Bug 39068 - Join hangs because of upper/lowercase mismatch
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Philipp Hahn
QA Contact: Felix Botner
Depends on:
Blocks: 43381
Reported: 2015-08-03 15:10 CEST by Michael Grandjean
Modified: 2017-01-20 11:40 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016090521000405
Bug group (optional): Error handling, External feedback
Max CVSS v3 score:


Description Michael Grandjean univentionstaff 2015-08-03 15:10:09 CEST
I'm not sure if this is "only" a univention-ssl-issue or more generic:

A technical training attendee created a UCS system (DC Slave) via the UMC. The hostname contained at least one uppercase letter (e.g. "ucs-Slave1").

The attendee then installed the DC Slave, but specified an all lowercase hostname (e.g. "ucs-slave1"). The rest of the installation went fine, and even the subsequent join started, but ran into a loop while trying to receive the host certificate. 

The path on the master was created with uppercase:
> /etc/univention/ssl/ucs-Slave1.example.org
> /etc/univention/ssl/ucs-Slave1

While the system was searching for:
> /etc/univention/ssl/ucs-slave1.example.org
> /etc/univention/ssl/ucs-slave1

I guess the join should not have started at all because of the case mismatch?
Comment 1 Florian Best univentionstaff 2015-08-11 09:23:42 CEST
Might be caused by Bug #37816? We can do a "hostname = hostname.lower()" in the UMC backend of system-setup.
Comment 2 Michael Grandjean univentionstaff 2016-09-13 13:48:07 CEST
Ticket#2016090521000405
Comment 3 Philipp Hahn univentionstaff 2016-12-05 15:47:42 CET
The Listener module uses the casing from LDAP, while the host tries to find the certificate using its own spelling.

4.1-4:
r74975 | Bug #39068 join: Strip root DNS zone
r74974 | Bug #39068 join: Use hostname from LDAP
r74973 | Bug #39068 join: Only used 1st entry
4.2-0:
r74983 | Bug #39068 join: Strip root DNS zone
r74982 | Bug #39068 join: Use hostname from LDAP
r74981 | Bug #39068 join: Only used 1st entry
YAML:
r74976 | Bug #39068,Bug #39179,Bug #42837: SSL


Package: univention-join
Version: 8.0.4-6.520.201612051533
Branch: ucs_4.1-0
Scope: errata4.1-4

QA:
 ucr set hostname=$(ucr get hostname|tr '[:upper:][:lower:]' '[:lower:][:upper:]')
 univention-join

FYI:
 If the casing of $domainname does not match, things go very badly wrong - not touched!
Comment 4 Stefan Gohmann univentionstaff 2016-12-07 06:51:07 CET
The join.log now throws the following error:

univention-server-join: joins a server to an univention domain
copyright (c) 2001-2016 Univention GmbH, Germany

ldap_dn="cn=slave094,cn=dc,cn=computers,dc=autotest094,dc=local"
Traceback (most recent call last):
  File "<stdin>", line 13, in <module>
IOError: [Errno 2] No such file or directory: '/etc/machine.secret'
Setting hostname

See here:
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-4/job/AutotestJoin/SambaVersion=s3,Systemrolle=slave/ws/join.log

This is recognized by the test case 99check_log_files:
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-4/job/AutotestJoin/SambaVersion=s3,Systemrolle=slave/lastCompletedBuild/testReport/00_checks/99check_log_files/test/

I guess these changes are responsible for the error. 

One other comment while reading your comment:

(In reply to Philipp Hahn from comment #3)
> r74975 | Bug #39068 join: Strip root DNS zone

Does it have something to do with this bug? If not, please file a new bug and fix it through the new bug. If yes, I'm fine with it.
Comment 5 Philipp Hahn univentionstaff 2016-12-07 17:30:54 CET
(In reply to Stefan Gohmann from comment #4)
> The join.log now throws the following error:
> 
> univention-server-join: joins a server to an univention domain
> copyright (c) 2001-2016 Univention GmbH, Germany
> 
> ldap_dn="cn=slave094,cn=dc,cn=computers,dc=autotest094,dc=local"
> Traceback (most recent call last):
>   File "<stdin>", line 13, in <module>
> IOError: [Errno 2] No such file or directory: '/etc/machine.secret'
> Setting hostname

This is triggered by
 ucr set ldap/hostdn=...
while /etc/machine.secret does not yet exist. The culprit is
 ucr commit /etc/postgresql/pam_ldap.conf

> I guess these changes are responsible for the error. 

UCS-4.1-4:
r75074 | Bug #39068 join: Only update hostane and hosdn after /etc/machine.secret
YAML:
r75075 | Bug #39068 join: Only update hostane and hosdn after /etc/machine.secret YAML
UCS-4.2-0:
r75076 | Bug #39068 join: Only update hostane and hosdn after /etc/machine.secret

Package: univention-join
Version: 8.0.4-7.521.201612071726
Branch: ucs_4.1-0
Scope: errata4.1-4


> One other comment while reading your comment:
> 
> (In reply to Philipp Hahn from comment #3)
> > r74975 | Bug #39068 join: Strip root DNS zone
> 
> Does it have something to do with this bug? If not, please file a new bug
> and fix it through the new bug. If yes, I'm fine with it.

Found while testing my change: any decent UNIX tool understands how to handle an explicit trailing dot; UCS doesn't and breaks badly.
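
Added example, not part of the bug report and not code from univention-join: a lookup that finds the certificate directory from the description even when the requested host name differs in case or carries an explicit trailing dot. The function names (normalize_host, find_cert_dir, demo) and the scratch directory are assumptions made for illustration; the directory names are the ones quoted in the description.

```shell
#!/bin/sh
# Normalise a host name for comparison: drop one explicit trailing dot
# (root DNS zone) and fold to lower case, since DNS names compare
# case-insensitively.
normalize_host() {
    printf '%s\n' "${1%.}" | tr '[:upper:]' '[:lower:]'
}

# find_cert_dir SSL_BASE NAME
# Prints the on-disk directory under SSL_BASE whose name equals NAME after
# normalisation. Returns 0 on exactly one match, 1 on none, 2 when several
# directories differ only by case (ambiguous, needs manual cleanup).
find_cert_dir() {
    base=$1
    want=$(normalize_host "$2")
    found=''
    count=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        if [ "$(normalize_host "$name")" = "$want" ]; then
            found=$name
            count=$((count + 1))
        fi
    done
    case $count in
        0) return 1 ;;
        1) printf '%s\n' "$found" ;;
        *) return 2 ;;
    esac
}

# Constructed sample: the directory layout from the description, created in
# a scratch directory, queried with the lowercase name plus a trailing dot.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/ucs-Slave1.example.org" "$tmp/ucs-Slave1"
    rc=0
    find_cert_dir "$tmp" "ucs-slave1.example.org." || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Calling demo prints the directory name in the casing that exists on disk, so the caller can open the certificate path that was really created instead of polling for a path that never appears.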
Comment 6 Felix Botner univentionstaff 2016-12-20 18:46:41 CET
OK - normal join (no computer object in ldap)
OK - join "backup" with object BackUP present -> hostname BackUP
OK - join BACKUP with object backup present -> hostname backup

OK - code
OK - YAML
OK - merged to 4.2-0

I removed 3 from the yaml version (4.1-3 is no longer maintained)
Comment 7 Philipp Hahn univentionstaff 2016-12-21 15:32:51 CET
<http://errata.software-univention.de/ucs/4.1/362.html>