Bug 36805 - Shares on member server unreachable if master is shut down
Shares on member server unreachable if master is shut down
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.0-1-errata
Assigned To: Stefan Gohmann
Felix Botner
:
Depends on:
Blocks: 38078
  Show dependency treegraph
 
Reported: 2014-11-18 12:53 CET by Felix Botner
Modified: 2015-03-25 16:41 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2014-11-18 12:53:13 CET
UCS 4.0 master, backup, slave and member

on the member i set

 ucr set ldap/server/addition="slave.fb.test backup.fb.test"
 ucr set nameserver2='10.200.7.80' # master
 ucr set nameserver2='10.200.7.81' # slave

is i shut down the master, samba shares on the slave and backup are still accessible, but not on the member

@member

->  wbinfo -u
FB+join-slave
FB+join-backup
FB+administrator
FB+töst1
FB+töst2
FB+töst3
FB+töst4
FB+töst7


-> getent passwd
...
win7pro$:x:2014:1005:win7pro:/dev/null:/bin/false
töst1:x:2016:5001:test1:/home/töst1:/bin/bash
töst2:x:2017:5001:test1:/home/töst2:/bin/bash
töst3:x:2018:5001:test1:/home/töst3:/bin/bash
töst4:x:2019:5001:test1:/home/töst4:/bin/bash
töst7:x:2022:5001:test1:/home/töst7:/bin/bash


-> smbclient   //member/opt -U Administrator%univention
session setup failed: NT_STATUS_IO_TIMEOUT

-> smbstatus
Samba version 4.2.0rc2-Debian
PID     Username      Group         Machine            Protocol Version       
------------------------------------------------------------------------------
24590     -1            -1          10.200.7.83  (ipv4:10.200.7.83:46673) NT1
24593     -1            -1          10.200.7.83  (ipv4:10.200.7.83:46681) NT1
Comment 1 Stefan Gohmann univentionstaff 2015-01-30 08:59:57 CET
I was able to add multiple LDAP server. Unfortunately, winbind didn't switch automatically. 

root@member405:~# testparm -s 2>&1 | grep -i ldap_url
        idmap config * : ldap_url = ldap://slve403.deadlock40.intranet:7389 ldap://backup402.deadlock40.intranet:7389 ldap://master401.deadlock40.intranet:7389
root@member405:~#
Comment 2 Stefan Gohmann univentionstaff 2015-01-30 09:02:54 CET
Ticket #2015012921000958
Comment 3 Stefan Gohmann univentionstaff 2015-03-18 16:18:03 CET
At least with UCS 4.0 it is not a samba/winbind issue. The problem is the univention-home-mounter which creates a LDAP connection via getMachineConnection. By default getMachineConnection uses the reconnect option which results into a 10 seconds timeout.
Comment 4 Stefan Gohmann univentionstaff 2015-03-19 06:37:44 CET
(In reply to Stefan Gohmann from comment #3)
> At least with UCS 4.0 it is not a samba/winbind issue. The problem is the
> univention-home-mounter which creates a LDAP connection via
> getMachineConnection. By default getMachineConnection uses the reconnect
> option which results into a 10 seconds timeout.

To be exact not only a samba/winbind issue. I also need to add the multiple LDAP servers to the idmap backend otherwise winbindd will run into a timeout:

[2015/01/14 02:29:55.614817,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Failed to issue the StartTLS instruction: Can't contact LDAP server
[2015/01/14 02:29:55.615582,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 11 try!
[2015/01/14 02:29:56.617526,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Failed to issue the StartTLS instruction: Can't contact LDAP server
[2015/01/14 02:29:56.620058,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 12 try!
Comment 5 Stefan Gohmann univentionstaff 2015-03-19 07:01:27 CET
I've changed the following packages to solve this issue:


* univention-python

I've added an option to disable the reconnect to getAdminConnection and getMachineConnection.
YAML: 2015-03-18-univention-python.yaml
Fix: r59175


* univention-home-mounter

The home-mounter script now disables the LDAP reconnect.
YAML: 2015-03-18-univention-home-mounter.yaml
Fix: r59177


* univention-quota

The user-quota script now disables the LDAP reconnect.

YAML: 2015-03-18-univention-quota.yaml
Fix: r59192


* univention-samba

ldap/server/addtion LDAP servers are now automatically added to the ldap_url idmap configuration.
YAML: 2015-03-19-univention-samba.yaml
Fix: r59199
Comment 6 Felix Botner univentionstaff 2015-03-23 10:06:01 CET
still some long timeouts (master with s4 shut down, slave with s4 and member with univention-samba)

-> time smbclient   //member/opt -U Administrator%univention -c exit
session setup failed: NT_STATUS_IO_TIMEOUT

->time smbclient   //member/opt -U Administrator%univention -c exit
Domain=[FOUR] OS=[Windows 6.1] Server=[Samba 4.2.0rc2-Debian]
real    0m12.210s

-> time smbclient   //member/opt -U Administrator%univention -c exit
real    0m10.369s

-> time smbclient   //member/opt -U Administrator%univention -c exit
real    0m12.185s

-> time smbclient   //member/opt -U Administrator%univention -c exit
Domain=[FOUR] OS=[Windows 6.1] Server=[Samba 4.2.0rc2-Debian]

Problem seems to be /etc/pam.d/common-session. Without univention-mount-homedir and univention-user-quota in /etc/pam.d/common-session, i get 

-> time smbclient   //member/opt -U Administrator%univention -c exit
real    0m3.263s

-> time smbclient   //member/opt -U Administrator%univention -c exit
real    0m2.056s
Comment 7 Stefan Gohmann univentionstaff 2015-03-23 16:40:22 CET
That's right. As discussed, we will solve it with Bug #36989 / Bug #28729.
Comment 8 Felix Botner univentionstaff 2015-03-23 17:06:55 CET
OK - share access without running master server (univention-samba, s4)

OK - univention-home-mounter (reconnect option)
OK - univention-python (reconnect option)
OK - univention-quota (reconnect option)
OK - univention-samba (idmap config * : ldap_url)

OK - 2015-03-19-univention-samba.yaml
OK - 2015-03-18-univention-home-mounter.yaml
OK - 2015-03-18-univention-quota.yaml
OK - 2015-03-18-univention-python.yaml
Comment 9 Janek Walkenhorst univentionstaff 2015-03-25 16:39:15 CET
<http://errata.univention.de/ucs/4.0/134.html>
Comment 10 Janek Walkenhorst univentionstaff 2015-03-25 16:39:33 CET
<http://errata.univention.de/ucs/4.0/135.html>
Comment 11 Janek Walkenhorst univentionstaff 2015-03-25 16:40:40 CET
<http://errata.univention.de/ucs/4.0/140.html>
Comment 12 Janek Walkenhorst univentionstaff 2015-03-25 16:41:44 CET
<http://errata.univention.de/ucs/4.0/136.html>