Univention Bugzilla – Bug 36831
Rejects on school slave after installing distributed UCS@school env
Last modified: 2016-09-14 15:38:55 CEST
I've several rejects after the update to UCS@school 4.0 on a school slave if Samba 4 is not installed on the master:
1: S4 DN: CN=Domain Users,CN=Groups,DC=deadlock43,DC=intranet
UCS DN: cn=domain users,cn=groups,dc=deadlock43,dc=intranet
2: S4 DN: CN=Domain Admins,CN=Groups,DC=deadlock43,DC=intranet
UCS DN: cn=domain admins,cn=groups,dc=deadlock43,dc=intranet
3: S4 DN: CN=System,DC=deadlock43,DC=intranet
UCS DN: cn=system,dc=deadlock43,dc=intranet
4: S4 DN: DC=deadlock43,DC=intranet
UCS DN: dc=deadlock43,dc=intranet
5: S4 DN: OU=Domain Controllers,DC=deadlock43,DC=intranet
UCS DN: ou=domain controllers,dc=deadlock43,dc=intranet
6: S4 DN: CN=Group Policy Creator Owners,CN=Groups,DC=deadlock43,DC=intranet
UCS DN: cn=group policy creator owners,cn=groups,dc=deadlock43,dc=intranet
7: S4 DN: CN=Administrator,CN=Users,DC=deadlock43,DC=intranet
UCS DN: uid=administrator,cn=users,dc=deadlock43,dc=intranet
8: S4 DN: CN=Domain Guests,CN=Groups,DC=deadlock43,DC=intranet
UCS DN: cn=domain guests,cn=groups,dc=deadlock43,dc=intranet
root@slave432:~# univention-ldapsearch 'cn=domain guests' -LLL description ; univention-s4search 'cn=domain guests' description
dn: cn=Domain Guests,cn=groups,dc=deadlock43,dc=intranet
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
# record 1
dn: CN=Domain Guests,CN=Groups,DC=deadlock43,DC=intranet
description: All domain guests
This was already the case before updating to UCS 4.
*** Bug 37834 has been marked as a duplicate of this bug. ***
Created attachment 6704
connector-s4.log with debug level set to 4, same system as Bug 37834
I reverted my system of Bug 37834 to an older snapshot and set connector/debug/level=4 before installing UCS@school. I was then able to reproduce the rejects by just installing UCS@school with Samba 4. I attached the connector-s4.log.
Ok, thanks, that should give a pretty clear idea what things need to be written with Admin credentials during join.
To avoid pre-seeding all this nitty gritty detail, we could "simply" initialize the S4-Connector during join with Admin credentials. But that would require implementing a mechanism in the S4-Connector to drop the initialization credentials after it has initialized, to continue normal operations with host credentials. For this we would in turn need to find a way to recognize at which point the initial sync is done (not too easy, USN tracking..). Just brainstorming..
again with 4.1-2 and school 4.1R2
UCS Master + school (no univention-samba4!)
UCS Slave + school with univention-samba4/connector
After installing school on the slave the connector complains about the following rejects:
1: S4 DN: OU=Domain Controllers,DC=w2k12,DC=test
UCS DN: ou=domain controllers,dc=w2k12,dc=test
2: S4 DN: CN=System,DC=w2k12,DC=test
UCS DN: cn=system,dc=w2k12,dc=test
3: S4 DN: CN=Administrator,CN=Users,DC=w2k12,DC=test
UCS DN: uid=administrator,cn=users,dc=w2k12,dc=test
4: S4 DN: DC=w2k12,DC=test
UCS DN: dc=w2k12,dc=test
All rejects are caused by a permission problem:
09.06.2016 10:54:04,126 LDAP (PROCESS): sync to ucs: [ container_dc] [ modify] dc=w2k12,dc=test
09.06.2016 10:54:04,151 LDAP (ERROR ): Unknown Exception during sync_to_ucs
09.06.2016 10:54:04,151 LDAP (ERROR ): Traceback (most recent call last):
File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1438, in sync_to_ucs
result = self.property[property_type].ucs_sync_function(self, property_type, object)
File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dc.py", line 180, in con2ucs
File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 420, in modify
We should either
* ignore those objects on school slaves in the connector
* or change the LDAP ACLs for school slave
But rejects are not good ...
Here too, same as above. It is cosmetic, but may mask other problems: If we recommend resolving these "legit" rejects or ignoring them, other problems may rear their heads in the future with causes that are ignored in these earlier states.
rejects are not good.
This hit me some weeks ago, too.
We already create several groups in the 96univention-samba4slavepdc.inst join script. We should do these changes there as well.
* Update some default settings in the LDAP directory to prevent
rejects if no S4 connector is installed on the DC master
Waiting for Jenkins test results.
(In reply to Stefan Gohmann from comment #9)
> YAML: r71761
> Fix: r71760
> * Update some default settings in the LDAP directory to prevent
> rejects if no S4 connector is installed on the DC master
> (Bug #36831)
> Waiting for Jenkins test results.
Some more updates: r71768 + r71770 + r71780
We've decided to increase the join script version so the rejects will be removed after running the join scripts.
I've also merged these changes to UCS 4.2.
Rebuild package for Bug #36831, #41167 due to buildsystem error
OK - merged to 4.2
OK - no rejects on slave - no samba4 on master
OK - no rejects on slave - samba4 on master
OK - rejects are gone after upgrade/univention-run-join-scripts on slave
OK - yaml