Univention Bugzilla – Bug 41057
showrepl WERR_SEM_TIMEOUT due to multiple interfaces
Last modified: 2017-10-18 12:02:42 CEST
In the environment of Ticket#: 2015072221000236 the join of a DC Backup failed in 98univention-samba4-dns with symptoms similar to Bug 30836. Additionally samba-tool showrepl on the joining system showed "WERR_SEM_TIMEOUT" for the inbound replication.
As it turned out, the DC Master had three network interfaces configured for three different /24 networks, and Samba was binding to all of them. As a result the dnsupdate process on the DC Master wrote all 3 IPs into DNS.
Now the DC Backup only had one network interface but it apparently persistently attempted to connect to the master on one of the IPs that were not reachable.
As a workaround we set samba/interfaces="eth1" (the right one) and samba/interfaces/bindonly=yes on the master and restarted the samba services. Then we used ldbedit (could have used nsupdate instead) to remove the useless IP addresses from the DNS record of the master. After some pushing and shoving on the DC Backup (temporarily setting nameserver1 to point to the master too and restarting samba) replication started to flow normally and the final joinscript could be finished successfully too (Note: Possibly there are additional DNS records that need fixing now, e.g. the IP addresses registered to the dns-domain itself and the IPs for gc._msdcs).
Probably Samba should be more graceful with this and attempt to use (and prefer) IPs that are reachable.
I filed an upstream bug for this, see URL.
Changing Samba would be the best option. Unfortunately, Samba doesn't support it yet.
I guess we currently see these errors in Nagios and in our diagnostic checks. So, maybe an SDB article would alleviate the pain of the customers. I think it would be good enough because the system gives feedback that the error exists and one can change the configuration via UCR.
Any other suggestions?
Maybe we can check the number of interfaces (similar to what we do for the docker0 interface) somewhere, e.g. in the diagnostic module (which would already show the DRS replication issue).
(In reply to Arvid Requate from comment #3)
> Maybe we can check the number of interfaces (similar to what we do for the
> docker0 interface) somewhere, e.g. in the diagnostic module (which would
> already show the DRS replication issue).
You mean for a newly installed UCS system we use only the default interface?
If we can identify a good default, that would be the best I guess. If not, we should just warn.
(In reply to Arvid Requate from comment #5)
> If we can identify a good default, that would be the best I guess. If not,
> we should just warn.
root@master421:~# ucr search interfaces/primary
If multiple network interfaces exist on a system, this variable allows configuring the primary network interface. If no value is set, 'eth0' is assumed.
Ok, we should use that in smb.conf. This would limit the interfaces to exactly one, as intended.
Q: But is this set automatically? Or is it up to the admin to know and configure this option?
(In reply to Arvid Requate from comment #7)
> Ok, we should use that in smb.conf. This would limit the interfaces to
> exactly one, as intended.
> Q: But is this set automatically? Or is it up to the admin to know and
> configure this option?
Not so easy. First of all, I think we shouldn't change already installed systems.
If Samba is installed we should configure it in this way:
* interfaces/primary is set during the installation but it can be changed by the admin later, for example via UMC network settings.
* samba/interfaces/bindonly should be set to yes by default
* samba/interfaces should be set to "lo <interfaces/primary>" by default. The smb.conf will replace <interfaces/primary> with the interface configured in interfaces/primary.
* samba/register/exclude/interfaces can be set to docker0 but it would only be used if samba/interfaces/bindonly is set to no or unset
Support for <interfaces/primary> as a keyword for the UCR variable samba/interfaces has been added. Now, newly installed Samba 4 systems will set samba/interfaces to lo and the primary interface, which is represented via interfaces/primary. Thus, Samba will by default only listen on those two interfaces. This can be configured afterwards via samba/interfaces, samba/interfaces/bindonly and samba/register/exclude/interfaces.
OK - update (no samba/interfaces)
OK - install, samba/interfaces to lo <interfaces/primary> (or eth0)
OK - jenkins tests
OK - YAML
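
Added example, not part of the bug thread and not Univention's code: a small model of the `<interfaces/primary>` keyword expansion and of the follow-up check from the workaround, namely which A records of the DC still point at addresses Samba no longer binds to. The function names, the interface addresses and the DNS records are constructed for illustration, and the binding logic is a simplified assumption based on the variable descriptions in this thread.

```python
PRIMARY_KEYWORD = "<interfaces/primary>"


def resolve_samba_interfaces(ucr):
    """Expand samba/interfaces, substituting the <interfaces/primary> keyword."""
    primary = ucr.get("interfaces/primary") or "eth0"  # unset means 'eth0'
    tokens = (ucr.get("samba/interfaces") or "").split()
    return [primary if t == PRIMARY_KEYWORD else t for t in tokens]


def bound_interfaces(ucr, iface_addrs):
    """Interfaces Samba serves on (simplified model, an assumption)."""
    if (ucr.get("samba/interfaces/bindonly") or "").lower() == "yes":
        return [i for i in resolve_samba_interfaces(ucr) if i in iface_addrs]
    # Without bindonly, every interface is used except the excluded ones.
    excluded = (ucr.get("samba/register/exclude/interfaces") or "").split()
    return [i for i in iface_addrs if i not in excluded]


def stale_dns_addresses(ucr, iface_addrs, dns_a_records):
    """A records of the DC that point at addresses Samba is not bound to."""
    bound = bound_interfaces(ucr, iface_addrs)
    served = {iface_addrs[i] for i in bound if i != "lo"}
    return sorted(a for a in dns_a_records if a not in served)


# Constructed sample: a master with three /24 networks, all three in DNS.
IFACE_ADDRS = {
    "lo": "127.0.0.1",
    "eth0": "10.0.1.5",
    "eth1": "10.0.2.5",
    "eth2": "10.0.3.5",
}
DNS_A_RECORDS = ["10.0.1.5", "10.0.2.5", "10.0.3.5"]
UCR_AFTER_FIX = {
    "interfaces/primary": "eth1",
    "samba/interfaces": "lo <interfaces/primary>",
    "samba/interfaces/bindonly": "yes",
}

if __name__ == "__main__":
    print("interfaces =", " ".join(resolve_samba_interfaces(UCR_AFTER_FIX)))
    print("records to clean up:",
          stale_dns_addresses(UCR_AFTER_FIX, IFACE_ADDRS, DNS_A_RECORDS))
```

Restricting the bind list does not remove records that were already registered, which is why the workaround also had to edit the master's DNS entry by hand.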