Bug 38983 - adconnector/take_over_domain: handle LdbError
adconnector/take_over_domain: handle LdbError
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Takeover
UCS 4.0
amd64 Windows 7
: P5 normal (vote)
: UCS 4.2-0-errata
Assigned To: Arvid Requate
Felix Botner
:
: 44583 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-07-20 11:29 CEST by FMPIT
Modified: 2017-06-07 15:22 CEST (History)
9 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2016092721000436, 2016093021000402
Bug group (optional): Error handling, External feedback
Max CVSS v3 score:
requate: Patch_Available+


Attachments
takeover.patch (4.34 KB, patch)
2015-07-20 17:44 CEST, Arvid Requate
Details | Diff
Adjusted takeover.patch for errata4.0-2 and later (4.33 KB, patch)
2016-10-11 15:43 CEST, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description FMPIT 2015-07-20 11:29:20 CEST
We almost finished the AD takeover process, but at the end when UCS told me click Next with the message 

"The group policies have been transferred successfully.

In order to complete the takeover process, all previous Active Directory Domain Controllers need to be switched off now. Click "Next" as soon as all Domain Controllers are shutdown completely"

After click Next, we got error as below:

Execution of command 'take_over_domain' has failed:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/adtakeover/__init__.py", line 60, in _background
    result = func(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/adtakeover/__init__.py", line 119, in take_over_domain
    takeover.take_over_domain(self.progress)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/adtakeover/takeover.py", line 354, in take_over_domain
    takeover_final.create_DNS_SPN()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/adtakeover/takeover.py", line 1759, in create_DNS_SPN
    "msDS-KeyVersionNumber": dnsKeyVersion})
LdbError: (68, 'Entry samAccountName=dns-fmp-ucs-298,CN=Principals already exists')

Now we cannot continue or rollback the system.
Comment 1 FMPIT 2015-07-20 16:54:32 CEST
Ticket#2015071821000208 with log files attachment, pls help us
Comment 2 Arvid Requate univentionstaff 2015-07-20 17:44:01 CEST
Created attachment 7036 [details]
takeover.patch

As far as I understand the logs the UCS DC had been configured as AD member before running AD takeover. The traceback occurs because the DNS service account already exists in secrets.ldb. The patch should avoid that traceback in the future.
Comment 3 FMPIT 2015-07-20 20:17:02 CEST
Hi Arvid,

You are true about the event to be AD member before takeover. Honestly, I haved checked 3 options in the setup: (as DC backup)
- AD connection
- AD Takeover
- DHCP Server
and it will be DC master, but after the setup, it does not appear as a DC. I checked carefully, it only appeared in Computer OU (which hold computer client objects), and did not appear in Domain Controller OU. After that, I discovered that AD Takeover had not been installed as I choose. Then I installed AD Takeover from AppCenter and start the AD Takeover process as you know. 

Thank you again for your help, Arvid.

Regards,
Comment 4 Arvid Requate univentionstaff 2015-07-20 20:36:10 CEST
I reopened this bug because we want to improve the product with the attached patch. Please leave the this bug open.

Details regarding customer setups are better discussed on a non-public channel.
Comment 5 Stefan Gohmann univentionstaff 2015-08-06 07:32:09 CEST
Reported again: Ticket #2015072921000411
Comment 6 Florian Best univentionstaff 2016-05-20 06:45:19 CEST
Reported again, 4.1-2 errata176 (Vahr)

Execution of command 'take_over_domain' has failed:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 60, in _background
    result = func(self, request)
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 119, in take_over_domain
    takeover.take_over_domain(self.progress)
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 355, in take_over_domain
    takeover_final.create_DNS_SPN()
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 1793, in create_DNS_SPN
    self.samdb.modify(delta)
LdbError: (32, 'No such Base DN: CN=dns-ucsserver1,CN=Users,DC=XXX,DC=LOCAL')
Comment 7 Jens Thorp-Hansen univentionstaff 2016-10-04 09:48:36 CEST
again at: Ticket#2016093021000402
Comment 8 Florian Best univentionstaff 2016-10-04 12:24:50 CEST
Version: 4.1-3 errata239 (Vahr)

Execution of command 'take_over_domain' has failed:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 60, in _background
    result = func(self, request)
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 119, in take_over_domain
    takeover.take_over_domain(self.progress)
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 355, in take_over_domain
    takeover_final.create_DNS_SPN()
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 1793, in create_DNS_SPN
    self.samdb.modify(delta)
LdbError: (32, 'No such Base DN: CN=dns-*,CN=Users,DC=*,DC=LOCAL')
Comment 9 Florian Best univentionstaff 2016-10-10 14:33:32 CEST
*** Bug 34650 has been marked as a duplicate of this bug. ***
Comment 10 Arvid Requate univentionstaff 2016-10-11 15:43:25 CEST
Created attachment 8088 [details]
Adjusted takeover.patch for errata4.0-2 and later

Thanks to collateral whitespace cleanup during Bug 38729 the initial patch trivially fails for all releases >= errata4.0-2.
Comment 11 Arvid Requate univentionstaff 2017-04-24 20:11:23 CEST
Package rebuilt in errata4.2-0 with patch.

