Univention Bugzilla – Bug 32522
Endless sync of the new school DC password
Last modified: 2013-10-07 20:17:55 CEST
Seen in a customer environment with Samba 4 on the school DCs and the DC master. The password of the school DC was changed by the password change scripts. The password change script changed the password in S4 on the school DC and in OpenLDAP on the master. The OpenLDAP password was synced back to the school DC, and the password between OpenLDAP and S4 on the school DC was in sync. Currently we do not sync the password from UCS OpenLDAP into S4. From modules/univention/s4connector/s4/password.py in function password_sync_ucs_to_s4:

    services=res[0][1].get('univentionService', [])
    if 'Samba 4' in services:
        ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: %s is a S4 server, skip password sync" % ucs_object['dn'])
        return

Since the connector did not change the password from UCS to S4, S4 has the old password. Thus, when the connector changed other attributes of the school DC object, the old password was synced back from S4 to OpenLDAP.

Workaround is to ignore the S4 school DCs:

    ucr set connector/s4/mapping/dc/ignorelist="schooldc1,schooldc2,..."
The slave pdc package should add a server password change script which changes the password in the central S4 before the password is changed via UDM. The school slave can check for other S4 or S4 Connector systems in this way:

    univention-ldapsearch '(univentionService=S4 Connector)' dn -LLL

If the server finds more than just itself, the password should be changed, preferably on the S4 Connector host.
I've checked this issue a little bit more. The problem is the first join of the school DC, because at that point the slave is a standard S4 slave, not a school DC. So it is joined and the password of the slave is set. I changed the slavepdc join script so that it sets the password to the current password, but I don't have credentials to do that at a later point because S4 does not allow the password change as server. So, roll back. I'll add a univentionService for the slave PDCs and the connector will ignore these objects.
S4 Connector bug to ignore these objects: Bug #32690
Code UCS@school: r44470
Changelog UCS@school: r44471
Code UCS@school 3.2: r44472
Changelog UCS@school 3.2: I think it is not necessary.
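An added Python sketch (not the S4 Connector's or UCS@school's own code) of the decision logic this bug turns on: the "Samba 4" service check quoted in the description, the ignorelist workaround, and the "S4 SlavePDC" service introduced by the fix. The function names and the sample computer objects are constructed for illustration; the check for the inconsistent state that produced the endless sync is the part a practitioner can reuse against their own directory objects.

```python
# Added example (not the S4 Connector's or UCS@school's own code). It models the
# three decisions this bug discusses for one UCS computer object:
#   * password_sync_ucs_to_s4 skips objects whose univentionService lists
#     "Samba 4" (the code quoted in the description),
#   * the workaround ignores DCs named in connector/s4/mapping/dc/ignorelist,
#   * the fix ignores DCs that carry the new "S4 SlavePDC" service.
# Function names and the sample objects are constructed for illustration.

def parse_ignorelist(ucr_value):
    """Split a connector/s4/mapping/dc/ignorelist value ("schooldc1,schooldc2,...")."""
    return {name.strip() for name in (ucr_value or "").split(",") if name.strip()}

def is_ignored_dc(ucs_object, ignorelist):
    """True if the connector leaves the whole object alone (no sync in either direction)."""
    attrs = ucs_object["attributes"]
    cn = attrs.get("cn", [""])[0]
    return cn in ignorelist or "S4 SlavePDC" in attrs.get("univentionService", [])

def skips_password_sync(ucs_object, ignorelist):
    """True if the UCS -> S4 password sync does not run for this object."""
    services = ucs_object["attributes"].get("univentionService", [])
    return is_ignored_dc(ucs_object, ignorelist) or "Samba 4" in services

def has_backsync_risk(ucs_object, ignorelist):
    """The state behind this bug: the password is never pushed from UCS to S4,
    yet the object is still synced, so a later change of any other attribute
    pushes the old S4 password back into OpenLDAP. Hosts running the S4
    Connector themselves are excluded (assumption: their own Samba 4 is the
    directory the connector synchronises, not a separately joined DC)."""
    services = ucs_object["attributes"].get("univentionService", [])
    if "S4 Connector" in services:
        return False
    return (skips_password_sync(ucs_object, ignorelist)
            and not is_ignored_dc(ucs_object, ignorelist))

def dc_object(cn, services):
    """Build a constructed UCS computer object in the shape the connector reads."""
    return {"dn": "cn=%s,cn=dc,cn=computers,dc=example,dc=com" % cn,
            "attributes": {"cn": [cn], "univentionService": list(services)}}

if __name__ == "__main__":
    schooldc = dc_object("schooldc1", ["Samba 4"])
    print(has_backsync_risk(schooldc, set()))                          # True: the bug
    print(has_backsync_risk(schooldc, parse_ignorelist("schooldc1")))  # False: workaround
    print(has_backsync_risk(dc_object("schooldc1", ["Samba 4", "S4 SlavePDC"]), set()))  # False: fix
```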
OK - ucsschool-3.1-R2, 96univention-samba4slavepdc add service "S4 SlavePDC"
OK - Changelog
OK - ucs-school-3.2
UCS@school 3.1 R2-2 has been released: http://download.univention.de/doc/release-notes-ucsschool-3.1-rev2-2.pdf If this error occurs again, please use "Clone This Bug".