Univention Bugzilla – Bug 36831
Rejects on school slave after installing distributed UCS@school env
Last modified: 2016-09-14 15:38:55 CEST
I've several rejects after the update to UCS@school 4.0 on a school slave if Samba 4 is not installed on the master:

S4 rejected

1: S4 DN: CN=Domain Users,CN=Groups,DC=deadlock43,DC=intranet
   UCS DN: cn=domain users,cn=groups,dc=deadlock43,dc=intranet
2: S4 DN: CN=Domain Admins,CN=Groups,DC=deadlock43,DC=intranet
   UCS DN: cn=domain admins,cn=groups,dc=deadlock43,dc=intranet
3: S4 DN: CN=System,DC=deadlock43,DC=intranet
   UCS DN: cn=system,dc=deadlock43,dc=intranet
4: S4 DN: DC=deadlock43,DC=intranet
   UCS DN: dc=deadlock43,dc=intranet
5: S4 DN: OU=Domain Controllers,DC=deadlock43,DC=intranet
   UCS DN: ou=domain controllers,dc=deadlock43,dc=intranet
6: S4 DN: CN=Group Policy Creator Owners,CN=Groups,DC=deadlock43,DC=intranet
   UCS DN: cn=group policy creator owners,cn=groups,dc=deadlock43,dc=intranet
7: S4 DN: CN=Administrator,CN=Users,DC=deadlock43,DC=intranet
   UCS DN: uid=administrator,cn=users,dc=deadlock43,dc=intranet
8: S4 DN: CN=Domain Guests,CN=Groups,DC=deadlock43,DC=intranet
   UCS DN: cn=domain guests,cn=groups,dc=deadlock43,dc=intranet

root@slave432:~# univention-ldapsearch 'cn=domain guests' -LLL description ; univention-s4search 'cn=domain guests' description
dn: cn=Domain Guests,cn=groups,dc=deadlock43,dc=intranet

WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
# record 1
dn: CN=Domain Guests,CN=Groups,DC=deadlock43,DC=intranet
description: All domain guests

This was already the case before updating to UCS 4.
*** Bug 37834 has been marked as a duplicate of this bug. ***
Created attachment 6704
connector-s4.log with debug level set to 4, same system as Bug 37834

I reverted my system of Bug 37834 to an older snapshot and set connector/debug/level=4 before installing UCS@school. I was then able to reproduce the rejects by just installing UCS@school with Samba 4. I attached the connector-s4.log.

Ok, thanks, that should give a pretty clear idea what things need to be written with Admin credentials during join.

To avoid pre-seeding all this nitty gritty detail, we could "simply" initialize the S4-Connector during join with Admin credentials. But that would require to implement a mechanism in the S4-Connector to drop the initialization-Credentials after it has initialized, to continue normal operations with host credentials. For this we would in turn need to find a way to recognize at which point the initial sync is done (not too easy, USN tracking..).

Just brainstorming..
again with 4.1-2 and school 4.1R2

UCS Master + school (no univention-samba4!)
UCS Slave + school with univention-samba4/connector

After installing school on the slave the connector complains about the following rejects:

S4 rejected

1: S4 DN: OU=Domain Controllers,DC=w2k12,DC=test
   UCS DN: ou=domain controllers,dc=w2k12,dc=test
2: S4 DN: CN=System,DC=w2k12,DC=test
   UCS DN: cn=system,dc=w2k12,dc=test
3: S4 DN: CN=Administrator,CN=Users,DC=w2k12,DC=test
   UCS DN: uid=administrator,cn=users,dc=w2k12,dc=test
4: S4 DN: DC=w2k12,DC=test
   UCS DN: dc=w2k12,dc=test

All rejects are caused by a permission problem:

09.06.2016 10:54:04,126 LDAP (PROCESS): sync to ucs: [ container_dc] [ modify] dc=w2k12,dc=test
09.06.2016 10:54:04,151 LDAP (ERROR ): Unknown Exception during sync_to_ucs
09.06.2016 10:54:04,151 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1438, in sync_to_ucs
    result = self.property[property_type].ucs_sync_function(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/dc.py", line 180, in con2ucs
    s4connector.lo.modify(dn, ml)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 420, in modify
    raise univention.admin.uexceptions.permissionDenied
permissionDenied

We should either
* ignore those objects on school slaves in the connector
* or change the ldap acls for school slave

But rejects are not good ...

Ticket#2016071121000755

here too, same as above. It is cosmetic, but may mask other problems: If we recommend resolving these "legit" rejects or ignoring them, other problems may rear their heads in the future with causes that are ignored in these earlier states.

Rejects are not good.
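The triage concern raised in the two comments above (known permissionDenied rejects masking unrelated failures), as an added example that is not part of the original bug report or of Univention's code: it walks a connector-s4.log and separates syncs to UCS that failed with permissionDenied from those that failed for any other reason. The log lines are constructed in the format quoted above, the function names are hypothetical, and it assumes traceback continuation lines carry no timestamp prefix.

```python
import re

# Constructed sample, modelled on the connector-s4.log excerpt quoted in this report.
# Assumption: traceback continuation lines carry no timestamp prefix.
SAMPLE_LOG = """\
09.06.2016 10:54:04,126 LDAP (PROCESS): sync to ucs: [ container_dc] [ modify] dc=w2k12,dc=test
09.06.2016 10:54:04,151 LDAP (ERROR ): Unknown Exception during sync_to_ucs
09.06.2016 10:54:04,151 LDAP (ERROR ): Traceback (most recent call last):
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
09.06.2016 10:54:05,010 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=example,cn=groups,dc=w2k12,dc=test
09.06.2016 10:54:06,200 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=example,cn=users,dc=w2k12,dc=test
09.06.2016 10:54:06,230 LDAP (ERROR ): Unknown Exception during sync_to_ucs
09.06.2016 10:54:06,230 LDAP (ERROR ): Traceback (most recent call last):
ValueError: constructed failure
"""

# Matches the "sync to ucs" PROCESS line: [object type] [operation] DN
SYNC_RE = re.compile(
    r"\(PROCESS\s*\): sync to ucs:\s*\[\s*(?P<type>[^\]]+?)\s*\]"
    r"\s*\[\s*(?P<op>[^\]]+?)\s*\]\s*(?P<dn>.+)$"
)


def failed_syncs(log_text):
    """Return (dn, object_type, operation, cause) for every sync to UCS that raised."""
    results, current, cause = [], None, None
    for line in log_text.splitlines():
        match = SYNC_RE.search(line)
        if match:
            if current and cause:          # previous sync ended with an exception
                results.append(current + (cause,))
            current = (match.group("dn").strip(), match.group("type"), match.group("op"))
            cause = None
        elif current and "Unknown Exception during sync_to_ucs" in line:
            cause = "other"                # refined below if the traceback names the ACL error
        elif current and cause and line.strip().endswith("permissionDenied"):
            cause = "permissionDenied"
    if current and cause:
        results.append(current + (cause,))
    return results


def split_by_cause(log_text):
    """Separate the permission rejects from failures that still need investigation."""
    failures = failed_syncs(log_text)
    acl = [f[0] for f in failures if f[3] == "permissionDenied"]
    other = [f[0] for f in failures if f[3] != "permissionDenied"]
    return acl, other
```

Calling `split_by_cause(SAMPLE_LOG)` returns the DNs rejected for permission reasons and, separately, the DNs whose sync failed for some other reason and should not be dismissed along with them.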
This hit me some weeks ago, too.
We already create several groups in the 96univention-samba4slavepdc.inst join script. We should do these changes there as well.
YAML: r71761

Fix: r71760

* Update some default settings in the LDAP directory to prevent
  rejects if no S4 connector is installed on the DC master
  (Bug #36831)

Waiting for Jenkins test results.

(In reply to Stefan Gohmann from comment #9)
> YAML: r71761
>
> Fix: r71760
>
> * Update some default settings in the LDAP directory to prevent
>   rejects if no S4 connector is installed on the DC master
>   (Bug #36831)
>
> Waiting for Jenkins test results.

Some more updates: r71768 + r71770 + r71780

We've decided to increase the join script version so the rejects will be removed after running the join scripts.

I've also merged these changes to UCS 4.2.

Rebuild package for Bug #36831, #41167 due to buildsystem error

r71999
4.0.7-6.96.201608291833

OK - merged to 4.2
OK - no rejects on slave - no samba4 on master
OK - no rejects on slave - samba4 on master
OK - rejects are gone after upgrade/univention-run-join-scripts on slave
OK - yaml
<http://errata.software-univention.de/ucs/4.1/264.html>