Bug 36831 – Rejects on school slave after installing distributed UCS@school env

Bug 36831 - Rejects on school slave after installing distributed UCS@school env


Summary:	Rejects on school slave after installing distributed UCS@school env

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Samba4
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.1-3-errata
Assigned To:	Stefan Gohmann
QA Contact:	Felix Botner

URL:
Keywords:

Duplicates:	37834 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2014-11-18 17:57 CET by Stefan Gohmann
Modified:	2016-09-14 15:38 CEST (History)
CC List:	6 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
connector-s4.log with debug level set to 4, same system as Bug 37834 (4.15 MB, text/x-log) 2015-02-19 14:44 CET, Michael Grandjean	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Gohmann

2014-11-18 17:57:50 CET

I've several rejects after the update to UCS@school 4.0 on a school slave if Samba 4 is not installed on the master:

S4 rejected

    1:    S4 DN: CN=Domain Users,CN=Groups,DC=deadlock43,DC=intranet
         UCS DN: cn=domain users,cn=groups,dc=deadlock43,dc=intranet
    2:    S4 DN: CN=Domain Admins,CN=Groups,DC=deadlock43,DC=intranet
         UCS DN: cn=domain admins,cn=groups,dc=deadlock43,dc=intranet
    3:    S4 DN: CN=System,DC=deadlock43,DC=intranet
         UCS DN: cn=system,dc=deadlock43,dc=intranet
    4:    S4 DN: DC=deadlock43,DC=intranet
         UCS DN: dc=deadlock43,dc=intranet
    5:    S4 DN: OU=Domain Controllers,DC=deadlock43,DC=intranet
         UCS DN: ou=domain controllers,dc=deadlock43,dc=intranet
    6:    S4 DN: CN=Group Policy Creator Owners,CN=Groups,DC=deadlock43,DC=intranet
         UCS DN: cn=group policy creator owners,cn=groups,dc=deadlock43,dc=intranet
    7:    S4 DN: CN=Administrator,CN=Users,DC=deadlock43,DC=intranet
         UCS DN: uid=administrator,cn=users,dc=deadlock43,dc=intranet
    8:    S4 DN: CN=Domain Guests,CN=Groups,DC=deadlock43,DC=intranet
         UCS DN: cn=domain guests,cn=groups,dc=deadlock43,dc=intranet


root@slave432:~# univention-ldapsearch 'cn=domain guests' -LLL description ; univention-s4search 'cn=domain guests' description
dn: cn=Domain Guests,cn=groups,dc=deadlock43,dc=intranet

WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
# record 1
dn: CN=Domain Guests,CN=Groups,DC=deadlock43,DC=intranet
description: All domain guests

Comment 1 Stefan Gohmann

2014-11-18 18:58:13 CET

This was already before updating to UCS 4.

Comment 2 Arvid Requate

2015-02-18 14:44:11 CET

*** Bug 37834 has been marked as a duplicate of this bug. ***

Comment 3 Michael Grandjean

2015-02-19 14:44:07 CET

Created attachment 6704 [details]
connector-s4.log with debug level set to 4, same system as  Bug 37834

I reverted my system of Bug 37834 to an older snapshot and set connector/debug/level=4 before installing UCS@school. I was then able to reproduce the rejects by just installing UCS@school with Samba 4. I attached th connector-s4.log.

Comment 4 Arvid Requate

2015-02-20 11:39:09 CET

Ok, thanks, that should give a pretty clear idea what things need to be written with Admin credentials during join.

To avoid pre-seeding all this nitty gritty detail, we could "simply" initialize the S4-Connector during join with Admin credentials. But that would require to implement a mechanism in the S4-Connector to drop the initialization-Credentials after it has initialzed, to continue normal operations with host credentials. For this we would in turn need to find a way to recognize at which pount the initial sync is done (not too easy, USN tracking..). Just brainstorming..

Comment 5 Felix Botner

2016-06-09 10:59:49 CEST

again with 4.1-2 and school 4.1R2

UCS Master + school (no univention-samba4!)
UCS Slave + school with univention-samba4/connector

After installing school on the slave the connector complains about the following rejects:

S4 rejected

    1:    S4 DN: OU=Domain Controllers,DC=w2k12,DC=test
         UCS DN: ou=domain controllers,dc=w2k12,dc=test
    2:    S4 DN: CN=System,DC=w2k12,DC=test
         UCS DN: cn=system,dc=w2k12,dc=test
    3:    S4 DN: CN=Administrator,CN=Users,DC=w2k12,DC=test
         UCS DN: uid=administrator,cn=users,dc=w2k12,dc=test
    4:    S4 DN: DC=w2k12,DC=test
         UCS DN: dc=w2k12,dc=test


All rejects a caused by a permission problem:

09.06.2016 10:54:04,126 LDAP        (PROCESS): sync to ucs:   [  container_dc] [    modify] dc=w2k12,dc=test
09.06.2016 10:54:04,151 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
09.06.2016 10:54:04,151 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1438, in sync_to_ucs
    result = self.property[property_type].ucs_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dc.py", line 180, in con2ucs
    s4connector.lo.modify(dn, ml)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 420, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied

We should either
 * ignore those objects on school slaves in the connector
 * or changes the ldap acls for school slave

But rejects are not good ...

Comment 6 Jens Thorp-Hansen

2016-07-22 10:51:23 CEST

Ticket#2016071121000755

here too, same as above. It is cosmetic, but may mask other problems: If we recommend resolving these "legit" rejects or ignoring them, other problems may rear its head in the future with causes that are ignored in this earlier states.

rejects are not good.

Comment 7 Florian Best

2016-07-22 11:03:00 CEST

This hit me some weeks ago, too.

Comment 8 Stefan Gohmann

2016-08-15 07:20:57 CEST

We already create several groups in the 96univention-samba4slavepdc.inst join script. We should do these changes there as well.

Comment 9 Stefan Gohmann

2016-08-19 16:30:49 CEST

YAML: r71761

Fix: r71760

* Update some default settings in the LDAP directory to prevent
  rejects if no S4 connector is installed on the DC master
  (Bug #36831)

Waiting for Jenkins test results.

Comment 10 Stefan Gohmann

2016-08-22 16:57:32 CEST

(In reply to Stefan Gohmann from comment #9)
> YAML: r71761
> 
> Fix: r71760
> 
> * Update some default settings in the LDAP directory to prevent
>   rejects if no S4 connector is installed on the DC master
>   (Bug #36831)
> 
> Waiting for Jenkins test results.

Some more updates: r71768 + r71770 + r71780

We've decided to increase the join script version so the rejects will be removed after running the join scripts.

I've also merged these changes to UCS 4.2.

Comment 11 Janek Walkenhorst

2016-08-29 18:36:02 CEST

Rebuild package for Bug #36831, #41167 due to buildsystem error

r71999

4.0.7-6.96.201608291833

Comment 12 Felix Botner

2016-09-12 13:56:21 CEST

OK - merged to 4.2
OK - no rejects on slave - no samba4 on master
OK - no rejects on slave - samba4 on master
OK - rejects are gone after upgrade/univention-run-join-scripts on slave
OK - yaml

Comment 13 Janek Walkenhorst

2016-09-14 15:38:55 CEST

<http://errata.software-univention.de/ucs/4.1/264.html>