Bug 50358 - samba-tool dbcheck issues after installing school slave
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: Samba 4 - Slave PDC
UCS@school 5.0
Other Linux
P5 normal
Assigned To: Samba maintainers
Reported: 2019-10-14 10:53 CEST by Felix Botner
Modified: 2023-04-24 15:29 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.051
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2023042421000204
Bug group (optional):
Max CVSS v3 score:
Description Felix Botner univentionstaff 2019-10-14 10:53:12 CEST
The school installation test (http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-2/job/Installation%20Tests/mode=school/, test/scenarios/install-testing/school.cfg with samba on the master) reveals a samba db problem in the school slave after the installation:

00_checks.81_diagnostic_checks.slave1
 ########################### Start 40_samba_tool_dbcheck ############################
[2019-10-14 02:14:08.502049] ## Check failed: 40_samba_tool_dbcheck - Teste die lokale AD Datenbank auf Fehler ##
[2019-10-14 02:14:08.502080] `samba-tool dbcheck` fand einen Fehler in der lokalen AD Datenbank.
[2019-10-14 02:14:08.502107] STDOUT:
[2019-10-14 02:14:08.502136] Checking 297 objects
[2019-10-14 02:14:08.502188] ERROR: incorrect DN SID component for member in object CN=OUschool1-DC-Edukativnetz,CN=ucsschool,CN=Groups,DC=test,DC=local - <GUID=42a289d3-e330-40ea-96a3-4e23eb80aede>;<RMD_ADDTIME=132154849410000000>;<RMD_CHANGETIME=132154849410000000>;<RMD_FLAGS=0>;<RMD_INVOCID=3b41bcaf-0edb-4c65-a1ec-ea3c8b694964>;<RMD_LOCAL_USN=3945>;<RMD_ORIGINATING_USN=3945>;<RMD_VERSION=1>;<SID=S-1-5-21-788668466-3138991424-4042240873-1000>;CN=SLAVE1,OU=Domain Controllers,DC=test,DC=local
[2019-10-14 02:14:08.502229] Not fixing SID component mismatch
[2019-10-14 02:14:08.502341] ERROR: incorrect DN SID component for member in object CN=DC-Edukativnetz,CN=ucsschool,CN=Groups,DC=test,DC=local - <GUID=42a289d3-e330-40ea-96a3-4e23eb80aede>;<RMD_ADDTIME=132154849400000000>;<RMD_CHANGETIME=132154849400000000>;<RMD_FLAGS=0>;<RMD_INVOCID=3b41bcaf-0edb-4c65-a1ec-ea3c8b694964>;<RMD_LOCAL_USN=3925>;<RMD_ORIGINATING_USN=3925>;<RMD_VERSION=1>;<SID=S-1-5-21-788668466-3138991424-4042240873-1000>;CN=SLAVE1,OU=Domain Controllers,DC=test,DC=local
[2019-10-14 02:14:08.502374] Not fixing SID component mismatch
[2019-10-14 02:14:08.502401] Please use --fix to fix these errors
[2019-10-14 02:14:08.502428] Checked 297 objects (2 errors)
[2019-10-14 02:14:08.502458] Sie können `samba-tool dbcheck --fix` ausführen um die Probleme zu beheben.
[2019-10-14 02:14:08.502488] ############################ End 40_samba_tool_dbcheck #############################
Comment 1 Felix Botner univentionstaff 2019-10-14 10:54:16 CEST
Added a workaround (samba-tool dbcheck --fix --yes) in the school slave.
Comment 2 Arvid Requate univentionstaff 2019-10-14 13:47:03 CEST
To me this looks like under some circumstances the "SID component" of the extended DN of group *member* objects doesn't get updated when the objectSID of the member changed. For example in this case, the machine account of the slave itself is amongst the affected group members:

<SID=S-1-5-21-788668466-3138991424-4042240873-1000>;CN=SLAVE1,OU=Domain Controllers,DC=test,DC=local

That objectSID is the default from Samba's provisioning tool. Later the S4-Connector changes the objectSID of this object to the UDM sambaSID. We should try to reproduce this, it could be either a samba bug or something the S4-Connector doesn't handle correctly.
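
The mismatch described in Comment 2 can be extracted from the dbcheck output mechanically. The following is an added example, not part of the original report and not Samba or UCS code: it parses the ERROR lines quoted in the description, groups the affected links by member, and compares the SID stored in each link with the member's current objectSid. The function names and the `CURRENT_SIDS` value are assumptions made for illustration.

```python
import re

# Constructed sample: the ERROR lines from the log in the description, with the
# RMD_* components trimmed to two per line for readability.
SAMPLE = """\
[2019-10-14 02:14:08.502188] ERROR: incorrect DN SID component for member in object CN=OUschool1-DC-Edukativnetz,CN=ucsschool,CN=Groups,DC=test,DC=local - <GUID=42a289d3-e330-40ea-96a3-4e23eb80aede>;<RMD_FLAGS=0>;<RMD_VERSION=1>;<SID=S-1-5-21-788668466-3138991424-4042240873-1000>;CN=SLAVE1,OU=Domain Controllers,DC=test,DC=local
[2019-10-14 02:14:08.502229] Not fixing SID component mismatch
[2019-10-14 02:14:08.502341] ERROR: incorrect DN SID component for member in object CN=DC-Edukativnetz,CN=ucsschool,CN=Groups,DC=test,DC=local - <GUID=42a289d3-e330-40ea-96a3-4e23eb80aede>;<RMD_FLAGS=0>;<RMD_VERSION=1>;<SID=S-1-5-21-788668466-3138991424-4042240873-1000>;CN=SLAVE1,OU=Domain Controllers,DC=test,DC=local
[2019-10-14 02:14:08.502428] Checked 297 objects (2 errors)
"""
MEMBER_DN = "CN=SLAVE1,OU=Domain Controllers,DC=test,DC=local"
# Assumption: the member's current objectSid as read from the directory.
# Constructed placeholder value, not taken from the bug report.
CURRENT_SIDS = {MEMBER_DN: "S-1-5-21-0-0-0-9999"}

ERR = re.compile(r"ERROR: incorrect DN SID component for (?P<attr>\S+) "
                 r"in object (?P<obj>.+?) - (?P<ext><.*)$")
COMP = re.compile(r"<([A-Z_]+)=([^>]*)>;")  # one <KEY=VALUE>; component


def parse_extended_dn(ext):
    """Split an extended DN into its <KEY=VALUE> components and the plain DN."""
    return dict(COMP.findall(ext)), COMP.sub("", ext)


def stale_links(log_text):
    """Map each reported member DN to its GUID, link SID and affected objects."""
    found = {}
    for line in log_text.splitlines():
        m = ERR.search(line)
        if not m:
            continue  # timestamps, summaries and "Not fixing" lines
        comps, dn = parse_extended_dn(m["ext"])
        entry = found.setdefault(dn, {"guid": comps.get("GUID"),
                                      "link_sid": comps.get("SID"), "objects": []})
        entry["objects"].append(m["obj"])
    return found


def classify(found, current_sids):
    """Compare the SID kept in each link with the member's current objectSid."""
    result = {}
    for dn, entry in found.items():
        current = current_sids.get(dn)
        result[dn] = ("unknown" if current is None
                      else "stale" if current != entry["link_sid"] else "match")
    return result


if __name__ == "__main__":
    links = stale_links(SAMPLE)
    for dn, state in classify(links, CURRENT_SIDS).items():
        print(state, dn, links[dn]["link_sid"], links[dn]["objects"])
```
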
Comment 3 Florian Best univentionstaff 2019-10-14 13:58:15 CEST
Since when does the error occur?
We had some changes lately in the S4-connector and in UDM.
Especially in UDM: Bug #50161:
We now set "sambaPrimaryGroupSID" during the ldap-add operation instead of an ldap-modify operation when creating user objects in UCS.
Comment 4 Arvid Requate univentionstaff 2023-04-24 15:23:52 CEST
Still occurs in UCS@school environments (5.0-3 errata645).