Univention Bugzilla – Bug 39251
(Re-)join of DC Backup fails if S4 is not installed on DC Master
Last modified: 2017-06-28 22:18:00 CEST
S4 installed (accidentally) only on Backup, but not on master. Things go down from there as soon as the backup is (re-)joined.
Need inter-app-dependency to ensure S4 is installed on Master?

# univention-join
...
Configure 96univention-samba4.inst failed

# univention-run-join-scripts
...
Running 96univention-samba4.inst failed (exitcode: 1)
Running 97univention-s4-connector.inst failed (exitcode: 1)
Running 98univention-pkgdb-tools.inst skipped (already executed)
Running 98univention-samba4-dns.inst failed (exitcode: 1)

# tail /var/log/univention/join.log
RUNNING 96univention-samba4.inst
2015-08-21 11:18:33.789688024+02:00 (in joinscript_init)
Not updating samba4/role
Multifile: /etc/samba/smb.conf
Object exists: cn=Builtin,dc=phahn,dc=qa
WARNING: cannot append cn=backup40,cn=dc,cn=computers,dc=phahn,dc=qa to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=phahn,dc=qa
Stopping Samba AD DC daemon: samba.
Samba is configured as AD DC, service smbd is controlled by the main samba daemon.
Stopping NetBIOS name server: nmbd.
Setting kerberos/kdc
Setting kerberos/kpasswdserver
File: /etc/krb5.conf
Setting slapd/port
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Setting slapd/port/ldaps
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
extract_rIDNextRID: Attribute rIDSetReferences not found
Not updating windows/wins-support
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
ERROR: Invalid IP address 'phahn.qa'!
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
ERROR: Invalid IP address 'backup40.phahn.qa'!
Failed to join the domain.
EXITCODE=1
RUNNING 97univention-s4-connector.inst
2015-08-21 11:18:53.241542484+02:00 (in joinscript_init)
Not updating connector/s4/ldap/host
Not updating connector/s4/ldap/base
Not updating connector/s4/ldap/ssl
Not updating connector/s4/mapping/group/language
Not updating connector/s4/ldap/protocol
Not updating connector/s4/ldap/socket
Object exists: cn=gPLink,cn=custom attributes,cn=univention,dc=phahn,dc=qa
Object exists: cn=Builtin,dc=phahn,dc=qa
Object exists: cn=System,dc=phahn,dc=qa
Object exists: cn=Policies,cn=System,dc=phahn,dc=qa
Object exists: ou=Domain Controllers,dc=phahn,dc=qa
Object exists: cn=WMIPolicy,cn=System,dc=phahn,dc=qa
Object exists: cn=SOM,cn=WMIPolicy,cn=System,dc=phahn,dc=qa
Object exists: cn=ldapschema,cn=univention,dc=phahn,dc=qa
INFO: No change of core data of object msgpo.
INFO: No change of core data of object mswmi.
Object exists: cn=udm_module,cn=univention,dc=phahn,dc=qa
INFO: No change of core data of object container/msgpo.
No modification: cn=msgpo,cn=ldapschema,cn=univention,dc=phahn,dc=qa
No modification: cn=mswmi,cn=ldapschema,cn=univention,dc=phahn,dc=qa
No modification: cn=container/msgpo,cn=udm_module,cn=univention,dc=phahn,dc=qa
Waiting for activation of the extension object msgpo: OK
Waiting for activation of the extension object mswmi: OK
Waiting for activation of the extension object container/msgpo: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/container/msgpo.py: OK
Terminating running univention-cli-server processes.
Object exists: cn=udm_module,cn=univention,dc=phahn,dc=qa
INFO: No change of core data of object settings/mswmifilter.
No modification: cn=settings/mswmifilter,cn=udm_module,cn=univention,dc=phahn,dc=qa
Waiting for activation of the extension object settings/mswmifilter: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/settings/mswmifilter.py: OK
Terminating running univention-cli-server processes.
Samba4 does not seem to be provisioned, exiting /usr/lib/univention-install/97univention-s4-connector.inst
EXITCODE=1
RUNNING 98univention-samba4-dns.inst
2015-08-21 11:18:59.329617608+02:00 (in joinscript_init)
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1

# dcaccount=Administrator bindpwd=univention bash -x /usr/lib/univention-install/96univention-samba4.inst
...
+ samba-tool domain info backup40.phahn.qa
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
ERROR: Invalid IP address 'backup40.phahn.qa'!
Happened again at Ticket#2016062721000076 - I will try to reproduce it in a testing environment and update the bug with the environment for reference.
verified in test environment
master: .42.176
backup: .42.174

- fresh install both servers
- install S4 on backup
- root@ucs-5241:~# univention-join -verbose

Configure 96univention-samba4.inst failed
**************************************************************************
* Join failed! *
* Contact your system administrator *
**************************************************************************
* Message: FAILED: 96univention-samba4.inst
**************************************************************************
root@ucs-5241:~#

join log -verbose (abridged)
...
...
...
distinguishedName: CN=RID Set,CN=UCS-5241,OU=Domain Controllers,DC=acheron,DC=intranet
# returned 1 records
# 1 entries
# 0 referrals'
++ sed -n 's/^rIDAllocationPool: //p'
+ old_rIDAllocationPool=1100-1599
++ sed -n 's/^rIDPreviousAllocationPool: //p'
+ old_rIDPreviousAllocationPool=1100-1599
++ sed -n 's/^rIDNextRID: //p'
+ old_rIDNextRID=1110
+ mv /var/lib/samba /var/lib/samba_backup_20160628135620
+ rsync -a --exclude '/private/*' /var/lib/samba_backup_20160628135620/ /var/lib/samba
+ samba_domain_join --keep-existing
+ local success
+ local samba_join_options
+ samba_join_options=("${@}")
+ samba_join_options+=(--kerberos=no)
+ samba_join_options+=(-U"$dcaccount"%"$bindpwd")
+ samba_join_options+=(--realm="$kerberos_realm")
+ samba_join_options+=(--machinepass="$(cat /etc/machine.secret)")
++ cat /etc/machine.secret
+ '[' -n '' ']'
+ univention-config-registry set 'windows/wins-support?no'
Not updating windows/wins-support
+ '[' -n '' ']'
+ samba-tool domain info acheron.intranet
ERROR: Invalid IP address 'acheron.intranet'!
+ '[' -z '' ']'
+ cn=($(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret "(&(univentionService=Samba 4)(objectClass=univentionDomainController))" cn | ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p' ))
++ sed -n 's/^cn: \(.*\)/\1/p'
++ ldapsearch-wrapper
++ ldapsearch -x -ZZ -LLL -D cn=ucs-5241,cn=dc,cn=computers,dc=acheron,dc=intranet -y /etc/machine.secret '(&(univentionService=Samba 4)(objectClass=univentionDomainController))' cn
+ for name in '"${cn[@]}"'
+ samba-tool domain info ucs-5241.acheron.intranet
ERROR: Invalid IP address 'ucs-5241.acheron.intranet'!
+ '[' -z '' ']'
+ echo 'Failed to join the domain.'
Failed to join the domain.
+ exit 1
+ '[' 1 -ne 0 ']'
+ echo -e '\033[60Gfailed'
++ basename /usr/lib/univention-install/96univention-samba4.inst
+ failed_message 'FAILED: 96univention-samba4.inst'
+ echo ''
+ echo ''
+ echo '**************************************************************************'
+ echo '* Join failed! *'
+ echo '* Contact your system administrator *'
+ echo '**************************************************************************'
+ echo '* Message: FAILED: 96univention-samba4.inst'
+ echo '**************************************************************************'
+ exit 1
+ trapOnExit
+ rm -rf /tmp/tmp.TGaQBdAP0A
+ '[' -n true -a true = true ']'
+ '[' -n 2 ']'
+ ucr set listener/debug/level=2
Setting listener/debug/level
File: /etc/runit/univention-directory-listener/run
++ LC_ALL=C
++ date
+ echo 'Tue Jun 28 13:56:22 CEST 2016: finish /usr/sbin/univention-join'
Tue Jun 28 13:56:22 CEST 2016: finish /usr/sbin/univention-join
Workaround: remove the univentionService: Samba 4 attribute from the backup.

Fix: 96univention-samba4.inst +850

## check if we there already is a **domaincontroller** providing the service "Samba 4"
samba4servicedcs=$(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \
    "(&(univentionService=${NAME})(objectClass=univentionDomainController))" cn \
    | ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p')
## currently there is no u-d-m module computers/dc

This also finds the currently rejoining server. The join script then executes a domain join instead of a fresh samba provisioning. We have to ignore the join system in this ldap search:

## check if we there already is a **domaincontroller** providing the service "Samba 4" samba4servicedcs=$(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \ - "(&(univentionService=${NAME})(objectClass=univentionDomainController))" cn \ + "(&(univentionService=${NAME})(objectClass=univentionDomainController)(!(cn=$(hostname))))" cn \ | ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p') ## currently there is no u-d-m module computers/dc
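Review bot: On the `+` line, `(!(cn=$(hostname)))` only excludes the rejoining system if `hostname` prints the short name that is stored in `cn`. The trace in the earlier comment shows `cn=ucs-5241` next to the FQDN `ucs-5241.acheron.intranet`; on a host where `hostname` returns the FQDN the negated clause would not match the local entry, the local system would be found again, and the script would still take the join path. Use `hostname -s` so the comparison is made against the same value as `cn`. The `## check if we there already is a **domaincontroller** ...` comment should also state that the local system is now excluded from the search, because a rejoining backup that is the only holder of the "Samba 4" service will then get a fresh samba provisioning instead of a domain join, and that consequence belongs next to the filter.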
I guess setting samba4/provision/secondary=yes in UCR would also work around this.
I've added a check if the local system is the S4 Connector system. In this case the system is re-configured as first Samba 4 DC and all other Samba 4 DCs need to be rejoined again: r73151

I'll give our Jenkins environments a first test run.
(In reply to Stefan Gohmann from comment #5)
> I've added a check if the local system is the S4 Connector system. In this
> case the system is re-configured as first Samba 4 DC and all other Samba 4
> DCs need to be rejoined again: r73151
>
> I'll give our Jenkins environments a first test run.

Looks good. I've also tested manual installations and rejoins.
Verified:
* Patch ok and merged to UCS 4.2
* Rejoin works
* Advisory: Ok
<http://errata.software-univention.de/ucs/4.1/309.html>