Bug 41057 - showrepl WERR_SEM_TIMEOUT due to multiple interfaces
showrepl WERR_SEM_TIMEOUT due to multiple interfaces
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Stefan Gohmann
Felix Botner
https://bugzilla.samba.org/show_bug.c...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-04-14 20:20 CEST by Arvid Requate
Modified: 2017-10-18 12:02 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2015072221000236
Bug group (optional): Error handling
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2016-04-14 20:20:41 CEST
In the environment of Ticket#: 2015072221000236 the join of a DC Backup failed in 98univention-samba4-dns with symptoms similar to Bug 30836. Additionally samba-tool showrepl on the joining system showed "WERR_SEM_TIMEOUT" for the inbound replication.

As it turned out, the DC Master had three network interfaces configured for three different /24 networks, and Samba was binding to all of them. As a result the dnsupdate process on the DC Master wrote all 3 IPs into DNS.

Now the DC Backup only had one network interface but it apparently persistently attempted to connect to the master on one of the IPs that were not reachable.

As a workaround we set samba/interfaces="eth1" (the right one) and samba/interfaces/bindonly=yes on the master and restarted the samba services. Then we used ldbedit (could have used nsupdate instead) to remove the useless IP adresses from the DNS record of the master. After some pushing and shoving on the DC Backup (temporarily setting nameserver1 to point to the master too and restarting samba) replication started to flow normally and the final joinscript could be finished successfully too (Note: Possibly there are additional DNS records that need fixing now, e.g. the IP addresses registered to the dns-domain itself and the IPs for gc._msdcs).

Probably Samba should be more graceful with this and attempt to use (and prefer) IPs that are reachable.
Comment 1 Arvid Requate univentionstaff 2016-05-19 18:04:31 CEST
I filed an upstream bug for this, see URL.
Comment 2 Stefan Gohmann univentionstaff 2017-09-14 08:53:15 CEST
Changing Samba would be the best option. Unfortunately, Samba doesn't support it yet.

I guess we currently see these errors in Nagios and in our diagnostic checks. So, maybe a SDB article would alleviate the pain of the customers. I think it would be good enough because the systems gives feedback that the error exists and one can change the configuration via UCR.

Any other suggestions?
Comment 3 Arvid Requate univentionstaff 2017-09-14 09:22:57 CEST
Maybe we can check the number of interfaces (similar to what we do for the docker0 interface) somewhere, e.g. in the diagnostic module (which would already show the DRS replication issue).
Comment 4 Stefan Gohmann univentionstaff 2017-09-14 09:38:44 CEST
(In reply to Arvid Requate from comment #3)
> Maybe we can check the number of interfaces (similar to what we do for the
> docker0 interface) somewhere, e.g. in the diagnostic module (which would
> already show the DRS replication issue).

You mean for a newly installed UCS system we use only the default interface?
Comment 5 Arvid Requate univentionstaff 2017-09-14 10:05:25 CEST
If we can identify a good default, that would be the best I guess. If not, we should just warn.
Comment 6 Stefan Gohmann univentionstaff 2017-09-14 10:48:20 CEST
(In reply to Arvid Requate from comment #5)
> If we can identify a good default, that would be the best I guess. If not,
> we should just warn.

We can:

root@master421:~# ucr search interfaces/primary
interfaces/primary: eth0
 If multiple network interfaces exist on a system, this variable allows configuring the primary network interface. If no value is set, 'eth0' is assumed.

root@master421:~#
Comment 7 Arvid Requate univentionstaff 2017-09-14 12:42:54 CEST
interfaces/primary

Ok, we should use that in smb.conf. This would limit the interfaces to exactly one, as intended.

Q: But is this set automatically? Or is it up to the admin to know and configure this option?
Comment 8 Stefan Gohmann univentionstaff 2017-09-14 13:51:48 CEST
(In reply to Arvid Requate from comment #7)
> interfaces/primary
> 
> Ok, we should use that in smb.conf. This would limit the interfaces to
> exactly one, as intended.
> 
> Q: But is this set automatically? Or is it up to the admin to know and
> configure this option?

Not so easy. First of all, I think we shouldn't change already installed systems.

If Samba is installed we should configure it in this way:

* interfaces/primary is set during the installation but it can be change by the admin later for example via UMC network settings.

* samba/interfaces/bindonly should be set to yes by default

* samba/interfaces should be set to "lo <interfaces/primary>" by default. The smb.conf will replace <interfaces/primary> with the interface configured in interfaces/primary.

* samba/register/exclude/interfaces can be set to docker0 but it would only be used if samba/interfaces/bindonly is set to no or unset
Comment 9 Stefan Gohmann univentionstaff 2017-09-15 06:54:44 CEST
Support <interfaces/primary> as a keyword for the UCR variable samba/interfaces has been added. Now, newly installed Samba 4 systems will set samba/interfaces to lo and the primary interface which is represented via interfaces/primary. Thus, Samba will by default only listen on those two interfaces. This can be configured afterwards via samba/interfaces, samba/interfaces/bindonly and samba/register/exclude/interfaces.

Fix:

https://git.knut.univention.de/univention/ucs/commit/caae9797aaaf66b4e2741ded7fec4aaa582a1d33

YAML:

https://git.knut.univention.de/univention/ucs/commit/d8abf9d99e86b3240c38dd015d526591494f1237
Comment 10 Felix Botner univentionstaff 2017-10-02 14:55:53 CEST
OK - update (no samba/interfaces)
OK - install, samba/interfaces to lo <interfaces/primary> (or eth0)
OK - jenkins tests
OK - YAML
Comment 11 Arvid Requate univentionstaff 2017-10-18 12:02:42 CEST
<http://errata.software-univention.de/ucs/4.2/200.html>