Univention Bugzilla – Full Text Bug Listing

| Summary: | UCS@school Samba/AD DC Slave join fails at 99ucs-school-umc-printermoderation | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Samba4 | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
| Severity: | critical | | |
| Priority: | P5 | CC: | gohmann, schwardt, walkenhorst |
| Version: | UCS 4.1 | | |
| Target Milestone: | UCS 4.1-0-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Attachments: | join.log | | |
Description
Arvid Requate
2016-01-14 19:46:14 CET
```
root@slave12:~# kinit -t /etc/krb5.keytab 'SLAVE12$' && echo OK
OK
```

So secrets.ldb seems to be fine (i.e. in sync with machine.secret and sam.ldb) as well.

```
root@slave12:~# ucr search --brief version/version version/errata
version/erratalevel: 55
version/version: 4.1
```

This one works too:

```
root@slave12:~# ldbsearch -H "ldaps://$(hostname -f)" \
    --simple-bind-dn="slave12\$@$(hostname -d)" \
    --password="$(< /etc/machine.secret)"
```

and this one too:

```
root@slave12:~# ldbsearch --kerberos=no -H "ldaps://$(hostname -f)" \
    -Uslave12$%"$(< /etc/machine.secret)"
```

Ok, it's that docker interface. This seems to fix everything:

```
root@slave12:~# ucr set samba/interfaces=eth0 samba/interfaces/bindonly=yes
root@slave12:~# service samba restart
```

No clue yet why this only happens on a UCS@school Slave but not on the Master.

Ok, a bit more about this:

1. This workaround works partially:

   ```
   root@slave12:~# ucr set samba/interfaces=eth0
   ```

   but the drawback is that samba doesn't listen any longer on localhost, and things like kinit break too. So, this is not an option. This looks a bit like a change of behaviour of Samba 4.3.1 (UCS 4.1-0) as compared to Samba 4.2.3 (UCS 4.0-4).

2. This workaround doesn't work:

   ```
   root@slave12:~# ucr set samba/interfaces='eth0 127.0.0.1'
   ```

   In that case all the <SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> stuff happens with univention-s4search against the FQDN. Search against localhost works though.

BUT: All of this trouble only happens on a UCS@school Slave PDC! Before installing UCS@school on the Samba/AD DC Slave all the univention-s4search variations work fine on UCS 4.1! So my impression is that we are still barking up the wrong tree here.

The issue still occurs when I effectively remove the docker0 interface on Master and Slave before installing UCS@school on the Samba AD DC Slave:

```
service docker stop
ip link set docker0 down; brctl delbr docker0
service samba restart
```

I'm able to reproduce it in Jenkins. The Jenkins setup has S4 installed on the slave previously.
It didn't help to remove the samba private directory and to re-join the slave.

The following works for me:

```
root@slave2032:~# ls -la /etc/krb5.keytab*
-rw------- 1 root nogroup 8021 Jan 26 05:53 /etc/krb5.keytab
-rw------- 1 root root    8021 Jan 26 05:53 /etc/krb5.keytab.SAVE
root@slave2032:~# rm /etc/krb5.keytab
root@slave2032:~# /usr/share/univention-samba4/scripts/create-keytab.sh
Modified 1 records successfully
Modified 1 records successfully
root@slave2032:~# ls -la /etc/krb5.keytab*
-rw------- 1 root root 2222 Jan 26 14:34 /etc/krb5.keytab
-rw------- 1 root root 8021 Jan 26 05:53 /etc/krb5.keytab.SAVE
root@slave2032:~# ldbsearch -H "ldaps://$(hostname -f)" -U"$(hostname)$%$(cat /etc/machine.secret)" -s base | grep ^dn
dn: DC=autotest203,DC=local
root@slave2032:~#
```

It looks like the keytab includes several keys. Should the keytab be removed if the server is rejoined?

(In reply to Arvid Requate from comment #0)
> root@slave12:~# kinit --password-file=/etc/machine.secret 'slave12$' && echo OK
> OK
[...]
> root@slave12:~# ldbsearch -H "ldaps://$(hostname -f)" \
>     -Uslave12$%"$(cat /etc/machine.secret)"
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>

I've added both of these commands to ucs-test:

```
00_checks/21_kinit_hostaccount
00_checks/22_ldbsearch_hostaccount
```

I adjusted create-keytab.sh to work around changed Samba 4.3.x behaviour (maybe internal heimdal), which causes duplicate hashes when the password is changed in secrets.ldb but the same KVNO is used. This seems to have fixed the issue.

Additionally I merged the patches from Bug 39601. This may help avoid IPs from the Docker 172.17.0.0/16 address range getting registered in DNS automatically during join (not via samba_dnsupdate, that's a separate issue).

Advisory: univention-samba4.yaml

Note: the patches from Bug 39601 might help address Bug 40374 but there is no hard proof for that connection yet. I'll move the bug to UCS.
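The comments above trace the failed bind to a keytab that accumulated more than one key for the same principal, KVNO and encryption type after the machine password was changed in secrets.ldb without bumping the KVNO. The following Python script is an added example, not part of the bug report and not Univention's create-keytab.sh or Samba code: it parses the version-2 keytab file format that MIT Kerberos and Heimdal both write (2-byte magic 0x0502, then length-prefixed entries of realm, name components, name type, timestamp, 8-bit vno, keyblock, and an optional trailing 32-bit vno) and reports every (principal, kvno, enctype) slot that is listed more than once, which is exactly the condition a KDC-side password change with an unchanged KVNO produces. The keytab bytes, the realm EXAMPLE.TEST and the key material are constructed inline so the check runs offline; the function names are this example's own.

```python
"""Parse a v2 (0x0502) Kerberos keytab and flag duplicate (principal, kvno, enctype) slots."""
import struct
from collections import defaultdict

KRB5_NT_PRINCIPAL = 1  # name type written for ordinary principals


def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return a list of live entries as dicts; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # deleted slot: its payload is still present
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:               # 32-bit kvno appended by newer writers
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32 != 0:               # libraries use it only when non-zero
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype, "key": key.hex(),
        })
    return entries


def duplicate_key_slots(entries):
    """Map (principal, kvno, enctype) -> list of hex keys for every slot seen more than once."""
    slots = defaultdict(list)
    for e in entries:
        slots[(e["principal"], e["kvno"], e["enctype"])].append(e["key"])
    return {slot: keys for slot, keys in slots.items() if len(keys) > 1}


def build_entry(principal, realm, kvno, enctype, key, timestamp=0, deleted=False):
    """Encode one keytab entry (constructed test data, same layout as parse_keytab reads)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    size = -len(body) if deleted else len(body)
    return struct.pack(">i", size) + body


# Constructed sample: host account slave12$ with aes256 (18) and rc4 (23) keys at kvno 3,
# one deleted slot, then a second aes256 key written for the same kvno 3 after a
# password change, which is the duplicate the bug report describes.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("slave12$", "EXAMPLE.TEST", 3, 18, b"\x11" * 32)
    + build_entry("slave12$", "EXAMPLE.TEST", 3, 23, b"\x22" * 16)
    + build_entry("slave12$", "EXAMPLE.TEST", 2, 18, b"\x33" * 32, deleted=True)
    + build_entry("slave12$", "EXAMPLE.TEST", 3, 18, b"\x44" * 32)
)


def check_sample():
    """Run the duplicate check over the constructed keytab and return the findings."""
    return duplicate_key_slots(parse_keytab(SAMPLE_KEYTAB))


if __name__ == "__main__":
    for (principal, kvno, enctype), keys in check_sample().items():
        print(f"{principal}: kvno {kvno} enctype {enctype} has {len(keys)} different keys")
```

To audit a real system keytab, replace SAMPLE_KEYTAB with `open("/etc/krb5.keytab", "rb").read()`; an empty result means every principal has at most one key per KVNO and enctype, while any hit is a candidate for regenerating the keytab, which is what removing the file and re-running the keytab script did in the comment above.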
Code review: OK
Tests: OK
YAML: OK