Bug 41079 - Check AD Connector / Member mode with UCS 3.3
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 3.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.3
Assigned To: Felix Botner
QA Contact: Arvid Requate
Reported: 2016-04-19 15:30 CEST by Stefan Gohmann
Modified: 2016-06-07 21:35 CEST
Description Stefan Gohmann univentionstaff 2016-04-19 15:30:28 CEST
The AD Connector / Member mode should be checked with UCS 3.3.
Comment 1 Felix Botner univentionstaff 2016-04-29 13:16:00 CEST
FAIL - takeover

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/management/console/modules/adtakeover/__init__.py", line 60, in _background
    result = func(self, request)
  File "/usr/lib/pymodules/python2.6/univention/management/console/modules/adtakeover/__init__.py", line 107, in copy_domain_data
    takeover.join_to_domain_and_copy_domain_data(ip, username, password, self.progress)
  File "/usr/lib/pymodules/python2.6/univention/management/console/modules/adtakeover/takeover.py", line 282, in join_to_domain_and_copy_domain_data
    takeover.join_AD(progress)
  File "/usr/lib/pymodules/python2.6/univention/management/console/modules/adtakeover/takeover.py", line 855, in join_AD
    run_and_output_to_log(["/etc/init.d/samba4", "stop"], log.debug)
  File "/usr/lib/pymodules/python2.6/univention/management/console/modules/adtakeover/takeover.py", line 1971, in run_and_output_to_log
    p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
  File "/usr/lib/python2.6/subprocess.py", line 623, in __init__
    errread, errwrite)
  File "/usr/lib/python2.6/subprocess.py", line 1141, in _execute_child
    raise child_exception
OSError: [Errno 2] Datei oder Verzeichnis nicht gefunden

I guess this is the /etc/init.d/samba4 stop/start stuff in takeover.py. There is no such init script on my UCS 3.3 (only /etc/init.d/samba and /etc/init.d/samba-ad-dc).

We have to either

(a) provide a link /etc/init.d/samba4 to the right init script (I am not sure if samba4 has to point to samba or samba-ad-dc, probably samba-ad-dc),

or

(b) fix our package; /etc/init.d/samba4 is used in
 univention-ldap
  - univention-backup2master
 univention-join
  - univention-join
 univention-management-console-module-adtakeover
  - umc/python/adtakeover/takeover.py
 univention-ldb-modules
  - debian/libunivention-ldb-modules.postinst
  - 97libunivention-ldb-modules.inst
  - 03libunivention-ldb-modules.uinst
 univention-s4-connector
  - 97univention-s4-connector.inst
 univention-printserver
  - debian/univention-printserver.postinst
 univention-printserver
  - cups-printers.py

OK - AD connector
 * installation/initialization
 * sync (win <-> ucs)
 * password change via win/ucs
 * logon (ucs users on win, win users on ucs)

OK - Member mode
 * installation/initialization
 * sync (win -> ucs)
 * logon (win users on ucs)
 * password change ucs/Win
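
An added example, not code from this bug report or from Univention: it audits a source tree for hard-coded `/etc/init.d/<name>` references and reports those whose script is missing on a target root, which is the condition behind the `OSError: [Errno 2]` above. The function names and the sample tree are assumptions constructed for the illustration.

```python
import os
import re
import tempfile

# Hard-coded SysV init script paths such as /etc/init.d/samba4
INIT_REF = re.compile(r"/etc/init\.d/([\w+-]+(?:\.[\w+-]+)*)")


def find_init_refs(source_root):
    """Map each referenced script name to sorted (relative_file, line_no) pairs."""
    refs = {}
    for dirpath, _dirs, files in os.walk(source_root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, source_root)
            try:
                with open(path, errors="replace") as handle:
                    for line_no, line in enumerate(handle, 1):
                        for match in INIT_REF.finditer(line):
                            refs.setdefault(match.group(1), []).append((rel, line_no))
            except OSError:
                continue  # unreadable file: skip it, keep auditing the rest
    return {script: sorted(places) for script, places in refs.items()}


def missing_init_scripts(source_root, system_root="/"):
    """Keep only references whose script is absent or not executable."""
    missing = {}
    for script, places in find_init_refs(source_root).items():
        target = os.path.join(system_root, "etc", "init.d", script)
        # isfile()/stat() follow symlinks, so a compatibility link (option a) counts
        if not (os.path.isfile(target) and os.stat(target).st_mode & 0o111):
            missing[script] = places
    return missing


def build_sample():
    """Constructed sample: one source file, a root with samba and samba-ad-dc only."""
    base = tempfile.mkdtemp()
    src, init_dir = os.path.join(base, "src"), os.path.join(base, "root", "etc", "init.d")
    os.makedirs(src)
    os.makedirs(init_dir)
    for script in ("samba", "samba-ad-dc"):
        with open(os.path.join(init_dir, script), "w") as handle:
            handle.write("#!/bin/sh\n")
        os.chmod(os.path.join(init_dir, script), 0o755)
    with open(os.path.join(src, "takeover.py"), "w") as handle:
        handle.write('run(["/etc/init.d/samba4", "stop"])\nrun(["/etc/init.d/samba-ad-dc", "start"])\n')
    return src, os.path.join(base, "root")
```

On the constructed sample, `missing_init_scripts(*build_sample())` reports only `samba4`; after a `samba4` link to an existing script is created (option a) it reports nothing.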
Comment 2 Felix Botner univentionstaff 2016-05-03 19:50:50 CEST
(In reply to Felix Botner from comment #1)
Arvid rebuilt samba with 15_add_samba4_init.patch.
Comment 3 Felix Botner univentionstaff 2016-05-03 19:53:17 CEST
We need the changes from https://forge.univention.org/bugzilla/show_bug.cgi?id=39222

adtakeover fails with

2016-05-03 19:41:14,211 WARNING: No path in service IPC$ - making it unavailable!
2016-05-03 19:41:14,211 NOTE: Service IPC$ is flagged unavailable.
2016-05-03 19:41:14,932 ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
2016-05-03 19:41:14,932   File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
2016-05-03 19:41:14,933     return self.run(*args, **kwargs)
2016-05-03 19:41:14,933   File "/usr/lib/python2.6/dist-packages/samba/netcmd/fsmo.py", line 354, in run
2016-05-03 19:41:14,934     self.seize_role(role, samdb, force)
2016-05-03 19:41:14,934   File "/usr/lib/python2.6/dist-packages/samba/netcmd/fsmo.py", line 256, in seize_role
2016-05-03 19:41:14,935     master_owner = get_fsmo_roleowner(samdb, m.dn)
2016-05-03 19:41:14,935   File "/usr/lib/python2.6/dist-packages/samba/netcmd/fsmo.py", line 43, in get_fsmo_roleowner
2016-05-03 19:41:14,936     master_owner = res[0]["fSMORoleOwner"][0]
2016-05-03 19:41:16,053 trying samba-tool fsmo seize --role=naming --force again:
2016-05-03 19:41:16,054 Calling: samba-tool fsmo seize --role=naming --force
2016-05-03 19:41:16,396 WARNING: The "syslog" option is deprecated
Comment 4 Felix Botner univentionstaff 2016-05-04 11:21:11 CEST
(In reply to Felix Botner from comment #3)
Merged changes from Bug #39222.

Tested:

AD Member
 * init/install
 * Join
 * AD sync (read)
 * Password change
AD Takeover
 * init/install
 * takeover
 * Windows join
 * Windows logon
AD Connector
 * init/install
 * sync (sync)
 * Password change
 * Windows logon
Comment 5 Arvid Requate univentionstaff 2016-05-24 19:46:36 CEST
Traditional AD-Connector setup with AD Password service (AD firewall off and no SSL certificates uploaded from AD) gives these rejects in connector.log:

============================================================================
24.02.2015 05:13:29,70 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/connector/__init__.py", line 1281, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/password.py", line 331, in password_sync
    res = get_password_from_ad(connector, rid)
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/password.py", line 138, in get_password_from_ad
    ssl=ssl_init(s.fileno())
  File "/usr/lib/pymodules/python2.6/univention/connector/ad/password.py", line 76, in ssl_init
    meth = M2Crypto.__m2crypto.sslv2_method();
AttributeError: 'module' object has no attribute 'sslv2_method'
============================================================================

So we need to backport the patch for Bug 36654.
Comment 6 Felix Botner univentionstaff 2016-05-26 11:40:14 CEST
Merged changes from Bug 36654 (ssl_init), Bug 32265 (start after logrotate) and Bug 41141 (group members).

univention-ad-connector: 8.100.0-1.493.201605261127
Comment 7 Arvid Requate univentionstaff 2016-05-26 21:13:19 CEST
Ok, all three cases work against a W2K8R2 with latest updates:
* AD Takeover
* AD Member
* AD Connector bi-directional SSL with password service (updated pwdump version)

I added a changelog entry:

 The Univention AD-Connector has been rebuilt with SSLv3 support (<u:bug>41079</u:bug>)
Comment 8 Stefan Gohmann univentionstaff 2016-06-07 21:35:41 CEST
UCS 3.3 has been released:
 https://docs.software-univention.de/release-notes-3.3-0-en.html
 https://docs.software-univention.de/release-notes-3.3-0-de.html

If this error occurs again, please use "Clone This Bug".