Bug 51806 - AD Member Mode: sambaJoinScriptFailed (wait for well known sid objects not correct?)
Status: NEW
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.4
Other Linux
P5 normal
Assigned To: Samba maintainers
Depends on:
Blocks:
Reported: 2020-08-11 14:27 CEST by Felix Botner
Modified: 2020-08-11 14:30 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
listener.log (58.14 KB, text/x-log), 2020-08-11 14:29 CEST, Felix Botner
notifier.log (311 bytes, text/x-log), 2020-08-11 14:29 CEST, Felix Botner
setup.log (327.12 KB, text/x-log), 2020-08-11 14:30 CEST, Felix Botner

Description Felix Botner univentionstaff 2020-08-11 14:27:57 CEST
UCS appliance joins as member into a w2k12 German AD. The admin account is Administrator2, and the domain admins group in AD is Domänen-Admins.

11.08.20 06:56:03.443  MODULE      ( PROCESS ) : Running samba join script
...
Stopping winbind (via systemctl): winbind.service.
Create samba/user
Create samba/user/pwdfile
Multifile: /etc/samba/smb.conf
Setting stored password for "cn=ucs,cn=dc,cn=computers,dc=admember,dc=local" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Stopping smbd (via systemctl): smbd.service.
Stopping nmbd (via systemctl): nmbd.service.
Starting nmbd (via systemctl): nmbd.service.
Starting smbd (via systemctl): smbd.service.
Permission denied.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/setup/setup_script.py", line 313, in run
    success = self.inner_run()
  File "/usr/lib/univention-system-setup/scripts/90_postjoin/10admember", line 119, in inner_run
    admember.run_samba_join_script(username, password)
  File "/usr/lib/python2.7/dist-packages/univention/lib/admember.py", line 1266, in run_samba_join_script
    raise sambaJoinScriptFailed()
sambaJoinScriptFailed

My assumption is that the "Permission denied." is from a udm call.


listener.log
 11.08.20 06:56:22.463  LISTENER    ( PROCESS ) : updating 'cn=Domain Admins,cn=groups,dc=admember,dc=local' command r
 11.08.20 06:56:22.463  LISTENER    ( PROCESS ) : updating 'cn=Domänen-Admins,cn=groups,dc=admember,dc=local' command a
 11.08.20 06:56:22.465  LISTENER    ( PROCESS ) : well-known-sid-name-mapping: ucr set groups/default/domainadmins=Domänen-Admins
 11.08.20 06:56:26.632  LISTENER    ( PROCESS ) : updating 'cn=Domänen-Admins,cn=groups,dc=admember,dc=local' command m
 11.08.20 06:56:26.634  LISTENER    ( PROCESS ) : updating 'cn=Domain Guests,cn=groups,dc=admember,dc=local' command r
 ...
 11.08.20 06:57:09.241  LISTENER    ( ERROR   ) : well-known-sid-name-mapping.d/univention-ldap-server.py: postrun: Restarting slapd (via systemctl): slapd.service.


So up until 06:57:09.241, when the ldap server is restarted with the new ACLs, the univention-samba join script cannot run.

The order in scripts/90_postjoin/10admember seems to be correct:

 _progress(70, _('Renaming well known SID objects...'))
 admember.rename_well_known_sid_objects(username, password)

 _progress(75, _('Configuring Administrator account...'))
 admember.prepare_administrator(username, password)

 _progress(80, _('Running Samba join script...'))
 admember.run_samba_join_script(username, password)

But the actual join happened before the ldap server restart:

 11.08.20 06:55:48.017  MODULE      ( PROCESS ) : Create connector/ad/mapping/group/table/Printer-Admins
 Unsetting connector/ad/mapping/group/language
 Process: Renaming 'cn=Domain Users,cn=groups,dc=admember,dc=local' to 'Domänen-Benutzer' in UCS LDAP.
 Process: Modifying 'cn=default,cn=univention,dc=admember,dc=local' in UCS LDAP.
 Process: Renaming 'cn=Domain Admins,cn=groups,dc=admember,dc=local' to 'Domänen-Admins' in UCS LDAP.
 Process: Renaming 'cn=Domain Guests,cn=groups,dc=admember,dc=local' to 'Domänen-Gäste' in UCS LDAP.
 Process: Renaming 'uid=Administrator,cn=users,dc=admember,dc=local' to 'Administrator2' in UCS LDAP.
 11.08.20 06:55:48.018  MODULE      ( INFO    ) : Waiting for well-known-sid-name-mapping listener to map Domain Admins
 __STEP__:75
 __MSG__:Configuring Administrator account...
 11.08.20 06:56:03.139  MODULE      ( PROCESS ) : Prepare administrator account
 __STEP__:80
 __MSG__:Running Samba join script...
 11.08.20 06:56:03.443  MODULE      ( PROCESS ) : Running samba join script
 11.08.20 06:56:34.069  MODULE      ( PROCESS ) : 2020-08-11 06:56:03.593354121-04:00 (in joinscript_init)
 Create samba/role
 Multifile: /etc/samba/smb.conf
 INFO: ad/member is true, will join as memberserver into an AD domain
 Create samba/domain/security
 Multifile: /etc/samba/smb.conf
 Create samba4/ntacl/backend
 File: /etc/samba/base.conf
 Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.
 Setting samba/share/home
 File: /etc/samba/base.conf
 Multifile: /etc/samba/smb.conf
 No handlers could be found for logger "univention.service_info"
 Setting samba/autostart
 Module: autostart
 Multifile: /etc/samba/smb.conf
 Not updating samba/autostart
 Stopping nfs-kernel-server (via systemctl): nfs-kernel-server.serviceWarning: nfs-kernel-server.service changed on disk. Run 'systemctl daemon-reload' to reload units.
 .
 Stopping winbind (via systemctl): winbind.service.
 Create samba/user
 Create samba/user/pwdfile
 Multifile: /etc/samba/smb.conf
 Setting stored password for "cn=ucs,cn=dc,cn=computers,dc=admember,dc=local" in secrets.tdb
 setting idmap secret for '*' from /etc/machine.secret
 Secret stored
 Stopping smbd (via systemctl): smbd.service.
 Stopping nmbd (via systemctl): nmbd.service.
 Starting nmbd (via systemctl): nmbd.service.
 Starting smbd (via systemctl): smbd.service.
 Permission denied.
 11.08.20 06:56:34.069  MODULE      ( ERROR   ) : 26univention-samba.inst failed with 3

=> 06:56:34.069 26univention-samba.inst failed
=> 06:57:09.241  LISTENER    ( ERROR   ) : well-known-sid-name-mapping.d/univention-ldap-server.py: postrun: Restarting slapd (via systemctl): slapd.service.


There is code in rename_well_known_sid_objects (univention-lib/python/admember.py) to wait for the replication, maybe we are missing something there.

Seen only once in our app appliance tests.
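As an added diagnostic (not code from this report or from UCS itself), the Python 3 script below parses the UCS log line layout shown above and checks whether the Samba join script started only after the well-known-sid-name-mapping postrun had restarted slapd, i.e. whether the race described here occurred. The sample lines are constructed from the setup.log and listener.log excerpts in this report; the marker strings and function names are my assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines, trimmed from the setup.log / listener.log excerpts in this report.
SETUP_LOG = """\
11.08.20 06:55:48.018  MODULE      ( INFO    ) : Waiting for well-known-sid-name-mapping listener to map Domain Admins
11.08.20 06:56:03.443  MODULE      ( PROCESS ) : Running samba join script
Permission denied.
11.08.20 06:56:34.069  MODULE      ( ERROR   ) : 26univention-samba.inst failed with 3
"""
LISTENER_LOG = """\
11.08.20 06:56:22.465  LISTENER    ( PROCESS ) : well-known-sid-name-mapping: ucr set groups/default/domainadmins=Domänen-Admins
11.08.20 06:57:09.241  LISTENER    ( ERROR   ) : well-known-sid-name-mapping.d/univention-ldap-server.py: postrun: Restarting slapd (via systemctl): slapd.service.
"""

# UCS log line layout: "DD.MM.YY HH:MM:SS.mmm  COMPONENT  ( LEVEL ) : message"
LINE_RE = re.compile(r'^(\d\d\.\d\d\.\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\w+)\s+\(\s*(\w+)\s*\)\s*:\s*(.*)$')


def parse_log(text):
    """Return (timestamp, component, level, message) tuples; untimestamped continuation lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), '%d.%m.%y %H:%M:%S.%f')
            entries.append((ts, m.group(2), m.group(3), m.group(4)))
    return entries


def first_event(entries, needle):
    """Timestamp of the first entry whose message contains needle, or None."""
    for ts, _component, _level, message in entries:
        if needle in message:
            return ts
    return None


def check_join_ordering(setup_text, listener_text):
    """Flag the race from the report: the Samba join script must start only after
    the well-known-sid-name-mapping postrun has restarted slapd with the new ACLs."""
    join_start = first_event(parse_log(setup_text), 'Running samba join script')
    slapd_restart = first_event(parse_log(listener_text), 'postrun: Restarting slapd')
    if join_start is None or slapd_restart is None:
        return {'ok': False, 'reason': 'marker line missing'}
    gap = (slapd_restart - join_start).total_seconds()
    return {'ok': join_start > slapd_restart, 'gap_seconds': gap}


if __name__ == '__main__':
    print(check_join_ordering(SETUP_LOG, LISTENER_LOG))
```

On the excerpts from this report the check fails with a gap of about 65.8 seconds, matching the ordering described above.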
Comment 1 Felix Botner univentionstaff 2020-08-11 14:29:40 CEST
Created attachment 10457: listener.log
Comment 2 Felix Botner univentionstaff 2020-08-11 14:29:54 CEST
Created attachment 10458: notifier.log
Comment 3 Felix Botner univentionstaff 2020-08-11 14:30:13 CEST
Created attachment 10459: setup.log