Univention Bugzilla – Full Text Bug Listing |
Summary: | AD Member Mode fails if dynamic DNS updates are disabled on Windows DC | ||
---|---|---|---|
Product: | UCS | Reporter: | Michael Grandjean <grandjean> |
Component: | AD Connector | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
Severity: | enhancement | ||
Priority: | P5 | CC: | da, gohmann, requate, walkenhorst |
Version: | UCS 3.2 | ||
Target Milestone: | UCS 4.0-0-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
Attachments: | full log file |
Description
Michael Grandjean
2014-09-10 14:16:47 CEST
Created attachment 6105: full log file
This error also occurred in an environment where "only secure" Updates are allowed.

context: [Ticket#2014111021000654]

(In reply to Dirk Ahrnke from comment #2)
> This error also occurred in an environment where "only secure" Updates are
> allowed.
>
> context: [Ticket#2014111021000654]

Please ignore this comment, though the same error "failedToAddServiceRecordToAD" occurs, the source of the problem in the context of the ticket is most likely different.

Another option would be to

1. Check if the DC(AD) already can resolve _domaincontroller_master._tcp (to allow partners/customers to manually pre-create the record as a workaround): If it's there and points to us then simply continue.
2. Attempt to create the record directly in the AD. We chose the DNS update method because we didn't have to bother with AD-DNS-backend details, but technically it's possible to do that. We only need to find out where the DNS-Zone is located in AD (probably below DC=DomainDnsZones but maybe also in CN=MicrosoftDNS,CN=System), create the object and finally check if it's resolvable via DNS.
3. If both these strategies fail, we could continue the setup nonetheless and just finally show a bold warning to the user saying that this record needs to be created in AD before attempting to join other UCS Systems. AFAIK the SRV record is only required for other UCS systems to join ("somebody" should check..).

Point one of the above three options has been implemented now for errata4.0-0.

Advisory: 2014-12-09-univention-lib.yaml

(In reply to Arvid Requate from comment #4)
> 3. If both these strategies fail, we could continue the setup nonetheless
> and just finally show a bold warning to the user saying that this record
> needs to be created in AD before attempting to join other UCS Systems. AFAIK
> the SRV record is only required for other UCS systems to join ("somebody"
> should check..).

Yes, it is only required for the join.
(In reply to Arvid Requate from comment #5)
> Point one of the above three options has been implemented now for
> errata4.0-0.
>
> Advisory: 2014-12-09-univention-lib.yaml

YAML: OK (small adjustment r57407)

Tests: Fail

System setup shows a message that the setup failed: "failed to add SRV record to 10.201.65.1". I don't know what to do next.

Maybe we could change it in the following way:

- Don't show a setup failure in this case
- Show a notification at the first UMC login that the SRV record is missing
- Link to the SDB article which describes the creation of this SRV record

Ok, adjusted UMC module in univention-ad-connector to show a message.
I guess we can handle this with the same Bug.

Advisory: 2014-12-09-univention-ad-connector.yaml
Dependency: 2014-12-09-univention-lib.yaml

(In reply to Arvid Requate from comment #7)
> Ok, adjusted UMC module in univention-ad-connector to show a message.
> I guess we can handle this with the same Bug.
>
> Advisory: 2014-12-09-univention-ad-connector.yaml
> Dependency: 2014-12-09-univention-lib.yaml

Yes that looks good. But I think we need a specific SDB article for exactly this case. No domaincontroller_master SRV record and how to create it in the AD DNS.

Ok, here we go: http://sdb.univention.de/1299
Package re-built with adjusted URL.

(In reply to Arvid Requate from comment #9)
> Ok, here we go: http://sdb.univention.de/1299
> Package re-built with adjusted URL.

Very good. I've published the SDB article.
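
The pre-check discussed in this thread (continue only if `_domaincontroller_master._tcp` already resolves and points to the joining system) can be sketched as below. This is an added example, not code from univention-lib. The function names, the `dig +short`-style input format, the host names and the separate "points-elsewhere" result are assumptions made for illustration.

```python
"""Added example: classify a pre-created _domaincontroller_master._tcp SRV answer.

Input is resolver output with one "priority weight port target" line per record.
"""
from typing import List, NamedTuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str  # normalised: lower case, no trailing dot


def parse_srv_answers(text: str) -> List[SrvRecord]:
    """Parse SRV answer lines, skipping blank lines and resolver comments."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or line.lstrip().startswith(";"):
            continue
        try:
            prio, weight, port = (int(f) for f in fields[:3])
        except ValueError:
            continue  # not an SRV answer line
        records.append(SrvRecord(prio, weight, port, fields[3].rstrip(".").lower()))
    return records


def check_master_srv(answer_text: str, own_fqdn: str) -> str:
    """Return 'ok', 'missing' or 'points-elsewhere' for the pre-check."""
    own = own_fqdn.rstrip(".").lower()
    targets = {r.target for r in parse_srv_answers(answer_text)}
    if not targets:
        return "missing"          # record still has to be created in AD DNS
    if targets == {own}:
        return "ok"               # pre-created record points to us: continue
    return "points-elsewhere"     # stale or foreign target: report, do not continue silently


# Constructed sample resolver outputs (hypothetical host names)
PRECREATED = "0 0 0 UCS-Member.ad.example.com.\n"
EMPTY = "\n"
FOREIGN = "0 0 0 other-host.ad.example.com.\n"
```

Comparing targets case-insensitively and without the trailing dot avoids a false "points-elsewhere" when the record was typed by hand in the AD DNS console.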