Bug 38754

Summary: Race condition in new school-dc setup
Product: UCS@school Reporter: Janis Meybohm <meybohm>
Component: UMC - InstallerAssignee: Sönke Schwardt-Krummrich <schwardt>
Status: CLOSED FIXED QA Contact: Felix Botner <botner>
Severity: normal    
Priority: P1 CC: gohmann, grandjean, petersen, schwardt
Version: UCS@school 3.2 R2   
Target Milestone: UCS@school 4.0 R2 Errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: --- What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:

Description Janis Meybohm univentionstaff 2015-06-23 14:27:45 CEST 
Ticket#2015052021000181

We had that twice now in the customer environment:

* A new DC-Save is set up in the environment (without samba4)
* The DC-Slave is joined
* UCS@school App is installed
* UCS@school installer is run
...installer hangs forever while trying to re-join the domain.

What happens is that the listener gets restarted during the package installation and newly installed modules get loaded (ucsschool-user-logonscripts among others).
After installation is completed the school-installer moves the DC-Slave to the OU and univention-join is started.

univention-join than changes UCR ldap/hostdn to the new DN and tries to stop the listener.
That fails because the listener is in initialization phase of the Module ucsschool-user-logonscripts (in the current case) that continuously tries a univention.uldap.getMachineConnection(ldap_master=False) with the new ldap/hostdn against the local (old) LDAP.

-> deadlock
Comment 1 Tim Petersen univentionstaff 2015-07-30 11:07:24 CEST 
2015072021000276
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-10-01 22:51:50 CEST 
(In reply to Janis Meybohm from comment #0)
> We had that twice now in the customer environment:
> 
> * A new DC-Save is set up in the environment (without samba4)
> * The DC-Slave is joined
> * UCS@school App is installed
> * UCS@school installer is run
> ...installer hangs forever while trying to re-join the domain.

"forever" seems to be up to 5min per DN that has to be processed → a long time.

> univention-join than changes UCR ldap/hostdn to the new DN and tries to stop
> the listener.
> That fails because the listener is in initialization phase of the Module
> ucsschool-user-logonscripts (in the current case) that continuously tries a
> univention.uldap.getMachineConnection(ldap_master=False) with the new
> ldap/hostdn against the local (old) LDAP.

The LDAP exception handling has been improved and the LDAP connection is dropped if an error occurs. Additionally the LDAP connection handling does not wait up to 5 mins on LDAP error "INVALID_CREDENTIALS" but fails fast.

This should improve the situation a lot.

ucs-school-netlogon-user-logonscripts (11.0.2-1):
r64155 | Bug #38754: added changelog entry
r64154 | Bug #38754: catch LDAP errors and invalidate LDAP connection / fail fast on error INVALID_CREDENTIALS
r64153 | Bug #38754: do not overwrite variable "dn"
r64152 | Bug #38754: increased log level
r64151 | Bug #38754: connection should be never a boolean value / fixed indention
r64150 | Bug #38754: removed useless imports / code
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2015-10-01 23:13:32 CEST 
The package has been published to app repo ucsschool_devel.
Comment 4 Felix Botner univentionstaff 2015-10-19 14:10:55 CEST 
OK, code looks good, tests OK 
i wasn't able to reproduce this, but all my test were OK
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2015-11-11 14:20:27 CET 
UCS@school 4.0 R2 v3 has been released.

If this error occurs again, please use "Clone This Bug".