Bug 39251 - (Re-)join of DC Backup fails if S4 is not installed on DC Master
(Re-)join of DC Backup fails if S4 is not installed on DC Master
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.1-3-errata
Assigned To: Stefan Gohmann
Arvid Requate
:
Depends on:
Blocks: 44885
  Show dependency treegraph
 
Reported: 2015-08-21 12:51 CEST by Philipp Hahn
Modified: 2017-06-28 22:18 CEST (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016062721000076
Bug group (optional): Workaround is available
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2015-08-21 12:51:45 CEST
S4 installed (accidently) only on Backup, but not on master.
Things go down from there as soon as the backup is (re-)joined.

Need inter-app-dependency to ensure S4 is installed on Master?

# univention-join
...
Configure 96univention-samba4.inst                         failed

# univention-run-join-scripts
...
Running 96univention-samba4.inst                           failed (exitcode: 1)
Running 97univention-s4-connector.inst                     failed (exitcode: 1)
Running 98univention-pkgdb-tools.inst                      skipped (already executed)
Running 98univention-samba4-dns.inst                       failed (exitcode: 1)

# tail /var/log/univention/join.log

RUNNING 96univention-samba4.inst
2015-08-21 11:18:33.789688024+02:00 (in joinscript_init)
Not updating samba4/role
Multifile: /etc/samba/smb.conf
Object exists: cn=Builtin,dc=phahn,dc=qa
WARNING: cannot append cn=backup40,cn=dc,cn=computers,dc=phahn,dc=qa to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=phahn,dc=qa
Stopping Samba AD DC daemon: samba.
Samba is configured as AD DC, service smbd is controlled by the main samba daemon.
Stopping NetBIOS name server: nmbd.
Setting kerberos/kdc
Setting kerberos/kpasswdserver
File: /etc/krb5.conf
Setting slapd/port
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Setting slapd/port/ldaps
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
extract_rIDNextRID: Attribute rIDSetReferences not found
Not updating windows/wins-support
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
ERROR: Invalid IP address 'phahn.qa'!
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
ERROR: Invalid IP address 'backup40.phahn.qa'!
Failed to join the domain.
EXITCODE=1

RUNNING 97univention-s4-connector.inst
2015-08-21 11:18:53.241542484+02:00 (in joinscript_init)
Not updating connector/s4/ldap/host
Not updating connector/s4/ldap/base
Not updating connector/s4/ldap/ssl
Not updating connector/s4/mapping/group/language
Not updating connector/s4/ldap/protocol
Not updating connector/s4/ldap/socket
Object exists: cn=gPLink,cn=custom attributes,cn=univention,dc=phahn,dc=qa
Object exists: cn=Builtin,dc=phahn,dc=qa
Object exists: cn=System,dc=phahn,dc=qa
Object exists: cn=Policies,cn=System,dc=phahn,dc=qa
Object exists: ou=Domain Controllers,dc=phahn,dc=qa
Object exists: cn=WMIPolicy,cn=System,dc=phahn,dc=qa
Object exists: cn=SOM,cn=WMIPolicy,cn=System,dc=phahn,dc=qa
Object exists: cn=ldapschema,cn=univention,dc=phahn,dc=qa
INFO: No change of core data of object msgpo.
INFO: No change of core data of object mswmi.
Object exists: cn=udm_module,cn=univention,dc=phahn,dc=qa
INFO: No change of core data of object container/msgpo.
No modification: cn=msgpo,cn=ldapschema,cn=univention,dc=phahn,dc=qa

No modification: cn=mswmi,cn=ldapschema,cn=univention,dc=phahn,dc=qa

No modification: cn=container/msgpo,cn=udm_module,cn=univention,dc=phahn,dc=qa

Waiting for activation of the extension object msgpo: OK
Waiting for activation of the extension object mswmi: OK
Waiting for activation of the extension object container/msgpo: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/container/msgpo.py: OK
Terminating running univention-cli-server processes.
Object exists: cn=udm_module,cn=univention,dc=phahn,dc=qa
INFO: No change of core data of object settings/mswmifilter.
No modification: cn=settings/mswmifilter,cn=udm_module,cn=univention,dc=phahn,dc=qa

Waiting for activation of the extension object settings/mswmifilter: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/settings/mswmifilter.py: OK
Terminating running univention-cli-server processes.
Samba4 does not seem to be provisioned, exiting /usr/lib/univention-install/97univention-s4-connector.inst
EXITCODE=1

RUNNING 98univention-samba4-dns.inst
2015-08-21 11:18:59.329617608+02:00 (in joinscript_init)
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1

# dcaccount=Administrator bindpwd=univention bash -x /usr/lib/univention-install/96univention-samba4.inst
...
+ samba-tool domain info backup40.phahn.qa
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
ERROR: Invalid IP address 'backup40.phahn.qa'!
Comment 1 Jens Thorp-Hansen univentionstaff 2016-06-28 09:37:27 CEST
happened again at Ticket#2016062721000076 - I try to reproduce it in a testing environment and update the bug with the environment for reference
Comment 2 Jens Thorp-Hansen univentionstaff 2016-06-28 14:03:26 CEST
verified in test environment

master: .42.176
backup: .42.174

- fresh install both servers 
- install S4 on backup
- root@ucs-5241:~# univention-join -verbose

Configure 96univention-samba4.inst                         failed


**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message:  FAILED: 96univention-samba4.inst
**************************************************************************
root@ucs-5241:~# 

join log -verbose (abridged)

