Univention Bugzilla – Bug 50520
Installing a new school slave not possible with samba4 dns/backend on the master
Last modified: 2023-05-08 13:54:04 CEST
Created attachment 10226 [details]
picture1

A customer reported, and I could reproduce, the issue that when he installed a new master (UCS 4.4-2 errata350) with samba4 and UCS@school, he ran into the following problem when he tried to install and join a new school slave.

First you set the DNS server on the slave to the IP of the master → see picture1, and you get "Warnung Unter der Adresse des DNS-Servers konnte kein Dmänencontroller gefunden werden. Die Netzwerkeinstellungen sollten überprüft werden." → picture2

Setting the dns/backend to ldap now, everything goes fine and the next window for system role selection comes up.

-----------------------------------------------------------------------------------------
This is the DNS output from the test environment:

root@master:~# ucr get dns/backend
samba4
-----------------------------------------------------------------------------------------
root@master:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
gc._msdcs.schein.intranet has address 10.200.43.191
_gc._tcp.schein.intranet has SRV record 0 100 3268 master.schein.intranet.
_ldap._tcp.gc._msdcs.schein.intranet has SRV record 0 100 3268 master.schein.intranet.
_ldap._tcp.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_ldap._tcp.dc._msdcs.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_ldap._tcp.pdc._msdcs.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_ldap._tcp.7d1ef4b1-465e-4a86-8c1a-83899826c1be.domains._msdcs.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_kerberos._tcp.dc._msdcs.schein.intranet has SRV record 0 100 88 master.schein.intranet.
_kerberos._tcp.schein.intranet has SRV record 0 100 88 master.schein.intranet.
_kerberos._udp.schein.intranet has SRV record 0 100 88 master.schein.intranet.
_kpasswd._tcp.schein.intranet has SRV record 0 100 464 master.schein.intranet.
_kpasswd._udp.schein.intranet has SRV record 0 100 464 master.schein.intranet.
Located DC 'master' in site 'Default-First-Site-Name'
94e484fa-d14d-4c9b-90c8-93f80d615e2b._msdcs.schein.intranet is an alias for master.schein.intranet.
## Records for site Default-First-Site-Name:
_ldap._tcp.Default-First-Site-Name._sites.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.schein.intranet has SRV record 0 100 88 master.schein.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.schein.intranet has SRV record 0 100 88 master.schein.intranet.
## Optional GC Records for site Default-First-Site-Name:
_gc._tcp.Default-First-Site-Name._sites.schein.intranet has SRV record 0 100 3268 master.schein.intranet.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.schein.intranet has SRV record 0 100 3268 master.schein.intranet.
_kerberos.schein.intranet descriptive text "SCHEIN.INTRANET"
-----------------------------------------------------------------------------------------
root@master:~# dig _ldap._tcp.schein.intranet SRV

; <<>> DiG 9.10.3-P4-Univention <<>> _ldap._tcp.schein.intranet SRV
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15848
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.schein.intranet.    IN  SRV

;; ANSWER SECTION:
_ldap._tcp.schein.intranet. 900 IN  SRV 0 100 389 master.schein.intranet.

;; AUTHORITY SECTION:
schein.intranet.    900 IN  NS  master.schein.intranet.

;; ADDITIONAL SECTION:
master.schein.intranet. 900 IN  A   10.200.43.191

;; Query time: 3 msec
;; SERVER: 10.200.43.191#53(10.200.43.191)
;; WHEN: Tue Nov 19 15:39:57 CET 2019
;; MSG SIZE  rcvd: 127
-----------------------------------------------------------------------------------------
root@master:~# ucr set dns/backend='ldap'
Setting dns/backend
File: /etc/systemd/system/bind9.service.d/10-configure-backend.conf
File: /etc/init.d/bind9
root@master:~# systemctl restart bind9.service nscd.service
root@master:~# dig _ldap._tcp.schein.intranet SRV

; <<>> DiG 9.10.3-P4-Univention <<>> _ldap._tcp.schein.intranet SRV
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9388
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.schein.intranet.    IN  SRV

;; ANSWER SECTION:
_ldap._tcp.schein.intranet. 10800 IN  SRV 0 100 389 master.schein.intranet.

;; AUTHORITY SECTION:
schein.intranet.    10800 IN  NS  master.schein.intranet.

;; ADDITIONAL SECTION:
master.schein.intranet. 80600 IN  A   10.200.43.191

;; Query time: 0 msec
;; SERVER: 10.200.43.191#53(10.200.43.191)
;; WHEN: Tue Nov 19 15:41:18 CET 2019
;; MSG SIZE  rcvd: 127
-----------------------------------------------------------------------------------------
root@master:~# host -al $(dnsdomainname)
Trying "schein.intranet"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62662
;; flags: qr aa ra; QUERY: 1, ANSWER: 28, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;schein.intranet.    IN  AXFR

;; ANSWER SECTION:
schein.intranet. 10800 IN SOA master.schein.intranet. root.schein.intranet. 28 28800 7200 604800 10800
schein.intranet. 10800 IN NS master.schein.intranet.
schein.intranet. 10800 IN A 10.200.43.191
_kerberos.schein.intranet. 80600 IN TXT "SCHEIN.INTRANET"
94e484fa-d14d-4c9b-90c8-93f80d615e2b._msdcs.schein.intranet. 80600 IN CNAME master.schein.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
_kerberos._tcp.dc._msdcs.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_ldap._tcp.dc._msdcs.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
_ldap._tcp.7d1ef4b1-465e-4a86-8c1a-83899826c1be.domains._msdcs.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
gc._msdcs.schein.intranet. 80600 IN A 10.200.43.191
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.schein.intranet. 10800 IN SRV 0 100 3268 master.schein.intranet.
_ldap._tcp.gc._msdcs.schein.intranet. 10800 IN SRV 0 100 3268 master.schein.intranet.
_ldap._tcp.pdc._msdcs.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
_gc._tcp.Default-First-Site-Name._sites.schein.intranet. 10800 IN SRV 0 100 3268 master.schein.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_ldap._tcp.Default-First-Site-Name._sites.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
_domaincontroller_master._tcp.schein.intranet. 10800 IN SRV 0 0 0 master.schein.intranet.
_gc._tcp.schein.intranet. 10800 IN SRV 0 100 3268 master.schein.intranet.
_kerberos._tcp.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_kerberos-adm._tcp.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_kpasswd._tcp.schein.intranet. 10800 IN SRV 0 100 464 master.schein.intranet.
_ldap._tcp.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
_kerberos._udp.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_kpasswd._udp.schein.intranet. 10800 IN SRV 0 100 464 master.schein.intranet.
master.schein.intranet. 80600 IN A 10.200.43.191
ucs-sso.schein.intranet. 80600 IN A 10.200.43.191
schein.intranet. 10800 IN SOA master.schein.intranet. root.schein.intranet. 28 28800 7200 604800 10800

Received 1453 bytes from 10.200.43.191#53 in 7 ms
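The comment above verifies by hand that the master publishes the SRV records a joining system needs (check_essential_samba4_dns_records.sh, dig, and a full AXFR dump via host -al). The following is an added example, not code from this bug report and not Univention's check script: it parses the zone-dump line format shown above and reports which of the essential _ldap/_kerberos/_kpasswd/_gc SRV records for the domain are missing or announce an unexpected port. The record names and ports are those listed in the script output above; the sample zone text is constructed from the bug's dump, and the broken variant is constructed to show what a failed check looks like.

```python
"""Offline check of the DNS SRV records a Samba/AD DC must publish.

Added example for this bug report; it is not Univention's
check_essential_samba4_dns_records.sh. It parses the zone dump that
``host -al <domain>`` prints (or the ANSWER lines of ``dig ... SRV``)
and reports which essential SRV records are missing or wrong.
"""
import re
from typing import Dict, List, Tuple

# Essential SRV owner names below the domain and the port each must
# announce (names and ports as listed in the bug's script output).
ESSENTIAL_SRV: Dict[str, int] = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_ldap._tcp.pdc._msdcs": 389,
    "_ldap._tcp.gc._msdcs": 3268,
    "_gc._tcp": 3268,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

# One zone-dump line: "<name>. <ttl> IN SRV <prio> <weight> <port> <target>."
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\.\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\.$"
)

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)


def parse_srv_records(zone_text: str) -> Dict[str, List[SrvRecord]]:
    """Return {owner name without trailing dot: [SrvRecord, ...]}; other RR types are skipped."""
    records: Dict[str, List[SrvRecord]] = {}
    for line in zone_text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.setdefault(m["name"].lower(), []).append(
                (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"].lower())
            )
    return records


def check_essential_srv(zone_text: str, domain: str) -> Dict[str, str]:
    """Map each essential SRV name to 'ok', 'missing' or 'wrong port ... (expected N)'."""
    records = parse_srv_records(zone_text)
    domain = domain.lower().rstrip(".")
    status: Dict[str, str] = {}
    for prefix, port in ESSENTIAL_SRV.items():
        name = f"{prefix}.{domain}"
        rrs = records.get(name, [])
        if not rrs:
            status[name] = "missing"
        elif not any(rr[2] == port for rr in rrs):
            found = sorted({rr[2] for rr in rrs})
            status[name] = f"wrong port {found} (expected {port})"
        else:
            status[name] = "ok"
    return status


def missing_records(zone_text: str, domain: str) -> List[str]:
    """Sorted names that are not 'ok'; an empty list means the DC is discoverable."""
    return sorted(n for n, s in check_essential_srv(zone_text, domain).items() if s != "ok")


# Constructed sample: the relevant subset of the bug's ``host -al schein.intranet`` dump.
ZONE_OK = """\
schein.intranet. 10800 IN SOA master.schein.intranet. root.schein.intranet. 28 28800 7200 604800 10800
schein.intranet. 10800 IN NS master.schein.intranet.
_kerberos.schein.intranet. 80600 IN TXT "SCHEIN.INTRANET"
_ldap._tcp.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
_ldap._tcp.dc._msdcs.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
_ldap._tcp.pdc._msdcs.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
_ldap._tcp.gc._msdcs.schein.intranet. 10800 IN SRV 0 100 3268 master.schein.intranet.
_gc._tcp.schein.intranet. 10800 IN SRV 0 100 3268 master.schein.intranet.
_kerberos._tcp.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_kerberos._udp.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_kerberos._tcp.dc._msdcs.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_kpasswd._tcp.schein.intranet. 10800 IN SRV 0 100 464 master.schein.intranet.
_kpasswd._udp.schein.intranet. 10800 IN SRV 0 100 464 master.schein.intranet.
master.schein.intranet. 80600 IN A 10.200.43.191
"""

# Constructed broken variant: _kpasswd._udp dropped and _gc._tcp pointed at port 389.
ZONE_BROKEN = ZONE_OK.replace(
    "_kpasswd._udp.schein.intranet. 10800 IN SRV 0 100 464 master.schein.intranet.\n", ""
).replace(
    "_gc._tcp.schein.intranet. 10800 IN SRV 0 100 3268",
    "_gc._tcp.schein.intranet. 10800 IN SRV 0 100 389",
)

if __name__ == "__main__":
    for label, zone in (("ok", ZONE_OK), ("broken", ZONE_BROKEN)):
        print(f"{label}: missing or wrong -> {missing_records(zone, 'schein.intranet')}")
```

On a real master the output of `host -al $(dnsdomainname)` can be passed to `check_essential_srv` unchanged; the regex only keys on SRV lines, so SOA, NS, A, CNAME and TXT records in the dump are ignored. A non-empty result is the condition under which the system-setup warning in the report ("kein Domänencontroller gefunden") is to be expected.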
Created attachment 10227 [details] picture2
Created attachment 10228 [details]
join.log from my fresh master

Additional: and maybe the root cause on (just) my machine? My freshly installed master shows missing joinscripts:

root@master:~# univention-app info
UCS: 4.4-2 errata350
Installed: samba4=4.10 ucsschool=4.4 v4
Upgradable:

root@master:~# univention-check-join-status
Warning: 'univention-samba4-dns' is not configured.
Warning: 'univention-samba4-saml-kerberos' is not configured.
Error: Not all install files configured: 2 missing

root@master:~# date
Di 19. Nov 16:06:54 CET 2019

I attached my join.log.
The customer has a successfully joined master and still has the problem, but in my environment the problem is gone after the joinscripts finally ran.
> In my test environment I first installed @school and samba4 afterwards.

That should work since Bug 43478 was fixed. But IIRC it still requires a univention-run-join-scripts after installing, otherwise the 98univention-samba4-dns.inst joinscript has not run (due to <reasons>).

To answer the question at the ticket regarding the recommended value of the UCR variable dns/backend: On UCS servers that are Samba/AD DCs it is "samba4" by default and that should not be changed, because that's required to allow Windows clients to update their DNS records via DDNS/Kerberos. On UCS servers that are not Samba/AD DCs it needs to be "ldap".

Generally I'm not sure how to rate this bug report, because dns/backend=samba4 is actually the default on UCS servers with Samba/AD and that works.
I am not sure which additional info is/was needed here. I do not remember this issue, and it does not occur again. So this seems not to be a general problem, if this is not reported again.
(In reply to Christina Scheinig from comment #6)
> I am not sure which additional info is/was needed here. I do not remember
> this issue, and it does not occur again. So this seems not to be a general
> problem, if this is not reported again.

As this last comment is already some years old, there were no additional reports, the initial problem was solved and we were unable to reproduce it, I will close this bug. I give it a WONTFIX because actually `ldap` as DNS backend is unsupported in UCS@school nowadays, at least.