Univention Bugzilla – Bug 43280
98univention-samba4-dns.inst creates invalid DNS alias causing join to fail and UDM to break
Last modified: 2017-06-15 17:58:01 CEST
The script "services/univention-samba4/scripts/setup-dns-in-ucsldap.sh", which is called by the joinscripts "96univention-samba4.inst" and "98univention-samba4-dns.inst", contains the following lines:

    if [ -n "$dc" ] || [ -n "$rodc" ]; then    ### determine NTDS_objectGUID
        server_object_dn=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="${hostname}\$" serverReferenceBL | ldapsearch-wrapper | sed -n 's/^serverReferenceBL: //p')
        NTDS_objectGUID=$(ldbsearch -H /var/lib/samba/private/sam.ldb -b "$server_object_dn" "CN=NTDS Settings" objectGUID | sed -n 's/^objectGUID: //p')
    fi

Executing this on the DC Backup reveals the following output for $server_object_dn, which matches two objects, which is obviously wrong:

    # ldbsearch -H /var/lib/samba/private/sam.ldb sAMAccountName="${hostname}\$" serverReferenceBL | ldapsearch-wrapper | sed -n 's/^serverReferenceBL: //p'
    CN=UCSDC1\0ACNF:e4263125-e036-4ede-b5d5-632ec98ba5a8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=foobar,DC=local
    CN=UCSDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=foobar,DC=local

This causes the next issue, which creates an invalid DNS alias named "._msdcs":

    # /usr/share/univention-directory-manager-tools/univention-dnsedit "$@" --ignore-exists "$domainname" add cname "._msdcs" "$hostname.$domainname."
    Adding CNAME record "._msdcs ucs-master-412.foobar.local." to zone foobar.local... done

→ With the latest unreleased errata updates this is fixed, thanks to Philipp, Bug #25354:

    ~# /usr/share/univention-directory-manager-tools/univention-dnsedit "$@" --ignore-exists "$domainname" add cname "._msdcs" "$hostname.$domainname."
    Adding CNAME record "._msdcs xen7.school.local." to zone school.local... E: failed
    Alias: Labels must be between 1 and 63 characters long!
    Traceback (most recent call last):
      File "/usr/share/univention-directory-manager-tools/univention-dnsedit", line 400, in <module>
        main()
      File "/usr/share/univention-directory-manager-tools/univention-dnsedit", line 371, in main
        add_cname_record(*args)
      File "/usr/share/univention-directory-manager-tools/univention-dnsedit", line 282, in add_cname_record
        record['name'] = name
      File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 261, in __setitem__
        raise univention.admin.uexceptions.valueInvalidSyntax, "%s: %s" % (self.descriptions[key].short_description, err)
    univention.admin.uexceptions.valueInvalidSyntax: Alias: Labels must be between 1 and 63 characters long!

But having this invalid alias record causes UDM to break:

    # udm computers/domaincontroller_backup list
    This is not a valid DNS entry name. A valid name can only consist of numbers, letters, dots and hyphens.

As a result, the server cannot join the domain anymore.
See also Bug #40457 which should be fixed as well, so that the joinscript fails and doesn't ignore such errors.
setup-dns-in-ucsldap.sh now ignores links to '\0ACNF:' object DNs. Advisory: univention-samba4.yaml
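The filter described in the fix comment above, as an added example in POSIX sh that is not the project's own code: it drops DNs of conflict objects and refuses to continue unless exactly one DN remains, so the two-DN lookup result quoted in the report becomes a hard error instead of an invalid "._msdcs" alias. The sample DNs and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of setup-dns-in-ucsldap.sh: select the real server
# object DN from the serverReferenceBL lookup, skipping conflict objects.

# Constructed sample: the two DNs the report shows on the DC Backup, i.e. a
# stale conflict object ("<CN>\0ACNF:<objectGUID>") next to the real one.
SAMPLE_REFS='CN=UCSDC1\0ACNF:e4263125-e036-4ede-b5d5-632ec98ba5a8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=foobar,DC=local
CN=UCSDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=foobar,DC=local'

# Drop DNs of conflict objects from stdin. The marker is a literal backslash,
# "0A" and "CNF:" in the RDN; the doubled backslash keeps grep from treating
# it as an escape. "|| true" so an empty result is not itself an error here.
drop_cnf_dns() {
    grep -v '\\0ACNF:' || true
}

# Read candidate DNs from stdin and print exactly one. Any other count is an
# error, so a multi-line value never reaches "ldbsearch -b" or turns into the
# empty-label "._msdcs" alias the report describes.
select_server_dn() {
    dns=$(drop_cnf_dns)
    count=$(printf '%s\n' "$dns" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        printf 'E: expected exactly one server object DN, found %s\n' "$count" >&2
        return 1
    fi
    printf '%s\n' "$dns"
}

# Stand-alone demonstration on the constructed sample: prints the real DN.
printf '%s\n' "$SAMPLE_REFS" | select_server_dn
```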
OK - setup-dns-in-ucsldap.sh
OK - YAML
<http://errata.software-univention.de/ucs/4.2/42.html>