...
...
...
distinguishedName: CN=RID Set,CN=UCS-5241,OU=Domain Controllers,DC=acheron,DC=intranet

# returned 1 records
# 1 entries
# 0 referrals'
++ sed -n 's/^rIDAllocationPool: //p'
+ old_rIDAllocationPool=1100-1599
++ sed -n 's/^rIDPreviousAllocationPool: //p'
+ old_rIDPreviousAllocationPool=1100-1599
++ sed -n 's/^rIDNextRID: //p'
+ old_rIDNextRID=1110
+ mv /var/lib/samba /var/lib/samba_backup_20160628135620
+ rsync -a --exclude '/private/*' /var/lib/samba_backup_20160628135620/ /var/lib/samba
+ samba_domain_join --keep-existing
+ local success
+ local samba_join_options
+ samba_join_options=("${@}")
+ samba_join_options+=(--kerberos=no)
+ samba_join_options+=(-U"$dcaccount"%"$bindpwd")
+ samba_join_options+=(--realm="$kerberos_realm")
+ samba_join_options+=(--machinepass="$(cat /etc/machine.secret)")
++ cat /etc/machine.secret
+ '[' -n '' ']'
+ univention-config-registry set 'windows/wins-support?no'
Not updating windows/wins-support
+ '[' -n '' ']'
+ samba-tool domain info acheron.intranet
ERROR: Invalid IP address 'acheron.intranet'!
+ '[' -z '' ']'
+ cn=($(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret 						"(&(univentionService=Samba 4)(objectClass=univentionDomainController))" cn 			| ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p' ))
++ sed -n 's/^cn: \(.*\)/\1/p'
++ ldapsearch-wrapper
++ ldapsearch -x -ZZ -LLL -D cn=ucs-5241,cn=dc,cn=computers,dc=acheron,dc=intranet -y /etc/machine.secret '(&(univentionService=Samba 4)(objectClass=univentionDomainController))' cn
+ for name in '"${cn[@]}"'
+ samba-tool domain info ucs-5241.acheron.intranet
ERROR: Invalid IP address 'ucs-5241.acheron.intranet'!
+ '[' -z '' ']'
+ echo 'Failed to join the domain.'
Failed to join the domain.
+ exit 1
+ '[' 1 -ne 0 ']'
+ echo -e '\033[60Gfailed'
++ basename /usr/lib/univention-install/96univention-samba4.inst
+ failed_message 'FAILED: 96univention-samba4.inst'
+ echo ''
+ echo ''
+ echo '**************************************************************************'
+ echo '* Join failed!                                                           *'
+ echo '* Contact your system administrator                                      *'
+ echo '**************************************************************************'
+ echo '* Message:  FAILED: 96univention-samba4.inst'
+ echo '**************************************************************************'
+ exit 1
+ trapOnExit
+ rm -rf /tmp/tmp.TGaQBdAP0A
+ '[' -n true -a true = true ']'
+ '[' -n 2 ']'
+ ucr set listener/debug/level=2
Setting listener/debug/level
File: /etc/runit/univention-directory-listener/run
++ LC_ALL=C
++ date
+ echo 'Tue Jun 28 13:56:22 CEST 2016: finish /usr/sbin/univention-join'
Tue Jun 28 13:56:22 CEST 2016: finish /usr/sbin/univention-join
Comment 3 Felix Botner univentionstaff 2016-06-28 14:45:06 CEST
Workaround:

remove the univentionService: Samba 4 attribute from the backup.

Fix:

96univention-samba4.inst +850

    ## check if we there already is a **domaincontroller** providing the service "Samba 4"
    samba4servicedcs=$(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \
                       "(&(univentionService=${NAME})(objectClass=univentionDomainController))" cn \
                       | ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p')  ## currently there is no u-d-m module computers/dc


This also finds the currently rejoining server. The join script than executes a domain join instead of a fresh samba provisioning. We have to ignore the join system in this ldap search:

        ## check if we there already is a **domaincontroller** providing the service "Samba 4"
        samba4servicedcs=$(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \
-                          "(&(univentionService=${NAME})(objectClass=univentionDomainController))" cn \
+                          "(&(univentionService=${NAME})(objectClass=univentionDomainController)(!(cn=$(hostname))))" cn \
                                           | ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p')  ## currently there is no u-d-m module computers/dc
Comment 4 Arvid Requate univentionstaff 2016-06-28 17:54:46 CEST
I guess setting samba4/provision/secondary=yes in UCR would also work around this.
Comment 5 Stefan Gohmann univentionstaff 2016-10-13 16:31:58 CEST
I've added a check if the local system is the S4 Connector system. In this case the system is re-configured as first Samba 4 DC and all other Samba 4 DCs need to be rejoined again: r73151

I'll give our Jenkins environments a first test run.
Comment 6 Stefan Gohmann univentionstaff 2016-10-18 12:13:10 CEST
(In reply to Stefan Gohmann from comment #5)
> I've added a check if the local system is the S4 Connector system. In this
> case the system is re-configured as first Samba 4 DC and all other Samba 4
> DCs need to be rejoined again: r73151
> 
> I'll give our Jenkins environments a first test run.

Looks good. I've also tested manual installations and rejoins.
Comment 7 Arvid Requate univentionstaff 2016-10-19 20:10:32 CEST
Verified:

* Patch ok and merged to UCS 4.2
* Rejoin works
* Advisory: Ok
Comment 8 Janek Walkenhorst univentionstaff 2016-10-20 12:40:02 CEST
<http://errata.software-univention.de/ucs/4.1/309.html>