Univention Bugzilla – Bug 30105
dns-<hostname> account can't be created
Last modified: 2013-02-15 17:51:05 CET
The dns-<hostname> account can't be created in the join script of a school slave:

Configure 98univention-samba4-dns.inst
Waiting for RID Pool replication: done.
univention_samaccountname_ldap_check: ldb_add of user and group object is disabled
ERROR(ldb): Failed to add user 'dns-slave523': - ldb_request: Unwilling to perform (53)
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.

As a result only some of the SRV records are available after the join:

root@slave523:~# host -al deadlock52.local | grep SRV
_ldap._tcp.deadlock52.local. 900 IN SRV 100 0 389 slave523.deadlock52.local.
_kerberos._udp.deadlock52.local. 900 IN SRV 100 0 88 slave523.deadlock52.local.
_kerberos._tcp.deadlock52.local. 900 IN SRV 100 0 88 slave523.deadlock52.local.
_kerberos-adm._tcp.deadlock52.local. 900 IN SRV 100 0 88 slave523.deadlock52.local.
_domaincontroller_master._tcp.deadlock52.local. 900 IN SRV 0 0 0 master521.deadlock52.local.
In UCS 3.0 the dns-<hostname> account was created in 96univention-samba4.inst locally in the sam.ldb, before 97libunivention-ldb-modules.inst registered the LDB module denying local user and group creation. In UCS 3.1 the creation of the DNS service account was postponed to 98univention-samba4-dns.inst, so the univention_samaccountname_ldap_check now denies local account creation. Due to the workaround for Bug 26841 the DNS service account is explicitly ignored by the S4 Connector (Bug 26861; the corresponding variable is set in 62ucs-school-slave.inst and 62ucs-school-master.inst), so the account only exists locally in the sam.ldb of the corresponding Slave-PDC. Note: Bug 26504 shifted the rIDAllocationPool a bit on the Slave-PDCs (to 2100), so there are no immediate collisions with a DC Master (rIDAllocationPool: 1100-1599) and a DC Backup (rIDAllocationPool: 1600-2099) in the school headquarters. The joinscript univention-squid-kerberos/98univention-squid-samba4.inst gives an example of how these service accounts can be created via UDM; this would probably be a good approach. It would require taking dns-<hostname> off the connector/s4/mapping/user/ignorelist, though.
As a workaround the relevant initial portion of 98univention-samba4-dns.inst has now been duplicated as univention-ldb-modules/96univention-samba4-slavepdc.inst. The new Bug #30115 recommends the solution described in Comment 1 for a later release of the UCS platform product. The updated changelog is committed to SVN.
OK, the account is now created.
The join script order is wrong:

RUNNING 96univention-samba4-slavepdc.inst
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1
RUNNING 96univention-samba4.inst
Multifile: /etc/samba/smb.conf
Setting samba/quota/command
In the test environment LC_COLLATE='C' was set; the bug would have to be fixed in univention-join:

LC_COLLATE="C" bash -c 'ls /usr/lib/univention-install/*.inst'
vs.
LC_COLLATE="de_E.UTF-8" bash -c 'ls /usr/lib/univention-install/*.inst'
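The following script is an added example and not part of the bug report or of univention-join. It reproduces why the two ls invocations above disagree: under LC_COLLATE=C the hyphen in 96univention-samba4-slavepdc.inst (0x2D) sorts before the dot in 96univention-samba4.inst (0x2E), so the slavepdc script runs before the Samba4 backend exists, whereas glibc locale collations ignore punctuation at the first level and order the same files the other way round. It also lists the renamed scripts from the later comment (hyphen before "slavepdc" dropped), which sort identically under both collations. A temporary directory stands in for /usr/lib/univention-install (constructed fixture), and de_DE.UTF-8 is assumed to be the locale meant by "de_E.UTF-8"; the locale-specific run is skipped when that locale is not installed, because ls would otherwise silently fall back to C.

```shell
#!/bin/sh
# Added example, not part of the Univention bug report. It reproduces the
# collation-dependent ordering of join scripts that univention-join sees via
#   LC_COLLATE=... bash -c 'ls /usr/lib/univention-install/*.inst'
# A temporary directory stands in for /usr/lib/univention-install, and
# de_DE.UTF-8 is assumed to be the locale meant in the comment above.

# make_fixture NAME... : creates a temp directory with empty files of the
# given names (a constructed stand-in for the join-script directory) and
# prints its path.
make_fixture() {
    dir=$(mktemp -d)
    for name in "$@"; do
        : > "$dir/$name"
    done
    printf '%s\n' "$dir"
}

# inst_order LOCALE DIR : lists DIR/*.inst as the join would see them when
# LC_COLLATE is LOCALE. LC_ALL is removed from the environment because,
# when set, it overrides LC_COLLATE.
inst_order() {
    (cd "$2" && env -u LC_ALL LC_COLLATE="$1" ls -- *.inst)
}

# first_inst LOCALE DIR : the script that would run first under LOCALE.
first_inst() {
    inst_order "$1" "$2" | head -n 1
}

# have_locale NAME : succeeds if NAME is an installed locale, so a run with it
# really uses that collation instead of silently falling back to C.
have_locale() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '-')
    locale -a 2>/dev/null | tr 'A-Z' 'a-z' | tr -d '-' | grep -qx "$want"
}

# Script names as they were when the bug was filed ...
broken_dir=$(make_fixture \
    96univention-samba4-slavepdc.inst \
    96univention-samba4.inst \
    97libunivention-ldb-modules.inst \
    98univention-samba4-dns-slavepdc.inst \
    98univention-samba4-dns.inst)
# ... and after the rename that dropped the hyphen before "slavepdc".
fixed_dir=$(make_fixture \
    96univention-samba4.inst \
    96univention-samba4slavepdc.inst \
    97libunivention-ldb-modules.inst \
    98univention-samba4-dns.inst \
    98univention-samba4slavepdc-dns.inst)
trap 'rm -rf "$broken_dir" "$fixed_dir"' EXIT

for dir in "$broken_dir" "$fixed_dir"; do
    echo "== $dir =="
    echo "-- LC_COLLATE=C:"
    inst_order C "$dir"
    if have_locale de_DE.UTF-8; then
        echo "-- LC_COLLATE=de_DE.UTF-8:"
        inst_order de_DE.UTF-8 "$dir"
    else
        echo "-- de_DE.UTF-8 not installed, locale run skipped"
    fi
done
```

With the original names, the C run prints 96univention-samba4-slavepdc.inst first and 98univention-samba4-dns-slavepdc.inst before 98univention-samba4-dns.inst, which is the order in the failing join log; with the renamed files, 96univention-samba4.inst and 98univention-samba4-dns.inst come first under either collation, so the execution order no longer depends on the environment the join is started from.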
Fixed by renaming the scripts: univention-ldb-modules/96univention-samba4-slavepdc.inst to univention-ldb-modules/96univention-samba4slavepdc.inst, and univention-ldb-modules/98univention-samba4-dns-slavepdc.inst to univention-ldb-modules/98univention-samba4slavepdc-dns.inst. The general problem should be fixed via Bug #30168.
The updated package has actually been built now as well; a changelog entry is not required for a bug in an unreleased version.
OK
UCS@school 3.1 has been released: http://forum.univention.de/viewtopic.php?f=26&t=2364 If this error occurs again, please use "Clone This Bug".