Univention Bugzilla – Bug 32893
Joining DC Backup into ucs-school-singlemaster fails: LDAP_UNWILLING_TO_PERFORM
Last modified: 2021-06-21 12:20:04 CEST
The Samba4 re-join of a UCS@school DC Backup failed with an LDB exception claiming that the account object of the DC already exists. Since this was not the first attempt to re-join (to fix a replication issue), the join was attempted manually by

1. moving the samba directory out of the way
2. removing the DC account from samba4 on the DC master. Note that the UDM object for the DC backup was still existing.
3. running the samba-tool domain join command as it was performed by the joinscript (without --keep-existing), with "Administrator" credentials

As explained above, the join fails with an exception, claiming that the object already exists.

To track this down, a small LDIF was crafted manually on the DC master, which contained the LDIF record as it was used by the samba join.py to create the DC backup account in the Samba4 LDB. Running ldbadd on this hand-crafted LDIF showed the following traceback:

==========================================================================
  ARGUMENTS: selectiveudm/create_windows_computer
  MIMETYPE : application/json
  STATUS   : 590
  MESSAGE  : Failed to create windows computer
  Traceback (most recent call last):
    File "/usr/lib/pymodules/python2.6/univention/management/console/modules/selective-udm/__init__.py", line 116, in create_windows_computer
      self._check_usersid_join_permissions(ldap_user_read, usersid)
    File "/usr/lib/pymodules/python2.6/univention/management/console/modules/selective-udm/__init__.py", line 88, in _check_usersid_join_permissions
      raise CreationDenied('SID %s was not found' % usersid)
  CreationDenied: SID S-1-5-18 was not found
==========================================================================

This traceback indicates that the ldbadd triggered the LDB module univention_samaccountname_ldap_check, which called the UMC module command selectiveudm/create_windows_computer, obviously passing the SID "S-1-5-18" as the authentication SID ("Local System"), which then is not found in OpenLDAP.
This might not be an artefact of the specific environment, but a problem in the SID-detection code in the LDB module.
In case this is indeed not reproducible, it would be good if the return code could be improved to something like "authentication failed" (i.e. the selectiveudm module should return a more specific return code and the LDB module should translate this into a useful error message).
Ticket#2014031921010642

Customer reported LDAP_ENTRY_ALREADY_EXISTS errors when rejoining a DC-Backup against a UCS@school DC-Master (single server environment).

repository/online/component/ucsschool/version: current
repository/online/component/ucsschool_20131007/version: current
version/erratalevel: 201
version/patchlevel: 1
version/version: 3.1

Means: UCS 3.1-1 errata201; UCS@school 3.1rev2-2

--- join.log:
ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ldb_request: Entry already exists (68)> <>
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 560, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1152, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1035, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 527, in join_add_objects
    ctx.samdb.add(rec)
Finding a writeable DC for domain 'x.local'
Found DC master.h17.local
NO DNS zone information found in source domain, not replicating DNS
workgroup is X
realm is x.local
checking sAMAccountName
Adding CN=DC-BACKUP1,OU=Domain Controllers,DC=x,DC=local
Join failed - cleaning up
---

--- log.samba (on DC-Master)
27.03.14 16:41:20.150 DEBUG_INIT [2014/03/27 16:41:20, 1] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: univention_samaccountname_ldap_check: LDB_ERR_ENTRY_ALREADY_EXISTS
---

Turns out that adding the DC-Backup to the LDB failed because of the univention_samaccountname_ldap_check (DC-Backup host object existed in OpenLDAP; removing all references on LDAP and S4 does not help).
I worked around this by unregistering the ldb module on the DC-Master for the time of the rejoin:

# /usr/share/univention-samba4/scripts/register_ldb_module.py -H /var/lib/samba/private/sam.ldb -v --remove univention_samaccountname_ldap_check
# univention-join   (on DC-Backup)
# /usr/share/univention-samba4/scripts/register_ldb_module.py -H /var/lib/samba/private/sam.ldb -v --prepend univention_samaccountname_ldap_check
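The workaround from the comment above as a reusable wrapper, added here as an example and not part of the bug report or of the Univention scripts: it unregisters the LDB module, runs the command that triggers the join, and re-registers the module even when the join fails, so the sAMAccountName check against OpenLDAP does not silently stay disabled on the DC Master. The REGISTER_SCRIPT/SAM_LDB environment overrides and the ssh invocation in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: run the Comment 2 workaround so that
# univention_samaccountname_ldap_check is always registered again on the
# DC Master, even if the re-join on the DC Backup fails part-way.
# Assumptions (not on the page): REGISTER_SCRIPT and SAM_LDB may be overridden
# via the environment, e.g. to exercise the wrapper without a Samba install.

: "${REGISTER_SCRIPT:=/usr/share/univention-samba4/scripts/register_ldb_module.py}"
: "${SAM_LDB:=/var/lib/samba/private/sam.ldb}"
LDB_MODULE=univention_samaccountname_ldap_check

# Usage: with_ldb_check_disabled <command that triggers the join on the DC Backup>
# Unregisters the module, runs the command, re-registers the module.
# Exit status is that of the command; a failed re-registration overrides it,
# because that would leave the consistency check disabled and must not go unnoticed.
with_ldb_check_disabled() {
    "$REGISTER_SCRIPT" -H "$SAM_LDB" -v --remove "$LDB_MODULE" || return $?
    "$@"
    _rc=$?
    "$REGISTER_SCRIPT" -H "$SAM_LDB" -v --prepend "$LDB_MODULE" || return $?
    return $_rc
}

# Example invocation on the DC Master (assumed: the join is triggered over ssh):
#   with_ldb_check_disabled ssh root@backup univention-join
```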
happened again: Ticket#2016042021000271
This issue has been filed against UCS@school 3. The maintenance with bug and security fixes for the last UCS@school version for UCS 3.x (→ UCS@school 3.2) has ended on Dec 31, 2016. Customers still on UCS 3.x are encouraged to update to UCS 4.3 (or later). Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Still a problem in 4.4 with a backup trying to join into a single school server environment. Note: My first join attempt failed due to bug 37828 and only join scripts before 85italc-windows were executed. On the second join I tried to join without italc-windows.

'''
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <00002035: ldb_request: Unwilling to perform (53)> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 184, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 641, in join_add_objects
    ctx.samdb.add(rec, controls=controls)
Adding CN=BACKUP,OU=Domain Controllers,DC=single44,DC=intranet
Join failed - cleaning up
Failed to join the domain single44.intranet. Make sure the server is online or if this server is no longer in use, please completely remove the server object from the domain.
'''
> backup trying to join into a single school server environment

That actually cannot have worked since we fixed Bug 31443. Maybe we can improve the selectiveudm/create_windows_computer command to do a modify instead of an add if the object already exists. Please note that the original bug description is about something else, but the bug has been hijacked starting with Comment 2 and turned into a bug about "cannot (re-)join a DC Backup into a ucs-school-singlemaster".
Happened today at a customer workshop:

root@master:~# univention-app info
UCS: 4.4-1 errata251
Installed: cups=2.2.1 samba4=4.10 squid=3.5 ucsschool=4.4 v3
Upgradable:

Workaround from Comment 2 worked.