Univention Bugzilla – Full Text Bug Listing

Summary: | Fix misleading error message | | |
---|---|---|---|
Product: | UCS | Reporter: | Janis Meybohm <meybohm> |
Component: | Samba4 | Assignee: | Felix Botner <botner> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | normal | | |
Priority: | P5 | CC: | gohmann, requate, walkenhorst |
Version: | UCS 3.2 | | |
Target Milestone: | UCS 3.2-2-errata | | |
Hardware: | Other | | |
OS: | Linux | | |
Bug Depends on: | 33942 | Bug Blocks: | |

Description
Janis Meybohm
2014-03-31 08:12:11 CEST
Ticket#: 2014011421000077
Ticket#: 2014031921008486
Ticket#: 2014032721004296

The join script tries to join to the domain, if that fails it tries to join to the samba dc's, until the join succeeds. But if the replication during the first join (to the domain) fails with "Failed to apply records" (unique index violation on objectGUID, I create two objects with the same objectSid -> `ldbedit -H /var/lib/samba/private/sam.ldb.d/DC\=W2K12\,DC\=TEST.ldb`) the second join (to the dc) always fails with "Your filesystem or build does not support posix ACLs, which".

After the first join failed samba is in a horrible state and trying to join to another dc's does not help.

(1) We should check if the domain/dc is reachable before join, then join and NOT continue if the join fails. Unfortunately, the return value of "samba-tool domain join" is always 255 in case of an error:

```
-> samba-tool domain join ...; echo $?
raise ProvisioningError("Your filesystem
255
-> samba-tool domain join ...; echo $?
raise Exception("Failed to find a writeable DC for
255
```

But maybe we can check samba-tool domain info before the samba domain join. If that fails, we check the (next) dc. If samba domain join fails, we abort the join script.

```
-> samba-tool domain info w2k12.test; echo $?
...
Client site : Default-First-Site-Name
0
samba-tool domain info master.w2k12.test; echo $?
...
Client site : Default-First-Site-Name
0
-> samba-tool domain info master.w2k12.test; echo $?
ERROR: Invalid IP address 'master.w2k12.test'!
255
-> root@slave:~# samba-tool domain info w2k12.test; echo $?
ERROR: Invalid IP address 'w2k12.test'!
255
```

(2) If we are in this state (raise ProvisioningError("Your filesystem or build does...) a complete rejoin also fails. There is no way to get samba going. I assume we have to cleanup /var/lib/samba somehow. The join script does this, but only if

```
ldbsearch -H /var/lib/samba/private/sam.ldb \
  'samAccountName=slave$' msDS-KeyVersionNumber
```

returns something. In my case I get

```
-> ldbsearch -H /var/lib/samba/private/sam.ldb 'samAccountName=slave$' msDS-KeyVersionNumber
Searching for dsServiceName in rootDSE failed: operations error at ../source4/dsdb/samdb/ldb_modules/rootdse.c:518
Failed to find our own NTDS Settings DN in the ldb!
schema_load_init: no schema head present: (skip schema loading)
module schema_load initialization failed : No such object
module rootdse initialization failed : No such object
module samba_dsdb initialization failed : No such object
Unable to load modules for /var/lib/samba/private/sam.ldb: (null)
Failed to connect to /var/lib/samba/private/sam.ldb - (null)
```

So, no cleanup in this case, and the join fails. If I remove /var/lib/samba/private/* before running the join script, the join succeeds.

```
-> /etc/init.d/samba stop
-> rm -rf /var/lib/samba/private/*
-> /etc/init.d/samba start
```

* added test "samba-tool domain info" before join
* abort if join fails
* always cleanup /var/lib/samba (cleanup_var_lib_samba)

YAML: 2014-06-17-univention-samba4.yaml

Verified:
* Code review Ok
* Rejoin works, machine SID stays the same, "RID Set" stays the same, rIDNextRID is preserved and the re-created dns-account works.
* Advisory Ok
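
The flow this report settles on (probe with `samba-tool domain info`, always clean `/var/lib/samba/private`, join once and abort on failure), as an added example that is not the UCS join script. `SAMBA_TOOL`, `PRIVATE_DIR` and the function names are hypothetical, the `DC` role and `--server` option of `samba-tool domain join` are assumed to fit the setup, and Samba is assumed to be stopped before the cleanup, as in the report.

```shell
#!/bin/sh
# Added example, not the UCS join script. SAMBA_TOOL, PRIVATE_DIR and the
# function names are hypothetical; overriding the variables allows a dry run.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"
PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"

# Print the first candidate that answers "domain info"; return 1 if none does.
# The exit status is the only usable signal here (0 on success, 255 on error).
find_reachable_dc() {
    for candidate in "$@"; do
        if "$SAMBA_TOOL" domain info "$candidate" >/dev/null 2>&1; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Remove leftover state unconditionally instead of gating it on an ldbsearch
# that cannot open a broken sam.ldb. Samba must be stopped by the caller.
cleanup_private_dir() {
    [ -d "$PRIVATE_DIR" ] || return 0
    find "$PRIVATE_DIR" -mindepth 1 -delete
}

# usage: join_domain_once DOMAIN "CANDIDATE ..." [samba-tool join options]
# Returns 0 on success, 1 if the join failed, 2 if nothing was reachable,
# 3 if the cleanup failed. A failed join is final: no further DC is tried.
join_domain_once() {
    [ "$#" -ge 2 ] || return 64
    domain="$1"; candidates="$2"; shift 2
    # Host names contain no spaces, so word splitting is intended here.
    target=$(find_reachable_dc $candidates) || {
        echo "no reachable domain or DC among: $candidates" >&2
        return 2
    }
    cleanup_private_dir || return 3
    # Pin the join to the DC that answered, unless that was the domain itself.
    [ "$target" = "$domain" ] || set -- "$@" --server="$target"
    if ! "$SAMBA_TOOL" domain join "$domain" DC "$@"; then
        echo "join via $target failed, aborting" >&2
        return 1
    fi
}
```

Credentials and any other join options are passed through as the trailing arguments of `join_domain_once`.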