Bug 50520 - Installing a new school slave not possible with samba4 dns/backend on the master
Status: CLOSED WONTFIX
Product: UCS@school
Classification: Unclassified
Component: General
UCS@school 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS@school maintainers
:
Depends on:
Blocks:
Reported: 2019-11-20 10:45 CET by Christina Scheinig
Modified: 2023-05-08 13:54 CEST (History)
3 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019111921000674
Bug group (optional):
Max CVSS v3 score:


Attachments
picture1 (43.31 KB, image/png), 2019-11-20 10:45 CET, Christina Scheinig
picture2 (49.23 KB, image/png), 2019-11-20 10:45 CET, Christina Scheinig
join.log from my fresh master (74.55 KB, text/x-log), 2019-11-20 10:59 CET, Christina Scheinig

Description Christina Scheinig univentionstaff 2019-11-20 10:45:13 CET
Created attachment 10226 [details]
picture1

A customer reported, and I could reproduce, the issue that when he installed a new master UCS 4.4-2 errata350 with Samba4 and UCS@school, he ran into the following problem when he tried to install and join a new school slave.

First you set the DNS server on the slave to the IP of the master → see picture1
and you get

"Warnung
Unter der Adresse des DNS-Servers konnte kein Domänencontroller gefunden werden. Die Netzwerkeinstellungen sollten überprüft werden."
→ picture2

Setting dns/backend to ldap now, everything goes fine and the next window for system role selection comes up.

-----------------------------------------------------------------------------------------

This is the DNS output from testenvironment:
root@master:~# ucr get dns/backend 
samba4
-----------------------------------------------------------------------------------------
root@master:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh 
gc._msdcs.schein.intranet has address 10.200.43.191
_gc._tcp.schein.intranet has SRV record 0 100 3268 master.schein.intranet.
_ldap._tcp.gc._msdcs.schein.intranet has SRV record 0 100 3268 master.schein.intranet.
_ldap._tcp.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_ldap._tcp.dc._msdcs.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_ldap._tcp.pdc._msdcs.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_ldap._tcp.7d1ef4b1-465e-4a86-8c1a-83899826c1be.domains._msdcs.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_kerberos._tcp.dc._msdcs.schein.intranet has SRV record 0 100 88 master.schein.intranet.
_kerberos._tcp.schein.intranet has SRV record 0 100 88 master.schein.intranet.
_kerberos._udp.schein.intranet has SRV record 0 100 88 master.schein.intranet.
_kpasswd._tcp.schein.intranet has SRV record 0 100 464 master.schein.intranet.
_kpasswd._udp.schein.intranet has SRV record 0 100 464 master.schein.intranet.
Located DC 'master' in site 'Default-First-Site-Name'
94e484fa-d14d-4c9b-90c8-93f80d615e2b._msdcs.schein.intranet is an alias for master.schein.intranet.
## Records for site Default-First-Site-Name:
_ldap._tcp.Default-First-Site-Name._sites.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.schein.intranet has SRV record 0 100 389 master.schein.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.schein.intranet has SRV record 0 100 88 master.schein.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.schein.intranet has SRV record 0 100 88 master.schein.intranet.
## Optional GC Records for site Default-First-Site-Name:
_gc._tcp.Default-First-Site-Name._sites.schein.intranet has SRV record 0 100 3268 master.schein.intranet.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.schein.intranet has SRV record 0 100 3268 master.schein.intranet.
_kerberos.schein.intranet descriptive text "SCHEIN.INTRANET"

-----------------------------------------------------------------------------------------
root@master:~# dig _ldap._tcp.schein.intranet SRV

; <<>> DiG 9.10.3-P4-Univention <<>> _ldap._tcp.schein.intranet SRV
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15848
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.schein.intranet.	IN	SRV

;; ANSWER SECTION:
_ldap._tcp.schein.intranet. 900	IN	SRV	0 100 389 master.schein.intranet.

;; AUTHORITY SECTION:
schein.intranet.	900	IN	NS	master.schein.intranet.

;; ADDITIONAL SECTION:
master.schein.intranet.	900	IN	A	10.200.43.191

;; Query time: 3 msec
;; SERVER: 10.200.43.191#53(10.200.43.191)
;; WHEN: Tue Nov 19 15:39:57 CET 2019
;; MSG SIZE  rcvd: 127

-----------------------------------------------------------------------------------------
root@master:~# ucr set dns/backend='ldap' 
Setting dns/backend
File: /etc/systemd/system/bind9.service.d/10-configure-backend.conf
File: /etc/init.d/bind9
root@master:~# systemctl restart bind9.service  nscd.service
root@master:~# dig _ldap._tcp.schein.intranet SRV

; <<>> DiG 9.10.3-P4-Univention <<>> _ldap._tcp.schein.intranet SRV
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9388
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.schein.intranet.	IN	SRV

;; ANSWER SECTION:
_ldap._tcp.schein.intranet. 10800 IN	SRV	0 100 389 master.schein.intranet.

;; AUTHORITY SECTION:
schein.intranet.	10800	IN	NS	master.schein.intranet.

;; ADDITIONAL SECTION:
master.schein.intranet.	80600	IN	A	10.200.43.191

;; Query time: 0 msec
;; SERVER: 10.200.43.191#53(10.200.43.191)
;; WHEN: Tue Nov 19 15:41:18 CET 2019
;; MSG SIZE  rcvd: 127

-----------------------------------------------------------------------------------------
root@master:~# host -al $(dnsdomainname)
Trying "schein.intranet"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62662
;; flags: qr aa ra; QUERY: 1, ANSWER: 28, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;schein.intranet.		IN	AXFR

;; ANSWER SECTION:
schein.intranet.	10800	IN	SOA	master.schein.intranet. root.schein.intranet. 28 28800 7200 604800 10800
schein.intranet.	10800	IN	NS	master.schein.intranet.
schein.intranet.	10800	IN	A	10.200.43.191
_kerberos.schein.intranet. 80600 IN	TXT	"SCHEIN.INTRANET"
94e484fa-d14d-4c9b-90c8-93f80d615e2b._msdcs.schein.intranet. 80600 IN CNAME master.schein.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
_kerberos._tcp.dc._msdcs.schein.intranet. 10800	IN SRV 0 100 88 master.schein.intranet.
_ldap._tcp.dc._msdcs.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
_ldap._tcp.7d1ef4b1-465e-4a86-8c1a-83899826c1be.domains._msdcs.schein.intranet.	10800 IN SRV 0 100 389 master.schein.intranet.
gc._msdcs.schein.intranet. 80600 IN	A	10.200.43.191
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.schein.intranet. 10800 IN SRV 0 100 3268 master.schein.intranet.
_ldap._tcp.gc._msdcs.schein.intranet. 10800 IN SRV 0 100 3268 master.schein.intranet.
_ldap._tcp.pdc._msdcs.schein.intranet. 10800 IN	SRV 0 100 389 master.schein.intranet.
_gc._tcp.Default-First-Site-Name._sites.schein.intranet. 10800 IN SRV 0 100 3268 master.schein.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.schein.intranet. 10800 IN	SRV 0 100 88 master.schein.intranet.
_ldap._tcp.Default-First-Site-Name._sites.schein.intranet. 10800 IN SRV	0 100 389 master.schein.intranet.
_domaincontroller_master._tcp.schein.intranet. 10800 IN	SRV 0 0 0 master.schein.intranet.
_gc._tcp.schein.intranet. 10800	IN	SRV	0 100 3268 master.schein.intranet.
_kerberos._tcp.schein.intranet.	10800 IN SRV	0 100 88 master.schein.intranet.
_kerberos-adm._tcp.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_kpasswd._tcp.schein.intranet. 10800 IN	SRV	0 100 464 master.schein.intranet.
_ldap._tcp.schein.intranet. 10800 IN	SRV	0 100 389 master.schein.intranet.
_kerberos._udp.schein.intranet.	10800 IN SRV	0 100 88 master.schein.intranet.
_kpasswd._udp.schein.intranet. 10800 IN	SRV	0 100 464 master.schein.intranet.
master.schein.intranet.	80600	IN	A	10.200.43.191
ucs-sso.schein.intranet. 80600	IN	A	10.200.43.191
schein.intranet.	10800	IN	SOA	master.schein.intranet. root.schein.intranet. 28 28800 7200 604800 10800

Received 1453 bytes from 10.200.43.191#53 in 7 ms
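The warning in picture2 says that no domain controller could be found at the DNS server address the slave was given. As an added diagnostic that is not part of this report or of UCS, the following parses a zone dump in the format of the `host -al` output above and checks that the SRV records a joining system depends on exist and point at a host with an A record; treating `_domaincontroller_master._tcp` as the record through which the master is located is an assumption taken from the dump, not from UCS code.

```python
import re

# Constructed sample: a subset of the `host -al schein.intranet` zone dump
# from the report, with the record whitespace collapsed to single spaces.
ZONE_DUMP = """\
schein.intranet. 10800 IN NS master.schein.intranet.
_kerberos._tcp.schein.intranet. 10800 IN SRV 0 100 88 master.schein.intranet.
_kpasswd._tcp.schein.intranet. 10800 IN SRV 0 100 464 master.schein.intranet.
_ldap._tcp.schein.intranet. 10800 IN SRV 0 100 389 master.schein.intranet.
_domaincontroller_master._tcp.schein.intranet. 10800 IN SRV 0 0 0 master.schein.intranet.
master.schein.intranet. 80600 IN A 10.200.43.191
"""

# SRV records a joining UCS system needs to find its master (assumption taken
# from the dump above: `_domaincontroller_master._tcp` names the master, the
# others are the LDAP/Kerberos services the join talks to).
REQUIRED_SRV = ("_domaincontroller_master._tcp", "_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp")

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)\s*$")
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)\s*$")


def parse_zone(text):
    """Collect SRV (name -> list of (port, target)) and A (name -> address) records."""
    srv, addr = {}, {}
    for line in text.splitlines():
        m = SRV_RE.match(line)
        if m:
            srv.setdefault(m.group(1).lower(), []).append((int(m.group(2)), m.group(3).lower()))
            continue
        m = A_RE.match(line)
        if m:
            addr[m.group(1).lower()] = m.group(2)
    return srv, addr


def check_join_records(text, domain):
    """Return a list of problems; an empty list means every required SRV record
    exists and points at a host the zone can resolve to an address."""
    srv, addr = parse_zone(text)
    problems = []
    for prefix in REQUIRED_SRV:
        name = "%s.%s." % (prefix, domain)
        if name not in srv:
            problems.append("missing SRV %s" % name)
            continue
        for _port, target in srv[name]:
            if target not in addr:
                problems.append("%s points at %s, which has no A record" % (name, target))
    return problems
```

Feeding it the zone served while dns/backend was still samba4 (for example `host -al` against the master before the switch) shows directly which of these records the installer on the slave cannot find.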
Comment 1 Christina Scheinig univentionstaff 2019-11-20 10:45:51 CET
Created attachment 10227 [details]
picture2
Comment 2 Christina Scheinig univentionstaff 2019-11-20 10:59:21 CET
Created attachment 10228 [details]
join.log from my fresh master

Additionally:
and maybe this is the root cause on (just) my machine?
My freshly installed master shows missing join scripts:

root@master:~# univention-app info
UCS: 4.4-2 errata350
Installed: samba4=4.10 ucsschool=4.4 v4
Upgradable: 
root@master:~# univention-check-join-status 
Warning: 'univention-samba4-dns' is not configured.
Warning: 'univention-samba4-saml-kerberos' is not configured.
Error: Not all install files configured: 2 missing

root@master:~# date
Di 19. Nov 16:06:54 CET 2019

I attached my join.log.
Comment 3 Christina Scheinig univentionstaff 2019-11-20 11:11:27 CET
The customer has a successfully joined master and still has the problem, but in my environment the problem is gone after the join scripts finally ran.
Comment 5 Arvid Requate univentionstaff 2019-12-16 22:14:20 CET
> In my test environment I first installed @school and samba4 afterwards.

That should work since Bug 43478 was fixed. But IIRC it still requires a univention-run-join-scripts after installing, otherwise the 98univention-samba4-dns.inst Joinscript has not run (due to <reasons>).

To answer the question at the ticket regarding the recommended value of the UCR variable dns/backend: On UCS servers that are Samba/AD DCs it is "samba4" by default and that should not be changed, because that is required to allow Windows clients to update their DNS records via DDNS/Kerberos. On UCS servers that are not Samba/AD DCs it needs to be "ldap".

Generally I'm not sure how to rate this bug report, because dns/backend=samba4 is actually the default on UCS Servers with Samba/AD and that works.
Comment 6 Christina Scheinig univentionstaff 2020-10-29 11:58:43 CET
I am not sure which additional info is/was needed here. I do not remember this issue, and it did not occur again. So this seems not to be a general problem, if it is not reported again.
Comment 7 Jan-Luca Kiok univentionstaff 2023-05-08 13:53:40 CEST
(In reply to Christina Scheinig from comment #6)
> I am not sure, which additional info is/was needed here. I do not remember
> this issue, and it does not occur again. So this seems not to be a general
> problem, if this is not reported again.

As this last comment is already some years old, there were no additional reports, the initial problem was solved and we were unable to reproduce it, I will close this bug.

I give it a WONTFIX because `ldap` as the DNS backend is actually unsupported in UCS@school nowadays, at least.