Univention Bugzilla – Bug 45596
96univention-samba4.inst aborts in UCS@school environments with administrative slaves
Last modified: 2018-03-06 11:16:48 CET
A customer tried to rejoin an administrative UCS@school slave:

root@slaveadm:/# tail /var/log/univention/join.log
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=schulen,dc=example,dc=com
WARNING: cannot append cn=slaveadm,cn=dc,cn=server,cn=computers,ou=ghsli,dc=schulen,dc=example,dc=com to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=schulen,dc=example,dc=com
ERROR: More than one S4 Connector hosts available: slaveedu slaveadm
EXITCODE=1

96univention-samba4.inst is looking for available S4 connectors (via get_available_s4connector_dc() in base.sh). Since 2 S4 connectors are found below the school OU (1x educational slave, 1x administrative slave), the join script aborts.

This seems to affect all customer environments with educational AND administrative UCS@school slaves in one OU.
get_available_s4connector_dc in univention-samba4/lib/base.sh now checks for school department server if the localhost is an administrative or an education server and ignores "univentionService=UCS@school Administration" or "univentionService=UCS@school Education" during the search for s4connector_dc's.

my test:
OK - install education school slave (school1)
OK - install education school slave (school2)
OK - install administration school slave (school1)
OK - univention-join on all systems
OK - samba installation on master
OK - samba installation on backup
OK - backup rejoin
OK - backup rejoin
FAIL - secondary school slave Bug #43155

univention-samba4 6.0.10-41A~4.2.0.201711061824
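The role-aware selection described in the comment above, as an added example that is not part of the original bug report and is not Univention's code from base.sh. The helper names, the "S4 Connector" service value and the LDIF layout are assumptions, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Constructed sample LDIF (not output from a real system): two S4 Connector
# hosts in one school OU, as in the report.
sample_ldif() {
cat <<'EOF'
dn: cn=slaveedu,cn=dc,cn=server,cn=computers,ou=ghsli,dc=schulen,dc=example,dc=com
cn: slaveedu
univentionService: S4 Connector
univentionService: UCS@school Education

dn: cn=slaveadm,cn=dc,cn=server,cn=computers,ou=ghsli,dc=schulen,dc=example,dc=com
cn: slaveadm
univentionService: S4 Connector
univentionService: UCS@school Administration
EOF
}

# select_s4_hosts ROLE (hypothetical helper): read LDIF on stdin and print the
# cn of each S4 Connector host that does not carry the opposite role's service.
select_s4_hosts() {
    case "$1" in
        education)      skip="UCS@school Administration" ;;
        administrative) skip="UCS@school Education" ;;
        *)              skip="" ;;   # no role known: no filtering
    esac
    awk -v skip="$skip" '
        function emit() {
            if (cn != "" && s4 && !bad) printf "%s%s", (n++ ? " " : ""), cn
            cn = ""; s4 = 0; bad = 0
        }
        /^$/    { emit(); next }              # blank line ends an LDIF record
        /^cn: / { cn = substr($0, 5) }
        /^univentionService: / {
            v = substr($0, 20)
            if (v == "S4 Connector") s4 = 1
            if (skip != "" && v == skip) bad = 1
        }
        END { emit(); if (n) print "" }
    '
}

# pick_s4_host ROLE (hypothetical helper): succeed only when exactly one
# candidate remains; an ambiguous or empty result is an error, as in the join log.
pick_s4_host() {
    hosts=$(select_s4_hosts "$1")
    set -- $hosts
    [ "$#" -eq 1 ] || { echo "ERROR: S4 Connector hosts found: $hosts" >&2; return 1; }
    echo "$1"
}
```

Running `sample_ldif | pick_s4_host administrative` selects slaveadm, while an empty role reproduces the ambiguous two-host result that made the join script abort.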
Created attachment 9277
bug45596-qa-proposal.diff

As discussed, proposal for more precise LDAP filter
fixed
The Jenkins tests have failed for three runs:
http://jenkins.knut.univention.de:8080/job/UCSschool%204.2/job/UCSschool%204.2%20Multiserver/SambaVersion=s4/

join.log of the slaves shows that the LDAP search against the ldap/master doesn't work:

===============================================================
ldap_bind: Invalid credentials (49)
	additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
ldap_bind: Invalid credentials (49)
	additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
ERROR: This seems to be a UCS@school school department server,
ERROR: but is neither a administrative nor a educative server.
ERROR: This is not supported, make sure that UCS@school metapackages are installed properly
Tue Nov 7 19:00:40 EST 2017: finish /usr/sbin/univention-join
===============================================================

Since you explicitly specify ldapsearch -h, it doesn't take the URI configured in ldap.conf and takes the default 389, trying to bind against the master Samba/AD.
I've pushed and built a fixed version and adjusted the advisory to quickly obtain new Jenkins results.
There is a UCR variable "ldap/master/port" which probably should be used instead?
> There is a UCR variable "ldap/master/port" which probably should be used instead?

Yes, I fixed it.
patch looks good
<http://errata.software-univention.de/ucs/4.2/218.html>