Bug 43311 - Running ucs-school-join-secondary-samba4 against a DC Master results in undefined behavior
Running ucs-school-join-secondary-samba4 against a DC Master results in undef...
Product: UCS@school
Classification: Unclassified
Component: Samba 4 - Slave PDC
UCS@school 4.1 R2
Other Linux
: P5 normal (vote)
: UCS@school 4.2 v4
Assigned To: Stefan Gohmann
Daniel Tröder
Depends on: 32187 32559 41167
Blocks: 44227
  Show dependency treegraph
Reported: 2017-01-06 16:34 CET by Nico Stöckigt
Modified: 2017-10-16 21:34 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016121921000427
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Nico Stöckigt univentionstaff 2017-01-06 16:34:33 CET
In an environment with no Administrative servers - like many 'Berufsschulen' - it is fatal when demoting a S4-Slave-DC. The joinscript '/usr/lib/univention-install/96univention-samba4slavepdc.inst' should determine if we are in a single school environment and skip the demote else, in such environments, the S4-Slave has no replication partner and is instantly out of sync.

--- 96univention-samba4slavepdc.inst:431 ---
_demote_slavepdc_in_central_s4 "$@"
Comment 1 Arvid Requate univentionstaff 2017-01-18 16:29:57 CET
* I guess that the terms "no Administrative servers" and "single school environment" refer to a singlemaster environment. E.g. the package ucs-school-singlemaster *and* Samba/AD is installed (only) in the central school department

* The wording of section 14.1.2 of http://docs.software-univention.de/ucsschool-handbuch-4.1R2.html is not precise enough: The goal of the section is to explain the steps required to setup an additional UCS@school Slave PDC ("sekundären Domänencontroller an einem Schulstandort"). In the case of the ticket it has been wrongly interpreted as the steps required to setup an additional DC in the central school department instead. That interpretation is expected to lead to undefined behavior.

So we should do two things to avoid this:

1. improve the script ucs-school-join-secondary-samba4 to check if it is running against a UCS@school Slave PDC (running Samba/AD). Stop if that is not the case.

2. improve documentation of the tool and clearly define the terms  like "Schulstandort" and "school DC" and "central school department".
Comment 2 Stefan Gohmann univentionstaff 2017-09-29 16:03:04 CEST

It is now checked if the S4 SlavePDC is set.

We've checked the manual twice and it looked OK for us. Anyway, the script checks it now.
Comment 3 Daniel Tröder univentionstaff 2017-10-10 16:44:05 CEST
OK: advisory
OK: code: result of LDAP filter without '(service=S4 SlavePDC)' did include the DC master, the new LDAP filter excludes it (returns only slaves with s4)
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2017-10-16 21:32:08 CEST
UCS@school 4.2 v4 has been released.


If this error occurs again, please clone this bug.