Bug 48815 - Backup with samba can not join into single server environment
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Samba 4
Version: UCS@school 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.4 v1
Assigned To: Arvid Requate
QA Contact: Sönke Schwardt-Krummrich
Depends on:
Blocks: 52758
Reported: 2019-02-27 22:49 CET by Jürn Brodersen
Modified: 2021-02-08 14:04 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
Join log 4.3 (114.51 KB, text/x-log), 2019-02-28 10:21 CET, Jürn Brodersen
join log 4.4 (without @school pre join hook) (113.33 KB, text/x-log), 2019-02-28 10:22 CET, Jürn Brodersen
log.samba 4.3 (master) (21.21 KB, text/plain), 2019-02-28 10:33 CET, Jürn Brodersen
skip_DCs_in_samaccountname_ldap_check.patch (1.84 KB, patch), 2019-02-28 13:39 CET, Arvid Requate
skip_DCs_in_samaccountname_ldap_check 2 (1.58 KB, patch), 2019-02-28 17:02 CET, Jürn Brodersen

Description Jürn Brodersen univentionstaff 2019-02-27 22:49:45 CET
Backup with samba can not join into single server environment


Join against S4 Connector server: master
Forest           : single44.intranet
Domain           : single44.intranet
Netbios domain   : SINGLE44
DC name          : master.single44.intranet
DC netbios name  : MASTER
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
INFO 2019-02-27 20:53:25,351 pid:10266 /usr/lib/python2.7/dist-packages/samba/join.py #1519: workgroup is SINGLE44
INFO 2019-02-27 20:53:25,352 pid:10266 /usr/lib/python2.7/dist-packages/samba/join.py #1522: realm is single44.intranet
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <00002035: ldb_request: Unwilling to perform (53)> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 184, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 641, in join_add_objects
    ctx.samdb.add(rec, controls=controls)
Adding CN=BACKUP,OU=Domain Controllers,DC=single44,DC=intranet
Join failed - cleaning up
Failed to join against the S4 Connector server master.
Make sure the server is online or if this server is no longer in use,
please completely remove the server object from the domain.
Forest           : single44.intranet
Domain           : single44.intranet
Netbios domain   : SINGLE44
DC name          : master.single44.intranet
DC netbios name  : MASTER
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
INFO 2019-02-27 20:53:29,219 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #103: Finding a writeable DC for domain 'single44.intranet'
INFO 2019-02-27 20:53:29,227 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #105: Found DC master.single44.intranet
INFO 2019-02-27 20:53:29,503 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #1519: workgroup is SINGLE44
INFO 2019-02-27 20:53:29,503 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #1522: realm is single44.intranet
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <00002035: ldb_request: Unwilling to perform (53)> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 184, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 641, in join_add_objects
    ctx.samdb.add(rec, controls=controls)
Adding CN=BACKUP,OU=Domain Controllers,DC=single44,DC=intranet
Join failed - cleaning up
Failed to join the domain single44.intranet.
Make sure the server is online or if this server is no longer in use,
please completely remove the server object from the domain.
Comment 1 Jürn Brodersen univentionstaff 2019-02-28 10:21:32 CET
Created attachment 9873 [details]
Join log 4.3
Comment 2 Jürn Brodersen univentionstaff 2019-02-28 10:22:27 CET
Created attachment 9874 [details]
join log 4.4 (without @school pre join hook)
Comment 3 Jürn Brodersen univentionstaff 2019-02-28 10:33:18 CET
Created attachment 9875 [details]
log.samba 4.3 (master)

Looks like this traceback on the master is a problem:


'''
[2019/02/27 21:50:52.801624,  1, pid=27279] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: univention_samaccountname_ldap_check: calling ucs-school-create_windows_computer
  
Traceback (most recent call last):
  File "/usr/sbin/ucs-school-create_windows_computer", line 80, in <module>
    main()
  File "/usr/sbin/ucs-school-create_windows_computer", line 63, in main
    result = client.umc_command(args.command, options).result
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 435, in umc_command
    return self.request('POST', 'command/%s' % (path,), data, headers)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 515, in request
    return self.send(request)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 544, in send
    raise HTTPError(request, response, self.hostname)
univention.lib.umc.HTTPError: 591 on qa43.univention.intranet (command/selectiveudm/create_windows_computer): {"status": 591, "message": "Interner Server-Fehler in \"selectiveudm/create_windows_computer\".", "traceback": "Interner Server-Fehler in \"selectiveudm/create_windows_computer\".\nRequest: selectiveudm/create_windows_computer\n\nTraceback (most recent call last):\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/base.py\", line 253, in execute\n    function.__func__(self, request, *args, **kwargs)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 192, in _response\n    return function(self, request)\n  File \"/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py\", line 145, in wrapper_func\n    return func(*args, **kwargs)\n  File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/selective-udm/__init__.py\", line 126, in create_windows_computer\n    computer_dn = computer.create()\n  File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 539, in create\n    dn = self._create(response=response, serverctrls=serverctrls)\n  File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 1137, in _create\n    al.extend(self._ldap_modlist())\n  File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/computers/windows.py\", line 546, in _ldap_modlist\n    raise univention.admin.uexceptions.uidAlreadyUsed(': %s' % requested_uid)\nuidAlreadyUsed: : BACKUP$", "location": "https://qa43.univention.intranet/univention/command"}
[2019/02/27 21:50:56.532176,  1, pid=27278] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: univention_samaccountname_ldap_check: unknown error code from ucs-school-create_windows_computer: 1
'''
Comment 4 Arvid Requate univentionstaff 2019-02-28 12:45:47 CET
As discussed, the problem may be caused by the fact that we have removed the --keep-existing option from samba-tool domain join (apparently removed in 4.1-4, see Bug 43176#c2, see also Bug #36090). The theory is this:

1. univention-join creates the computers/domaincontroller_backup object
2. 96univention-samba4 runs samba-tool domain join, which IIRC first removes
   the machine account from the Samba/AD of the Master before creating it new
3. The S4-connector doesn't sync DC deletes from Samba to OpenLDAP by default
4. When samba-tool domain join wants to add the account for the DC backup
   again, the LDB module samaccountname_ldap_check intervenes and calls
   the UMC module selective-udm/create_windows_computer
5. The UMC module selective-udm/create_windows_computer then attempts
   to create a UDM object computers/windows, which fails because
   there is already a computers/domaincontroller_backup account with the
   name cn=backup.

To handle this situation, three options come to my mind:
1. Reactivate the --keep-existing option
2. Adjust selective-udm/create_windows_computer to handle DCs properly.
3. Adjust the LDB module to call selective-udm/create_windows_computer only
   for windows clients, but not for DCs.
4. Avoid using the LDB module at all in the central UCS@school department.

Opinions about the options:
1. The --keep-existing option also caused issues in the past
   and the patch is ugly and relatively high-maintenance for upstream changes.
2. Adjusting selective-udm/create_windows_computer to differentiate between
   Windows-Clients and DCs is probably pretty complex. Also you have to
   keep it safe from account takeovers (check the hashed password).
3. I guess adjusting the LDB module filter would be the best option.
4. That might be an even better solution: After all we initially created
   the LDB module just to avoid naming conflicts for windows clients
   joining a UCS@school Slave PDC, which doesn't know about all
   account names existing in the central LDAP.


Just FYI for the technically inclined: The S4-Connector avoids problems with this, by passing a special LDAP control: ldb_ctrl_bypass_samaccountname_ldap_check = LDAPControl('1.3.6.1.4.1.10176.1004.0.4.1', criticality=0)
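The five-step sequence above, replayed as an added Python illustration (this is not the code of the LDB module, of univention-join or of the UMC module; the function names, the `skip_dcs` switch and the sample records are assumptions made for the example, while the `UF_*` bit values and the bypass control OID are the real ones). It shows why running the samAccountName check for a domain controller account reproduces the `uidAlreadyUsed: : BACKUP$` failure from the master's log.samba, what Option 3 (skip DCs) changes, and how the S4 Connector's bypass control short-circuits the hook.

```python
# Added illustration, not the code of the LDB module or of the UMC module:
# the decision an "add" hook like univention_samaccountname_ldap_check has to
# make, and why running it for a domain controller account reproduces the
# uidAlreadyUsed failure from the master's log.samba.

# userAccountControl bits (MS-ADTS; Samba exposes them as samba.dsdb.UF_*).
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # member workstation or member server
UF_SERVER_TRUST_ACCOUNT = 0x2000        # domain controller
UF_TRUSTED_FOR_DELEGATION = 0x80000     # set on DC accounts by samba-tool domain join

# Control OID quoted in the thread: the S4 Connector attaches it to bypass the check.
BYPASS_SAMACCOUNTNAME_CHECK_OID = "1.3.6.1.4.1.10176.1004.0.4.1"


class UidAlreadyUsed(Exception):
    """Stand-in for univention.admin.uexceptions.uidAlreadyUsed."""


def classify_add_request(attrs, controls=(), skip_dcs=True):
    """Decide what the hook does with one ldb add request.

    attrs:    dict attribute -> list of string values (ldb message style)
    controls: OIDs of the LDAP controls attached to the request
    skip_dcs: True models Option 3 from the thread; False models the behaviour
              that made the backup join fail (DC accounts are checked too).
    """
    if BYPASS_SAMACCOUNTNAME_CHECK_OID in controls:
        return "bypass"           # trusted writer asked the hook to stay out of the way
    if "sAMAccountName" not in attrs:
        return "not-applicable"
    uac = int(attrs.get("userAccountControl", ["0"])[0])
    if uac & UF_SERVER_TRUST_ACCOUNT:
        return "skip-dc" if skip_dcs else "check"
    if uac & UF_WORKSTATION_TRUST_ACCOUNT:
        return "check"            # Windows client: have the central LDAP create it
    return "not-applicable"       # users, groups, ... are not the hook's business


def create_windows_computer(samaccountname, central_uids):
    """Stand-in for selective-udm/create_windows_computer.

    Creates a computers/windows object in the central LDAP, failing the way the
    UDM handler does when the uid (the sAMAccountName, e.g. BACKUP$) is taken.
    central_uids is the constructed set of uids already present in OpenLDAP.
    """
    if samaccountname.lower() in {u.lower() for u in central_uids}:
        raise UidAlreadyUsed(": %s" % samaccountname)
    central_uids.add(samaccountname)
    return samaccountname


def handle_add(attrs, controls, central_uids, skip_dcs=True):
    """Run the hook's decision and, when it decides to check, the UMC call."""
    decision = classify_add_request(attrs, controls, skip_dcs)
    if decision != "check":
        return decision
    try:
        create_windows_computer(attrs["sAMAccountName"][0], central_uids)
    except UidAlreadyUsed:
        return "conflict"         # surfaces in samba-tool as LDAP_UNWILLING_TO_PERFORM
    return "created"


# Constructed sample records modelled on the DNs in the join log above.
DC_BACKUP = {
    "dn": ["CN=BACKUP,OU=Domain Controllers,DC=single44,DC=intranet"],
    "sAMAccountName": ["BACKUP$"],
    "userAccountControl": [str(UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION)],
}
WORKSTATION = {
    "dn": ["CN=PC1,CN=Computers,DC=single44,DC=intranet"],
    "sAMAccountName": ["PC1$"],
    "userAccountControl": [str(UF_WORKSTATION_TRUST_ACCOUNT)],
}


def walk_through():
    """Replay the sequence from the thread; returns the outcome of each step."""
    central = {"BACKUP$"}   # step 1: univention-join already created domaincontroller_backup
    return {
        "dc_checked": handle_add(DC_BACKUP, (), central, skip_dcs=False),   # the bug
        "dc_skipped": handle_add(DC_BACKUP, (), central, skip_dcs=True),    # Option 3
        "connector": handle_add(DC_BACKUP, (BYPASS_SAMACCOUNTNAME_CHECK_OID,), central),
        "client_first": handle_add(WORKSTATION, (), central),
        "client_again": handle_add(WORKSTATION, (), central),
    }


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print("%-13s %s" % (step, outcome))
```

The `userAccountControl` test is the cheap way to tell a DC account from a Windows client inside an add request; the bypass control is honoured before anything else, which is exactly why the S4 Connector never trips over the check while a plain `samba-tool domain join` does.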
Comment 5 Arvid Requate univentionstaff 2019-02-28 13:00:10 CET
Ok regarding Option 4 (avoiding the registration of the LDB module on master and singlemaster):

We introduced the use of the LDB module in the singlemaster for Bug #31443. Bummer.
Comment 6 Arvid Requate univentionstaff 2019-02-28 13:14:48 CET
Re: Comment 5:

As an alternative solution for the OU-problem of the singlemaster we could configure Samba/AD to use a different default container for new computer objects:

============================================================================
#!/bin/bash
# Point the well-known "Computers" container (GUID AA312825-7688-11D1-ADED-00C04FD8D5CD)
# at OU=<name>,CN=Computers,<base>, so Samba/AD places new computer objects there.
MYOU="$1"
if [ -z "$MYOU" ]; then
	echo "usage: $0 <OU name>" >&2
	exit 1
fi

# exports samba4_ldap_base and the other UCR variables as shell variables
eval "$(ucr shell)"

ldbmodify -H /var/lib/samba/private/sam.ldb <<-%EOF
dn: $samba4_ldap_base
changetype: modify
add: wellKnownObjects
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:OU=$MYOU,CN=Computers,$samba4_ldap_base
%EOF
============================================================================

You could also do that for users:

wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=$MYOU,CN=Users,$samba4_ldap_base
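As an added Python example (not Samba's or Univention's code; the function names, the `default_wellknownobjects` starting state and the OU name `schoolou` are constructed for the illustration, the two GUIDs and the base DN `DC=single44,DC=intranet` come from this thread), here is the DN-with-binary syntax that the `wellKnownObjects` values above use, a lookup by well-known GUID of the kind Samba does when it picks the default container for a new object, and a redirect helper that keeps exactly one entry per GUID rather than appending a second one the way a plain `add:` does:

```python
# Added illustration, not Samba's or Univention's code: the DN-with-binary
# syntax of wellKnownObjects values such as the one in the ldbmodify snippet
# above, and a lookup by well-known GUID of the kind Samba performs when it
# picks the default container for a new computer or user object.
import re

# Hex form of the well-known GUIDs used in the snippet above.
WKGUID_COMPUTERS_CONTAINER = "AA312825768811D1ADED00C04FD8D5CD"
WKGUID_USERS_CONTAINER = "A9D1CA15768811D1ADED00C04FD8D5CD"

# DN-with-binary: B:<number of hex digits>:<hex bytes>:<dn>
_DN_WITH_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.+)$")


def parse_wellknownobject(value):
    """Split one wellKnownObjects value into (guid_hex_upper, dn)."""
    m = _DN_WITH_BINARY.match(value)
    if not m:
        raise ValueError("not a DN-with-binary value: %r" % (value,))
    length, hexpart, dn = m.groups()
    if int(length) != len(hexpart):
        raise ValueError("declared length %s does not match %d hex digits" % (length, len(hexpart)))
    if len(hexpart) != 32:
        raise ValueError("well-known GUID must be 16 bytes (32 hex digits)")
    return hexpart.upper(), dn


def build_wellknownobject(wkguid, dn):
    """Render one wellKnownObjects value the way ldbmodify expects it."""
    return "B:32:%s:%s" % (wkguid.upper(), dn)


def default_wellknownobjects(base_dn):
    """Constructed starting state: computers and users in their stock containers."""
    return [
        build_wellknownobject(WKGUID_COMPUTERS_CONTAINER, "CN=Computers," + base_dn),
        build_wellknownobject(WKGUID_USERS_CONTAINER, "CN=Users," + base_dn),
    ]


def resolve_wellknown_dn(values, wkguid):
    """Return the DN recorded for wkguid, or None; the first matching entry wins."""
    for value in values:
        guid, dn = parse_wellknownobject(value)
        if guid == wkguid.upper():
            return dn
    return None


def redirect_container(values, wkguid, new_dn):
    """Return the attribute with the entry for wkguid pointing at new_dn.

    Unlike a plain 'add:' this keeps exactly one entry per well-known GUID,
    so a lookup never has to guess between two candidate containers.
    """
    kept = [v for v in values if parse_wellknownobject(v)[0] != wkguid.upper()]
    return kept + [build_wellknownobject(wkguid, new_dn)]


def ldif_redirect(base_dn, values, wkguid, new_dn):
    """Render the redirect as LDIF for ldbmodify: drop the old entry, add the new one."""
    old = resolve_wellknown_dn(values, wkguid)
    lines = ["dn: %s" % base_dn, "changetype: modify"]
    if old is not None:
        lines += ["delete: wellKnownObjects",
                  "wellKnownObjects: " + build_wellknownobject(wkguid, old), "-"]
    lines += ["add: wellKnownObjects",
              "wellKnownObjects: " + build_wellknownobject(wkguid, new_dn)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    base = "DC=single44,DC=intranet"
    current = default_wellknownobjects(base)
    target = "OU=schoolou,CN=Computers," + base   # constructed OU name
    print(ldif_redirect(base, current, WKGUID_COMPUTERS_CONTAINER, target))
    print("computers now default to:",
          resolve_wellknown_dn(redirect_container(current, WKGUID_COMPUTERS_CONTAINER, target),
                               WKGUID_COMPUTERS_CONTAINER))
```

The length field in `B:32:...` counts hex digits, not bytes, which is why a 16-byte GUID is written as 32; the parser rejects values whose declared length and hex payload disagree, since a malformed entry would silently fall through every lookup.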
Comment 7 Arvid Requate univentionstaff 2019-02-28 13:39:52 CET
Created attachment 9876 [details]
skip_DCs_in_samaccountname_ldap_check.patch

Ok, this would be a suggestion for Option 3, a patch for univention_samaccountname_ldap_check.c, untested but pair programmed with Jürn :-)
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2019-02-28 15:19:53 CET
(In reply to Arvid Requate from comment #7)
> Created attachment 9876 [details]
> skip_DCs_in_samaccountname_ldap_check.patch
> 
> Ok, this would be a suggestion for Option 3, a patch for
> univention_samaccountname_ldap_check.c, untested but pair programmed with
> Jürn :-)

Please test this code in compiled form :-)

Btw: aren't backups with samba in multiserver environments also affected?
Comment 9 Arvid Requate univentionstaff 2019-02-28 16:20:59 CET
Ok, as discussed, I chose option 4:

452713cd4 |  Partial revert of commit 8733b84d1: Don't activate
 UCRV samba4/ldb/sam/module/prepend="univention_samaccountname_ldap_check"
 in ucs-school-master and ucs-school-central-slave

Package: ucs-school-metapackage
Version: 12.0.0-48A~4.4.0.201902281618
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Comment 10 Jürn Brodersen univentionstaff 2019-02-28 17:02:43 CET
Created attachment 9877 [details]
skip_DCs_in_samaccountname_ldap_check 2

In case we need option 3, the patch seems to work with same changes.
Comment 11 Sönke Schwardt-Krummrich univentionstaff 2019-03-05 15:12:44 CET
> 452713cd4 |  Partial revert of commit 8733b84d1: Don't activate
>  UCRV samba4/ldb/sam/module/prepend="univention_samaccountname_ldap_check"
>  in ucs-school-master and ucs-school-central-slave

OK: join of DC backup with samba4 into multiserver environment
Comment 12 Sönke Schwardt-Krummrich univentionstaff 2019-03-06 10:42:34 CET
> OK: join of DC backup with samba4 into multiserver environment

OK: join of DC backup with samba4 into single server environment
OK: code change
Comment 13 Sönke Schwardt-Krummrich univentionstaff 2019-03-12 10:59:11 CET
UCS@school 4.4 v1 has been released.

https://docs.software-univention.de/release-notes-ucsschool-4.4v1-de.html

If this error occurs again, please clone this bug.