Bug 32187 - support for second school-DC
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: General
Version: UCS@school 3.1 R2
Platform: Other Linux
Importance: P5 enhancement
Target Milestone: UCS@school 3.2 R2
Assigned To: Arvid Requate
QA Contact: Stefan Gohmann
Blocks: 43311 44227
Reported: 2013-08-08 10:49 CEST by Ingo Steuwer
Modified: 2017-04-05 16:55 CEST
Bug group (optional): Further conceptual development, Large environments

Attachments
join.log from slave (8.51 KB, application/bzip2) - 2014-05-15 12:20 CEST, Sönke Schwardt-Krummrich

Description Ingo Steuwer univentionstaff 2013-08-08 10:49:12 CEST
UCS@school setups officially support only one DC per school, both in single- and multi-school setups. In larger schools a second DC is needed to handle authentication requests, in particular because of the small time slot for client authentications at the beginning of a lesson.

In practice, a second DC in a single-school setup already works (because Samba4 in single-school setups is nearly identical to default UCS domains). It should principally work in multi-school setups also, but isn't tested and documented yet.

requested by 2013080221003399 and 2013053021002128
Comment 1 Arvid Requate univentionstaff 2013-08-08 12:24:33 CEST
The ucs-school-slave package in its current state might not be suitable for this yet, as it activates another S4-Connector locally. So either an extension of the existing package or yet another meta package would be required to set a small subset of UCR variables, e.g. the variables
* dns/register/srv_records/ldap
* dns/register/srv_records/kerberos
* connector/s4/mapping/dns/srv_record/_kerberos._tcp.$domainname/location (for Bug #31651)
Comment 2 Stefan Gohmann univentionstaff 2014-05-08 10:56:36 CEST
This blocks the ucs-school-slave installation with samba 3, because ucs-school-slave depends on ucs-school-s4-branch-site and ucs-school-s4-branch-site depends on univention-s4-connector:


root@master181:~# apt-get install -s ucs-school-slave
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 ucs-school-slave : Depends: univention-s4-connector (>= 6.0.128-24) but it is not going to be installed or
                             univention-samba-slave-pdc but it is not going to be installed
                    Depends: ucs-school-s4-branch-site but it is not going to be installed
E: Broken packages
root@master181:~#
Comment 3 Arvid Requate univentionstaff 2014-05-08 21:49:44 CEST
* The new package ucs-school-s4-branch-site installs a listener which filters for services ("S4 Slave PDC") and (one of the services defined via Bug 34172).

* On start of the listener it reads the UCS@school service type (Education or Management) from the machine account of the local system. This way, it will adjust the filter to match "S4 Slave PDC" systems specifically of the same UCS@school service type.

* When the listener is triggered (for cn, associatedDomain and description), it checks if the filter has been specified already, otherwise it will ignore the change.

* For add or modify operations the module checks if the handled DN is below a school OU, otherwise it will ignore it. For delete/modrdn it processes the change anyway.

* For each relevant change it does not only differentially look at the current DN but it actually takes the opportunity to look into the LDAP (as visible from the slave perspective) and extract all relevant DCs (matching that same filter).

* It iterates through a static table of SRV relativeDomainNames and reads from UCR the corresponding connector/s4/mapping/dns/srv_record/.*/location variable.

* For each variable it checks each fqdn listed in it. Only FQDNs still relevant (=on the list gathered from LDAP) are maintained in the variable with their current priority/weight/port as found in the UCR variable. Relevant FQDNs not yet found in the UCR variable are appended to it with the default priority/weight/port, corresponding to the service type (_kerberos/_ldap/_gc).

* If one of the UCR variables was set to "ignore" or not set at all, the listener will not touch it.

* After making the necessary UCR changes, the listener passes a list to its postrun, holding all relevant SRV record names which didn't get "ignored".

* In the postrun, the listener module processes this list and writes an s4-connector pickle file for each of them, re-triggering sync to S4.

* This retriggering is also done if all UCR variables were already up to date. This way, the sync to S4 can be retriggered at any time simply by changing a description on one of the relevant DCs.
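The UCR-side merge that the bullets above describe, written out as an added example in Python; it is not the ucs-school-s4-branch-site listener's own code. It assumes that a connector/s4/mapping/dns/srv_record/<name>/location value is a whitespace-separated run of "priority weight port fqdn." tuples, that "ignore" or an unset variable means hands off, that the defaults are priority 0 / weight 100 with the standard port of the service type, and it uses a simplified school-OU check (an OU directly under the LDAP base, no escaped-comma handling). The domain names are constructed.

```python
"""Added example, not the listener module's own code: the UCR merge step
for the S4 Connector SRV location variables, as described in Comment 3.
Assumed value format: "prio weight port fqdn." tuples separated by whitespace.
"""

# Default priority/weight/port per SRV service type (assumed defaults).
DEFAULTS = {
    "_kerberos": (0, 100, 88),
    "_ldap": (0, 100, 389),
    "_gc": (0, 100, 3268),
}

# Static table of SRV relativeDomainNames the listener walks.
# The domain suffix nstx.local is constructed for this example.
SRV_RECORDS = {
    "_kerberos._tcp.nstx.local": "_kerberos",
    "_ldap._tcp.nstx.local": "_ldap",
    "_gc._tcp.nstx.local": "_gc",
}


def below_school_ou(dn, ldap_base):
    """True if dn lies below an OU that sits directly under the LDAP base
    (the school OU layout assumed here; plain comma split, no DN escaping)."""
    dn_l, base_l = dn.lower(), ldap_base.lower()
    if not dn_l.endswith("," + base_l):
        return False
    rdns = dn_l[:-(len(base_l) + 1)].split(",")
    return len(rdns) >= 2 and rdns[-1].startswith("ou=")


def parse_location(value):
    """Split a location value into a list of (priority, weight, port, fqdn)."""
    tokens = value.split()
    if len(tokens) % 4 != 0:
        raise ValueError("malformed SRV location: %r" % value)
    return [(int(tokens[i]), int(tokens[i + 1]), int(tokens[i + 2]), tokens[i + 3])
            for i in range(0, len(tokens), 4)]


def format_location(entries):
    return " ".join("%d %d %d %s" % e for e in entries)


def normalize(fqdn):
    return fqdn.lower().rstrip(".")


def merge_location(current, relevant_fqdns, service):
    """Return the new value for one location variable, or None if it must
    not be touched ("ignore" or unset).

    FQDNs still relevant keep the priority/weight/port found in the variable;
    relevant FQDNs missing from it are appended with the service's defaults;
    FQDNs no longer found in LDAP are dropped.
    """
    if current is None or current.strip() == "ignore":
        return None
    wanted = {normalize(f) for f in relevant_fqdns}
    kept = [e for e in parse_location(current) if normalize(e[3]) in wanted]
    present = {normalize(e[3]) for e in kept}
    prio, weight, port = DEFAULTS[service]
    for fqdn in sorted(wanted - present):
        kept.append((prio, weight, port, fqdn + "."))
    return format_location(kept)


def update_srv_locations(ucr, relevant_fqdns):
    """Walk SRV_RECORDS and compute the new UCR values.

    Returns (values, retrigger): values maps UCR key -> new value for every
    variable that was not ignored; retrigger lists the record names handed to
    the postrun, which re-syncs them to S4 even when nothing changed.
    """
    values, retrigger = {}, []
    for record, service in SRV_RECORDS.items():
        key = "connector/s4/mapping/dns/srv_record/%s/location" % record
        new = merge_location(ucr.get(key), relevant_fqdns, service)
        if new is None:
            continue
        values[key] = new
        retrigger.append(record)
    return values, retrigger


if __name__ == "__main__":
    # Constructed sample: one stale DC in the variable, one new DC in LDAP.
    sample_ucr = {
        "connector/s4/mapping/dns/srv_record/_kerberos._tcp.nstx.local/location":
            "0 100 88 slave71.nstx.local. 0 100 88 oldslave.nstx.local.",
        "connector/s4/mapping/dns/srv_record/_ldap._tcp.nstx.local/location": "ignore",
    }
    print(update_srv_locations(sample_ucr, ["slave71.nstx.local", "slave72.nstx.local"]))
```

Unset and "ignore" variables are skipped entirely, so they are also left out of the retrigger list, which matches the postrun behaviour the comment describes.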
Comment 4 Arvid Requate univentionstaff 2014-05-08 21:55:09 CEST
Until now, these dry-runs have been done to test this:

 * ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record.py

 * Manual installation/preparation of a second Educational DC at the same school.
 * Join of a pre-created Management-DC at the same school.

The SRV record filtering seemed to work fine.
We still need to check if all Samba4 related operations work as desired after setting additional School DCs up with the UCS@school wizard.

Changelog has been adjusted. Setting to fixed for now.
Comment 5 Arvid Requate univentionstaff 2014-05-13 13:37:13 CEST
As discussed, there are a couple of additional aspects left to address here to really add value in UCS@school.

I removed the dependency on ucs-school-s4-branch-site from the ucs-school-*slave packages.

Changelog and Target milestone adjusted.
Comment 6 Arvid Requate univentionstaff 2014-05-13 18:35:22 CEST
Plan B): Add a standard UCS Slave and let it join via DRS. This currently avoids potential issues with Bug 34226 and the Samba4-cousin of Bug 32082.


ucs-school-import now ships a script, which can be used to install and join Samba4 on a non-UCS@school DC. The script takes the IP of a regular UCS@school PDC (with univentionService=S4 Connector) and is implemented as a frontend to univention-join and additionally asks for the root-password of the regular UCS@school PDC.

In its current version the steps for the Administrator would be:
1. Install and join a standard UCS DC Slave without Samba4.
2. On the UCS@school DC Master manually add the new Slave to the groups DC-Edukativnetz and "OU${school}-DC-Edukativnetz".
3. On the UCS@school DC Master run /usr/share/ucs-school-import/scripts/move_domaincontroller_to_ou
4. scp /usr/share/ucs-school-import/scripts/ucs-school-join-secondary-samba4 from the UCS@school DC Master to the standard UCS DC Slave.
5. Run ucs-school-join-secondary-samba4 on the standard UCS DC Slave.


Unfortunately move_domaincontroller_to_ou only works on the UCS@school Master, otherwise steps 2 and 3 could be automated easily by the script.


* The script performs a number of sanity checks first:
** verify that the local system is already joined (LDAP access via hostdn)
** verify that the local system doesn't offer univentionService=UCS@school
** check root access to the regular UCS@school PDC
** univention-install univention-samba4 libunivention-ldb-modules


* If all of this worked, the script
** Sets nameserver1 and samba4/dc to the IP of the UCS@school PDC
** Unsets nameserver2 nameserver3
** Sets samba4/join/site to the site of the UCS@school PDC
** Sets samba4/ldb/sam/module/prepend="univention_samaccountname_ldap_check"
** Sets dns/register/srv_records/kerberos?false
** Sets dns/register/srv_records/ldap?false
** Sets samba4/dns/domain/register?false
** Sets samba4/join/dnsupdate?true
** Removes the new DC from the Kerberos and LDAP SRV records in UDM
** remotely deactivates the univention_samaccountname_ldap_check LDB module
   on the UCS@school PDC and restarts samba4 there
** runs univention-join with the given credentials
** remotely re-activates the univention_samaccountname_ldap_check LDB module
   on the UCS@school PDC and restarts samba4 there
Comment 7 Arvid Requate univentionstaff 2014-05-13 18:35:55 CEST
Maybe this needs some adjustment, as libunivention-ldb-modules probably only exists in the UCS@school component repository?

Changelog adjusted.
Comment 8 Arvid Requate univentionstaff 2014-05-13 19:21:05 CEST
Ok, after consulting more appcenter savvy developers I now install libunivention-ldb-modules via univention-add-app.

I also needed to re-enable the ucs-school-s4-branch-site package/listener module again to:
1. Support separate DC-Verwaltungsnetz DCs in the same school (Bug 34097)
2. Avoid removing secondary S4-DCs from the Samba4 SRV records in Samba4 DNS

Setting to fixed for now but this will probably need a bunch of testing and readjustment.
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2014-05-15 12:19:11 CEST
The join after the installation of UCS@school on a slave failed in 96univention-samba4.inst. Within join.log there is also this traceback:

Configure 00ucs-school-slave-check-ou.inst Thu May 15 12:11:30 CEST 2014
Configure 01univention-ldap-server-init.inst Thu May 15 12:11:30 CEST 2014
Configure 03univention-directory-listener.inst Thu May 15 12:11:31 CEST 2014
Setting ldap/database/ldbm/dbsync
Multifile: /etc/ldap/slapd.conf
15.05.14 12:11:31.990  DEBUG_INIT
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=slave71.nstx.local port=7389 base=dc=nstx,dc=local
15.05.14 12:11:33.078  LISTENER    ( ERROR   ) : import of filename=/usr/lib/univention-directory-listener/system/ucsschool-s4-branch-site.py failed
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/ucsschool-s4-branch-site.py", line 131, in <module>
    on_load()
  File "/usr/lib/pymodules/python2.6/ucsschool/lib/schoolldap.py", line 185, in wrapper_func
    connections = get_ldap_connections( _connection_types )
  File "/usr/lib/pymodules/python2.6/ucsschool/lib/schoolldap.py", line 134, in get_ldap_connections
    lo, pos = udm_uldap.getMachineConnection( ldap_master = False )
  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 75, in getMachineConnection
    lo=univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 109, in getMachineConnection
    lo=access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 182, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 227, in __open
    self.lo.simple_bind_s(self.binddn, self.__encode_pwd(self.bindpw))
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 781, in simple_bind_s
    return SimpleLDAPObject.simple_bind_s(self,*args,**kwargs)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
15.05.14 12:11:33.088  LISTENER    ( ERROR   ) : import of filename=/usr/lib/univention-directory-listener/system/ucsschool-s4-branch-site.py failed in module_import()
15.05.14 12:11:33.143  LISTENER    ( WARN    ) : replication: ldap server changed to master70.nstx.local
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=master70.nstx.local port=7389 base=dc=nstx,dc=local
UNIVENTION_DEBUG_END    : uldap.__open host=master70.nstx.local port=7389 base=dc=nstx,dc=local
15.05.14 12:11:33.178  LISTENER    ( WARN    ) : handler: replication (not ready) (ignore)
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
1
Comment 10 Sönke Schwardt-Krummrich univentionstaff 2014-05-15 12:20:30 CEST
Created attachment 5913 [details]
join.log from slave

join.log of the slave
Comment 11 Stefan Gohmann univentionstaff 2014-05-19 08:06:07 CEST
(In reply to Arvid Requate from comment #4)
> Until now, these dry-runs have been done to test this:
> 
>  * ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record.py

Currently, the test case fails in Jenkins. For example:

http://jenkins.knut.univention.de:8080/view/UCSschool/job/UCSschool%203.2%20Multiserver/SambaVersion=s4-all-components/51/testReport/junit/90_ucsschool.16_s4_slave_automatic_srv_record/py/test/
Comment 12 Arvid Requate univentionstaff 2014-05-19 20:15:45 CEST
I now added a dynamic delay mechanism to wait for the S4 Connector sync.
Comment 13 Arvid Requate univentionstaff 2014-05-20 14:21:15 CEST
Ok, the script move_domaincontroller_to_ou has been improved a lot, handing over for QA verification.
Comment 14 Stefan Gohmann univentionstaff 2014-05-21 08:42:45 CEST
The installation was successful but the sysvol sync does not work:

slave1 (10.210.48.2)

root@slave2042:~# ucr search --brief sysvol
samba/share/sysvol/readonly: no
samba/share/sysvol/update_mtime: <empty>
samba/share/sysvol: <empty>
samba4/sysvol/cleanup/cron: 4 4 * * *
samba4/sysvol/cleanup/parameters: <empty>
samba4/sysvol/sync/cron: */5 * * * *
samba4/sysvol/sync/host: master204
samba4/sysvol/sync/jitter: 60
samba4/sysvol/sync/setfacl/AU: false
root@slave2042:~# ls -la /var/lib/samba/sysvol/autotest204.local/
insgesamt 28
drwxrwx---+ 4 Administrator Administrators 4096 21. Mai 02:21 .
drwxr-xr-x  3 root          adm            4096 21. Mai 01:39 ..
drwxrwx---+ 4 Administrator Administrators 4096 21. Mai 02:21 Policies
drwxrwx---+ 3 Administrator Administrators 4096 21. Mai 02:24 scripts
root@slave2042:~#

slave2 (10.210.169.53)

root@slave2043:~# ucr search --brief sysvol
samba/share/sysvol/readonly: no
samba/share/sysvol/update_mtime: <empty>
samba/share/sysvol: <empty>
samba4/sysvol/cleanup/cron: 4 4 * * *
samba4/sysvol/cleanup/parameters: <empty>
samba4/sysvol/sync/cron: */5 * * * *
samba4/sysvol/sync/host: master204
samba4/sysvol/sync/jitter: 60
samba4/sysvol/sync/setfacl/AU: false
root@slave2043:~# ls -la /var/lib/samba/sysvol/autotest204.local/
insgesamt 20
drwxrwx---+ 3 Administrator Administrators 4096 21. Mai 02:31 .
drwxr-xr-x  3 root          adm            4096 21. Mai 01:39 ..
drwxrwx---+ 2 Administrator Administrators 4096 21. Mai 02:31 scripts
root@slave2043:~#

The join.log contains some errors:

96univention-samba4.inst

ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/ntacl.py", line 218, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 1581, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 1499, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.6/dist-packages/samba/ntacls.py", line 154, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
open: error=2 (No such file or directory)

subnet 10.210.0.0/16 already exists
Traceback (most recent call last):
  File "/usr/share/univention-samba4/scripts/univention-samba4-site-tool.py", line 218, in <module>
    samdb.add_ldif(subnet_add_ldif)
  File "/usr/lib/python2.6/dist-packages/samba/__init__.py", line 224, in add_ldif
    self.add(msg, controls)
_ldb.LdbError: (68, 'Entry CN=10.210.0.0/16,CN=Subnets,CN=Sites,CN=Configuration,DC=autotest204,DC=local already exists')


98univention-samba4-dns.inst

ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/ntacl.py", line 218, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 1581, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 1499, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.6/dist-packages/samba/ntacls.py", line 154, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
open: error=2 (No such file or directory)


update failed: REFUSED
update failed: REFUSED
Comment 15 Arvid Requate univentionstaff 2014-05-21 21:57:17 CEST
Another bunch of fixes. I now tested running the script

1. on an unjoined slave

2. a second time


> The installation was successful but the sysvol sync does not work:

The origin of this is Bug #34905. I now set samba4/sysvol/sync/host to point to the UCS@school Slave PDC, I guess that's not too bad in the long run.

I now log everything to /var/log/univention/join-secondary-samba4.log to work around Bug #34909. Also now I avoid the interactive mode of univention-install.

The fix for Bug #34880 is also in and seems to be necessary for the initial run of the script.
Comment 16 Arvid Requate univentionstaff 2014-05-21 21:59:56 CEST
Just for the eternal bugzilla logs: The fix from Bug 34908 Comment 1 is included as well.
Comment 17 Stefan Gohmann univentionstaff 2014-05-22 15:24:15 CEST
Changelog: OK

Singleserver tests:
 - Windows join: Failed
 - Rejects: OK
 - sysvol replication: OK
 - rejoin: OK
 - dns settings: OK
 - replication: OK

Multiserver tests: OK
 - Windows join: OK
 - Rejects: OK
 - sysvol replication: OK
 - rejoin: OK
 - dns settings: OK
 - replication: OK

I've added jenkins jobs for this issue:

The windows client was added twice in the S4 while joining a windows client:

root@master201:~# univention-s4search cn=win7* dn objectSid samAccountName
# record 1
dn: CN=WIN7PRO3,CN=computers,OU=School1,DC=autotest201,DC=local
objectSid: S-1-5-21-984479620-387015285-3486037011-5030
sAMAccountName: WIN7PRO3$

# record 2
dn: CN=WIN7PRO3,CN=Computers,DC=autotest201,DC=local
objectSid: S-1-5-21-984479620-387015285-3486037011-1602
sAMAccountName: WIN7PRO3$
Comment 18 Arvid Requate univentionstaff 2014-05-22 17:39:41 CEST
As discussed: The ucs-school-join-secondary-samba4 was adjusted to set a new UCR variable "samba4/addmachine"?"deny".

The ldb module univention_samaccountname_ldap_check was adjusted to

* call a wrapper script /usr/sbin/ucs-school-create_windows_computer

* The wrapper script evaluates the UCR variable samba4/addmachine

* If the UCR variable is set to "deny" the script exits 2 and the ldb module aborts the operation with LDB_ERROR_UNWILLING_TO_PERFORM

* Otherwise the wrapper script calls the original umc-command to create the Machine account in UMC.

* If the umc-command returns != 0, the wrapper script exits 1 and the ldb module aborts the operation with LDB_ERR_ENTRY_ALREADY_EXISTS (as before this change).

* If the umc-command succeeded, the wrapper script checks if the UCR variable is set to "dummy". If this is the case it exits 3 and the ldb module immediately returns with LDB_SUCCESS from ldb_add operation without calling any other ldb modules.

* Otherwise the wrapper script exits 0 and the ldb module continues to create the machine account by calling the next ldb module in the stack (as before this change).
Comment 19 Stefan Gohmann univentionstaff 2014-05-23 10:14:57 CEST
That works. During the windows client join I sometimes get the message "Access denied". In the scenario the default should be the previous import of computers.
Comment 20 Sönke Schwardt-Krummrich univentionstaff 2014-06-12 09:19:30 CEST
UCS@school 3.2 R2 has been released:
http://docs.univention.de/release-notes-ucsschool-3.2R2-de.html

If this error occurs again, please use "Clone This Bug".