Description Michael Grandjean 2020-08-18 17:10:26 CEST

# univention-app info
UCS: 4.4-5 errata710
Installed: samba4=4.10 self-service=4.0 self-service-backend=4.0 ucsschool=4.4 v6
Upgradable:

Scenario:
In "98univention-samba4-dns.inst" we create a SPN account named "dns-hostname$" using the script "create_spn_account.sh". Because the user is created via UDM on the UCS Master, but must be available on the local machine for upcoming steps in the join script, the script waits until it can find the account in the local Samba AD directory:

https://github.com/univention/univention-corporate-server/blob/4.4-5/services/univention-samba4/scripts/create_spn_account.sh#L131

There is a $timeout variable that defaults to "1200" (2 hours). The variable can be changed via "create_spn_account_timeout".

Expected behavior:
I can define "create_spn_account_timeout" prior to the join and this affects the timeout. There are environments where the 2 hours are not enough (see also Bug #47609).

Observed behavior:
"create_spn_account_timeout" does not get evaluated and the joinscript aborts after waiting for 2 hours for the "dns-hostname$" account to be available in the local Samba AD.
As a consequence the whole join aborts. This is especially painful if the join itself takes several hours in larger environments and has to be presumed manually after waiting long enough for the replication and s4-connector to catch up.

Possible solution:
"create_spn_account.sh" could simply do a "eval $(ucr shell create/spn/account/timeout)". This way "create/spn/account/timeout" could be defined via a UCR policy and would be set locally at the beginning of the join and before "98univention-samba4-dns.inst" is called.