Bug 36805 – Shares on member server unreachable if master is shut down

Bug 36805 - Shares on member server unreachable if master is shut down


Summary:	Shares on member server unreachable if master is shut down

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	LDAP
Version:	UCS 4.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.0-1-errata
Assigned To:	Stefan Gohmann
QA Contact:	Felix Botner

URL:
Keywords:

Depends on:
Blocks:	38078
	Show dependency tree / graph

Reported:	2014-11-18 12:53 CET by Felix Botner
Modified:	2015-03-25 16:41 CET (History)
CC List:	2 users (show)

See Also:	13784
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2014-11-18 12:53:13 CET

UCS 4.0 master, backup, slave and member

on the member i set

 ucr set ldap/server/addition="slave.fb.test backup.fb.test"
 ucr set nameserver2='10.200.7.80' # master
 ucr set nameserver2='10.200.7.81' # slave

is i shut down the master, samba shares on the slave and backup are still accessible, but not on the member

@member

->  wbinfo -u
FB+join-slave
FB+join-backup
FB+administrator
FB+töst1
FB+töst2
FB+töst3
FB+töst4
FB+töst7


-> getent passwd
...
win7pro$:x:2014:1005:win7pro:/dev/null:/bin/false
töst1:x:2016:5001:test1:/home/töst1:/bin/bash
töst2:x:2017:5001:test1:/home/töst2:/bin/bash
töst3:x:2018:5001:test1:/home/töst3:/bin/bash
töst4:x:2019:5001:test1:/home/töst4:/bin/bash
töst7:x:2022:5001:test1:/home/töst7:/bin/bash


-> smbclient   //member/opt -U Administrator%univention
session setup failed: NT_STATUS_IO_TIMEOUT

-> smbstatus
Samba version 4.2.0rc2-Debian
PID     Username      Group         Machine            Protocol Version       
------------------------------------------------------------------------------
24590     -1            -1          10.200.7.83  (ipv4:10.200.7.83:46673) NT1
24593     -1            -1          10.200.7.83  (ipv4:10.200.7.83:46681) NT1

Comment 1 Stefan Gohmann

2015-01-30 08:59:57 CET

I was able to add multiple LDAP server. Unfortunately, winbind didn't switch automatically. 

root@member405:~# testparm -s 2>&1 | grep -i ldap_url
        idmap config * : ldap_url = ldap://slve403.deadlock40.intranet:7389 ldap://backup402.deadlock40.intranet:7389 ldap://master401.deadlock40.intranet:7389
root@member405:~#

Comment 2 Stefan Gohmann

2015-01-30 09:02:54 CET

Ticket #2015012921000958

Comment 3 Stefan Gohmann

2015-03-18 16:18:03 CET

At least with UCS 4.0 it is not a samba/winbind issue. The problem is the univention-home-mounter which creates a LDAP connection via getMachineConnection. By default getMachineConnection uses the reconnect option which results into a 10 seconds timeout.

Comment 4 Stefan Gohmann

2015-03-19 06:37:44 CET

(In reply to Stefan Gohmann from comment #3)
> At least with UCS 4.0 it is not a samba/winbind issue. The problem is the
> univention-home-mounter which creates a LDAP connection via
> getMachineConnection. By default getMachineConnection uses the reconnect
> option which results into a 10 seconds timeout.

To be exact not only a samba/winbind issue. I also need to add the multiple LDAP servers to the idmap backend otherwise winbindd will run into a timeout:

[2015/01/14 02:29:55.614817,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Failed to issue the StartTLS instruction: Can't contact LDAP server
[2015/01/14 02:29:55.615582,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 11 try!
[2015/01/14 02:29:56.617526,  0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
  Failed to issue the StartTLS instruction: Can't contact LDAP server
[2015/01/14 02:29:56.620058,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 12 try!

Comment 5 Stefan Gohmann

2015-03-19 07:01:27 CET

I've changed the following packages to solve this issue:


* univention-python

I've added an option to disable the reconnect to getAdminConnection and getMachineConnection.
YAML: 2015-03-18-univention-python.yaml
Fix: r59175


* univention-home-mounter

The home-mounter script now disables the LDAP reconnect.
YAML: 2015-03-18-univention-home-mounter.yaml
Fix: r59177


* univention-quota

The user-quota script now disables the LDAP reconnect.

YAML: 2015-03-18-univention-quota.yaml
Fix: r59192


* univention-samba

ldap/server/addtion LDAP servers are now automatically added to the ldap_url idmap configuration.
YAML: 2015-03-19-univention-samba.yaml
Fix: r59199

Comment 6 Felix Botner

2015-03-23 10:06:01 CET

still some long timeouts (master with s4 shut down, slave with s4 and member with univention-samba)

-> time smbclient   //member/opt -U Administrator%univention -c exit
session setup failed: NT_STATUS_IO_TIMEOUT

->time smbclient   //member/opt -U Administrator%univention -c exit
Domain=[FOUR] OS=[Windows 6.1] Server=[Samba 4.2.0rc2-Debian]
real    0m12.210s

-> time smbclient   //member/opt -U Administrator%univention -c exit
real    0m10.369s

-> time smbclient   //member/opt -U Administrator%univention -c exit
real    0m12.185s

-> time smbclient   //member/opt -U Administrator%univention -c exit
Domain=[FOUR] OS=[Windows 6.1] Server=[Samba 4.2.0rc2-Debian]

Problem seems to be /etc/pam.d/common-session. Without univention-mount-homedir and univention-user-quota in /etc/pam.d/common-session, i get 

-> time smbclient   //member/opt -U Administrator%univention -c exit
real    0m3.263s

-> time smbclient   //member/opt -U Administrator%univention -c exit
real    0m2.056s

Comment 7 Stefan Gohmann

2015-03-23 16:40:22 CET

That's right. As discussed, we will solve it with Bug #36989 / Bug #28729.

Comment 8 Felix Botner

2015-03-23 17:06:55 CET

OK - share access without running master server (univention-samba, s4)

OK - univention-home-mounter (reconnect option)
OK - univention-python (reconnect option)
OK - univention-quota (reconnect option)
OK - univention-samba (idmap config * : ldap_url)

OK - 2015-03-19-univention-samba.yaml
OK - 2015-03-18-univention-home-mounter.yaml
OK - 2015-03-18-univention-quota.yaml
OK - 2015-03-18-univention-python.yaml

Comment 9 Janek Walkenhorst

2015-03-25 16:39:15 CET

<http://errata.univention.de/ucs/4.0/134.html>

Comment 10 Janek Walkenhorst

2015-03-25 16:39:33 CET

<http://errata.univention.de/ucs/4.0/135.html>

Comment 11 Janek Walkenhorst

2015-03-25 16:40:40 CET

<http://errata.univention.de/ucs/4.0/140.html>

Comment 12 Janek Walkenhorst

2015-03-25 16:41:44 CET

<http://errata.univention.de/ucs/4.0/136.html>