Univention Bugzilla – Bug 55403
[5.0] Kerberos-based SAML-SSO is not working for Windows clients joined to a UCS@school schoolserver
Last modified: 2022-11-18 11:00:06 CET
Bug #51078 added the samba SPN for the ucs-sso user on schoolservers. This is broken on UCS 5, at least on new installations with UCS 5.0-2e476.

The code in the joinscript ucs-school-metapackage/62ucs-school-replica.inst to add the SPN fails during the initial join. This might be okay, as samba is not provisioned at that time yet, it's done in a later joinscript. But the joinscript must then fail, to be re-executed later. Currently the joinscript completes successfully.

The part in the joinscript not running correctly:

62ucs-school-replica.inst line 168

    if [ $JS_LAST_EXECUTED_VERSION -lt 9 ]; then
        if samba-tool spn list "ucs-sso" | grep -q 'no servicePrincipalName'; then
            samba-tool spn add "HTTP/ucs-sso.$(hostname -d)" "ucs-sso" || die
        fi
    fi

Relevant part from the join.log:

    ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: No such file or directory
    Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
    Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
    ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
      File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib/python3/dist-packages/samba/netcmd/spn.py", line 56, in run
        credentials=creds, lp=lp)
      File "/usr/lib/python3/dist-packages/samba/samdb.py", line 72, in __init__
        options=options)
      File "/usr/lib/python3/dist-packages/samba/__init__.py", line 114, in __init__
        self.connect(url, flags, options)
      File "/usr/lib/python3/dist-packages/samba/samdb.py", line 87, in connect
        options=options)
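
Added example, not part of the bug report and not the UCS@school joinscript: the check above swallows a crashing `samba-tool spn list` because only the exit status of `grep -q` is tested, so the SPN is never added and `die` is never reached. One way to make the check fail closed is sketched below. The names `ensure_sso_spn`, `SAMBA_TOOL`, `FAKE_STATE` and `fake_samba_tool`, the domain `example.test` and the stub's output strings are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the shipped joinscript. On a real school server
# SAMBA_TOOL would be "samba-tool"; the stub lets this run anywhere.
SAMBA_TOOL=fake_samba_tool

# Constructed stand-in for samba-tool; FAKE_STATE picks the scenario and
# the output strings are sample values, not captured from a real system.
fake_samba_tool() {
    case "$FAKE_STATE:$2" in
        unprovisioned:*)
            echo "Unable to open tdb '/var/lib/samba/private/sam.ldb'" >&2
            return 1 ;;
        missing:list) echo "User ucs-sso has no servicePrincipalName" ;;
        missing:add)  ADDED=1 ;;
        present:list) echo "servicePrincipalName: HTTP/ucs-sso.example.test" ;;
    esac
}

# Returns 0 if the SPN exists or was added, 1 if the joinscript has to
# fail so that it is re-executed once Samba is provisioned.
ensure_sso_spn() {
    account=$1
    spn=$2
    # Check the exit status of "spn list" itself. Piped straight into
    # grep -q, a crashing samba-tool is indistinguishable from "SPN present".
    if ! out=$("$SAMBA_TOOL" spn list "$account" 2>&1); then
        echo "spn list failed for $account: $out" >&2
        return 1
    fi
    case "$out" in
        *"no servicePrincipalName"*)
            "$SAMBA_TOOL" spn add "$spn" "$account" || return 1 ;;
    esac
    return 0
}

# Demo over the three constructed scenarios.
for FAKE_STATE in unprovisioned missing present; do
    if ensure_sso_spn ucs-sso "HTTP/ucs-sso.example.test" 2>/dev/null; then
        echo "$FAKE_STATE: ok"
    else
        echo "$FAKE_STATE: fail joinscript, re-run after samba provisioning"
    fi
done
```

In a joinscript the non-zero return would be followed by `|| die`, so the script stays unfinished until sam.ldb exists.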
Maybe see also bug 54038
Created attachment 11009: schoolserver join.log