Advisory: univention-management-console-module-adtakeover.yaml
Comment 12 Felix Botner univentionstaff 2017-05-11 17:28:02 CEST
Created Bug #44583 for the "LdbError: (32, 'No such Base DN: CN=dns-ucsserver1,CN=Users,DC=XXX,DC=LOCAL')" error. This is something else.
Comment 13 Arvid Requate univentionstaff 2017-05-11 18:39:33 CEST
Ok, as discussed, I've tried to add some workaround, by using a subtree search instead of a base search. Advisory updated.
Comment 15 Arvid Requate univentionstaff 2017-05-11 19:47:37 CEST
*** Bug 44583 has been marked as a duplicate of this bug. ***
Comment 16 Arvid Requate univentionstaff 2017-05-11 19:48:50 CEST
Felix had the brilliant idea to get rid of the whole special create_DNS_SPN code and run the univention-samba4-dns joinscript instead.

Advisory updated.
Comment 18 Felix Botner univentionstaff 2017-05-12 12:41:49 CEST
Unfortunately, we allow the takeover on master, back and slave 
-> https://docs.software-univention.de/manual-4.2.html#windows:adtakeover

   The UCS domain controller (master domain controller, backup domain controller 
   or slave domain controller) needs to be installed with a unique hostname, not 
   used in the AD domain. 

If the ucs server is not a master univention-run-join-scripts asks for the password and the takeover process hangs forever.

What now?
Comment 19 Arvid Requate univentionstaff 2017-05-12 12:48:21 CEST
But that already happens before this change for the other two joinscripts? So that would be a separate issue, or am I missing something?

Re Comment 17: yeah, we discussed that option but that script masks the return code by exit 0. Then the user doesn't get feedback about a possible failure. That's the whole point we discussed about for different bug: If an incomplete "fix" for a bug masks the original problem, then it's not good.
Comment 20 Florian Best univentionstaff 2017-05-12 12:49:33 CEST
The password of the user (is the module forced to be executed by an Administrator?) is available in self.username/self.password - if not logged in via SAML. If logged in via SAML there is a decorator @required_password.

There were already 2 joinscripts which were executed, what about them? The problem exists before, too?!
Comment 21 Erik Damrose univentionstaff 2017-05-12 13:06:52 CEST
(In reply to Florian Best from comment #20)
> The password of the user (is the module forced to be executed by an
> Administrator?) is available in self.username/self.password - if not logged
> in via SAML. If logged in via SAML there is a decorator @required_password.

You can also do an AD takeover via system-setup, which is an anonymous User. It has to be made sure that the credentials are also passed correctly from the setup wizard
Comment 22 Felix Botner univentionstaff 2017-05-12 13:43:24 CEST
(In reply to Arvid Requate from comment #19)
> But that already happens before this change for the other two joinscripts?
> So that would be a separate issue, or am I missing something?
> 
> Re Comment 17: yeah, we discussed that option but that script masks the
> return code by exit 0. Then the user doesn't get feedback about a possible
> failure. That's the whole point we discussed about for different bug: If an
> incomplete "fix" for a bug masks the original problem, then it's not good.

yes, but the other two join scripts are very rare exceptions while univention-samba4-dns is always installed. So we have increased the chance of hitting this bug by 1000 + x %.

I think we have to fix this now (or revert the change and reactive create_DNS_SPN).

possible fixes:
 * run univention-run-join-scripts only on MASTER
 * use -dcaccount -dcpwd
Comment 23 Erik Damrose univentionstaff 2017-05-15 14:21:04 CEST
(In reply to Erik Damrose from comment #21)
> You can also do an AD takeover via system-setup

I was wrong, one can only install the ad-takeover during system setup, but the takeover itself is not possible.
Comment 24 Arvid Requate univentionstaff 2017-05-15 17:55:13 CEST
> possible fixes:
> * use -dcaccount -dcpwd

Ok, adjusted. Advisory updated.
Comment 25 Felix Botner univentionstaff 2017-05-18 11:36:38 CEST
(In reply to Felix Botner from comment #18)
> Unfortunately, we allow the takeover on master, back and slave 
> -> https://docs.software-univention.de/manual-4.2.html#windows:adtakeover
> 
>    The UCS domain controller (master domain controller, backup domain
> controller 
>    or slave domain controller) needs to be installed with a unique hostname,
> not 
>    used in the AD domain. 
> 
> If the ucs server is not a master univention-run-join-scripts asks for the
> password and the takeover process hangs forever.
> 
> What now?

NO, the takeover app requires a UCS master, and the takeover itself also (fails on back during

 Samba domain join successful.
2017-05-18 11:13:19,779 Calling: univention-run-join-scripts --run-scripts 96univention-samba4.inst
2017-05-18 11:13:20,334 **************************************************************************
2017-05-18 11:13:20,334 * Running join scripts failed!                                           *
2017-05-18 11:13:20,334 **************************************************************************
2017-05-18 11:13:20,335 * Message:  binddn for user  not found
2017-05-18 11:13:20,335 **************************************************************************
2017-05-18 11:13:20,336 ERROR: Final univention-run-join-scripts --run-scripts 96univention-samba4.inst failed (1)


So the manual is broken

i am afraid to say, but we should revert the last change
Comment 26 Arvid Requate univentionstaff 2017-06-01 19:55:58 CEST
Ok, reverted to Comment 16. Advisory updated.
Comment 27 Felix Botner univentionstaff 2017-06-02 14:48:21 CEST
OK - takeover
OK - YAML
Comment 28 Janek Walkenhorst univentionstaff 2017-06-07 15:22:34 CEST
<http://errata.software-univention.de/ucs/4.2/29.html>