Bug 46118 - Remove NT DC functionality
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba
UCS 4.3
Other Linux
: P5 enhancement
: UCS 4.3
Assigned To: Arvid Requate
Stefan Gohmann
: interim-2
: 35530
Depends on: 35655
Blocks: 46250 46338
Reported: 2018-01-23 15:26 CET by Arvid Requate
Modified: 2018-03-14 14:38 CET
What kind of report is it?: Development Internal
Bug group (optional): Cleanup
Description Arvid Requate univentionstaff 2018-01-23 15:26:30 CET
The Windows NT DC functionality should be removed with UCS 4.3.

* Updates of UCS Samba/NT DCs should be blocked from updating.
* Support for Samba3 to Samba4 Migration should be removed.
* Documentation should be adjusted accordingly.
* UMC fields that only work with UCS Samba/NT domains should also be removed.
* Jenkins "s3" integration test series should be adjusted to test "without Samba" instead.

AD-Member mode and UCS Samba Memberservers will still be supported.
Comment 1 Arvid Requate univentionstaff 2018-02-05 18:30:37 CET
The first four points plus documentation have been adjusted in UCS and UCS@school.

* https://git.knut.univention.de/univention/ucs/commits/arequate/bug46118
* https://git.knut.univention.de/univention/ucsschool/commits/arequate/bug46118

These UCS packages have been imported from that scope and built in ucs_4.3-0-bug46118:

* univention-samba                       12.0.0-7A~4.3.0.201802051826
* univention-samba4                       7.0.2-1A~4.3.0.201802051826
* univention-directory-manager-modules   13.1.12-2A~4.3.0.201802051827
Comment 2 Arvid Requate univentionstaff 2018-02-07 11:29:39 CET
I've updated the documentation patch commit. Our executive git merge manager says that QA has to happen from the feature scope first, so, there you go.
Comment 3 Florian Best univentionstaff 2018-02-07 11:34:00 CET
*** Bug 35530 has been marked as a duplicate of this bug. ***
Comment 4 Felix Botner univentionstaff 2018-02-08 10:35:07 CET
the first join of univention-samba always seems to fail

http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-0/job/AutotestJoin/SambaVersion=samba-pdc,Systemrolle=slave/ws/test/join.log/*view*/

Configure 26univention-samba.inst Wed Feb  7 20:45:19 EST 2018
2018-02-07 20:45:20.009388062-05:00 (in joinscript_init)
Create samba/role
Multifile: /etc/samba/smb.conf
07.02.18 20:45:22.469  DEBUG_INIT
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=master098.autotest098.local port=7389 base=dc=autotest098,dc=local
UNIVENTION_DEBUG_END    : uldap.__open host=master098.autotest098.local port=7389 base=dc=autotest098,dc=local
Create samba/profileserver
Create samba/profilepath
Create samba/homedirserver
Create samba/homedirpath
Create samba/homedirletter
Multifile: /etc/samba/smb.conf
Create samba/domain/security
Multifile: /etc/samba/smb.conf
No handlers could be found for logger "univention.service_info"
Setting samba/autostart
Module: autostart
Multifile: /etc/samba/smb.conf
Not updating samba/autostart
Stopping nfs-kernel-server (via systemctl): nfs-kernel-server.serviceWarning: nfs-kernel-server.service changed on disk. Run 'systemctl daemon-reload' to reload units.
.
Stopping winbind (via systemctl): winbind.service.
Create samba/user
Create samba/user/pwdfile
Multifile: /etc/samba/smb.conf
Setting stored password for "cn=slave098,cn=dc,cn=computers,dc=autotest098,dc=local" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Restarting samba (via systemctl): samba.service.
Object modified: cn=slave098,cn=dc,cn=computers,dc=autotest098,dc=local
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 87 F1 12 02 84 30 90 1D   3D 8E BD 85 4F 3A A2 9D   .....0.. =...O:..
Failed to join domain: failed to lookup DC info for domain 'AUTOTEST098' over rpc: {Access Denied} A process has requested access to an object but has not been granted those access rights.
Failed to join domain: failed to lookup DC info for domain 'AUTOTEST098' over rpc: The transport-connection attempt was refused by the remote system.
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] C8 B4 7F A1 BF E0 DB 0A   80 63 68 33 0C 47 0E CA   ........ .ch3.G..
Failed to join domain: failed to lookup DC info for domain 'AUTOTEST098' over rpc: {Access Denied} A process has requested access to an object but has not been granted those access rights.
ERROR: Failed to join via net rpc join. Please check your Samba DCs and your DNS and WINS configuration.
Wed Feb  7 20:45:36 EST 2018: finish /usr/share/univention-join/univention-join
07.02.18 21:04:48.787  DEBUG_INIT

