Bug 30544 – Call purge_s4_computer.py during join

Bug 30544 - Call purge_s4_computer.py during join


Summary:	Call purge_s4_computer.py during join

Status:	RESOLVED WORKSFORME

Product:	UCS
Classification:	Unclassified
Component:	Samba4
Version:	UCS 3.0
Hardware:	Other Linux

Importance:	P5 enhancement (vote)
Target Milestone:	---
Assigned To:	Samba maintainers
QA Contact:

URL:
Keywords:

Depends on:	29460
Blocks:
	Show dependency tree / graph

Reported:	2013-02-22 07:59 CET by Stefan Gohmann
Modified:	2013-02-23 10:16 CET (History)
CC List:	4 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Gohmann

2013-02-22 07:59:34 CET

I think we should call the script when the DC is joined again.


+++ This bug was initially created as a clone of Bug #29460 +++

Das Entfernen eines Samba4-DCs aus UCS und Samba4 benötigt im Moment mehrere,
teils sehr technische und potentiell gefährliche Schritte. Dazu sollte es ein
Tool geben oder es sollte vollständig über den S4-Connector/Samba4 abgebildet
werden.

Mindestens notwendig sind:
- Entfernen via UDM inkl. DNS/DHCP-Einträge
- (rekursives) Entfernen der Server-Objekte unter cn=configuration,$LDAP_BASE
im Samba4 per ldbdel

Entfernt werden sollten auch weitere Einträge im S4 sofern vorhanden sowie
Einträge im DNS (Service Records, Alias sofern nicht automatisch entfernt).

Comment 1 Arvid Requate

2013-02-22 21:25:36 CET

Is there really anything we need to run purge_s4_computer.py for?

* During the join of a prestine UCS DC with Samba4 ("Reinstall") it is supposed to remove an existing computer account of the same name by itself (it's done with Administrative credentials..). Before Bug 29083 Comment 5 this was prevented with --keep-existing, but now we don't keep the account in this case. Supposedly this also cleans up all DC related objects.

* During "Re-Join" of a Samba4 DC that already had Samba4 running (local sam.ldb exists), we use --keep-existing to explicitely maintain the SID of the DC.

* Generally the GUID ._msdcs alias schould be removed now as well during any kind of Samba4 join (also via Bug 29083 Comment 5).

Maybe I'm overlooking something but currently I'm leaning towards the feeling that purge_s4_computer.py would be a "too big gun". If there is anything else to clean up, maybe Bug 29461 is a good start and we should then automate some additional precise cleanups during join once we have identified the need for it? Just my gut feeling.

Comment 2 Stefan Gohmann

2013-02-23 10:16:30 CET

(In reply to comment #1)
> Is there really anything we need to run purge_s4_computer.py for?
> 
> * During the join of a prestine UCS DC with Samba4 ("Reinstall") it is supposed
> to remove an existing computer account of the same name by itself (it's done
> with Administrative credentials..). Before Bug 29083 Comment 5 this was
> prevented with --keep-existing, but now we don't keep the account in this case.
> Supposedly this also cleans up all DC related objects.

OK, I think I'd forgotten this. If the Admin is able to reinstall an existing Server with the same hostname without any problem, everything is fine.