Bug 43745 - Master join as AD member fails due to old _domaincontroller_master._tcp record
Master join as AD member fails due to old _domaincontroller_master._tcp record
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Florian Best
Felix Botner
:
: 37880 38343 40342 41796 42918 43683 45253 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-03-07 11:47 CET by Arvid Requate
Modified: 2017-11-30 11:47 CET (History)
10 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.309
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2017022421000167, 2017022421000167, 2016111721000183, 2016081521000111, 2016081221000421, 2016081221000402, 2016123021000718, 2017022221000465, 2017040621000358, 2017033021001241, 2017042121000249, 2017020721000421, 2017030921000498, 2017032221000365
Bug group (optional): External feedback, Usability
Max CVSS v3 score:


Attachments
Screenshot (30.20 KB, image/png)
2017-11-10 14:25 CET, Florian Best
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-03-07 11:47:22 CET
If the SRV record _domaincontroller_master._tcp is already (or still) present in the DNS domain zone of the Active Directory nameserver, the setup of the AD connection (aka member mode) doesn't work.


We should help the user to avoid running into this. We could e.g. check for this record in the setup wizard, ping that system and offer to delete that record if that system is not reachable.



+++ This bug was initially created as a clone of SDB Bug #43683 +++
Comment 1 Ingo Steuwer univentionstaff 2017-09-01 11:35:52 CEST
This happens fairly often, there are several reports on help.univention.com. Today we had a potential customer in sales with this problem.
Comment 2 Florian Best univentionstaff 2017-11-06 17:19:44 CET
*** Bug 45253 has been marked as a duplicate of this bug. ***
Comment 3 Florian Best univentionstaff 2017-11-06 17:20:59 CET
*** Bug 42918 has been marked as a duplicate of this bug. ***
Comment 4 Florian Best univentionstaff 2017-11-06 17:22:20 CET
(In reply to Florian Best from comment #3)
> *** Bug 42918 has been marked as a duplicate of this bug. ***

(In reply to Jürn Brodersen from comment #19)
> (In reply to Florian Best from comment #3)
> > Version: 4.1-3 errata239 (Vahr)
> > 
> > Remark: One UCS Kopano-Core system is already installed as an AD member
> > server.
> > When installing the second UCS server this "connection
> > refused/authentication error" persists.
> > 
> > During installation it was selected to "Join existing AD domain".
> > Tried even the option of "Join existing USC domain" which ended in a similar
> > error.
> 
> This was not fixed in bug 44995 :(
> 
> The problem happens if there is already one ucs system joined into an ad
> domain and a user tries to join an additional ucs system (an app appliance)
> into that domain.
> 
> The error happens because the licence check is done against the windows dc
> and not against the ucs master.
> 
> Relevant file: base/univention-system-setup/umc/python/setup/util.py
> 
> The ucs master can be found with the SRV record:
> _domaincontroller_master._tcp.$DOMAIN. See for example is_ucs_domain(). If
> something like a get_ucs_master() function gets added it might make sense to
> fix bug 45170 as well.
> 
> As a workaround I had success using the ucs master as the dns and choosing
> "Join existing ucs domain".
> 
> Note: As described in bug 44995 non master app appliances aren't working
> that well at the moment. So that should be fixed first.
Comment 5 Florian Best univentionstaff 2017-11-06 17:30:43 CET
*** Bug 43683 has been marked as a duplicate of this bug. ***
Comment 6 Florian Best univentionstaff 2017-11-06 17:31:37 CET
(In reply to Florian Best from comment #5)
> *** Bug 43683 has been marked as a duplicate of this bug. ***

(In reply to Nico Gulden from comment #0)
> Background: The user already had a UCS system joined into a Microsoft Active
> Directory domain. He deleted the system. The records in AD remained. The
> join of another system failed because of these left overs.
> 
> The forum has the solution:
> http://forum.univention.de/viewtopic.php?f=48&t=3889&p=14035#p14008
Comment 7 Florian Best univentionstaff 2017-11-10 14:24:35 CET
The following changes have been done:
* If a _domaincontroller_master._tcp exists and one selects to join into an AD domain, it is tried to reach the system via SSH. If that succeeds everything is fine and the system can be configured as DC Backup/Slave/Member. If not a pop up asks to replace the record or to retry the connection.
* When a DC Backup/Slave/Member as AD-Member is selected the credentials for the AD domain are checked. This check now includes a check also against the DC Master to ensure that a connection via SSH is possible. Otherwise the join will end up in "ping to $DCNAME failed".
* If a DC Master joins while there is already an _domaincontroller_master._tcp SRV record the record will be removed with Domain Admin credentials and a new one is created with machine credentials
* Mulitline error messages (like tracebacks) in any python system setup script are now correctly send to the frontend.

