Bug 34754

Summary: dns-service account missing after re-join of DC backup
Product: UCS
Reporter: Arvid Requate <requate>
Component: Samba4
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Stefan Gohmann <gohmann>
Severity: normal
Priority: P5
CC: gohmann, jmm
Version: UCS 3.1
Target Milestone: UCS 3.2-2-errata
Hardware: Other
OS: Linux
Bug Depends on: 32595    
Bug Blocks:    
Attachments: save_and_restore_rid_pool.patch

Description Arvid Requate univentionstaff 2014-05-06 18:19:43 CEST
After re-joining a DC backup no accounts can be created locally any longer.
As a result the join.log shows that the dns-service account is not created.
I guess that DDNS updates will fail in this case. We already had this once, see Bug #28373. I think this is a regression due to the changes of Bug #32595.

join.log:
===================================================================
Configure 96univention-samba4.inst Tue Jan  7 15:02:45 CET 2014
[...]
keeping existing samaccount: CN=BACKUP41,OU=Domain Controllers,DC=ar320i1,DC=qa
Deleted CN=dns-backup41,CN=Users,DC=ar320i1,DC=qa
Deleted CN=2fec9585-e6ce-45da-8c9a-04631eff01d0,CN=NTDS Settings,CN=BACKUP41,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar320i1,DC=qa
Deleted CN=NTDS Settings,CN=BACKUP41,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar320i1,DC=qa
Deleted CN=BACKUP41,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar320i1,DC=qa
Adding CN=BACKUP41,OU=Domain Controllers,DC=ar320i1,DC=qa
Adding CN=BACKUP41,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar320i1,DC=qa
Adding CN=NTDS Settings,CN=BACKUP41,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ar320i1,DC=qa
Adding SPNs to CN=BACKUP41,OU=Domain Controllers,DC=ar320i1,DC=qa
[...]

Configure 98univention-samba4-dns.inst Tue Jan  7 15:03:58 CET 2014
Waiting for RID Pool replication: done.
ERROR(ldb): Failed to add user 'dns-backup41':  - ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=dns-backup41,CN=Users,DC=ar320i1,DC=qa - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=dns-backup41,CN=Users,DC=ar320i1,DC=qa
===================================================================

Looks like the "RID Set" information got lost during rejoin:
===================================================================
dn: CN=dns-backup41\0ADEL:e003cdd0-8023-4709-95d4-36be33390736,CN=Deleted Objects,DC=ar320i1,DC=qa
objectSid: S-1-5-21-2504708665-2173701359-1147132429-1601
sAMAccountName: dns-backup41
===================================================================

The RID Set lost track of the rIDNextRID:
===================================================================
dn: CN=RID Set,CN=BACKUP41,OU=Domain Controllers,DC=ar320i1,DC=qa
objectClass: rIDSet
rIDAllocationPool: 1600-2099
rIDUsedPool: 0
rIDNextRID:  ## this attribute is missing
===================================================================

+++ This bug was initially created as a clone of Bug #32595 +++
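
An added example, not part of the original report or the attached patch: a Python check over ldbsearch-style LDIF that flags the state described above, a RID Set without a usable rIDNextRID while SIDs inside its rIDAllocationPool are already taken. The function names and the "low-high" pool notation (as printed in this report) are assumptions; the sample LDIF is constructed from the values quoted in the description.

```python
import re

# Constructed sample in ldbsearch-style LDIF, built from the values quoted in this report.
SAMPLE_LDIF = """\
dn: CN=RID Set,CN=BACKUP41,OU=Domain Controllers,DC=ar320i1,DC=qa
objectClass: rIDSet
rIDAllocationPool: 1600-2099
rIDUsedPool: 0

dn: CN=dns-backup41\\0ADEL:e003cdd0-8023-4709-95d4-36be33390736,CN=Deleted Objects,DC=ar320i1,DC=qa
objectSid: S-1-5-21-2504708665-2173701359-1147132429-1601
sAMAccountName: dns-backup41
"""

SID_RID = re.compile(r"S-1-\d+(?:-\d+)*-(\d+)$")  # captures the trailing RID of a SID string

def parse_ldif(text):
    """Split LDIF into records of {lowercased attribute: [values]}."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.replace("\n ", "").splitlines():  # unfold continuation lines
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            rec.setdefault(attr.strip().lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def check_rid_set(text):
    """Report a RID Set lacking rIDNextRID and the pool RIDs already bound to a SID."""
    records = parse_ldif(text)
    rid_set = next((r for r in records
                    if "ridset" in (v.lower() for v in r.get("objectclass", []))), None)
    if rid_set is None:
        raise ValueError("no rIDSet object in input")
    # Assumption: the pool is printed as "low-high", as in this report.
    low, high = (int(x) for x in rid_set["ridallocationpool"][0].split("-"))
    # An empty or non-numeric value (e.g. an annotation) counts as missing.
    next_rid = [v for v in rid_set.get("ridnextrid", []) if v.isdigit()]
    used = sorted({int(m.group(1)) for r in records for sid in r.get("objectsid", [])
                   if (m := SID_RID.match(sid)) and low <= int(m.group(1)) <= high})
    return {"pool": (low, high), "next_rid_present": bool(next_rid),
            "rids_in_pool_already_used": used,
            "at_risk": not next_rid and bool(used)}

if __name__ == "__main__":
    print(check_rid_set(SAMPLE_LDIF))
```

The search that feeds this check has to include deleted objects, because the colliding SID in this report belongs to an entry under CN=Deleted Objects.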
Comment 1 Arvid Requate univentionstaff 2014-05-06 18:21:24 CEST
I think we should revert the changes of Bug #32595 and fix the original issue instead:

===============================================================================
ERROR(<type 'exceptions.TypeError'>): uncaught exception - join_DC() got an unexpected keyword argument 'keep_existing'
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 560, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
===============================================================================
Comment 2 Arvid Requate univentionstaff 2014-06-04 12:35:46 CEST
Created attachment 5935
save_and_restore_rid_pool.patch

Patch for the joinscript, taken from the script implemented for Bug 32187.
Comment 3 Arvid Requate univentionstaff 2014-06-04 16:17:43 CEST
Advisory: 2014-05-28-univention-samba4.yaml
Comment 4 Stefan Gohmann univentionstaff 2014-06-05 14:24:18 CEST
Code: OK

YAML: OK

Tests: OK
Comment 5 Moritz Muehlenhoff univentionstaff 2014-06-05 15:33:16 CEST
http://errata.univention.de/ucs/3.2/119.html