Bug 52758 - Backup with samba can not join into single server environment
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-9-errata
Assigned To: Juan Pedro Torres
QA Contact: Arvid Requate
URL: https://git.knut.univention.de/univen...
Depends on: 54736 48815 54712 54768
Blocks:
Reported: 2021-02-08 14:04 CET by Christina Scheinig
Modified: 2022-06-01 16:41 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021020121000442, 2021041821000345, 2022011421000276
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2021-02-08 14:04:08 CET
This happens again, within UCS 4.4-7 Singleschool Environment, when a backup tries to join.

  ldb: univention_samaccountname_ldap_check: calling ucs-school-create_windows_computer
  
Traceback (most recent call last):
  File "/usr/sbin/ucs-school-create_windows_computer", line 80, in <module>
    main()
  File "/usr/sbin/ucs-school-create_windows_computer", line 63, in main
    result = client.umc_command(args.command, options).result
  File "/usr/lib/python2.7/dist-packages/univention/lib/umc.py", line 444, in umc_command
    return self.request('POST', 'command/%s' % (path,), data, headers)
  File "/usr/lib/python2.7/dist-packages/univention/lib/umc.py", line 524, in request
    return self.send(request)
  File "/usr/lib/python2.7/dist-packages/univention/lib/umc.py", line 553, in send
    raise HTTPError(request, response, self.hostname)
univention.lib.umc.HTTPError: 591 on server.fwse-cloud.de (command/selectiveudm/create_windows_computer): {u'status': 591, u'message': u'Interner Server-Fehler in "selectiveudm/create_windows_computer".', u'location': u'https://server.fwse-cloud.de/univention/command'}
Interner Server-Fehler in "selectiveudm/create_windows_computer".
Request: selectiveudm/create_windows_computer

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 359, in __error_handling
    six.reraise(etype, exc, etraceback)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/base.py", line 262, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/management/console/modules/decorators.py", line 181, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/ucsschool/lib/school_umc_ldap_connection.py", line 140, in wrapper_func
    return func(*args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/selective-udm/__init__.py", line 127, in create_windows_computer
    computer_dn = computer.create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1241, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/computers/windows.py", line 286, in _ldap_modlist
    return super(object, self)._ldap_modlist()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/computers/__base.py", line 237, in _ldap_modlist
    raise univention.admin.uexceptions.uidAlreadyUsed(': %s' % requested_uid)
uidAlreadyUsed: : SRV02$
[2021/02/03 10:31:07.753188,  1, pid=29408] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: univention_samaccountname_ldap_check: unknown error code from ucs-school-create_windows_computer: 1


+++ This bug was initially created as a clone of Bug #48815 +++

Backup with samba can not join into single server environment


Join against S4 Connector server: master
Forest           : single44.intranet
Domain           : single44.intranet
Netbios domain   : SINGLE44
DC name          : master.single44.intranet
DC netbios name  : MASTER
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
INFO 2019-02-27 20:53:25,351 pid:10266 /usr/lib/python2.7/dist-packages/samba/join.py #1519: workgroup is SINGLE44
INFO 2019-02-27 20:53:25,352 pid:10266 /usr/lib/python2.7/dist-packages/samba/join.py #1522: realm is single44.intranet
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <00002035: ldb_request: Unwilling to perform (53)> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 184, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 641, in join_add_objects
    ctx.samdb.add(rec, controls=controls)
Adding CN=BACKUP,OU=Domain Controllers,DC=single44,DC=intranet
Join failed - cleaning up
Failed to join against the S4 Connector server master.
Make sure the server is online or if this server is no longer in use,
please completely remove the server object from the domain.
Forest           : single44.intranet
Domain           : single44.intranet
Netbios domain   : SINGLE44
DC name          : master.single44.intranet
DC netbios name  : MASTER
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
INFO 2019-02-27 20:53:29,219 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #103: Finding a writeable DC for domain 'single44.intranet'
INFO 2019-02-27 20:53:29,227 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #105: Found DC master.single44.intranet
INFO 2019-02-27 20:53:29,503 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #1519: workgroup is SINGLE44
INFO 2019-02-27 20:53:29,503 pid:10274 /usr/lib/python2.7/dist-packages/samba/join.py #1522: realm is single44.intranet
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <00002035: ldb_request: Unwilling to perform (53)> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 184, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 699, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1535, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1427, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 641, in join_add_objects
    ctx.samdb.add(rec, controls=controls)
Adding CN=BACKUP,OU=Domain Controllers,DC=single44,DC=intranet
Join failed - cleaning up
Failed to join the domain single44.intranet.
Make sure the server is online or if this server is no longer in use,
please completely remove the server object from the domain.
Comment 1 Arvid Requate univentionstaff 2021-02-08 15:37:14 CET
As noted at Bug 48815 Comment 5, we use the univention_samaccountname_ldap_check LDB module in ucs-school-singlemaster to work around Bug 31443.

Bug 48815 Comment 4 explains all alternative approaches to fixing this properly and Bug 48815 Comment 10 has a patch for the LDB module.



Workaround to join a Server in the central school department: Run this on the Primary Directory Node before joining the Backup Directory Node:

/usr/share/univention-samba4/scripts/register_ldb_module.py \
     -H /var/lib/samba/private/sam.ldb \
     --ignore-exists \
     --remove univention_samaccountname_ldap_check
/etc/init.d/samba restart

Then join, and after joining activate the LDB module again:

/usr/share/univention-samba4/scripts/register_ldb_module.py \
     -H /var/lib/samba/private/sam.ldb \
     --prepend univention_samaccountname_ldap_check
/etc/init.d/samba restart
Comment 4 Christina Scheinig univentionstaff 2022-01-20 12:31:07 CET
This is still a problem, because Bug 48815 does not fix the issue on a singleschoolmaster.
The patch proposed in comment 10 could do that.
So the customer still gets this problem with the join of a backup server.

The workaround always has to be done manually, because univention_samaccountname_ldap_check has to be removed and appended again. Otherwise Windows clients would not get their proper position on a singleschool after the backup join.
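
The manual workaround from Comment 1, with the concern from Comment 4 handled, as an added example that is not part of the original comments or of UCS: a wrapper for the Primary Directory Node that registers the LDB module again whether the join succeeds, fails or is interrupted. The script path, options and module name are the ones quoted in Comment 1; the function names, the exit codes and the REGISTER/SAMDB/RESTART overrides are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not UCS code. Script path, options and module name are the
# ones quoted in Comment 1; the function names and the REGISTER/SAMDB/RESTART
# overrides are hypothetical and exist so the logic can be tried with stubs.
REGISTER=${REGISTER:-/usr/share/univention-samba4/scripts/register_ldb_module.py}
SAMDB=${SAMDB:-/var/lib/samba/private/sam.ldb}
RESTART=${RESTART:-/etc/init.d/samba restart}
MODULE=univention_samaccountname_ldap_check

disable_check() {
    "$REGISTER" -H "$SAMDB" --ignore-exists --remove "$MODULE" && $RESTART
}

enable_check() {
    "$REGISTER" -H "$SAMDB" --prepend "$MODULE" && $RESTART
}

# Run "$@" with the module removed. The module is registered again whether the
# command succeeds, fails or is interrupted, so the check is never left off.
# Returns the command's exit status, 3 if the module could not be removed,
# or 2 if registering it again failed.
with_check_disabled() {
    disable_check || { echo "could not remove $MODULE" >&2; return 3; }
    trap 'enable_check; exit 130' INT TERM
    "$@"
    rc=$?
    trap - INT TERM
    enable_check || { echo "WARNING: $MODULE is still disabled" >&2; return 2; }
    return "$rc"
}

# The join itself runs on the Backup Directory Node, so on the Primary the
# wrapped command only waits for the operator to report that it has finished.
wait_for_join() {
    printf 'Join the Backup Directory Node now, then press Enter: '
    read -r reply
}

if [ "${1:-}" = "--run" ]; then
    with_check_disabled wait_for_join
fi
```

Run it with `--run` on the Primary Directory Node; an exit status of 2 means the module still has to be registered by hand.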
Comment 5 Juan Pedro Torres univentionstaff 2022-05-18 10:38:53 CEST
Applied patch suggested in comment 4. 

Package: univention-ldb-modules
Version: 7.0.0-7A~4.4.0.202205181028
Branch: ucs_4.4-0
Scope: errata4.4-9


univention-ldb-modules.yaml
4f2962a1ee11 | Bug #52758: update YAML
1cb8c0453884 | Bug #52758: backup server cannot join single server environment

univention-ldb-modules (7.0.0-7)
1cb8c0453884 | Bug #52758: backup server cannot join single server environment
Comment 6 Arvid Requate univentionstaff 2022-05-18 16:16:13 CEST
Ok I tested on amd64 and the package was not built, because the automatic mechanism
for triggering the amd64 build after the i686 build was inactive (for some reason..).
I've fixed that to be able to test the package update on amd64. I'd recommend to
always check with an amd64 environment if the built package can actually be installed.

Now, while testing I asked myself, if samba needs a restart, and actually it does, and

services/univention-ldb-modules/debian/libunivention-ldb-modules.postinst

contains code for that. But that seems to have a problem:

libunivention-ldb-modules (7.0.0-7A~4.4.0.202205181028) wird eingerichtet ...
invoke-rc.d: syntax error: missing required parameter
[ ok ] Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.

I've searched bugzilla for the error message and found Bug 48823, where we fixed that issue for errata5.0-1.
I guess we need to cherry-pick that patch too for this bug.
Comment 7 Juan Pedro Torres univentionstaff 2022-05-18 18:13:50 CEST
I have created a new merge request after cherry-picking the solution to Bug 48823.
Comment 8 Juan Pedro Torres univentionstaff 2022-05-18 18:59:25 CEST

Package: univention-ldb-modules
Version: 7.0.0-8A~4.4.0.202205181839
Branch: ucs_4.4-0
Scope: errata4.4-9

univention-ldb-modules.yaml
5640e07a115a | Bug #52758: update yaml
2a09138827f5 | Bug #52758: Error message from libunivention-ldb-modules.postinst
bcc5e141d2dc | Bug #52758: Advisory wording
4f2962a1ee11 | Bug #52758: update YAML
1cb8c0453884 | Bug #52758: backup server cannot join single server environment

univention-ldb-modules (7.0.0-8)
2a09138827f5 | Bug #52758: Error message from libunivention-ldb-modules.postinst

univention-ldb-modules (7.0.0-7)
1cb8c0453884 | Bug #52758: backup server cannot join single server environment
Comment 9 Arvid Requate univentionstaff 2022-05-31 16:52:04 CEST
4c8de73208 | Advisory markup (by Philipp)

Verified:
* Package built with adjusted code
* Package update
* Advisory