Univention Bugzilla – Bug 40705
Set timeserver for UCC clients to school DC slave in multiserver env
Last modified: 2016-10-04 13:24:49 CEST
The timeserver for UCC clients should be set to the school DC slave in multiserver environments because the current default (DC master) is not always reachable due to firewall restrictions.
It should be sufficient to set the UCR variable "ucc/timeserver" in policy cn=ou-default-ucr-policy,cn=policies,${oudn}. The policy is modified in ucs-school-ucc-integration/40ucs-school-ucc-integration.inst → ucs-school-ucc-integration/add_ucc_settings_to_ou
* The UCR policy was modified.
* Script was adapted to changes caused by ou-overlapping users: create UCR policy only for OUs we are responsible for, not all we can read

Code: r70842
Advisory: r70843
Switched Version, because accidentally fixed Bug #40706 (was 4.1) instead of this one.
*** Bug 40706 has been marked as a duplicate of this bug. ***
The code to detect the OUs a server is responsible for was moved to ucs-school-lib.

70852 ucs-school-lib
70853 ucs-school-metapackage
70854 ucs-school-ucc-integration
70855 advisories
*** Bug 41743 has been marked as a duplicate of this bug. ***
"servers_school_ous" cannot be used this way in 00ucs-school-slave-check-ou.inst because it uses the local LDAP server. And the local LDAP is initialized in join script 03univention-directory-listener.inst (3 join scripts later). Therefore the local LDAP might not be available when 00ucs-school-slave-check-ou.inst is called. This is why the UCS master is used in LDAP queries. → REOPEN
Maybe passing arguments for "univention-ldapsearch" to servers_school_ous() would be a simple solution.
ucs-school-lib r71237: add support for ldap server and port arguments to shell function servers_school_ous
ucs-school-metapackage r71240: use ldap of dc master in first join script
advisories: 71241
The test case 05_check_join_status fails now:

http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20(R2)%20Multiserver/SambaVersion=s4-school-only/197/testReport/

[2016-08-10 19:09:59.552801] Warning: 'ucs-school-slave-check-ou' is not configured.
[2016-08-10 19:09:59.731178] Error: Not all install files configured: 1 missing
(2016-08-10 19:09:59.732226) error 2016-08-10 19:09:59 check_join_status failed
(2016-08-10 19:09:59.733021) error 2016-08-10 19:09:59 **************** Test failed above this line (110) ****************

http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20(R2)%20Multiserver/SambaVersion=s4-school-only/197/artifact/autotest-204-ucsschool-multiserver-s4.log

Domänenbeitritt - Ausführung des Join-Skriptes 00ucs-school-slave-check-ou
Domänenbeitritt - beendet...
ERROR: installation failed!
output: {u'info': u'beendet...', u'steps': 36.520125164690384, u'finished': True, u'errors': [u'Die Softwarepakete wurden erfolgreich installiert, jedoch konnte der Dom\xe4nenbeitritt nicht abgeschlossen werden: FAILED: 00ucs-school-slave-check-ou.inst. Mehr Hinweise k\xf6nnen in der Log-Datei /var/log/univention/join.log gefunden werden. Nach Beheben der entsprechenden Konflikte kann der Dom\xe4nenbeitritt \xfcber das UMC-Modul "Dom\xe4nenbeitritt" abgeschlossen werden.'], u'component': u'Dom\xe4nenbeitritt'}
*** Failed 1: /root/schoolinstaller.py -uAdministrator -p univention -o School1 -M -e -s 4
ucs-school-4.1r2/ucs-school-lib$ checkbashisms shell/base.sh
script shell/base.sh does not appear to have a #! interpreter line; you may get strange results
possible bashism in shell/base.sh line 121 ('((' should be '$(('):
while (( "$#" )); do
possible bashism in shell/base.sh line 122 (alternative test command ([[ foo ]] should be [ foo ])):
if [[ "$1" == "-d" ]]; then
possible bashism in shell/base.sh line 122 (should be 'b = a'):
if [[ "$1" == "-d" ]]; then
possible bashism in shell/base.sh line 124 (should be 'b = a'):
elif [ "$1" == "-h" ] ; then
possible bashism in shell/base.sh line 126 (should be 'b = a'):
elif [ "$1" == "-p" ] ; then
ucs-school-4.1r2/ucs-school-lib

→ removed with r71688
1) The new shell function servers_school_ous returns a space-separated list of OU DNs. This is problematic if the DN contains whitespace. The following patch makes the function (hopefully) invulnerable against whitespace in DNs. → REOPEN --- a/ucs-school-4.1r2/ucs-school-lib/shell/base.sh +++ b/ucs-school-4.1r2/ucs-school-lib/shell/base.sh @@ -133,12 +133,16 @@ servers_school_ous() { shift 2 done + local IFS + IFS=" +" res="" for oudn in $(univention-ldapsearch $ldap_server $ldap_port -xLLL -b "$ldap_base" 'objectClass=ucsschoolOrganizationalUnit' dn | ldapsearch-wrapper | sed -nre 's/^dn: //p') ; do ouname="$(school_ou "$oudn")" if univention-ldapsearch $ldap_server $ldap_port -xLLL "(&(|(cn=OU${ouname}-DC-Edukativnetz)(cn=OU${ouname}-DC-Verwaltungsnetz))(uniqueMember=${ldap_hostdn}))" dn | grep -q "^dn: "; then - res="$res $oudn" + res="$res +$oudn" fi done - echo -n "${res}" | sed -e 's/^[[:space:]]*//' + echo -n "${res}" | egrep -v "^\s*$" } 2) servers_school_ous returns nothing if called on a UCS@school singleserver (i.e. dc master). Therefore add_ucc_settings_to_ou does not set UCC settings to OU. Is this the intended behaviour? → REOPEN
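Review bot: The function-wide `local IFS` set to a newline also governs the unquoted `$ldap_server $ldap_port` in both univention-ldapsearch calls, so if either variable carries an option and its value in one string, it now reaches the command as a single argument; pass flag and value as separate words, or confine the newline IFS to the expansion of the `for` list. In the last changed line, `egrep -v "^\s*$"` depends on the GNU `\s` escape, while `grep -v '^[[:space:]]*$'` would use the same character class as the removed sed line. Callers that iterated over the old space-separated result have to split on newlines as well, and this patch to base.sh shows no such change.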
Both (and handling of uppercase OUs) fixed in r71989.
Please re-check the last commit (r71989).

From the /var/log/univention/join.log

*****************************************************************************
Configure 00ucs-school-slave-check-ou.inst Tue Aug 30 13:07:04 EDT 2016
2016-08-30 13:07:04.273707616-04:00 (in joinscript_init)
/usr/lib/univention-install/00ucs-school-slave-check-ou.inst: 114: /usr/lib/univention-install/00ucs-school-slave-check-ou.inst: source: not found
*****************************************************************************

ucs-school-4.1r2$ /usr/bin/checkbashisms ucs-school-lib/shell/base.sh
script ucs-school-lib/shell/base.sh does not appear to have a #! interpreter line; you may get strange results
possible bashism in ucs-school-lib/shell/base.sh line 114 (should be '.', not 'source'):
source /usr/share/univention-lib/ucr.sh
possible bashism in ucs-school-lib/shell/base.sh line 142 (${parm,[,][pat]} or ${parm^[^][pat]}):
search_str="(|(cn=OU${ouname,}-DC-Edukativnetz)(cn=OU${ouname,}-DC-Verwaltungsnetz))"
possible bashism in ucs-school-lib/shell/base.sh line 144 (${parm,[,][pat]} or ${parm^[^][pat]}):
search_str="(&(|(cn=OU${ouname,}-DC-Edukativnetz)(cn=OU${ouname,}-DC-Verwaltungsnetz))(uniqueMember=${ldap_hostdn}))"
ucs-school-4.1r2$
r72081: removed bashisms
72114: adapt parameter handling to changed IFS, don't lowercase OU name, change policy also on update
72115: yaml

Packages ucs-school-lib ucs-school-ucc-integration have been rebuilt.
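An added example, not code from ucs-school-lib, of why a newline-only IFS fixes DN lists with spaces but changes how option variables are split, which is what "adapt parameter handling to changed IFS" refers to. The sample DNs, the `-h`/`-p` values, the assumption that flag and value share one variable, and all function names are constructed for illustration.

```shell
#!/bin/sh
NL='
'

# Constructed sample: two OU DNs, one per line; the second contains a space.
sample_ou_dns() {
    printf '%s\n' 'ou=school1,dc=example,dc=test' 'ou=North School,dc=example,dc=test'
}

# Number of words an unquoted expansion of the DN list yields.
# $1 = "newline" splits on newlines only; anything else keeps the default IFS.
dn_count() {
    _mode=$1
    _list=$(sample_ou_dns)
    _saved=$IFS
    if [ "$_mode" = newline ]; then IFS=$NL; fi
    set -f                      # no pathname expansion on the DNs
    set -- $_list
    set +f
    IFS=$_saved
    echo "$#"
}

# Hypothetical stand-in for the LDAP search command: prints its argument count.
argc() { echo "$#"; }

# Assumption: each option variable holds flag and value in one string.
search_argc() {
    ldap_server='-h dc.example.test'
    ldap_port='-p 7389'
    _saved=$IFS
    if [ "$1" = newline ]; then IFS=$NL; fi
    argc $ldap_server $ldap_port -xLLL   # unquoted on purpose: split by IFS
    IFS=$_saved
}

# Alternative: read the list line by line; IFS is changed only for `read`,
# so unquoted option variables elsewhere keep splitting on spaces.
bracketed_dns() {
    sample_ou_dns | while IFS= read -r dn; do
        printf '[%s]' "$dn"
    done
}
```

With the default IFS the two DNs come out as three words; with the newline IFS they come out as two, but the search command receives three arguments instead of five.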
If executing this twice I get the following error message:

E: Invalid Syntax: Duplicated variables not allowed: 'ucc/timeserver'

There are two same calls to:
univention-directory-manager policies/registry modify

Is this on purpose?

add_ucc_settings_to_ou contains space/tab mixes (also prior to the changes, but also some newly introduced ones).
r72879 removes the error message if run twice and adds the missing dn to the udm call
OK: no bashisms found anymore
OK: IF=\n hack (I like python btw)
OK: servers_school_ous() seems to work on all roles
REOPEN: ucc/timeserver is not set after upgrading to ucs-school-ucc-integration 3.0.0-5.17.201609281524 → the join script version was not increased
OK: when re-executing the joinscript the value is properly set
OK: error message is suppressed
IGNORED: still tab/space mix
OK: YAML

Off-topic: the QA for Bug #31966 was incomplete: the values never get updated when upgrading (so this only worked for new installations):
E: Invalid Syntax: Duplicated variables not allowed: 'ucc/italc/key/filename', 'ucc/cups/server', 'ucc/proxy/http', 'ucc/italc/key/sambasource', 'ucc/mount/cifshome/server'
r72892: raised joinscript VERSION, so it will try to set the UCR policy when updating too
OK: joinscript
adjusted the YAML in svn r72894
UCS@school 4.1 R2 v5 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.1R2v5-de.html

If this error occurs again, please clone this bug.