Univention Bugzilla – Bug 46105
dns account missing after ad takeover
Last modified: 2019-02-27 18:05:53 CET
see http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-0/job/AD%20Takeover%20Tests/mode=basic-ad-takeover-win2k12-de/

After the takeover, there is no dns-$hostname account and SP in my domain.

-> univention-s4search samAccountName=dns-ucs-adto
-> grep dns-ucs-adto /var/log/univention/connector-s4.log
22.01.2018 08:19:08,286 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=dns-ucs-adto,CN=Users,dc=adtakeover,dc=local
22.01.2018 08:19:12,26 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=dns-ucs-adto,cn=users,dc=adtakeover,dc=local
22.01.2018 08:19:36,320 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=dns-ucs-adto,cn=users,DC=adtakeover,DC=local
22.01.2018 08:19:36,504 LDAP (PROCESS): sync from ucs: [ user] [ delete] cn=dns-ucs-adto,cn=users,DC=adtakeover,DC=local
22.01.2018 08:19:38,97 LDAP (PROCESS): sync to ucs: [ user] [ delete] uid=dns-ucs-adto,cn=users,dc=adtakeover,dc=local
Created attachment 9355: ad-takeover.log
Created attachment 9356: connector-s4.log
Created attachment 9357: join.log
Before re-starting the S4-Connector, the UMC module modules/adtakeover/takeover.py waits for three minutes for the listener to be done with replication. That fails, as logged in ad-takeover.log:
===========================================================================
2018-02-26 09:37:40,010 Waiting for listener to finish (max. 180 seconds)
2018-02-26 09:40:40,237 Warning: Listener ID not yet up to date (last_id=1273, listener ID=1170). Waited for about 180 seconds.
2018-02-26 09:40:40,237 Warning: Stopping Listener now anyway.
===========================================================================

The listener.log at that point:
===========================================================================
26.02.18 09:40:36.800 LISTENER ( PROCESS ) : updating 'cn=Organisations-Admins,cn=groups,dc=adtakeover,dc=local' command a
26.02.18 09:40:36.807 LISTENER ( PROCESS ) : well-known-sid-name-mapping: ucr set groups/default/enterpriseadmins=Organisations-Admins
26.02.18 09:40:45.165 LISTENER ( WARN ) : received signal 15
26.02.18 09:41:12.437 LISTENER ( ERROR ) : well-known-sid-name-mapping.d/univention-ldap-server.py: postrun: Restarting slapd (via systemctl): slapd.service.
26.02.18 09:41:42.162 DEBUG_INIT
===========================================================================

I guess the delete of the "old" dns-service account is still coming and deletes the "new" one instead:
===========================================================================
26.02.18 09:48:23.715 LISTENER ( PROCESS ) : updating 'uid=dns-ucs-adto,cn=Users,dc=adtakeover,dc=local' command a
[... Creation and removal of temporary allocation objects ...]
26.02.18 09:48:23.755 LISTENER ( PROCESS ) : updating 'uid=dns-ucs-adto,cn=Users,dc=adtakeover,dc=local' command m
26.02.18 09:48:23.769 LISTENER ( PROCESS ) : updating 'uid=dns-ucs-adto,cn=Users,dc=adtakeover,dc=local' command m
26.02.18 09:48:23.771 LISTENER ( PROCESS ) : updating 'cn=domänen-benutzer,cn=groups,dc=adtakeover,dc=local' command m
26.02.18 09:48:23.804 LISTENER ( PROCESS ) : updating 'uid=dns-ucs-adto,cn=Users,dc=adtakeover,dc=local' command m
26.02.18 09:48:23.806 LISTENER ( PROCESS ) : updating 'uid=dns-ucs-adto,cn=users,dc=adtakeover,dc=local' command d
===========================================================================

The last delete also goes against lowercase "cn=users". I've increased the timeout to 600 seconds.
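The comment above describes the wait the takeover performs before stopping the listener: it compares the notifier's last id with the id the listener has processed and gives up after a fixed timeout, which is exactly when the still-queued delete of the old dns account can land on the new one. The block below is an added illustration of that wait loop, not code from the UCS adtakeover module; the id sources are injected callables so the loop can be exercised offline, and the command and file path used in read_ids_from_host() are assumptions, not values taken from this bug.

```python
"""Wait for the Univention Directory Listener to catch up with the notifier.

Added example, not code from the UCS adtakeover module.  The two id sources
are injected callables so the logic runs offline; read_ids_from_host() shows
how they could be bound on a real host (assumed paths, see its docstring).
"""
import subprocess
import time
from collections import namedtuple

WaitResult = namedtuple("WaitResult", "caught_up last_id listener_id waited")


def wait_for_listener(get_last_id, get_listener_id, timeout=600, interval=5,
                      clock=time.monotonic, sleep=time.sleep):
    """Poll until the listener id has reached the notifier id or `timeout`
    seconds have elapsed.

    caught_up is False on timeout, so the caller can log a warning (as the
    takeover log in this bug does) rather than stopping the listener while a
    queued change, such as the delete of the old dns account, is pending.
    """
    start = clock()
    while True:
        last_id = int(get_last_id())
        listener_id = int(get_listener_id())
        waited = clock() - start
        if listener_id >= last_id:
            return WaitResult(True, last_id, listener_id, waited)
        if waited >= timeout:
            return WaitResult(False, last_id, listener_id, waited)
        sleep(interval)


def read_ids_from_host():
    """Return (get_last_id, get_listener_id) bound to a real UCS host.

    Assumption (not from this bug): the current notifier id is printed by
    /usr/share/univention-directory-listener/get_notifier_id.py and the
    listener keeps its own id in /var/lib/univention-directory-listener/notifier_id.
    """
    def get_last_id():
        out = subprocess.check_output(
            ["/usr/share/univention-directory-listener/get_notifier_id.py"])
        return int(out.strip())

    def get_listener_id():
        with open("/var/lib/univention-directory-listener/notifier_id") as fd:
            return int(fd.read().strip())

    return get_last_id, get_listener_id


def simulate(listener_ids, last_id, timeout=600, interval=5):
    """Run wait_for_listener against a scripted listener id sequence with a
    fake clock (constructed data; every sleep() advances to the next id)."""
    now = [0.0]
    pending = iter(listener_ids[1:])
    current = [listener_ids[0]]

    def clock():
        return now[0]

    def sleep(seconds):
        now[0] += seconds
        current[0] = next(pending, current[0])

    return wait_for_listener(lambda: last_id, lambda: current[0],
                             timeout, interval, clock, sleep)


if __name__ == "__main__":
    # The situation in the bug: listener at 1170, notifier at 1273, 180 s limit.
    print(simulate([1170, 1190, 1210], 1273, timeout=180, interval=60))
    # With a longer limit the listener catches up and the wait returns early.
    print(simulate([1170, 1200, 1273], 1273, timeout=600, interval=5))
```

The injected clock makes the timeout behaviour deterministic; on a real host the defaults (time.monotonic, time.sleep) and the callables from read_ids_from_host() would be used instead.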
Looks better now:

ad-takeover.log:
===========================================================================
2018-02-27 06:57:43,929 Waiting for listener to finish (max. 10 minutes)
2018-02-27 07:04:38,280 Restarting Univention Directory Listener
2018-02-27 07:04:38,281 Calling: /etc/init.d/univention-directory-listener stop
===========================================================================

listener.log:
===========================================================================
27.02.18 07:08:57.314 LISTENER ( PROCESS ) : updating 'uid=dns-ucs-adto,cn=Users,dc=adtakeover,dc=local' command a
[... Creation and removal of temporary allocation objects ...]
27.02.18 07:08:57.397 LISTENER ( PROCESS ) : updating 'cn=dns-ucs-adto,cn=uid,cn=temporary,cn=univention,dc=adtakeover,dc=local' command d
27.02.18 07:08:57.426 LISTENER ( PROCESS ) : updating 'uid=dns-ucs-adto,cn=Users,dc=adtakeover,dc=local' command m
27.02.18 07:08:57.440 LISTENER ( PROCESS ) : updating 'uid=dns-ucs-adto,cn=Users,dc=adtakeover,dc=local' command m
27.02.18 07:08:57.460 LISTENER ( PROCESS ) : updating 'cn=domänen-benutzer,cn=groups,dc=adtakeover,dc=local' command m
27.02.18 07:08:57.498 LISTENER ( PROCESS ) : updating 'uid=dns-ucs-adto,cn=Users,dc=adtakeover,dc=local' command m
===========================================================================

No delete in the end. Also not in connector-s4.log:
===========================================================================
27.02.2018 07:08:56,418 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=dns-ucs-adto,CN=Users,dc=adtakeover,dc=local
27.02.2018 07:08:56,643 LDAP (WARNING): __set_values: The attributes for lastname have not been removed as it represents a mandatory attribute
27.02.2018 07:09:03,635 LDAP (PROCESS): sync from ucs: [ user] [ add] cn=dns-ucs-adto,cn=users,DC=adtakeover,DC=local
27.02.2018 07:09:03,728 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=dns-ucs-adto,cn=users,DC=adtakeover,DC=local
27.02.2018 07:09:03,805 LDAP (PROCESS): sync from ucs: [ group] [ modify] cn=domänen-benutzer,cn=users,DC=adtakeover,DC=local
27.02.2018 07:09:03,897 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=dns-ucs-adto,cn=users,DC=adtakeover,DC=local
27.02.2018 07:09:05,85 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=dns-ucs-adto,cn=users,dc=adtakeover,dc=local
===========================================================================

The account is now still present after ad-takeover finished. The other tests are still running; I hope they confirm this.
OK, yes, but why?

-> /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
gc._msdcs.adtakeover.local has address 10.210.121.219
_gc._tcp.adtakeover.local has SRV record 0 100 3268 ucs-adto.adtakeover.local.
_ldap._tcp.gc._msdcs.adtakeover.local has SRV record 0 100 3268 ucs-adto.adtakeover.local.
_ldap._tcp.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
_ldap._tcp.dc._msdcs.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
_ldap._tcp.pdc._msdcs.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
Host _ldap._tcp.39f5c54d-4454-4464-982d-14f1363bdf4e.domains._msdcs.adtakeover.local not found: 3(NXDOMAIN)
_kerberos._tcp.dc._msdcs.adtakeover.local has SRV record 0 100 88 ucs-adto.adtakeover.local.
_kerberos._tcp.adtakeover.local has SRV record 0 100 88 ucs-adto.adtakeover.local.
_kerberos._udp.adtakeover.local has SRV record 0 100 88 ucs-adto.adtakeover.local.
_kpasswd._tcp.adtakeover.local has SRV record 0 100 464 ucs-adto.adtakeover.local.
_kpasswd._udp.adtakeover.local has SRV record 0 100 464 ucs-adto.adtakeover.local.
Located DC 'ucs-adto' in site 'Default-First-Site-Name'
Host e6abca62-444a-4e48-8436-fc4605b56068._msdcs.adtakeover.local not found: 3(NXDOMAIN)

All failed tests:
82_saml.05_saml_login_kerberos.test  2.5 seconds  2
00_checks.01_univention_system_check.test  2 minutes 5 seconds  18
00_checks.81_diagnostic_checks.test  14 seconds  18
51_samba4.45dns_tests.test  1 minute 33 seconds  18
51_samba4.55dns_update.test
samba_dnsupdate seems to take a while; now they are there:
======================================================================
gc._msdcs.adtakeover.local has address 10.210.121.219
_gc._tcp.adtakeover.local has SRV record 0 100 3268 ucs-adto.adtakeover.local.
_ldap._tcp.gc._msdcs.adtakeover.local has SRV record 0 100 3268 ucs-adto.adtakeover.local.
_ldap._tcp.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
_ldap._tcp.dc._msdcs.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
_ldap._tcp.pdc._msdcs.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
_ldap._tcp.39f5c54d-4454-4464-982d-14f1363bdf4e.domains._msdcs.adtakeover.local has SRV record 0 100 389 win-f3m3idjv0ff.adtakeover.local.
_ldap._tcp.39f5c54d-4454-4464-982d-14f1363bdf4e.domains._msdcs.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
_kerberos._tcp.dc._msdcs.adtakeover.local has SRV record 0 100 88 ucs-adto.adtakeover.local.
_kerberos._tcp.adtakeover.local has SRV record 0 100 88 ucs-adto.adtakeover.local.
_kerberos._udp.adtakeover.local has SRV record 0 100 88 ucs-adto.adtakeover.local.
_kpasswd._tcp.adtakeover.local has SRV record 0 100 464 ucs-adto.adtakeover.local.
_kpasswd._udp.adtakeover.local has SRV record 0 100 464 ucs-adto.adtakeover.local.
Located DC 'ucs-adto' in site 'Default-First-Site-Name'
e6abca62-444a-4e48-8436-fc4605b56068._msdcs.adtakeover.local is an alias for ucs-adto.adtakeover.local.
## Records for site Default-First-Site-Name:
_ldap._tcp.Default-First-Site-Name._sites.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
_kerberos._tcp.Default-First-Site-Name._sites.adtakeover.local has SRV record 0 100 88 ucs-adto.adtakeover.local.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.adtakeover.local has SRV record 0 100 88 ucs-adto.adtakeover.local.
## Optional GC Records for site Default-First-Site-Name:
_gc._tcp.Default-First-Site-Name._sites.adtakeover.local has SRV record 0 100 3268 ucs-adto.adtakeover.local.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.adtakeover.local has SRV record 0 100 3268 ucs-adto.adtakeover.local.
_kerberos.adtakeover.local descriptive text "ADTAKEOVER.LOCAL"
======================================================================

======================================================================
root@ucs-adto:~/check/univention-system-check.d/samba# ./check_guid_msdcs_dns_alias.sh
e6abca62-444a-4e48-8436-fc4605b56068._msdcs.adtakeover.local is an alias for ucs-adto.adtakeover.local.
ucs-adto.adtakeover.local has address 10.210.121.219
-
======================================================================

I added a call to samba_dnsupdate:
085828ea94 | Additionally call samba_dnsupdate during takeover
317f8729d7 | Changelog

Package has been rebuilt.
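The two check outputs above (before and after samba_dnsupdate) are plain `host`-style text: SRV, A, CNAME and TXT lines plus NXDOMAIN lines for records that do not exist. The block below is an added example that parses that text and reports which essential records are missing and which SRV records still point at a host other than the UCS DC; it is not the check_essential_samba4_dns_records.sh script and does not query DNS, so it runs offline. The sample outputs are constructed from the lines quoted in this bug, and the function names are my own.

```python
"""Parse `host`-style output of a Samba4 DNS record check.

Added example, not the check_essential_samba4_dns_records.sh script; it only
reads the text such a check prints.  Sample outputs below are constructed from
the lines quoted in this bug report.
"""
import re
from collections import namedtuple

Record = namedtuple("Record", "name type value")

# One pattern per output form the check prints; anything else (headers,
# separators, the 'Located DC' line) is skipped.
_PATTERNS = [
    ("SRV", re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")),
    ("A", re.compile(r"^(\S+) has address (\S+)$")),
    ("CNAME", re.compile(r"^(\S+) is an alias for (\S+?)\.?$")),
    ("TXT", re.compile(r'^(\S+) descriptive text "(.*)"$')),
    ("NXDOMAIN", re.compile(r"^Host (\S+) not found: \d+\((\w+)\)$")),
]


def parse_host_output(text):
    """Turn each recognised line into a Record(name, type, value).
    SRV values are (priority, weight, port, target) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        for rtype, pattern in _PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            if rtype == "SRV":
                prio, weight, port, target = m.group(2, 3, 4, 5)
                value = (int(prio), int(weight), int(port), target)
            else:
                value = m.group(2)
            records.append(Record(m.group(1), rtype, value))
            break
    return records


def missing_records(records):
    """Names the check could not resolve (NXDOMAIN), in output order."""
    return [r.name for r in records if r.type == "NXDOMAIN"]


def srv_targets(records, name, port=None):
    """Hosts advertised for `name` via SRV, optionally filtered by port."""
    return [r.value[3] for r in records
            if r.type == "SRV" and r.name == name
            and (port is None or r.value[2] == port)]


def foreign_srv_targets(records, own_host):
    """(name, target) pairs of SRV records that do not point at own_host,
    e.g. the replaced AD server still being advertised after the takeover."""
    return [(r.name, r.value[3]) for r in records
            if r.type == "SRV" and r.value[3] != own_host]


# Constructed from the first check output in this bug (before samba_dnsupdate).
BEFORE_DNSUPDATE = """\
gc._msdcs.adtakeover.local has address 10.210.121.219
_gc._tcp.adtakeover.local has SRV record 0 100 3268 ucs-adto.adtakeover.local.
_ldap._tcp.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
_ldap._tcp.pdc._msdcs.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
Host _ldap._tcp.39f5c54d-4454-4464-982d-14f1363bdf4e.domains._msdcs.adtakeover.local not found: 3(NXDOMAIN)
_kerberos._tcp.adtakeover.local has SRV record 0 100 88 ucs-adto.adtakeover.local.
_kpasswd._tcp.adtakeover.local has SRV record 0 100 464 ucs-adto.adtakeover.local.
Located DC 'ucs-adto' in site 'Default-First-Site-Name'
Host e6abca62-444a-4e48-8436-fc4605b56068._msdcs.adtakeover.local not found: 3(NXDOMAIN)
"""

# Constructed from the second check output (after samba_dnsupdate).
AFTER_DNSUPDATE = """\
gc._msdcs.adtakeover.local has address 10.210.121.219
_ldap._tcp.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
_ldap._tcp.39f5c54d-4454-4464-982d-14f1363bdf4e.domains._msdcs.adtakeover.local has SRV record 0 100 389 win-f3m3idjv0ff.adtakeover.local.
_ldap._tcp.39f5c54d-4454-4464-982d-14f1363bdf4e.domains._msdcs.adtakeover.local has SRV record 0 100 389 ucs-adto.adtakeover.local.
Located DC 'ucs-adto' in site 'Default-First-Site-Name'
e6abca62-444a-4e48-8436-fc4605b56068._msdcs.adtakeover.local is an alias for ucs-adto.adtakeover.local.
## Records for site Default-First-Site-Name:
_kerberos._tcp.Default-First-Site-Name._sites.adtakeover.local has SRV record 0 100 88 ucs-adto.adtakeover.local.
_kerberos.adtakeover.local descriptive text "ADTAKEOVER.LOCAL"
"""


if __name__ == "__main__":
    for label, text in (("before", BEFORE_DNSUPDATE), ("after", AFTER_DNSUPDATE)):
        recs = parse_host_output(text)
        print(label, "missing:", missing_records(recs))
        print(label, "foreign SRV targets:",
              foreign_srv_targets(recs, "ucs-adto.adtakeover.local"))
```

Besides the NXDOMAIN entries the first run reports, the second run shows why a post-takeover check should also look at SRV targets: the domains GUID record lists the old AD server win-f3m3idjv0ff next to the UCS DC, and foreign_srv_targets() surfaces exactly that entry.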
QA: manually start the ad takeover test http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-0/job/AD%20Takeover%20Tests/ and check for failed tests
At least the automated tests fail now. Maybe there is an option to allow one specific UMC module to be inactive for more than the timeout?

management-console-module-adtakeover.log
01.03.18 15:08:36.242 PARSER ( INFO ) : UMCP REQUEST 151993491617858-5 parsed successfully
01.03.18 15:08:36.242 MODULE ( INFO ) : Received request 151993491617858-5
01.03.18 15:08:36.242 PROTOCOL ( INFO ) : Received UMCP COMMAND REQUEST 151993491617858-5
01.03.18 15:08:36.242 MODULE ( INFO ) : Executing ['adtakeover/run/takeover']
01.03.18 15:08:36.242 MAIN ( INFO ) : Setting locale 'en_US'
01.03.18 15:08:36.243 MODULE ( PROCESS ) : Running take_over_domain
01.03.18 15:08:36.427 MODULE ( PROCESS ) : ### Search for 10.210.197.232 in network ###
01.03.18 15:08:41.447 MODULE ( PROCESS ) : ### Taking over Active Directory domain controller roles ###
01.03.18 15:08:41.447 MODULE ( PROCESS ) : Adjusting settings in Samba directory service
01.03.18 15:09:01.091 MODULE ( PROCESS ) : Claiming FSMO roles
01.03.18 15:09:13.061 MODULE ( PROCESS ) : Removing the previous AD server account
01.03.18 15:09:15.763 MODULE ( PROCESS ) : Taking over DNS address

management-console-server.log
01.03.18 15:08:36.241 RESOURCES ( INFO ) : Searching for module providing command adtakeover/run/takeover
01.03.18 15:08:36.242 RESOURCES ( INFO ) : Found module adtakeover
01.03.18 15:08:36.242 MAIN ( INFO ) : Passing new request to running module adtakeover
01.03.18 15:08:36.242 PROTOCOL ( INFO ) : Sending UMCP COMMAND REQUEST 151993491617858-5
01.03.18 15:18:36.984 MAIN ( INFO ) : The module adtakeover is inactive for too long. Sending EXIT request to module
01.03.18 15:18:36.984 MAIN ( INFO ) : There are unfinished requests. Waiting for 151993491617858-5

management-console-web-server.log
01.03.18 15:08:36.178 MAIN ( INFO ) : CPCommand (10.210.219.188:38134) got new request
01.03.18 15:08:36.178 MAIN ( INFO ) : CPCommand (10.210.219.188:38134) pushed request(0x7f1b94423890) to queue(0x7f1b96c67ab8) - waiting for response
01.03.18 15:08:36.241 MAIN ( INFO ) : UMCP_Dispatcher: check_queue: new request: 0x7f1b94423890
01.03.18 15:08:36.241 MAIN ( INFO ) : SessionClient(0x7f1b96c6d6d0): sending request(151993491617858-5)
01.03.18 15:08:36.241 PROTOCOL ( INFO ) : Sending UMCP COMMAND REQUEST 151993491617858-5
I've now started a takeover via the UMC module. The UMC module sends the command adtakeover/process every few seconds. So the main problem is the tool which is used for the automated test. I'll create a new bug for it.

One suggestion for this issue: it now takes more than 10 minutes to take over a very small domain, and the UMC module shows only "Übernahme der DNS-Adresse" without any progress for 10 minutes. Can we add a hint, for example "Please be patient, this will take more than 10 minutes" or something similar?
(In reply to Stefan Gohmann from comment #11)
> I've now started a takeover via UMC module. The UMC module sends every few
> seconds the command adtakeover/process. So, the main problem is the tool
> which is used for the automated test. I'll create a new bug for it.

That will be done through Bug #46108.
On my test system, the "Übernehmen der DNS-Adresse" message has been showing for 1 hour now:

root@master7120:~# rgrep PROCESS /var/log/univention/management-console-module-adtakeover.log | tail -n 5
02.03.18 06:50:29.421 MODULE ( PROCESS ) : ### Übernahme der Active Directory Domänencontroller-Rollen ###
02.03.18 06:50:29.422 MODULE ( PROCESS ) : Anpassung von Einstellungen im Samba-Verzeichnisdienst
02.03.18 06:50:48.584 MODULE ( PROCESS ) : Übernahme der FSMO-Rollen
02.03.18 06:51:00.224 MODULE ( PROCESS ) : Entfernen des alten AD Server-Kontos
02.03.18 06:51:03.047 MODULE ( PROCESS ) : Übernahme der DNS-Adresse
root@master7120:~# tail -n 5 /var/log/univention/management-console-module-adtakeover.log
02.03.18 07:51:47.056 MODULE ( INFO ) : Received request 151997350702592-12727
02.03.18 07:51:47.056 PROTOCOL ( INFO ) : Received UMCP COMMAND REQUEST 151997350702592-12727
02.03.18 07:51:47.056 MODULE ( INFO ) : Executing ['adtakeover/progress']
02.03.18 07:51:47.056 MAIN ( INFO ) : Setting locale 'de_DE'
02.03.18 07:51:47.057 PROTOCOL ( INFO ) : Sending UMCP RESPONSE 151997350702592-12727
root@master7120:~#

The system is up and running if you want to check it: 10.201.71.20
5f5fbe4306eea39067e664f71b570aed5b4d3075: Added a wait_for_s4_connector_replication in create_DNS_alias_for_AD_hostname().

This hangs forever in the sqlite query for some unknown reason; reverted.
Looks better. I get a traceback on my newly installed UCS 4.3 VM:

Traceback(00b34d74a35ed71adcbe5732bc61d104):
Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 61, in _background
    result = func(self, request)
  File "%PY2.7%/univention/management/console/modules/adtakeover/__init__.py", line 122, in take_over_domain
    takeover.take_over_domain(self.progress)
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 368, in take_over_domain
    takeover_final.create_reverse_DNS_records()
  File "%PY2.7%/univention/management/console/modules/adtakeover/takeover.py", line 1730, in create_reverse_DNS_records
    p = subprocess.Popen(["univention-ipcalc6", "--ip", self.ad_server_ip, "--netmask", self.ucr["interfaces/%s/netmask" % self.primary_interface], "--output", "pointer", "--calcdns"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
AttributeError: AD_Takeover_Finalize instance has no attribute 'primary_interface'

Role: domaincontroller_master
I think the problem is that in test/utils/ad-takeover.py wait() is called synchronously, which is wrong. It should poll in the background in a thread, like I suggested when the script was initially created. Then there won't be problems with broken modules when new sessions are created. Adjusting the UMC to allow modules with a longer session timeout seems no real solution to me.

Btw. the indentation uses spaces and there are a lot of styling errors and one missing import (except univention.lib.umc.ConnectionError).

test/utils/ad-takeover.py|31 col 1 error| 'threading' imported but unused [F401]
test/utils/ad-takeover.py|33 col 1 error| 'cherrypy' imported but unused [F401]
test/utils/ad-takeover.py|36 col 1 error| 'sys.exit' imported but unused [F401]
test/utils/ad-takeover.py|37 col 1 error| 'ldap.dn.escape_dn_chars' imported but unused [F401]
test/utils/ad-takeover.py|60 col 1 error| expected 2 blank lines, found 1 [E302]
test/utils/ad-takeover.py|61 col 1 error| indentation contains mixed spaces and tabs [E101]
test/utils/ad-takeover.py|61 col 62 warning| trailing whitespace [W291]
test/utils/ad-takeover.py|62 col 24 warning| trailing whitespace [W291]
test/utils/ad-takeover.py|71 col 1 error| too many blank lines (3) [E303]
test/utils/ad-takeover.py|72 col 1 error| indentation contains mixed spaces and tabs [E101]
test/utils/ad-takeover.py|76 col 1 error| expected 2 blank lines, found 1 [E302]
test/utils/ad-takeover.py|77 col 1 error| indentation contains mixed spaces and tabs [E101]
test/utils/ad-takeover.py|85 col 16 error| undefined name 'univention' [F821]
test/utils/ad-takeover.py|99 col 1 error| indentation contains mixed spaces and tabs [E101]
test/utils/ad-takeover.py|106 col 23 error| missing whitespace around operator [E225]
test/utils/ad-takeover.py|109 col 1 error| indentation contains mixed spaces and tabs [E101]
test/utils/ad-takeover.py|116 col 14 error| missing whitespace around operator [E225]
test/utils/ad-takeover.py|119 col 23 error| missing whitespace around operator [E225]
test/utils/ad-takeover.py|122 col 144 error| missing whitespace after ',' [E231]
It works for me with the latest changes: https://git.knut.univention.de/univention/ucs/commit/3603853e20c8aa487bc21bdc70a3654e90f7b117

root@master7120:~# univention-s4search samAccountName=dns-$(hostname) dn | grep ^dn:
dn: CN=dns-master7120,CN=Users,DC=ad71,DC=intranet
root@master7120:~# samba_dnsupdate
Rebuilding cache at /var/lib/samba/private/dns_update_cache
root@master7120:~#
OK, added a bind9 restart in finalize and updated the primary interface stuff.
OK, my tests were successful now.
UCS 4.3 has been released:
https://docs.software-univention.de/release-notes-4.3-0-en.html
https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".