Univention Bugzilla – Bug 48815
Backup with samba can not join into single server environment
Last modified: 2021-02-08 14:04:08 CET
Backup with samba can not join into single server environment

Join against S4 Connector server: master
Forest : single44.intranet
Domain : single44.intranet
Netbios domain : SINGLE44
DC name : master.single44.intranet
DC netbios name : MASTER
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name
INFO 2019-02-27 20:53:25,351 pid:10266 /usr/lib/python2.7/dist-packages/samba/join.py #1519: workgroup is SINGLE44
INFO 2019-02-27 20:53:25,352 pid:10266 /usr/lib/python2.7/dist-packages/samba/join.py #1522: realm is single44.intranet
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <00002035: ldb_request: Unwilling to perform (53)> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 184, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 641, in join_add_objects
    ctx.samdb.add(rec, controls=controls)
Adding CN=BACKUP,OU=Domain Controllers,DC=single44,DC=intranet
Join failed - cleaning up
Failed to join against the S4 Connector server master. Make sure the server is online or if this server is no longer in use, please completely remove the server object from the domain.
Forest : single44.intranet
Domain : single44.intranet
Netbios domain : SINGLE44
DC name : master.single44.intranet
DC netbios name : MASTER
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name
INFO 2019-02-27 20:53:29,219 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #103: Finding a writeable DC for domain 'single44.intranet'
INFO 2019-02-27 20:53:29,227 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #105: Found DC master.single44.intranet
INFO 2019-02-27 20:53:29,503 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #1519: workgroup is SINGLE44
INFO 2019-02-27 20:53:29,503 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #1522: realm is single44.intranet
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <00002035: ldb_request: Unwilling to perform (53)> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 184, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 641, in join_add_objects
    ctx.samdb.add(rec, controls=controls)
Adding CN=BACKUP,OU=Domain Controllers,DC=single44,DC=intranet
Join failed - cleaning up
Failed to join the domain single44.intranet. Make sure the server is online or if this server is no longer in use, please completely remove the server object from the domain.
Created attachment 9873 [details] Join log 4.3
Created attachment 9874 [details] join log 4.4 (without @school pre join hook)
Created attachment 9875 [details] log.samba 4.3 (master)

Looks like this traceback on the master is a problem:

'''
[2019/02/27 21:50:52.801624, 1, pid=27279] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: univention_samaccountname_ldap_check: calling ucs-school-create_windows_computer
Traceback (most recent call last):
  File "/usr/sbin/ucs-school-create_windows_computer", line 80, in <module>
    main()
  File "/usr/sbin/ucs-school-create_windows_computer", line 63, in main
    result = client.umc_command(args.command, options).result
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 435, in umc_command
    return self.request('POST', 'command/%s' % (path,), data, headers)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 515, in request
    return self.send(request)
  File "/usr/lib/pymodules/python2.7/univention/lib/umc.py", line 544, in send
    raise HTTPError(request, response, self.hostname)
univention.lib.umc.HTTPError: 591 on qa43.univention.intranet (command/selectiveudm/create_windows_computer): {"status": 591, "message": "Interner Server-Fehler in \"selectiveudm/create_windows_computer\".", "traceback": "Interner Server-Fehler in \"selectiveudm/create_windows_computer\".\nRequest: selectiveudm/create_windows_computer\n\nTraceback (most recent call last):\n File \"/usr/lib/pymodules/python2.7/univention/management/console/base.py\", line 253, in execute\n function.__func__(self, request, *args, **kwargs)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py\", line 192, in _response\n return function(self, request)\n File \"/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py\", line 145, in wrapper_func\n return func(*args, **kwargs)\n File \"/usr/lib/pymodules/python2.7/univention/management/console/modules/selective-udm/__init__.py\", line 126, in create_windows_computer\n computer_dn = computer.create()\n File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 539, in create\n dn = self._create(response=response, serverctrls=serverctrls)\n File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py\", line 1137, in _create\n al.extend(self._ldap_modlist())\n File \"/usr/lib/pymodules/python2.7/univention/admin/handlers/computers/windows.py\", line 546, in _ldap_modlist\n raise univention.admin.uexceptions.uidAlreadyUsed(': %s' % requested_uid)\nuidAlreadyUsed: : BACKUP$", "location": "https://qa43.univention.intranet/univention/command"}
[2019/02/27 21:50:56.532176, 1, pid=27278] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: univention_samaccountname_ldap_check: unknown error code from ucs-school-create_windows_computer: 1
'''
As discussed, the problem may be caused by the fact that we have removed the --keep-existing option from samba-tool domain join (apparently removed in 4.1-4, see Bug 43176#c2, see also Bug #36090). The theory is this:

1. univention-join creates the computers/domaincontroller_backup object
2. 96univention-samba4 runs samba-tool domain join, which IIRC first removes the machine account from the Samba/AD of the Master before creating it new
3. The S4-connector doesn't sync DC deletes from Samba to OpenLDAP by default
4. When samba-tool domain join wants to add the account for the DC backup again, the LDB module samaccountname_ldap_check intervenes and calls the UMC module selective-udm/create_windows_computer
5. The UMC module selective-udm/create_windows_computer then attempts to create a UDM object computers/windows, which fails because there is already a computers/domaincontroller_backup account with the name cn=backup.

To handle this situation, three options come to my mind:

1. Reactivate the --keep-existing option
2. Adjust selective-udm/create_windows_computer to handle DCs properly.
3. Adjust the LDB module to call selective-udm/create_windows_computer only for windows clients, but not for DCs.
4. Avoid using the LDB module at all in the central UCS@school department.

Opinions about the options:

1. The --keep-existing option also caused issues in the past and the patch is ugly and relatively high-maintenance for upstream changes.
2. Adjusting selective-udm/create_windows_computer to differentiate between Windows-Clients and DCs is probably pretty complex. Also you have to keep it safe from account takeovers (check the hashed password).
3. I guess adjusting the LDB module filter would be the best option.
4. That might be an even better solution: After all we initially created the LDB module just to avoid naming conflicts for windows clients joining a UCS@school Slave PDC, which doesn't know about all account names existing in the central LDAP.
Just FYI for the technically inclined: The S4-Connector avoids problems with this by passing a special LDAP control:

ldb_ctrl_bypass_samaccountname_ldap_check = LDAPControl('1.3.6.1.4.1.10176.1004.0.4.1', criticality=0)
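The following is an added illustration, not code from this bug, from the univention_samaccountname_ldap_check LDB module or from selective-udm/create_windows_computer. It models the five-step failure chain from the comment above (the backup DC already exists as a computers/domaincontroller_backup object when samba-tool domain join re-adds its machine account, so the UMC module raises uidAlreadyUsed and the join sees LDAP error 53) together with the two escape hatches mentioned in the thread: the S4-Connector bypass control OID and option 3 (skip DCs). The UDM store, record dicts and function names are constructed; recognising a DC by the UF_SERVER_TRUST_ACCOUNT bit of userAccountControl is an assumption of this model, not necessarily what the attached patch does.

```python
"""Decision model for the samaccountname check described in the bug thread.

Constructed illustration, not the code of the univention_samaccountname_ldap_check
LDB module or of selective-udm/create_windows_computer.
"""

# Standard Active Directory userAccountControl flags for machine accounts.
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # member workstations / member servers
UF_SERVER_TRUST_ACCOUNT = 0x2000        # domain controllers

# Control OID quoted in the thread; the S4-Connector sends it to bypass the check.
BYPASS_SAMACCOUNTNAME_CHECK_OID = "1.3.6.1.4.1.10176.1004.0.4.1"


class UidAlreadyUsed(Exception):
    """Stands in for univention.admin.uexceptions.uidAlreadyUsed from the log."""


def is_domain_controller(record):
    """True if the add request carries the DC trust bit (assumption of this model)."""
    uac = int(record.get("userAccountControl", 0))
    return bool(uac & UF_SERVER_TRUST_ACCOUNT)


def needs_windows_computer_check(record, controls=(), skip_dcs=True):
    """Decide whether an LDB add should be forwarded to the UMC module.

    skip_dcs=False models the behaviour before option 3 (every machine account
    is checked); skip_dcs=True models a module that checks Windows clients only.
    """
    if BYPASS_SAMACCOUNTNAME_CHECK_OID in controls:
        return False                      # S4-Connector writes bypass the check
    name = record.get("sAMAccountName", "")
    if not name.endswith("$"):
        return False                      # only machine accounts are checked
    if skip_dcs and is_domain_controller(record):
        return False
    return True


def create_windows_computer(udm_objects, samaccountname):
    """Model of selective-udm/create_windows_computer over a constructed UDM store:
    create a computers/windows object, refuse when any object already owns the uid."""
    uid = samaccountname.lower()
    if uid in udm_objects:
        raise UidAlreadyUsed(": %s" % samaccountname)
    udm_objects[uid] = "computers/windows"
    return udm_objects[uid]


def handle_add(udm_objects, record, controls=(), skip_dcs=True):
    """Outcome of one LDB add: 'skipped', 'created' or 'unwilling'.

    'unwilling' stands for the LDAP error 53 (unwillingToPerform) that
    samba-tool domain join reports when the UMC call fails.
    """
    if not needs_windows_computer_check(record, controls, skip_dcs):
        return "skipped"
    try:
        create_windows_computer(udm_objects, record["sAMAccountName"])
    except UidAlreadyUsed:
        return "unwilling"
    return "created"


if __name__ == "__main__":
    # Constructed UDM state after step 1 of the theory: univention-join has
    # already created the backup DC as computers/domaincontroller_backup.
    udm = {"backup$": "computers/domaincontroller_backup"}
    backup_dc = {"sAMAccountName": "BACKUP$",
                 "userAccountControl": UF_SERVER_TRUST_ACCOUNT}
    print("before option 3:", handle_add(udm, backup_dc, skip_dcs=False))
    print("with option 3:  ", handle_add(udm, backup_dc))
    workstation = {"sAMAccountName": "PC01$",
                   "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT}
    print("windows client: ", handle_add(udm, workstation))
```

Run as-is it prints `unwilling` for the backup DC under the old behaviour, `skipped` once DCs are excluded, and `created` for a plain Windows client whose name is still free; a second add of the same client name is refused, which is the naming-conflict protection the module was originally written for.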
Ok regarding Option 4 (avoiding the registration of the LDB module on master and singlemaster): We introduced the use of the LDB module in the singlemaster for Bug #31443. Bummer.
Re: Comment 5: As an alternative solution for the OU-problem of the singlemaster we could configure Samba/AD to use a different default container for new computer objects:

============================================================================
#!/bin/bash
MYOU=$1
eval "$(ucr shell)"
ldbmodify -H /var/lib/samba/private/sam.ldb <<-%EOF
dn: $samba4_ldap_base
changetype: modify
add: wellKnownObjects
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:OU=$MYOU,CN=Computers,$samba4_ldap_base
%EOF
============================================================================

You could also do that for users:

wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=$MYOU,CN=Users,$samba4_ldap_base
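As an added example (not part of the thread and not one of Univention's scripts), the following Python parses and builds the DN-Binary values that the ldbmodify snippet above writes into wellKnownObjects, so an administrator can validate such a value before applying it and see which container(s) a well-known GUID resolves to afterwards. The two GUIDs are the ones quoted in the comment; the sample wellKnownObjects list, the base DN and the OU name are constructed, and the helper names are this example's own.

```python
"""Parse and build DN-Binary ('B:<hexlen>:<hex>:<dn>') values for wellKnownObjects.

Added example, not part of the bug thread. Sample data below is constructed.
"""
import re

# Well-known container GUIDs quoted in the thread (hex as stored in AD).
WKGUID_COMPUTERS = "AA312825768811D1ADED00C04FD8D5CD"
WKGUID_USERS = "A9D1CA15768811D1ADED00C04FD8D5CD"

_DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.+)$")


def parse_dn_binary(value):
    """Return (guid_hex, dn) for a DN-Binary string; raise ValueError if malformed."""
    match = _DN_BINARY.match(value)
    if match is None:
        raise ValueError("not a DN-Binary value: %r" % (value,))
    declared_len, hexdata, dn = match.groups()
    # The number after 'B:' is the count of hex characters that follow.
    if int(declared_len) != len(hexdata):
        raise ValueError("declared length %s != %d hex chars" % (declared_len, len(hexdata)))
    if len(hexdata) != 32:
        raise ValueError("well-known object GUID must be 16 bytes (32 hex chars)")
    return hexdata.upper(), dn


def is_valid_dn_binary(value):
    """Boolean wrapper around parse_dn_binary for quick pre-flight checks."""
    try:
        parse_dn_binary(value)
    except ValueError:
        return False
    return True


def build_dn_binary(guid_hex, dn):
    """Build the attribute value the ldbmodify script writes for a GUID and a DN."""
    guid_hex = guid_hex.upper()
    if re.fullmatch(r"[0-9A-F]{32}", guid_hex) is None:
        raise ValueError("GUID must be exactly 32 hex characters")
    return "B:%d:%s:%s" % (len(guid_hex), guid_hex, dn)


def containers_for(well_known_objects, guid_hex):
    """All DNs registered for one well-known GUID, in attribute order."""
    guid_hex = guid_hex.upper()
    return [dn for g, dn in map(parse_dn_binary, well_known_objects) if g == guid_hex]


def add_computer_container(well_known_objects, ou, base):
    """Mirror the script's 'add: wellKnownObjects' step: append an entry that
    points the computers GUID at OU=<ou>,CN=Computers,<base>. Returns a new list."""
    new_dn = "OU=%s,CN=Computers,%s" % (ou, base)
    return well_known_objects + [build_dn_binary(WKGUID_COMPUTERS, new_dn)]


if __name__ == "__main__":
    base = "DC=single44,DC=intranet"
    # Constructed: the two default entries a domain object carries for these GUIDs.
    wko = [build_dn_binary(WKGUID_COMPUTERS, "CN=Computers," + base),
           build_dn_binary(WKGUID_USERS, "CN=Users," + base)]
    wko = add_computer_container(wko, "school1", base)
    for dn in containers_for(wko, WKGUID_COMPUTERS):
        print("computers GUID ->", dn)
```

Because the script uses `add:` on a multi-valued attribute, `containers_for` lists two DNs for the computers GUID after the change, the original CN=Computers entry and the new OU; checking the resulting attribute on the live sam.ldb (for example with ldbsearch on the base DN) is the sensible follow-up before relying on the new default container.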
Created attachment 9876 [details] skip_DCs_in_samaccountname_ldap_check.patch Ok, this would be a suggestion for Option 3, a patch for univention_samaccountname_ldap_check.c, untested but pair programmed with Jürn :-)
(In reply to Arvid Requate from comment #7)
> Created attachment 9876 [details]
> skip_DCs_in_samaccountname_ldap_check.patch
>
> Ok, this would be a suggestion for Option 3, a patch for
> univention_samaccountname_ldap_check.c, untested but pair programmed with
> Jürn :-)

Please test this code in compiled form :-)

Btw: aren't backups with samba in multiserver environments also affected?
Ok, as discussed, I chose option 4:

452713cd4 | Partial revert of commit 8733b84d1: Don't activate UCRV samba4/ldb/sam/module/prepend="univention_samaccountname_ldap_check" in ucs-school-master and ucs-school-central-slave

Package: ucs-school-metapackage
Version: 12.0.0-48A~4.4.0.201902281618
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Created attachment 9877 [details] skip_DCs_in_samaccountname_ldap_check 2 In case we need option 3, the patch seems to work with same changes.
> 452713cd4 | Partial revert of commit 8733b84d1: Don't activate
> UCRV samba4/ldb/sam/module/prepend="univention_samaccountname_ldap_check"
> in ucs-school-master and ucs-school-central-slave

OK: join of DC backup with samba4 into multiserver environment
> OK: join of DC backup with samba4 into multiserver environment

OK: join of DC backup with samba4 into single server environment
OK: code change
UCS@school 4.4 v1 has been released. https://docs.software-univention.de/release-notes-ucsschool-4.4v1-de.html If this error occurs again, please clone this bug.