Bug 45596 - 96univention-samba4.inst aborts in UCS@school environments with administrative slaves
96univention-samba4.inst aborts in UCS@school environments with administrativ...
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Felix Botner
Arvid Requate
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-10-25 18:08 CEST by Sönke Schwardt-Krummrich
Modified: 2018-03-06 11:16 CET (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2017102321000555,2018030121000581
Bug group (optional):
Max CVSS v3 score:


Attachments
bug45596-qa-proposal.diff (1.27 KB, patch)
2017-11-07 18:31 CET, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sönke Schwardt-Krummrich univentionstaff 2017-10-25 18:08:16 CEST
A customer tried to rejoin a administrative UCS@school slave:

root@slaveadm:/# tail /var/log/univention/join.log
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=schulen,dc=example,dc=com
WARNING: cannot append cn=slaveadm,cn=dc,cn=server,cn=computers,ou=ghsli,dc=schulen,dc=example,dc=com to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=schulen,dc=example,dc=com
ERROR: More than one S4 Connector hosts available: slaveedu
slaveadm
EXITCODE=1

96univention-samba4.inst is looking for available s4 connectors (via get_available_s4connector_dc() in base.sh).
Since 2 S4 connectors are found below the school OU (1x educational slave, 1x administrative slave), the join script aborts.

This seems to affect all customer environments with educational AND administrative UCS@school slave in one OU.
Comment 1 Felix Botner univentionstaff 2017-11-07 16:15:10 CET
get_available_s4connector_dc in univention-samba4/lib/base.sh now checks for school department server if the localhost is a administrative or a education server and ignores "univentionService=UCS@school Administration" or "univentionService=UCS@school Education" during the search for s4connector_dc's.

my test:
OK - install education school slave (school1)
OK - install education school slave (school2)
OK - install administration school slave (school1)
OK - univention-join on all systems
OK - samba installation on master
OK - samba installation on backup
OK - backup rejoin
OK - backup rejoin
FAIL - secondary school slace Bug #43155

univention-samba4 6.0.10-41A~4.2.0.201711061824
Comment 2 Arvid Requate univentionstaff 2017-11-07 18:31:37 CET
Created attachment 9277 [details]
bug45596-qa-proposal.diff

As discussed, proposal for more precise LDAP filter
Comment 3 Felix Botner univentionstaff 2017-11-08 08:56:41 CET
fixed
Comment 4 Arvid Requate univentionstaff 2017-11-08 14:17:51 CET
The Jenkins tests failed since three runs:

http://jenkins.knut.univention.de:8080/job/UCSschool%204.2/job/UCSschool%204.2%20Multiserver/SambaVersion=s4/

join.log of the slaves shows that the LDAP search against the ldap/master doesn't work:
===============================================================
ldap_bind: Invalid credentials (49)
	additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
ldap_bind: Invalid credentials (49)
	additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
ERROR: This seems to be a UCS@school school department server,
ERROR: but is neither a administrative nor a educative server.
ERROR: This is not supported, make sure that UCS@school metapackages are installed properly
Tue Nov  7 19:00:40 EST 2017: finish /usr/sbin/univention-join
===============================================================

Since you explicitly specify ldapsearch -h, it doesn't take the URI configured in ldap.conf and takes the default 389, trying to bind against the master Samba/AD.
Comment 5 Arvid Requate univentionstaff 2017-11-08 14:19:43 CET
I've pushed and built a fixed version and adjusted the advisory to quickly obtain new Jenkins results.
Comment 6 Florian Best univentionstaff 2017-11-08 14:32:19 CET
There is a UCR variable "ldap/master/port" which probably should be used instead?
Comment 7 Arvid Requate univentionstaff 2017-11-08 19:25:14 CET
> There is a UCR variable "ldap/master/port" which probably should be used instead?

Yes, I fixed it.
Comment 8 Felix Botner univentionstaff 2017-11-09 11:30:35 CET
patch looks good
Comment 9 Arvid Requate univentionstaff 2017-11-09 16:56:52 CET
<http://errata.software-univention.de/ucs/4.2/218.html>