Univention Bugzilla – Bug 32187
support for second school-DC
Last modified: 2017-04-05 16:55:48 CEST
UCS@school setups officially support only one DC per school, both in single- and multi-school setups. In larger schools a second DC is needed to handle authentication requests, in particular because of the small time slot for client authentications at the beginning of a lesson. In practice, a second DC in a single-school setup already works (because Samba4 in single-school setups is nearly identical to default UCS domains). It should in principle also work in multi-school setups, but this isn't tested and documented yet.

requested by 2013080221003399 and 2013053021002128
The ucs-school-slave package in its current state might not be suitable for this yet, as it activates another S4-Connector locally. So either an extension of the existing package or yet another meta package would be required to set a small subset of UCR variables, e.g. the variables

* dns/register/srv_records/ldap
* dns/register/srv_records/kerberos
* connector/s4/mapping/dns/srv_record/_kerberos._tcp.$domainname/location (for Bug #31651)
This blocks the ucs-school-slave installation with samba 3, because ucs-school-slave depends on ucs-school-s4-branch-site and ucs-school-s4-branch-site depends on univention-s4-connector:

root@master181:~# apt-get install -s ucs-school-slave
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 ucs-school-slave : Depends: univention-s4-connector (>= 6.0.128-24) but it is not going to be installed or
                             univention-samba-slave-pdc but it is not going to be installed
                    Depends: ucs-school-s4-branch-site but it is not going to be installed
E: Broken packages
root@master181:~#
* The new package ucs-school-s4-branch-site installs a listener which filters for services ("S4 Slave PDC") and (one of the services defined via Bug 34172).
* On start of the listener it reads the UCS@school service type (Education or Management) from the machine account of the local system. This way, it will adjust the filter to match "S4 Slave PDC" systems specifically of the same UCS@school service type.
* When the listener is triggered (for cn, associatedDomain and description), it checks if the filter has been specified already, otherwise it will ignore the change.
* For add or modify operations the module checks if the handled DN is below a school OU, otherwise it will ignore it. For delete/modrdn it processes the change anyway.
* For each relevant change it does not only differentially look at the current DN but it actually takes the opportunity to look into the LDAP (as visible from the slave perspective) and extract all relevant DCs (matching that same filter).
* It iterates through a static table of SRV relativeDomainNames and reads from UCR the corresponding connector/s4/mapping/dns/srv_record/.*/location variable.
* For each variable it checks each FQDN listed in it. Only FQDNs still relevant (= on the list gathered from LDAP) are maintained in the variable with their current priority/weight/port as found in the UCR variable. Relevant FQDNs not yet found in the UCR variable are appended to it with the default priority/weight/port, corresponding to the service type (_kerberos/_ldap/_gc).
* If one of the UCR variables was set to "ignore" or not set at all, the listener will not touch it.
* After making the necessary UCR changes, the listener passes a list to its postrun, holding all relevant SRV record names which didn't get "ignored".
* In the postrun, the listener module processes this list and writes an s4-connector pickle file for each of them, re-triggering sync to S4.
* This retriggering is also done if all UCR variables were already up to date.
This way, the sync to S4 can be retriggered at any time simply by changing a description on one of the relevant DCs.
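The SRV-record "location" merge described in the comment above, as an added stand-alone example; this is not the listener module from ucs-school-s4-branch-site. It assumes the UCR value format "<fqdn>. <priority> <weight> <port>" repeated per host (as such variables are set on UCS systems), uses a plain dict in place of the UCR registry, and the SRV_TABLE with its default ports is a constructed stand-in for the module's static table, which the page does not show. Instead of writing S4-Connector pickle files, update_all() returns the record names the postrun would retrigger.

```python
"""Added example: merge the list of relevant DCs into the per-SRV-record
connector/s4/mapping/dns/srv_record/<name>/location UCR variables.

Assumption: a location value is whitespace-separated groups of
    "<fqdn>. <priority> <weight> <port>"
e.g. "dc1.school.local. 0 100 389 dc2.school.local. 0 100 389"
"""

# Hypothetical static table: SRV relativeDomainName -> (service type, default port).
SRV_TABLE = {
    "_kerberos._tcp": ("kerberos", 88),
    "_kerberos._udp": ("kerberos", 88),
    "_ldap._tcp": ("ldap", 389),
    "_gc._tcp": ("gc", 3268),
}
DEFAULT_PRIORITY = 0
DEFAULT_WEIGHT = 100


def parse_location(value):
    """Split a location string into a list of (fqdn, priority, weight, port)."""
    tokens = value.split()
    if len(tokens) % 4:
        raise ValueError("not fqdn/prio/weight/port groups: %r" % value)
    records = []
    for i in range(0, len(tokens), 4):
        fqdn, prio, weight, port = tokens[i:i + 4]
        records.append((fqdn.rstrip(".").lower(), int(prio), int(weight), int(port)))
    return records


def format_location(records):
    """Inverse of parse_location; FQDNs are written with the trailing dot."""
    return " ".join("%s. %d %d %d" % rec for rec in records)


def merge_location(current, relevant_fqdns, default_port):
    """Return the new value, or None if the variable must be left alone.

    - unset (None) or the literal "ignore"      -> untouched
    - FQDNs still relevant keep their prio/weight/port as found in UCR
    - FQDNs no longer in relevant_fqdns are dropped
    - relevant FQDNs not yet present are appended with the defaults
    """
    if current is None or current.strip() == "ignore":
        return None
    wanted = [f.rstrip(".").lower() for f in relevant_fqdns]
    kept = [rec for rec in parse_location(current) if rec[0] in wanted]
    present = {rec[0] for rec in kept}
    for fqdn in wanted:
        if fqdn not in present:
            kept.append((fqdn, DEFAULT_PRIORITY, DEFAULT_WEIGHT, default_port))
            present.add(fqdn)
    return format_location(kept)


def update_all(ucr, domainname, relevant_fqdns):
    """Walk SRV_TABLE, update each location variable in `ucr` (a dict standing
    in for the registry) and return the SRV names to retrigger in the postrun.
    Variables that are unset or "ignore" are skipped; a variable that was
    already up to date is still listed, matching the behaviour above."""
    retrigger = []
    for rel_name, (_service, port) in SRV_TABLE.items():
        key = "connector/s4/mapping/dns/srv_record/%s.%s/location" % (rel_name, domainname)
        new = merge_location(ucr.get(key), relevant_fqdns, port)
        if new is None:
            continue
        ucr[key] = new
        retrigger.append("%s.%s" % (rel_name, domainname))
    return sorted(retrigger)


# Constructed sample registry: olddc is no longer a school DC, dc2 is new.
SAMPLE_UCR = {
    "connector/s4/mapping/dns/srv_record/_ldap._tcp.school.local/location":
        "dc1.school.local. 0 100 389 olddc.school.local. 0 100 389",
    "connector/s4/mapping/dns/srv_record/_kerberos._tcp.school.local/location":
        "dc1.school.local. 10 50 88",
    "connector/s4/mapping/dns/srv_record/_gc._tcp.school.local/location": "ignore",
}

if __name__ == "__main__":
    ucr = dict(SAMPLE_UCR)
    print(update_all(ucr, "school.local", ["dc1.school.local", "dc2.school.local"]))
    for key in sorted(ucr):
        print(key, "=", ucr[key])
```

Running it on the sample shows the three behaviours side by side: the _ldap record loses olddc and gains dc2 with the defaults, the _kerberos record keeps dc1's non-default 10/50 values while appending dc2, and the _gc record set to "ignore" is neither rewritten nor retriggered.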
Until now, these dry-runs have been done to test this:

* ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record.py
* Manual installation/preparation of a second Educational DC at the same school.
* Join of a pre-created Management DC at the same school.

The SRV record filtering seemed to work fine. We still need to check if all Samba4 related operations work as desired after setting additional School DCs up with the UCS@school wizard.

Changelog has been adjusted. Setting to fixed for now.
As discussed, there are a couple of additional aspects left to address here to really add value in UCS@school. I removed the dependency on ucs-school-s4-branch-site from the ucs-school-*slave packages. Changelog and Target milestone adjusted.
Plan B): Add a standard UCS Slave and let it join via DRS. This currently avoids potential issues with Bug 34226 and the Samba4 cousin of Bug 32082.

ucs-school-import now ships a script, which can be used to install and join Samba4 on a non-UCS@school DC. The script takes the IP of a regular UCS@school PDC (with univentionService=S4 Connector) and is implemented as a frontend to univention-join and additionally asks for the root password of the regular UCS@school PDC.

In its current version the steps for the Administrator would be:

1. Install and join a standard UCS DC Slave without Samba4.
2. On the UCS@school DC Master manually add the new Slave to the groups DC-Edukativnetz and "OU${school}-DC-Edukativnetz".
3. On the UCS@school DC Master run /usr/share/ucs-school-import/scripts/move_domaincontroller_to_ou
4. scp /usr/share/ucs-school-import/scripts/ucs-school-join-secondary-samba4 from the UCS@school DC Master to the standard UCS DC Slave.
5. Run ucs-school-join-secondary-samba4 on the standard UCS DC Slave.

Unfortunately move_domaincontroller_to_ou only works on the UCS@school Master, otherwise steps 2 and 3 could easily be automated by the script.
* The script performs a number of sanity checks first:
  ** verify that the local system is already joined (LDAP access via hostdn)
  ** verify that the local system doesn't offer univentionService=UCS@school
  ** check root access to the regular UCS@school PDC
  ** univention-install univention-samba4 libunivention-ldb-modules
* If all of this worked, the script
  ** Sets nameserver1 and samba4/dc to the IP of the UCS@school PDC
  ** Unsets nameserver2 nameserver3
  ** Sets samba4/join/site to the site of the UCS@school PDC
  ** Sets samba4/ldb/sam/module/prepend="univention_samaccountname_ldap_check"
  ** Sets dns/register/srv_records/kerberos?false
  ** Sets dns/register/srv_records/ldap?false
  ** Sets samba4/dns/domain/register?false
  ** Sets samba4/join/dnsupdate?true
  ** Removes the new DC from the Kerberos and LDAP SRV records in UDM
  ** remotely deactivates the univention_samaccountname_ldap_check LDB module on the UCS@school PDC and restarts samba4 there
  ** runs univention-join with the given credentials
  ** remotely re-activates the univention_samaccountname_ldap_check LDB module on the UCS@school PDC and restarts samba4 there
Maybe this needs some adjustment, as libunivention-ldb-modules probably only exists in the UCS@school component repository? Changelog adjusted.
Ok, after consulting more appcenter savvy developers I now install libunivention-ldb-modules via univention-add-app. I also needed to re-enable the ucs-school-s4-branch-site package/listener module again to:

1. Support separate DC-Verwaltungsnetz DCs in the same school (Bug 34097)
2. Avoid removing secondary S4-DCs from the Samba4 SRV records in Samba4 DNS

Setting to fixed for now but this will probably need a bunch of testing and readjustment.
The join after the installation of UCS@school on a slave failed in 96univention-samba4.inst. Within join.log there is also this traceback:

Configure 00ucs-school-slave-check-ou.inst Thu May 15 12:11:30 CEST 2014
Configure 01univention-ldap-server-init.inst Thu May 15 12:11:30 CEST 2014
Configure 03univention-directory-listener.inst Thu May 15 12:11:31 CEST 2014
Setting ldap/database/ldbm/dbsync
Multifile: /etc/ldap/slapd.conf
15.05.14 12:11:31.990  DEBUG_INIT  UNIVENTION_DEBUG_BEGIN  : uldap.__open host=slave71.nstx.local port=7389 base=dc=nstx,dc=local
15.05.14 12:11:33.078  LISTENER    ( ERROR   ) : import of filename=/usr/lib/univention-directory-listener/system/ucsschool-s4-branch-site.py failed
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/ucsschool-s4-branch-site.py", line 131, in <module>
    on_load()
  File "/usr/lib/pymodules/python2.6/ucsschool/lib/schoolldap.py", line 185, in wrapper_func
    connections = get_ldap_connections( _connection_types )
  File "/usr/lib/pymodules/python2.6/ucsschool/lib/schoolldap.py", line 134, in get_ldap_connections
    lo, pos = udm_uldap.getMachineConnection( ldap_master = False )
  File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 75, in getMachineConnection
    lo=univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 109, in getMachineConnection
    lo=access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 182, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 227, in __open
    self.lo.simple_bind_s(self.binddn, self.__encode_pwd(self.bindpw))
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 781, in simple_bind_s
    return SimpleLDAPObject.simple_bind_s(self,*args,**kwargs)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
15.05.14 12:11:33.088  LISTENER    ( ERROR   ) : import of filename=/usr/lib/univention-directory-listener/system/ucsschool-s4-branch-site.py failed in module_import()
15.05.14 12:11:33.143  LISTENER    ( WARN    ) : replication: ldap server changed to master70.nstx.local
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=master70.nstx.local port=7389 base=dc=nstx,dc=local
UNIVENTION_DEBUG_END    : uldap.__open host=master70.nstx.local port=7389 base=dc=nstx,dc=local
15.05.14 12:11:33.178  LISTENER    ( WARN    ) : handler: replication (not ready) (ignore)
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
Created attachment 5913: join.log from slave

join.log of the slave
(In reply to Arvid Requate from comment #4)
> Until now, these dry-runs have been done to test this:
>
> * ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record.py

Currently, the test case fails in Jenkins. For example:
http://jenkins.knut.univention.de:8080/view/UCSschool/job/UCSschool%203.2%20Multiserver/SambaVersion=s4-all-components/51/testReport/junit/90_ucsschool.16_s4_slave_automatic_srv_record/py/test/
I now added a dynamic delay mechanism to wait for the S4 Connector sync.
Ok, the script move_domaincontroller_to_ou has been improved a lot, handing over for QA verification.
The installation was successful but the sysvol sync does not work:

slave1 (10.210.48.2)

root@slave2042:~# ucr search --brief sysvol
samba/share/sysvol/readonly: no
samba/share/sysvol/update_mtime: <empty>
samba/share/sysvol: <empty>
samba4/sysvol/cleanup/cron: 4 4 * * *
samba4/sysvol/cleanup/parameters: <empty>
samba4/sysvol/sync/cron: */5 * * * *
samba4/sysvol/sync/host: master204
samba4/sysvol/sync/jitter: 60
samba4/sysvol/sync/setfacl/AU: false
root@slave2042:~# ls -la /var/lib/samba/sysvol/autotest204.local/
insgesamt 28
drwxrwx---+ 4 Administrator Administrators 4096 21. Mai 02:21 .
drwxr-xr-x  3 root          adm            4096 21. Mai 01:39 ..
drwxrwx---+ 4 Administrator Administrators 4096 21. Mai 02:21 Policies
drwxrwx---+ 3 Administrator Administrators 4096 21. Mai 02:24 scripts
root@slave2042:~#

slave2 (10.210.169.53)

root@slave2043:~# ucr search --brief sysvol
samba/share/sysvol/readonly: no
samba/share/sysvol/update_mtime: <empty>
samba/share/sysvol: <empty>
samba4/sysvol/cleanup/cron: 4 4 * * *
samba4/sysvol/cleanup/parameters: <empty>
samba4/sysvol/sync/cron: */5 * * * *
samba4/sysvol/sync/host: master204
samba4/sysvol/sync/jitter: 60
samba4/sysvol/sync/setfacl/AU: false
root@slave2043:~# ls -la /var/lib/samba/sysvol/autotest204.local/
insgesamt 20
drwxrwx---+ 3 Administrator Administrators 4096 21. Mai 02:31 .
drwxr-xr-x  3 root          adm            4096 21. Mai 01:39 ..
drwxrwx---+ 2 Administrator Administrators 4096 21. Mai 02:31 scripts
root@slave2043:~#

The join.log contains some errors:

96univention-samba4.inst
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/ntacl.py", line 218, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 1581, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 1499, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.6/dist-packages/samba/ntacls.py", line 154, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
open: error=2 (No such file or directory)
subnet 10.210.0.0/16 already exists
Traceback (most recent call last):
  File "/usr/share/univention-samba4/scripts/univention-samba4-site-tool.py", line 218, in <module>
    samdb.add_ldif(subnet_add_ldif)
  File "/usr/lib/python2.6/dist-packages/samba/__init__.py", line 224, in add_ldif
    self.add(msg, controls)
_ldb.LdbError: (68, 'Entry CN=10.210.0.0/16,CN=Subnets,CN=Sites,CN=Configuration,DC=autotest204,DC=local already exists')

98univention-samba4-dns.inst
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/ntacl.py", line 218, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 1581, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.6/dist-packages/samba/provision/__init__.py", line 1499, in set_gpos_acl
    use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.6/dist-packages/samba/ntacls.py", line 154, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
open: error=2 (No such file or directory)
update failed: REFUSED
update failed: REFUSED
Another bunch of fixes. I now tested running the script

1. on an unjoined slave
2. a second time

> The installation was successful but the sysvol sync does not work:

The origin of this is Bug #34905. I now set samba4/sysvol/sync/host to point to the UCS@school Slave PDC; I guess that's not too bad in the long run.

I now log everything to /var/log/univention/join-secondary-samba4.log to work around Bug #34909. Also, I now avoid the interactive mode of univention-install. The fix for Bug #34880 is also in and seems to be necessary for the initial run of the script.
Just for the eternal bugzilla logs: The fix from Bug 34908 Comment 1 is included as well.
Changelog: OK

Singleserver tests:
- Windows join: Failed
- Rejects: OK
- sysvol replication: OK
- rejoin: OK
- dns settings: OK
- replication: OK

Multiserver tests: OK
- Windows join: OK
- Rejects: OK
- sysvol replication: OK
- rejoin: OK
- dns settings: OK
- replication: OK

I've added jenkins jobs for this issue:

The windows client was added twice in the S4 while joining a windows client:

root@master201:~# univention-s4search cn=win7* dn objectSid samAccountName
# record 1
dn: CN=WIN7PRO3,CN=computers,OU=School1,DC=autotest201,DC=local
objectSid: S-1-5-21-984479620-387015285-3486037011-5030
sAMAccountName: WIN7PRO3$

# record 2
dn: CN=WIN7PRO3,CN=Computers,DC=autotest201,DC=local
objectSid: S-1-5-21-984479620-387015285-3486037011-1602
sAMAccountName: WIN7PRO3$
As discussed: The ucs-school-join-secondary-samba4 was adjusted to set a new UCR variable "samba4/addmachine"?"deny". The ldb module univention_samaccountname_ldap_check was adjusted to

* call a wrapper script /usr/sbin/ucs-school-create_windows_computer
* The wrapper script evaluates the UCR variable samba4/addmachine
* If the UCR variable is set to "deny" the script exits 2 and the ldb module aborts the operation with LDB_ERROR_UNWILLING_TO_PERFORM
* Otherwise the wrapper script calls the original umc-command to create the Machine account in UMC.
* If the umc-command returns != 0, the wrapper script exits 1 and the ldb module aborts the operation with LDB_ERR_ENTRY_ALREADY_EXISTS (as before this change).
* If the umc-command succeeded, the wrapper script checks if the UCR variable is set to "dummy". If this is the case it exits 3 and the ldb module immediately returns with LDB_SUCCESS from the ldb_add operation without calling any other ldb modules.
* Otherwise the wrapper script exits 0 and the ldb module continues to create the machine account by calling the next ldb module in the stack (as before this change).
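The exit-code contract between the wrapper script and the LDB module, as described in the comment above, modelled as an added Python example; this is not the ucs-school-s4-branch-site code nor the real LDB module, which is C. The `run_umc` callable stands in for the original umc-command (assumption: it returns the command's exit status), `fake_umc` is a constructed stand-in that fails once an account already exists, and the LDB result names are symbolic strings. The point the model makes visible is the ordering: "deny" is decided before UMC is ever contacted, while "dummy" is only consulted after the UMC call succeeded.

```python
"""Added example: the exit status of /usr/sbin/ucs-school-create_windows_computer
and how univention_samaccountname_ldap_check is described to react to it."""

EXIT_CONTINUE = 0    # account created in UMC, continue with next ldb module
EXIT_UMC_FAILED = 1  # umc-command returned != 0
EXIT_DENIED = 2      # samba4/addmachine=deny, UMC never called
EXIT_DUMMY = 3       # account created in UMC, ldb_add returns at once

# Symbolic stand-ins for the LDB result codes named above.
LDB_SUCCESS = "LDB_SUCCESS"
LDB_ERR_UNWILLING_TO_PERFORM = "LDB_ERR_UNWILLING_TO_PERFORM"
LDB_ERR_ENTRY_ALREADY_EXISTS = "LDB_ERR_ENTRY_ALREADY_EXISTS"


def wrapper_script(ucr, run_umc, samaccountname):
    """Model of the wrapper script; `ucr` is a dict standing in for the
    registry (assumption). Returns the script's exit status."""
    mode = ucr.get("samba4/addmachine", "")
    if mode == "deny":
        return EXIT_DENIED            # checked first: no UMC call at all
    if run_umc(samaccountname) != 0:
        return EXIT_UMC_FAILED
    if mode == "dummy":
        return EXIT_DUMMY             # only reached after a successful UMC call
    return EXIT_CONTINUE


def ldb_add(exit_status):
    """Model of the ldb module's reaction: (result, call_next_module)."""
    if exit_status == EXIT_DENIED:
        return LDB_ERR_UNWILLING_TO_PERFORM, False
    if exit_status == EXIT_UMC_FAILED:
        return LDB_ERR_ENTRY_ALREADY_EXISTS, False
    if exit_status == EXIT_DUMMY:
        return LDB_SUCCESS, False     # success without touching the other modules
    return LDB_SUCCESS, True          # next module in the stack creates the object


def handle_machine_add(ucr, run_umc, samaccountname):
    """One ldb_add of a machine account as seen through the wrapper."""
    return ldb_add(wrapper_script(ucr, run_umc, samaccountname))


def fake_umc(existing):
    """Constructed stand-in for the umc-command: exit 1 if the account
    already exists, otherwise record it and exit 0."""
    def run(name):
        if name in existing:
            return 1
        existing.add(name)
        return 0
    return run


if __name__ == "__main__":
    umc = fake_umc(set())
    for mode in ("deny", "", "", "dummy"):
        ucr = {"samba4/addmachine": mode} if mode else {}
        print(mode or "<unset>", handle_machine_add(ucr, umc, "WIN7PRO3$"))
```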
That works. During the windows client join I sometimes get the message "Access denied". In the scenario the default should be the previous import of computers.
UCS@school 3.2 R2 has been released: http://docs.univention.de/release-notes-ucsschool-3.2R2-de.html If this error occurs again, please use "Clone This Bug".