First Last Prev Next    This bug is not in your last search results.
Bug 40611 - Skip ad member mode join in docker container
Skip ad member mode join in docker container
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Docker
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1-4
Assigned To: Felix Botner
Stefan Gohmann
:
: 42543 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-09 16:22 CET by Felix Botner
Modified: 2016-11-08 13:26 CET (History)
2 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2016-02-09 16:22:18 CET 
In ad member mode, the installation of docker apps fails during the initialization of the ad member mode during the join:

Entering AD Member Mode:  done
Configure 03univention-directory-listener.inst  done
Configure 04univention-ldap-client.inst  done
Configure 11univention-pam.inst  done
Configure 18python-univention-directory-manager.inst  done
Configure 20univention-directory-policy.inst  done
Configure 20univention-join.inst  done
Configure 26univention-samba.inst  failed


**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message:  FAILED: 26univention-samba.inst
**************************************************************************

join.log:
Object modified: cn=zolsdofx8p-1455022821183307,cn=memberserver,cn=computers,dc=w2k12,dc=test
Invalid configuration.  Exiting....
Our netbios name can be at most 15 chars long, "ZOLSDOFX8P-1455022821183307" is 27 chars long
Failed to join domain: The format of the specified computer name is invalid.
ERROR: Failed to join to AD DC via net ads join. Please check your Samba DCs and your DNS and WINS configuration.
Tue Feb  9 14:03:27 CET 2016: finish /usr/sbin/univention-join

We probably want to skip the ad member mode for docker container.
Comment 1 Felix Botner univentionstaff 2016-02-09 16:59:53 CET 
Disabled docker tests in examples/jenkins/utils/utils.sh run_admember_tests()

Please enable test once this is fixed.
Comment 2 Felix Botner univentionstaff 2016-10-20 18:58:39 CEST 
*** Bug 42543 has been marked as a duplicate of this bug. ***
Comment 3 Felix Botner univentionstaff 2016-10-24 14:02:16 CEST 
changelog-4.1-4.xml: r73488, r73492
univention-join (ucs-4.1-4): r73486
 * added -skipAdMemberMode (skip check_and_configure_ad_member_mode during join)
univention-docker-container-mode (ucs-4.1-4): r73490
 * run univention-join with -skipAdMemberMode in setup script

merged to 4.2
Comment 4 Stefan Gohmann univentionstaff 2016-11-02 12:31:20 CET 
I was able to reproduce it with the 4.1-3 appbox image and it works with a 4.1-4 test appbox image: 

 Search DC Master:  done
 Check DC Master:  done
 Search ldap/base done
 Search LDAP binddn  done
 Join Computer Account:  done
 Check TLS connection:  done
 Download host certificate:  done
 AD Member Mode disabled by -skipAdMemberMode
 Configure 03univention-directory-listener.inst  done
 Configure 04univention-ldap-client.inst  done
 Configure 11univention-pam.inst  done
 Configure 18python-univention-directory-manager.inst  done
 Configure 20univention-directory-policy.inst  done
 Configure 20univention-join.inst  done
 Configure 30univention-appcenter.inst  done
 Installing packages for cizoczj2lz=6.1.3


That means we need to change all existing Docker Apps to 4.1-4 otherwise the installation fails in AD member mode.

Not installing univention-samba by default is a good idea. But I think we should also change the hostname generation and create hostnames with less than 15 characters.
Comment 5 Stefan Gohmann univentionstaff 2016-11-02 14:07:46 CET 
(In reply to Stefan Gohmann from comment #4)
> I was able to reproduce it with the 4.1-3 appbox image and it works with a
> 4.1-4 test appbox image: 
> 
>  Search DC Master:  done
>  Check DC Master:  done
>  Search ldap/base done
>  Search LDAP binddn  done
>  Join Computer Account:  done
>  Check TLS connection:  done
>  Download host certificate:  done
>  AD Member Mode disabled by -skipAdMemberMode
>  Configure 03univention-directory-listener.inst  done
>  Configure 04univention-ldap-client.inst  done
>  Configure 11univention-pam.inst  done
>  Configure 18python-univention-directory-manager.inst  done
>  Configure 20univention-directory-policy.inst  done
>  Configure 20univention-join.inst  done
>  Configure 30univention-appcenter.inst  done
>  Installing packages for cizoczj2lz=6.1.3
> 
> 
> That means we need to change all existing Docker Apps to 4.1-4 otherwise the
> installation fails in AD member mode.
> 
> Not installing univention-samba by default is a good idea. But I think we
> should also change the hostname generation and create hostnames with less
> than 15 characters.

I've created Bug #42816 for it.

The member mode settings are skipped. Authentication works in the container because the UCR variables from the host are used.

But I think we should still set the UCR variables like ad/member even if we don't install univention-samba. Otherwise I guess we will have trouble if we install univention-samba in the container.
Comment 6 Felix Botner univentionstaff 2016-11-03 14:34:21 CET 
* univention-join - added -containerAdMemberMode option, if set 
  configure_nonmaster_as_ad_member and revert_nonmaster_ad_member are called
  with role=container
  r74073  (74077 4.2-0)

* univention-docker-container-mode - use -containerAdMemberMode for joining
  r74074 (74075 4.2-0)

* univention-lib - added configure_container_as_ad_member (set UCR vars) and
  revert_container_ad_member (unset UCS vars) and support role container in 
  configure_nonmaster_as_ad_member and revert_nonmaster_ad_member
  r74071 (74072 4.2-0)

* changelog/changelog-4.1-4.xml r74076
Comment 7 Stefan Gohmann univentionstaff 2016-11-05 12:29:38 CET 
Tests: OK, it works now like expected. The UCR variable ad/member is set true in then container.

Changelog: OK
Comment 8 Stefan Gohmann univentionstaff 2016-11-08 13:26:34 CET 
UCS 4.1-4 has been released:
 https://docs.software-univention.de/release-notes-4.1-4-en.html
 https://docs.software-univention.de/release-notes-4.1-4-de.html

If this error occurs again, please use "Clone This Bug".
First Last Prev Next    This bug is not in your last search results.