and later

RUNNING 26univention-samba.inst
2018-02-07 23:31:04.786374288-05:00 (in joinscript_init)
Not updating samba/role
07.02.18 23:31:06.169  DEBUG_INIT
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=master098.autotest098.local port=7389 base=dc=autotest098,dc=local
UNIVENTION_DEBUG_END    : uldap.__open host=master098.autotest098.local port=7389 base=dc=autotest098,dc=local
Not updating samba/profileserver
Not updating samba/profilepath
Not updating samba/homedirserver
Not updating samba/homedirpath
Not updating samba/homedirletter
Setting samba/domain/security
Multifile: /etc/samba/smb.conf
Setting samba/autostart
Module: autostart
Multifile: /etc/samba/smb.conf
Not updating samba/autostart
Stopping nfs-kernel-server (via systemctl): nfs-kernel-server.serviceWarning: nfs-kernel-server.service changed on disk. Run 'systemctl daemon-reload' to reload units.
.
Stopping winbind (via systemctl): winbind.service.
Setting samba/user
Not updating samba/user/pwdfile
Multifile: /etc/samba/smb.conf
Setting stored password for "cn=slave098,cn=dc,cn=computers,dc=autotest098,dc=local" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Restarting samba (via systemctl): samba.service.
Object modified: cn=slave098,cn=dc,cn=computers,dc=autotest098,dc=local
Using short domain name -- AUTOTEST098
Joined 'SLAVE098' to domain 'AUTOTEST098'
Setting windows/wins-support
Multifile: /etc/samba/smb.conf
Stopping samba (via systemctl): samba.service.
Stopping winbind (via systemctl): winbind.service.
Starting samba (via systemctl): samba.service.
Starting winbind (via systemctl): winbind.service.
Successfully granted rights.
Successfully granted rights.
Object created: cn=slave098.autotest098.local,cn=shares,dc=autotest098,dc=local
Object modified: cn=slave098.autotest098.local,cn=shares,dc=autotest098,dc=local
Starting nfs-kernel-server (via systemctl): nfs-kernel-server.serviceWarning: nfs-kernel-server.service changed on disk. Run 'systemctl daemon-reload' to reload units.
.
Object exists: cn=services,cn=univention,dc=autotest098,dc=local
Object created: cn=Samba 3,cn=services,cn=univention,dc=autotest098,dc=local
Object modified: cn=slave098,cn=dc,cn=computers,dc=autotest098,dc=local
Could not chdir to home directory /dev/null: Not a directory
rsync: change_dir "/var/lib/samba/account-policy" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1668) [Receiver=3.1.2]
rsync: [Receiver] write error: Broken pipe (32)
2018-02-07 23:31:57.233559209-05:00 (in joinscript_save_current_version)
EXITCODE=0

still some errors, but at least EXITCODE=0
Comment 5 Arvid Requate univentionstaff 2018-02-08 15:20:44 CET
> the first join of univention-samba always seems to fail

I assume you mean univention-samba-slave-pdc. I guess this fails because the LDAP ACLs on the master are much more strict in recent UCS versions. Customers running this setup have set this up with earlier UCS versions. We'll need to discuss with the TAM how to proceed with the test cases to make them testable (Bug 46218).

