Bug 38754 - Race condition in new school-dc setup
Race condition in new school-dc setup
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - Installer
UCS@school 3.2 R2
Other Linux
: P1 normal (vote)
: UCS@school 4.0 R2 Errata
Assigned To: Sönke Schwardt-Krummrich
Felix Botner
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-06-23 14:27 CEST by Janis Meybohm
Modified: 2015-11-11 14:22 CET (History)
4 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Janis Meybohm univentionstaff 2015-06-23 14:27:45 CEST
Ticket#2015052021000181

We had that twice now in the customer environment:

* A new DC-Save is set up in the environment (without samba4)
* The DC-Slave is joined
* UCS@school App is installed
* UCS@school installer is run
...installer hangs forever while trying to re-join the domain.

What happens is that the listener gets restarted during the package installation and newly installed modules get loaded (ucsschool-user-logonscripts among others).
After installation is completed the school-installer moves the DC-Slave to the OU and univention-join is started.

univention-join than changes UCR ldap/hostdn to the new DN and tries to stop the listener.
That fails because the listener is in initialization phase of the Module ucsschool-user-logonscripts (in the current case) that continuously tries a univention.uldap.getMachineConnection(ldap_master=False) with the new ldap/hostdn against the local (old) LDAP.

-> deadlock
Comment 1 Tim Petersen univentionstaff 2015-07-30 11:07:24 CEST
2015072021000276
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-10-01 22:51:50 CEST
(In reply to Janis Meybohm from comment #0)
> We had that twice now in the customer environment:
> 
> * A new DC-Save is set up in the environment (without samba4)
> * The DC-Slave is joined
> * UCS@school App is installed
> * UCS@school installer is run
> ...installer hangs forever while trying to re-join the domain.

"forever" seems to be up to 5min per DN that has to be processed → a long time.

> univention-join than changes UCR ldap/hostdn to the new DN and tries to stop
> the listener.
> That fails because the listener is in initialization phase of the Module
> ucsschool-user-logonscripts (in the current case) that continuously tries a
> univention.uldap.getMachineConnection(ldap_master=False) with the new
> ldap/hostdn against the local (old) LDAP.

The LDAP exception handling has been improved and the LDAP connection is dropped if an error occurs. Additionally the LDAP connection handling does not wait up to 5 mins on LDAP error "INVALID_CREDENTIALS" but fails fast.

This should improve the situation a lot.

ucs-school-netlogon-user-logonscripts (11.0.2-1):
r64155 | Bug #38754: added changelog entry
r64154 | Bug #38754: catch LDAP errors and invalidate LDAP connection / fail fast on error INVALID_CREDENTIALS
r64153 | Bug #38754: do not overwrite variable "dn"
r64152 | Bug #38754: increased log level
r64151 | Bug #38754: connection should be never a boolean value / fixed indention
r64150 | Bug #38754: removed useless imports / code
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2015-10-01 23:13:32 CEST
The package has been published to app repo ucsschool_devel.
Comment 4 Felix Botner univentionstaff 2015-10-19 14:10:55 CEST
OK, code looks good, tests OK 
i wasn't able to reproduce this, but all my test were OK
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2015-11-11 14:20:27 CET
UCS@school 4.0 R2 v3 has been released.

If this error occurs again, please use "Clone This Bug".