Univention Bugzilla – Full Text Bug Listing

Summary: univention-samba4 joinscript fails if orphaned Samba/AD DC account is present

| Field | Value | Field | Value |
|---|---|---|---|
| Product | UCS | Reporter | Florian Best <best> |
| Component | Samba4 | Assignee | Felix Botner <botner> |
| Status | CLOSED FIXED | QA Contact | Arvid Requate <requate> |
| Severity | normal | | |
| Priority | P5 | CC | botner, damrose, gohmann, gulden, keiser, requate |
| Version | UCS 4.2 | | |
| Target Milestone | UCS 4.3-0-errata | | |
| Hardware | Other | | |
| OS | Linux | | |
| What kind of report is it? | Bug Report | What type of bug is this? | 6: Setup Problem: Issue for the setup process |
| Who will be affected by this bug? | 2: Will only affect a few installed domains | How will those affected feel about the bug? | 5: Blocking further progress on the daily work |
| User Pain | 0.343 | Enterprise Customer affected? | Yes |
| School Customer affected? | | ISV affected? | |
| Waiting Support | | Flags outvoted (downgraded) after PO Review | |
| Ticket number | 2018022821000176, 2018022821000998, 2017111121000183, 2016121321000045, 2017032621000161, 2017060721000709, 2017081721000562 | Bug group (optional) | Error handling, External feedback |
| Max CVSS v3 score | | | |
| Bug Depends on | | | |
| Bug Blocks | 46762 | | |
Description
Florian Best
2016-12-20 12:25:55 CET

---

Comment #1 (Stefan Gohmann)

Do we have the join log?

---

Comment #2

(In reply to Stefan Gohmann from comment #1)
> Do we have the join log?

No.

---

Comment #3

I had the same issue just now:

The 96univention-samba4.inst joinscript looks for the first DC it can join against. In my domain, that machine was not available anymore. The search is:

```sh
s4connector_dc=$(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \
    "(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))" cn \
    | ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p')
```

It then tries to join with

```sh
if [ -n "$s4connector_dc" ]; then
    echo "Join against S4 Connector server: $s4connector_dc"
    if samba-tool domain info "$s4connector_dc.$domainname"; then
        samba-tool domain join "$domainname" "......"
```

The joinscript logs:

```
Join against S4 Connector server: ucs-4171
ERROR: Invalid IP address 'ucs-4171.ucs.local'!
Samba currently not available on S4 Connector server ucs-4171.
ERROR: Invalid IP address 'ucs.local'!
ERROR: Invalid IP address 'ucs-4171.ucs.local'!
Failed to join the domain.
```

The joinscript should at least test if the server is currently available.

Version: 4.1-4 errata408 (Vahr)

Remark: This is the second slave server in the branch office, the first was deployed without any problem.

---

Comment

*** Bug 44765 has been marked as a duplicate of this bug. ***

---

Comment #5 (Arvid Requate)

> The joinscript should at least test if the server is currently available.
> Samba currently not available on S4 Connector server ucs-4171.

That's what "samba-tool domain info" has done. Finds that it cannot use it and continues with broadcast, but isn't successful at that:

> ERROR: Invalid IP address 'ucs.local'!

Maybe it should go on then and start over with a fresh provisioning.

---

Comment

(In reply to Arvid Requate from comment #5)
> > The joinscript should at least test if the server is currently available.
> > Samba currently not available on S4 Connector server ucs-4171.
>
> That's what "samba-tool domain info" has done. Finds that it cannot use it
> and continues with broadcast, but isn't successful at that:
>
> > ERROR: Invalid IP address 'ucs.local'!
>
> Maybe it should go on then and start over with a fresh provisioning.

What about a more detailed error message?

No domain server available, make sure the server $(connector_server) is up and running. If this server is no longer in use, make sure to remove the server from your domain as explained in SDB....

---

Comment #8 (Florian Best)

So the join fails if we have a computer/DC in LDAP which is not online at the time during the join.

What is the difference between a fresh provisioning and adding another DC Slave?

---

Comment #9 (Felix Botner)

(In reply to Florian Best from comment #8)
> So the join fails if we have a computer/DC in LDAP which is not online at
> the time during the join.
>
> What is the difference between a fresh provisioning and adding another DC
> Slave?

fresh provisioning - a new samba domain is created
adding another DC - join into an existing domain

What we need to avoid is "fresh provisioning" if the other samba server is just not reachable currently.

---

Comment #10 (Florian Best)

(In reply to Felix Botner from comment #9)
> fresh provisioning - a new samba domain is created
> adding another DC - join into an existing domain
>
> what we need to avoid is "fresh provisioning" if the other samba server is
> just not reachable currently

Could we add a check in the system setup? Like we are doing for the availability of UCS DC Master in Active Directory environments?

---

Comment

(In reply to Florian Best from comment #10)
> Could we add a check in the system setup? Like we are doing for the
> availability of UCS DC Master in Active Directory environments?

This is already done by "samba-tool domain info" in the join script. But can we be sure that a server is no longer in use if the check fails? Is it a good idea to create a new samba domain, which has implications for the whole UCS domain?

I would rather go for a more detailed error message in this case and an SDB article that describes how to remove orphaned Samba/AD DC accounts.

---

Comment

> > Could we add a check in the system setup? Like we are doing for the
> > availability of UCS DC Master in Active Directory environments?
>
> This is already done by "samba-tool domain info" in the join script.

Florian's proposal was to also check this already in system setup.

> But can we be sure that a server is no longer in use if the check fails?
> Is it a good idea to create a new samba domain, which has implications for
> the whole UCS domain?
>
> I would rather go for a more detailed error message in this case and an SDB
> article that describes how to remove orphaned Samba/AD DC accounts.

Yes, let's improve the error message.

---

Comment

Move to 4.3-0-errata. If a UCS 4.2 backport is needed, please clone this issue.

---

Comment

Just added the error message:

Make sure the server is online or if this server is no longer in use, please completely remove the server object from the domain.

At some point in the future we should review the samba_domain_join() function in 96univention-samba4.inst. There are too many ways to join into a samba domain, and some ways are broken for ucs@school.

In my opinion the join to the domain and the join to the ucs ldap "univentionService=Samba 4" servers should be removed. And the join to the "S4 Connector" server has to be fixed for ucs@school (better use get_available_s4connector_dc to find the s4 dc).

The goal should be to support only

* join to the server in UCR samba4/dc
* join to the s4 connector server (which we get from the "school-safe" get_available_s4connector_dc())

---

Comment

1ee115181fa257ef896a7029a6bd6b490defe1cd univention-samba4
a33bc0ffee2f8cf3add11e9b4e75a3a2e27be156 yaml

---

Comment

Ok, the error message has been improved.

The request of Comment 3 has not been implemented. The argument against it is that the error message already shows that the machine is not usable to join against it:

> The joinscript should at least test if the server is currently available.

The request of Comment 10 has also not been implemented.

> Could we add a check in the system setup?

If this is actually desired please clone the bug. It would require more effort to check this depending on the software selection and given that samba-tool is not available at that point.

---

Comment

Reported again:

Version: 4.2-3 errata305 (Lesum)
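The join logic discussed in this thread (look up the S4 Connector DC in LDAP, probe it with "samba-tool domain info", and fail with a clear message instead of provisioning a fresh Samba domain) as an added example. This is not code from 96univention-samba4.inst or from Univention; all function names are hypothetical, and the LDAP lookup and the availability probe are replaced by constructed stand-ins so the script runs offline (the real commands are noted in comments). It also goes one step beyond the original "first cn wins" search: every S4 Connector DC returned by the lookup is probed in turn, so a single orphaned account in LDAP does not block the join when another connector DC is online.

```sh
#!/bin/sh
# Added example, not code from univention-samba4. Picks a reachable
# S4 Connector DC before "samba-tool domain join" and refuses to fall
# back to fresh provisioning when none answers. All names are hypothetical.

# Constructed stand-in for the LDAP lookup shown in the report
# (ldapsearch for univentionService=S4 Connector). Unlike the original
# search, which uses only the first cn, every candidate is returned.
list_s4connector_dcs() {
    printf '%s\n' "ucs-4171" "ucs-4172"
}

# Constructed stand-in for the availability probe. The real joinscript
# runs:  samba-tool domain info "$dc.$domainname"
# Here an FQDN counts as reachable only if listed in ONLINE_DCS
# (space separated), so the failure path can be exercised offline.
dc_is_online() {
    probe_fqdn="$1"
    for online in ${ONLINE_DCS:-}; do
        [ "$online" = "$probe_fqdn" ] && return 0
    done
    return 1
}

# Prints the first reachable S4 Connector DC on stdout and returns 0.
# Otherwise prints the diagnostics on stderr and returns 1. The caller
# must abort the join; creating a new Samba domain here would split
# the existing UCS domain.
find_joinable_s4connector_dc() {
    domainname="$1"
    unreachable=""
    for dc in $(list_s4connector_dcs); do
        if dc_is_online "$dc.$domainname"; then
            echo "$dc"
            return 0
        fi
        echo "Samba currently not available on S4 Connector server $dc." >&2
        unreachable="$unreachable $dc"
    done
    if [ -z "$unreachable" ]; then
        echo "No S4 Connector server found in LDAP." >&2
    else
        echo "No S4 Connector server is reachable (tried:$unreachable)." >&2
        echo "Make sure the server is online or if this server is no longer in use, please completely remove the server object from the domain." >&2
    fi
    return 1
}

# Caller pattern: join only against a DC that answered the probe.
join_samba_domain() {
    domainname="$1"
    s4connector_dc=$(find_joinable_s4connector_dc "$domainname") || return 1
    echo "Join against S4 Connector server: $s4connector_dc"
    # Real joinscript step, not run in this example:
    # samba-tool domain join "$domainname" ...
    return 0
}
```

Usage: set ONLINE_DCS to the FQDNs that should count as reachable (for example `ONLINE_DCS="ucs-4172.ucs.local"`) and call `join_samba_domain ucs.local`; with ONLINE_DCS empty the function prints the per-server "not available" lines followed by the improved error message and returns 1 without ever reaching the join step.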