Bug 35563 - s4 connector transforms dc slave into windows domaincontroller during 96univention-samba4.inst on slave after ad takeover from ad member mode
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 3.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-3-errata
Assigned To: Stefan Gohmann
QA Contact: Felix Botner
Duplicates: 35559
Depends on:
Blocks:
Reported: 2014-08-04 19:07 CEST by Felix Botner
Modified: 2017-07-11 22:17 CEST (History)


Attachments
connector-s4.log (165.98 KB, text/x-log)
2014-08-04 19:07 CEST, Felix Botner

Description Felix Botner univentionstaff 2014-08-04 19:07:16 CEST
UCS master and slave, w2k12

 * configured AD member mode on master - OK
 * rejoin slave - OK
 * adtakeover on master - OK
 * rejoin slave - OK
 * installation of univention-samba4 on slave - OK
 * univention-run-join-scripts on slave - FAIL/slave no longer usable 

@slave -> univention-ldapsearch 
ldap_bind: Invalid credentials (49)


during the 96univention-samba4.inst on the slave the s4 connector on the master deletes/creates the UDM slave objects 

sync to ucs:   [windowscomputer] [    modify] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync to ucs:   [windowscomputer] [    modify] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync to ucs:   [            dc] [    modify] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync to ucs:   [windowscomputer] [    delete] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync to ucs:   [            dc] [       add] cn=SLAVE,cn=dc,cn=computers,dc=w2k12,dc=test
sync from ucs: [            dc] [       add] cn=slave,ou=domain controllers,dc=w2k12,dc=test
sync from ucs: [            dc] [    modify] cn=slave,ou=domain controllers,dc=w2k12,dc=test
sync from ucs: [            dc] [    modify] cn=slave,ou=domain controllers,dc=w2k12,dc=test
sync to ucs:   [            dc] [    modify] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync to ucs:   [            dc] [    modify] cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test
sync from ucs: [            dc] [    modify] cn=slave,ou=domain controllers,dc=w2k12,dc=test

After this, the slave is no longer usable 

-> univention-ldapsearch 
ldap_bind: Invalid credentials (49)

and my slave is now a windows_domaincontroller??


-> univention-s4search cn=slave
# record 1
dn: CN=SLAVE,OU=Domain Controllers,DC=w2k12,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: SLAVE
instanceType: 4
whenCreated: 20140804173044.0Z
displayName: SLAVE$
uSNCreated: 3975
name: SLAVE
objectGUID: bd22f576-7abb-4dbe-a68c-2903e03f7a16
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 516
objectSid: S-1-5-21-4081652553-1298243908-2397940796-1610
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: SLAVE$
sAMAccountType: 805306369
dNSHostName: SLAVE.w2k12.test
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=w2k12,DC=test
isCriticalSystemObject: TRUE
msDS-SupportedEncryptionTypes: 31
serverReferenceBL: CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
 Configuration,DC=w2k12,DC=test
servicePrincipalName: HOST/SLAVE
servicePrincipalName: HOST/SLAVE.w2k12.test
servicePrincipalName: GC/SLAVE.w2k12.test/w2k12.test
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/0c2e25a6-80c9-4a74-
 a3d2-4f88b10b134d/w2k12.test
pwdLastSet: 130516470450000000
userAccountControl: 532480
rIDSetReferences: CN=RID Set,CN=SLAVE,OU=Domain Controllers,DC=w2k12,DC=test
userPrincipalName: host/SLAVE.w2k12.test@W2K12.TEST
whenChanged: 20140804174041.0Z
uSNChanged: 4038
distinguishedName: CN=SLAVE,OU=Domain Controllers,DC=w2k12,DC=test

-> univention-ldapsearch cn=slave
dn: cn=SLAVE,cn=dc,cn=computers,dc=w2k12,dc=test
univentionServerRole: windows_domaincontroller
displayName: SLAVE
cn: SLAVE
krb5PrincipalName: host/SLAVE.w2k12.test@W2K12.TEST
objectClass: top
objectClass: person
objectClass: univentionHost
objectClass: univentionWindows
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: univentionObject
loginShell: /bin/false
univentionObjectType: computers/windows_domaincontroller
uidNumber: 2013
krb5KDCFlags: 126
sambaAcctFlags: [S          ]
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
sn: SLAVE
homeDirectory: /dev/null
sambaSID: S-1-4-2013
krb5MaxLife: 86400
uid: SLAVE$
gidNumber: 5006
sambaPrimaryGroupSID: S-1-5-21-4081652553-1298243908-2397940796-1607
sambaNTPassword: D05B4EB5DAFBC710C8C9069FEF80FE1E
krb5Key:: MB2hGzAZoAMCARehEgQQ0FtOtdr7xxDIyQaf74D+Hg==
krb5Key:: MFihKzApoAMCARKhIgQgQ6gT1x6nd8D3RHWxzMEro01xp3MhJJOS7UmZ3JoKa4eiKTAn
 oAMCAQOhIAQeVzJLMTIuVEVTVGhvc3RzbGF2ZS53MmsxMi50ZXN0
krb5Key:: MEihGzAZoAMCARGhEgQQIWRPBOWhxqt/S2VKq8xh5qIpMCegAwIBA6EgBB5XMksxMi5U
 RVNUaG9zdHNsYXZlLncyazEyLnRlc3Q=
krb5Key:: MEChEzARoAMCAQOhCgQIinAsirr+XmeiKTAnoAMCAQOhIAQeVzJLMTIuVEVTVGhvc3Rz
 bGF2ZS53MmsxMi50ZXN0
krb5Key:: MEChEzARoAMCAQGhCgQIinAsirr+XmeiKTAnoAMCAQOhIAQeVzJLMTIuVEVTVGhvc3Rz
 bGF2ZS53MmsxMi50ZXN0
sambaPwdLastSet: 1407173445


Even a complete re-join does not work:

->  univention-join 
univention-join: joins a computer to an ucs domain
copyright (c) 2001-2014 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password: 

Search DC Master:                                          done
Check DC Master:                                           done
Stop LDAP Server:                                          done
Stop Samba 4 Server:                                       done
Search ldap/base                                           done
Start LDAP Server:                                         done
Search LDAP binddn                                         done
Sync time:                                                 done
Join Computer Account: 

**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message:  failed to create DC Slave (1) [E: Object exists: (uid) : slave$]
**************************************************************************

I have to delete the new "windows domaincontroller" UCS slave in order to successfully rejoin my slave.
Comment 1 Felix Botner univentionstaff 2014-08-04 19:07:51 CEST
Created attachment 6047 [details]
connector-s4.log
Comment 2 Arvid Requate univentionstaff 2014-08-04 19:51:52 CEST
See also Bug 35559
Comment 3 Felix Botner univentionstaff 2014-08-05 14:09:20 CEST
a "net ads leave -U Administrator%Univention.99" before the univention-join on the slave (after ad takeover) seems to help, but the object is deleted in samba4 and UCS.

univention-join
univention-install univention-samba4
univention-run-join-scripts

works now
Comment 4 Stefan Gohmann univentionstaff 2014-08-22 16:03:37 CEST
*** Bug 35559 has been marked as a duplicate of this bug. ***
Comment 5 Stefan Gohmann univentionstaff 2014-09-04 15:06:42 CEST
* delete_in_ucs: added a special handling for windows computer. If the
  computer is a normal member in AD and a DC in OpenLDAP, the computer
  will be removed and re-added if Samba 4 will be installed on the DC
  slave. Without this special check the object will be removed by the
  connector (Bug #35563)

UCS 3.2-3: r53367
UCS 4.0-0: r53368
YAML: r53369 + r53371
Comment 6 Felix Botner univentionstaff 2014-09-05 10:59:31 CEST
OK -  if a "windowscomputer" is a DC in UCS the s4-connector no longer deletes
      the object

sync to ucs:   [            dc] [    modify] cn=slave,cn=dc,cn=computers,dc=w2k8r2en,dc=test
sync to ucs:   [windowscomputer] [    delete] cn=slave,cn=dc,cn=computers,dc=w2k8r2en,dc=test
The windows computer cn=slave,cn=dc,cn=computers,dc=w2k8r2en,dc=test is a Domain Controller in OpenLDAP. The deletion will be skipped.
sync to ucs:   [            dc] [    modify] cn=slave,cn=dc,cn=computers,dc=w2k8r2en,dc=test

OK - other computer objects are still deleted

sync to ucs:   [windowscomputer] [    delete] cn=ubuntu,dc=w2k8r2en,dc=test
sync from ucs: [windowscomputer] [    delete] cn=ubuntu,dc=w2k8r2en,dc=test
sync to ucs:   [windowscomputer] [    delete] cn=windows,dc=w2k8r2en,dc=test
sync from ucs: [windowscomputer] [    delete] cn=windows,dc=w2k8r2en,dc=test
sync to ucs:   [windowscomputer] [    delete] cn=macos,dc=w2k8r2en,dc=test
sync from ucs: [windowscomputer] [    delete] cn=macos,dc=w2k8r2en,dc=test
sync to ucs:   [windowscomputer] [    delete] cn=member,dc=w2k8r2en,dc=test
sync from ucs: [windowscomputer] [    delete] cn=member,dc=w2k8r2en,dc=test

OK - YAML

OK - UCS 4.0
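The following is an added illustration of the delete_in_ucs special case described in Comment 5 and verified in Comment 6; it is not the S4 connector's own code. It models the OpenLDAP side as a plain dict and replays a constructed "sync to ucs" event sequence shaped like the lines in the report: a "windowscomputer" delete is skipped when the target object is a UCS domain controller in OpenLDAP, while ordinary Windows computer objects are still removed. The names (delete_in_ucs, is_ucs_domaincontroller, replay) and the sample entries are assumptions made for this example.

```python
"""Model of the S4 connector's delete_in_ucs special case (Comment 5).

Added, self-contained example, not Univention's connector code: the UCS
directory is a dict keyed by lower-cased DN, and sync events are reduced
to (mapping key, action, dn) tuples constructed after the bug report.
"""

# Constructed stand-in for the OpenLDAP side before the deletions arrive.
UCS_DIRECTORY = {
    "cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test": {
        "univentionServerRole": ["domaincontroller_slave"],
        "univentionObjectType": ["computers/domaincontroller_slave"],
    },
    "cn=windows,dc=w2k12,dc=test": {
        "univentionObjectType": ["computers/windows"],
    },
    "cn=macos,dc=w2k12,dc=test": {
        "univentionObjectType": ["computers/macos"],
    },
}

# UDM object types that mean "this host is a UCS domain controller".
UCS_DC_OBJECT_TYPES = {
    "computers/domaincontroller_master",
    "computers/domaincontroller_backup",
    "computers/domaincontroller_slave",
}


def is_ucs_domaincontroller(entry):
    """True if the OpenLDAP entry carries a UCS DC object type."""
    types = entry.get("univentionObjectType", [])
    return any(t in UCS_DC_OBJECT_TYPES for t in types)


def delete_in_ucs(directory, key, dn, log):
    """Apply a 'delete' coming from Samba 4 to the UCS directory.

    Returns 'deleted', 'skipped' or 'missing'. The special case: a
    'windowscomputer' delete must not remove an object that is a DC in
    OpenLDAP, because that is the UCS DC being re-joined with Samba 4,
    not a stale Windows member.
    """
    entry = directory.get(dn.lower())
    if entry is None:
        return "missing"
    if key == "windowscomputer" and is_ucs_domaincontroller(entry):
        log.append(
            "The windows computer %s is a Domain Controller in OpenLDAP. "
            "The deletion will be skipped." % dn
        )
        return "skipped"
    del directory[dn.lower()]
    return "deleted"


def replay(events, directory):
    """Replay (key, action, dn) events; return per-event results and log."""
    log = []
    results = []
    for key, action, dn in events:
        if action == "delete":
            results.append(delete_in_ucs(directory, key, dn, log))
        else:
            # add/modify handling is outside this model; record the action
            results.append(action)
    return results, log


# Constructed sequence modelled on the 'sync to ucs' lines of the report.
EVENTS = [
    ("windowscomputer", "modify", "cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test"),
    ("dc", "modify", "cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test"),
    ("windowscomputer", "delete", "cn=slave,cn=dc,cn=computers,dc=w2k12,dc=test"),
    ("windowscomputer", "delete", "cn=windows,dc=w2k12,dc=test"),
    ("windowscomputer", "delete", "cn=macos,dc=w2k12,dc=test"),
]


def run():
    """Replay EVENTS on a fresh copy of the directory; return results, log, remaining DNs."""
    directory = {dn: dict(attrs) for dn, attrs in UCS_DIRECTORY.items()}
    results, log = replay(EVENTS, directory)
    return results, log, sorted(directory)


if __name__ == "__main__":
    results, log, remaining = run()
    for line in log:
        print(line)
    print(results)
    print("remaining:", remaining)
```

Running the block prints the skip message for the slave only; the slave's DC object survives while the two Windows computer objects are removed, which is the behaviour Comment 6 confirms.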
Comment 7 Janek Walkenhorst univentionstaff 2014-09-10 17:41:07 CEST
http://errata.univention.de/ucs/3.2/199.html