Bug 57111 – S4connector cannot handle subdomains and produces ._msdcs rejects

Bug 57111 - S4connector cannot handle subdomains and produces ._msdcs rejects


Summary:	S4connector cannot handle subdomains and produces ._msdcs rejects

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	S4 Connector
Version:	UCS 5.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	Samba maintainers
QA Contact:	Samba maintainers

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2024-03-05 14:50 CET by Finn David
Modified:	2024-04-16 11:34 CEST (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.091
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2022111021000237, 2024030421000153, 2024022821000173
Bug group (optional):
Max CVSS v3 score:

Attachments
connector-s4.log (17.74 MB, text/x-log) 2024-03-05 14:50 CET, Finn David	Details
check_essential_samba4_dns_records from primary (3.89 KB, text/x-log) 2024-03-05 14:51 CET, Finn David	Details
check_essential_samba4_dns_records from replica (2.26 KB, text/x-log) 2024-03-05 14:54 CET, Finn David	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Finn David

2024-03-05 14:50:37 CET

Created attachment 11196 [details]
connector-s4.log

Environment:

Primary and replica with UCS 5.0-6 and samba4 installed.
The domain of the primary is: example.com.
The domain of the replica is: subdomain.example.com.


Steps to reproduce:

- Create a DNS zone subdomain.example.com
- Join the replica with: univention-join -dcname primary.example.com
- Join fails because of 92univention-management-console-web-server.inst
--> ucr set umc/saml/idp-server='https://ucs-sso.example.com/simplesamlphp/saml2/idp/metadata.php'
- univention-run-join-scripts


This results in the following rejects after the join:
UCS rejected

    1:   UCS DN: relativeDomainName=0eaabe28-c68a-42d0-839c-d15bf59937c6._msdcs,zoneName=subdomain.samba-test.intranet,cn=dns,dc=samba-test,dc=intranet
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1709568265.483867

    2:   UCS DN: relativeDomainName=_ldap._tcp.dc._msdcs,zoneName=subdomain.samba-test.intranet,cn=dns,dc=samba-test,dc=intranet
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1709568267.768083

    3:   UCS DN: relativeDomainName=_ldap._tcp.09caae8e-984b-407b-88d3-d5a356adc368.domains._msdcs,zoneName=subdomain.samba-test.intranet,cn=dns,dc=samba-test,dc=intranet
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1709568268.774607

    4:   UCS DN: relativeDomainName=_kerberos._tcp.dc._msdcs,zoneName=subdomain.samba-test.intranet,cn=dns,dc=samba-test,dc=intranet
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1709568271.812686

    5:   UCS DN: relativeDomainName=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs,zoneName=subdomain.samba-test.intranet,cn=dns,dc=samba-test,dc=intranet
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1709568275.308666

    6:   UCS DN: relativeDomainName=_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs,zoneName=subdomain.samba-test.intranet,cn=dns,dc=samba-test,dc=intranet
          S4 DN: <not found>
         Filename: /var/lib/univention-connector/s4/1709568277.308242

Comment 1 Finn David

2024-03-05 14:51:19 CET

Created attachment 11197 [details]
check_essential_samba4_dns_records from primary

Comment 2 Finn David

2024-03-05 14:54:29 CET

Created attachment 11198 [details]
check_essential_samba4_dns_records from replica

Comment 3 Arvid Requate

2024-03-11 10:14:38 CET

> The domain of the primary is: example.com.
> The domain of the replica is: subdomain.example.com.

This is out of scope of the UCS domain concept. A replica has to be in the same domain as the primary.

Comment 4 Christina Scheinig

2024-03-13 10:02:38 CET

(In reply to Arvid Requate from comment #3)
> > The domain of the primary is: example.com.
> > The domain of the replica is: subdomain.example.com.
> 
> This is out of scope of the UCS domain concept. A replica has to be in the
> same domain as the primary.

So do we have that in the documentation, that this is not in the domain concept? We have not found it.
And if this is neither documented, nor allowed to do that, we should prevent this.
I also think, that we should point that out, that we do not support that. In a windows AD, it is possible and allowed, to join a subdomain.

Comment 5 Arvid Requate

2024-04-16 11:34:55 CEST

> In a windows AD, it is possible and allowed, to join a subdomain.

In MS that's done by creating a forest (of two domains and a trust config etc between them).

We can make a statement in the documentation about things like these (product is not suitable to do XYZ)
but that list may grow a lot and it's unclear if people would have seen it before trying.
I'll discuss with some documentation specialist about it.