Bug 42505 - join fails on slave/backup if memberOf overlay is installed on master
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
UCS 4.1
Other Linux
P5 normal with 2 votes
UCS 4.2-2-errata
Assigned To: Felix Botner
Stefan Gohmann
Depends on:
Blocks: 44184
Reported: 2016-09-26 15:35 CEST by Moritz Bunkus
Modified: 2017-11-29 19:52 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017060121000185
Bug group (optional): Workaround is available
Max CVSS v3 score:


Attachments
join.log from failed join attempt (29.92 KB, text/plain)
2016-09-26 15:35 CEST, Moritz Bunkus

Description Moritz Bunkus 2016-09-26 15:35:04 CEST
Created attachment 8032
join.log from failed join attempt

Joining new DC slaves/DC backups to a UCS domain fails during the step "join computer account" if the memberOf overlay is installed on the DC master. The error message states that a "failed.ldif" exists (it does indeed exist).

I'm attaching a "join.log" from such a join attempt. Looking through that log reveals errors about the "memberOf" attribute.

How to reproduce:

1. Set up a UCS domain.
2. Install the "univention-ldap-overlay-memberof" package on the DC master. Restart slapd afterwards.
3. Set up a new DC slave.
4. Try to join the slave and observe the error.

How to work around this problem:

Uninstalling the package "univention-ldap-overlay-memberof" from the DC master, restarting slapd and removing the half-joined computer object via the UMC allows a subsequent join attempt from the (still unconfigured) new DC slave to succeed. After the successful join the "univention-ldap-overlay-memberof" package can be re-installed on the DC master and on the new DC slave.
Comment 1 Florian Best univentionstaff 2016-09-26 15:55:08 CEST
Thank you very much! Maybe this is (part of) the reason for Bug #40259 or Bug #39959.
Comment 2 Florian Best univentionstaff 2016-09-26 15:57:32 CEST
The important lines of the logfiles are:

26.09.16 13:46:34.747  LISTENER    ( ERROR   ) : replication: Undefined attribute type; dn="uid=cbonnie,cn=users,dc=mbu-test,dc=intranet": Error
26.09.16 13:46:34.747  LISTENER    ( ERROR   ) : 	additional info: memberOf: attribute type undefined

For the bugzilla search:
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
Comment 3 Michael Grandjean univentionstaff 2017-03-31 12:07:18 CEST
AFAICS this is stated quite clearly in the SDB article that covers the package "univention-ldap-overlay-memberof": http://sdb.univention.de/1278

A check during/before join with a meaningful error message would be great, though.
Comment 4 Arvid Requate univentionstaff 2017-06-01 12:50:40 CEST
It's strange that this still occurs, because the fix for Bug 35480 filters out the MEMBEROF attribute in replication.py.

Maybe we can improve the current solution:

Instead of filtering out MEMBEROF in replication.py, we could just simply activate the overlay automatically when we see it. We would just have to do this:

1. Include the slapd.conf.d/41univention-ldap-overlay-memberof UCR template
   into standard univention-ldap, so it's always possible to activate via UCR.
2. Adjust replication.py to set the UCR variables as
   univention-ldap-overlay-memberof.postinst currently does.
3. Restart slapd.
4. Replicate the object.
Comment 5 Felix Botner univentionstaff 2017-09-08 10:25:22 CEST
(In reply to Michael Grandjean from comment #3)
> AFAICS this is stated quite clearly in the SDB article that covers the
> package "univention-ldap-overlay-memberof": http://sdb.univention.de/1278
> 
> A check during/before join with a meaningful error message would be great,
> though.

Yes, the docu states that univention-ldap-overlay-memberof has to be installed before the join.
Added a test in univention-join. Join is aborted with an appropriate message if ldap/overlay/memberof is activated on the master and the memberof package is not installed/configured on the local system.

univention-join d387c8cae9e57655e11fec7323e8bf225bfb3f75

(In reply to Arvid Requate from comment #4)
> Instead of filtering out MEMBEROF in replication.py, we could just simply
> activate the overlay automatically when we see it. 

So there is only a test at the moment; if we want to automatically install memberOf, please reopen.
Comment 6 Stefan Gohmann univentionstaff 2017-09-14 07:14:51 CEST
The check is also done on a member server. That is wrong:

root@member425:~# univention-join
univention-join: joins a computer to an ucs domain
copyright (c) 2001-2017 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password:

Search DC Master:                                          done
Check DC Master:                                           done
Create tmp/join/test/master/memberof
Unsetting tmp/join/test/master/memberof
dpkg-query: Kein Paket gefunden, das auf univention-ldap-overlay-memberof passt


**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message:  The OpenLDAP extension memberOf is activated on the UCS master (UCR variable ldap/overlay/memberof is true). In order to join this system successfully the package "univention-ldap-overlay-memberof" has to be installed.
**************************************************************************
root@member425:~# univention-install univention-ldap-overlay-memberof
[...]
Paketlisten werden gelesen...
Paketlisten werden gelesen...
Abhängigkeitsbaum wird aufgebaut....
Statusinformationen werden eingelesen....
Die folgenden zusätzlichen Pakete werden installiert:
  libodbc1 libslp1 python-univention-directory-manager-uvmm slapd
  univention-ldap-config univention-ldap-server univention-newsid
  univention-virtual-machine-manager-schema
Vorgeschlagene Pakete:
  libmyodbc odbc-postgresql tdsodbc unixodbc-bin slpd openslp-doc
Die folgenden NEUEN Pakete werden installiert:
  libodbc1 libslp1 python-univention-directory-manager-uvmm slapd
  univention-ldap-config univention-ldap-overlay-memberof
  univention-ldap-server univention-newsid
  univention-virtual-machine-manager-schema
0 aktualisiert, 9 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen 1.870 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 6.183 kB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n] n
Abbruch.
Comment 7 Felix Botner univentionstaff 2017-09-15 14:18:38 CEST
fixed, check only for domaincontroller_backup or domaincontroller_slave
Comment 8 Stefan Gohmann univentionstaff 2017-09-19 19:57:34 CEST
I've changed the YAML and limited the erratum to UCS 4.2-2:
 https://git.knut.univention.de/univention/ucs/commit/7ec98f2234f0fc55a2cf689d8fa849a3985ff615

It basically works well. Only one minor issue: the UCR output is written to the console, can you redirect it?

-------------------------------------------------------------------
univention-join: joins a computer to an ucs domain
copyright (c) 2001-2017 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password: 

Search DC Master:                                          done
Check DC Master:                                           done
Create tmp/join/test/master/memberof
Stop S4-Connector:                                         done
-------------------------------------------------------------------
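The pre-join check discussed in comments 5, 7 and 8 (abort on a DC backup or DC slave when the master has ldap/overlay/memberof set and the package is missing locally, with UCR output kept off the console), written here as an added shell example; this is not the actual univention-join code, and the function names, the JOIN_LOG variable and the way the master's value reaches the wrapper are assumptions, since the page does not show how the join script fetches it.

```shell
#!/bin/sh
# Added example re-implementing the memberOf pre-join check from this bug.
# Not the real univention-join code; names are assumptions. The decision
# logic is a pure function so it can run and be tested without a UCS host.

# $1 server role of the joining host (value of UCR server/role)
# $2 value of ldap/overlay/memberof on the DC master ("true"/"false"/"")
# $3 dpkg status of univention-ldap-overlay-memberof on this host, as
#    printed by: dpkg-query -W -f '${Status}' (empty if not installed)
# Returns 0 when the join may continue, 1 when it has to be aborted.
memberof_join_check() {
    role="$1"; master_memberof="$2"; pkg_status="$3"

    # Comment 7: only DC backup and DC slave replicate the LDAP directory
    # and need the overlay locally; member servers must not be checked.
    case "$role" in
        domaincontroller_backup|domaincontroller_slave) ;;
        *) return 0 ;;
    esac

    # Comment 5: the check only applies when the master has the overlay on.
    [ "$master_memberof" = "true" ] || return 0

    # Only a fully installed package counts; a missing or half-configured
    # package would hit "memberOf: attribute type undefined" (comment 2)
    # during the first replication.
    [ "$pkg_status" = "install ok installed" ] && return 0

    echo 'The OpenLDAP extension memberOf is activated on the UCS master (UCR variable ldap/overlay/memberof is true). In order to join this system successfully the package "univention-ldap-overlay-memberof" has to be installed.' >&2
    return 1
}

# Wrapper for a real UCS host (assumed names). The master's value is passed
# in as $1. The join log on this page shows a temporary UCR variable
# tmp/join/test/master/memberof being created and unset; comment 8 asks for
# that UCR output to go to the log rather than the console, done here.
run_memberof_join_check() {
    master_memberof="$1"
    log="${JOIN_LOG:-/var/log/univention/join.log}"
    ucr set "tmp/join/test/master/memberof=$master_memberof" >>"$log" 2>&1
    role="$(ucr get server/role)"
    pkg_status="$(dpkg-query -W -f '${Status}' univention-ldap-overlay-memberof 2>/dev/null)"
    ucr unset tmp/join/test/master/memberof >>"$log" 2>&1
    memberof_join_check "$role" "$master_memberof" "$pkg_status"
}
```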
Comment 9 Felix Botner univentionstaff 2017-09-20 10:05:08 CEST
ok, done
Comment 10 Stefan Gohmann univentionstaff 2017-09-20 10:56:02 CEST
Thanks, it works.
Comment 11 Erik Damrose univentionstaff 2017-09-20 15:03:52 CEST
<http://errata.software-univention.de/ucs/4.2/176.html>