Bug 45263 - univention_samaccountname_ldap_check should return better error code
univention_samaccountname_ldap_check should return better error code
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Florian Best
Arvid Requate
Depends on:
Blocks: 45708
  Show dependency treegraph
Reported: 2017-08-28 19:15 CEST by Arvid Requate
Modified: 2017-12-14 12:55 CET (History)
2 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.011
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+

patch (3.72 KB, patch)
2017-08-29 13:33 CEST, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-08-28 19:15:53 CEST
A customer reported that windows clients could not be joined with his UCS@school Slave PDC if the client machine object had not been created manually beforehand.

The error message was misleading the customer (or professional service) to believe that something was wrong with the RID Pool or so. Bug log.samba shows that it was actually a UMC connection failing due to a certificate issue:
[2017/08/23 13:01:52.732651,  1, pid=27714] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: univention_samaccountname_ldap_check: calling ucs-school-create_windows_computer
Traceback (most recent call last):
  File "/usr/sbin/ucs-school-create_windows_computer", line 77, in <module>
  File "/usr/sbin/ucs-school-create_windows_computer", line 62, in main
    client = Client(args.server, args.username, args.password)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 242, in __init__
    self.authenticate(username, password)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 250, in authenticate
    return self.umc_auth(username, password)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 286, in umc_auth
    return self.request('POST', 'auth', data)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 297, in request
    return self.send(request)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 312, in send
    raise ConnectionError('Could not send request.', reason=exc)
univention.lib.umc.ConnectionError: ('Could not send request.', CertificateError("hostname 'master.ucs.school' doesn't match either of 'portal.ucs.school', 'portal'",))
[2017/08/23 13:01:54.160896,  1, pid=10915] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: univention_samaccountname_ldap_check: LDB_ERR_ENTRY_ALREADY_EXISTS
[2017/08/23 13:01:54.161120,  0, pid=10915] ../source4/dsdb/common/util_samr.c:184(dsdb_add_user)
  Failed to create user record CN=CLIENMAME,CN=Computers,DC=ucs,DC=school: ldb_request: Entry already exists (68)

We should check if we can return a less misleading generic error code.
Comment 1 Florian Best univentionstaff 2017-08-29 13:33:02 CEST
Created attachment 9153 [details]
Comment 2 Florian Best univentionstaff 2017-11-14 14:26:21 CET
I applied the patch, renamed the variable name.

univention-ldb-modules (5.0.9-4)
5c1046544643 | Bug #45263: improve return codes

3186f608a9e2 | YAML Bug #45263
Comment 3 Arvid Requate univentionstaff 2017-12-12 22:01:04 CET
Ok, the fix tag in the advisory is empty and the package needs to be cherrypicked and rebuilt for errata4.2-3.
Comment 4 Florian Best univentionstaff 2017-12-13 10:45:00 CET
(In reply to Arvid Requate from comment #3)
> Ok, the fix tag in the advisory is empty and the package needs to be
> cherrypicked and rebuilt for errata4.2-3.
package has been cherry-picked and build. YAML file adjusted.
Comment 5 Arvid Requate univentionstaff 2017-12-14 12:03:10 CET
Code review: Ok
Function test: Ok
Advisory: Ok
Comment 6 Arvid Requate univentionstaff 2017-12-14 12:55:56 CET