univention-system-setup (10.0.10-44)
ef3f6eb77352 | Bug #43745: make joining into AD domains possible if a dead _domaincontroller_master._tcp SRV record exists

univention-system-setup (10.0.10-45)
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
ecb97ce7f70e | Bug #43745: adapt translations
7319cd787264 | Bug #43745: debian/changelog

univention-system-setup (10.0.10-43)
a149d9f0149c | Bug #43745: remove existing _domaincontroller_master._tcp SRV record before adding another entry
69c3662bfc85 | Bug #43745: make sure that multiline errors (e.g. tracebacks) are send to the frontend

univention-lib (6.0.9-20)
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
7319cd787264 | Bug #43745: debian/changelog

univention-systen-setup.yaml
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
5ca5952e6fca | YAML Bug #43745

univention-ad-connector (11.0.6-32)
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
7319cd787264 | Bug #43745: debian/changelog

univention-ad-connector.yaml
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
5ca5952e6fca | YAML Bug #43745

univention-lib.yaml
2fd1226363c3 | Bug #43745: Merge branch 'fbest/45253-42918-43683-45170-43745-45246-ad-member-mode-join' into 4.2-2
5ca5952e6fca | YAML Bug #43745

univention-lib (6.0.9-19)
a149d9f0149c | Bug #43745: remove existing _domaincontroller_master._tcp SRV record before adding another entry

univention-ad-connector (11.0.6-31)
a149d9f0149c | Bug #43745: remove existing _domaincontroller_master._tcp SRV record before adding another entry
Comment 8 Florian Best univentionstaff 2017-11-10 14:25:00 CET
Created attachment 9280 [details]
Screenshot
Comment 9 Nico Stöckigt univentionstaff 2017-11-10 14:59:20 CET
I would suggest to swap the button position due to psychological behavior of people!
Comment 10 Felix Botner univentionstaff 2017-11-10 23:20:12 CET
commit 69c3662bfc859e806df2ff3193fb36eac7e91df4 seems to break the jenkins tests

Reading package lists...
=== 05_role/10role (2017-11-10 16:52:25) ===
__NAME__:05_role/10role Configuring server role
__ERR__:Traceback (most recent call last):
__ERR__:  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 310, in run
__ERR__:    success = self.inner_run()
__ERR__:  File "/usr/lib/univention-system-setup/scripts/05_role/10role", line 46, in inner_run
__ERR__:    self.steps(3 * 100)
__ERR__:  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 272, in steps
__ERR__:    self.inform_progress_parser('steps', steps)
__ERR__:  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 236, in inform_progress_parser
__ERR__:    msg = '\n'.join('__%s__:%s' % (progress_attribute.upper(), message) for message in msg.splitlines())
__ERR__:AttributeError: 'int' object has no attribute 'splitlines'
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 310, in run
    success = self.inner_run()
  File "/usr/lib/univention-system-setup/scripts/05_role/10role", line 46, in inner_run
    self.steps(3 * 100)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 272, in steps
    self.inform_progress_parser('steps', steps)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/setup/setup_script.py", line 236, in inform_progress_parser
    msg = '\n'.join('__%s__:%s' % (progress_attribute.upper(), message) for message in msg.splitlines())
AttributeError: 'int' object has no attribute 'splitlines'
Comment 11 Florian Best univentionstaff 2017-11-11 10:30:48 CET
(In reply to Felix Botner from comment #10)
> commit 69c3662bfc859e806df2ff3193fb36eac7e91df4 seems to break the jenkins
> tests
Thank you for reporting this so soon. Fixed in:

univention-system-setup (10.0.10-46)
38d2d10219df | Bug #43745: fix AttributeError when logging non string
Comment 12 Arvid Requate univentionstaff 2017-11-13 16:59:09 CET
Advisory:   sed "s/n-setup/m-setup/"
Comment 13 Arvid Requate univentionstaff 2017-11-13 18:35:20 CET
61d363aaa9: rename doc/errata/staging/{univention-systen-setup.yaml => univention-system-setup.yaml}
Comment 14 Felix Botner univentionstaff 2017-11-20 10:22:26 CET
OK - clean setup (ad + ucs master as member)
OK - new master replaces old UCS Master during setup
OK - slave in ad, first with ucs master turned off (got warning), restarted 
     master and i could continue the ad member slave setup

OK - YAML
Comment 16 Florian Best univentionstaff 2017-11-30 11:10:38 CET
*** Bug 38343 has been marked as a duplicate of this bug. ***
Comment 17 Florian Best univentionstaff 2017-11-30 11:21:02 CET
*** Bug 40342 has been marked as a duplicate of this bug. ***
Comment 18 Florian Best univentionstaff 2017-11-30 11:46:56 CET
*** Bug 37880 has been marked as a duplicate of this bug. ***
Comment 19 Florian Best univentionstaff 2017-11-30 11:47:03 CET
*** Bug 41796 has been marked as a duplicate of this bug. ***