Anyway, we didn't change anything about univention-samba-slave-pdc in that package, so let's proceed.
Comment 6 Stefan Gohmann univentionstaff 2018-02-09 11:45:59 CET
ucs-test adjustment:
* 53_samba-common/30winbind: Samba is also required (Bug #46118)

https://git.knut.univention.de/univention/ucs/commit/e37e07472efd082bcca59346f7b0ec3fd42a0331
Comment 7 Felix Botner univentionstaff 2018-02-15 10:11:10 CET
s4 connector in the installation tests gets rejects now

 15.02.2018 06:33:52,339 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=ucs-sso,CN=Users,DC=test,DC=local
15.02.2018 06:33:52,346 LDAP        (PROCESS): sync to ucs:   [          user] [    modify] uid=ucs-sso,cn=users,dc=test,dc=local
15.02.2018 06:33:52,427 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
15.02.2018 06:33:52,428 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1588, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1365, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1657, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 526, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1068, in _modify
    ml = self._ldap_modlist()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1957, in _ldap_modlist
    ml = self._modlist_samba_mungeddial(ml)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 2307, in _modlist_samba_mungeddial
    sambaMunged = self.sambaMungedDialMap()
  File "/usr/lib/pymodules/python2.7/univention/admin/mungeddial.py", line 408, in sambaMungedDialMap
    sambaMungedDial = base64.decodestring('bQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAA%sAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAFAA==' % dialin_val)
  File "/usr/lib/python2.7/base64.py", line 328, in decodestring
    return binascii.a2b_base64(s)
Error: Incorrect padding

I guess this is due to some udm backend changes; nevertheless, this whole MungedDial stuff is removed from udm with this bug. So please merge the changes from here to ucs asap to fix the tests.
Comment 9 Arvid Requate univentionstaff 2018-02-15 12:50:00 CET
> Comment 7

That's not this bug, because that code wouldn't even be present any more if this branch had been merged.

I guess it's due to the regression caused by the refactoring of users/user self.open() done for Bug #45842 and my attempt to fix that. I have checked that code again and adjusted it again a bit. I think that would fix it. Anyway, the sambaMungedDial code will be removed once this branch gets merged.
Comment 10 Arvid Requate univentionstaff 2018-02-16 11:02:45 CET
Feature branch merge commit: cc07e6ba7c

Package: univention-samba
Version: 12.0.1-0A~4.3.0.201802161020
Branch: ucs_4.3-0

Package: univention-samba4
Version: 7.0.2-2A~4.3.0.201802161059
Branch: ucs_4.3-0

Package: univention-directory-manager-modules
Version: 13.0.20-1A~4.3.0.201802161042
Branch: ucs_4.3-0

Package: univention-l10n-fr
Version: 2.0.0-5A~4.3.0.201802161101
Branch: ucs_4.3-0

Package: ucs-test
Version: 8.0.28-13A~4.3.0.201802161044
Branch: ucs_4.3-0

preup.sh and changelog-4.3 adjusted too.
Comment 11 Stefan Gohmann univentionstaff 2018-02-20 13:50:19 CET
Code review: OK
 https://git.knut.univention.de/univention/ucs/commit/cc07e6ba7c6019520ae4a7298ccbad7523eee065

Changelog / Release Notes: OK: Changelog is available; I've added a comment to the release notes bug.

Tests: Failed. On my Samba 3 test system, the update was started. The preup script seems to be old. Did you rebuild univention-updater?
Comment 12 Arvid Requate univentionstaff 2018-02-20 22:00:38 CET
> Tests: Failed. On my Samba 3 test system, the update was started. The preup
> script seems to be old. Did you rebuild univention-updater?

No, I had not; I thought they get copied from git/svn. I've rebuilt it now:

Package: univention-updater
Version: 13.0.1-19A~4.3.0.201802202159
Branch: ucs_4.3-0
Comment 13 Stefan Gohmann univentionstaff 2018-02-21 07:11:45 CET
Tests Samba 3 4.2-3 environment: OK, the update is blocked on DCs with Samba 3 and without Slave PDC. The upgrade is possible after the Samba 4 migration.

Slave PDC installation: OK, the update is not blocked

Update without Samba or with Samba 4: OK


Other issues:
 - The samba privileges don't have an effect in Samba 4 / AD environments. See Bug #24075. I've added it to the board discussion.
 - The logon hours are now useless. See Bug #24204. I've added it to the board discussion as well.
Comment 15 Stefan Gohmann univentionstaff 2018-03-14 14:38:24 CET
UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".