root@master23:~# udm settings/sambadomain list
Value must be a number!.
Comment 5 Arvid Requate univentionstaff 2013-09-09 13:05:54 CEST
> So the following should still be fixed via this bug:
> 
> root@master23:~# udm settings/sambadomain list
> Value must be a number!.


This seems to be just a variation of Bug #8429.

*** This bug has been marked as a duplicate of bug 8429 ***