Univention Bugzilla – Bug 40470
Add test case 90_ucsschool/141_check_DNS_settings
Last modified: 2017-06-23 18:45:39 CEST
Please add a test case for this scenario.

+++ This bug was initially created as a clone of Bug #39384 +++

Setup:
* UCS@school Multi-Server-Environment
* DC Master with Samba AD
* School-Slave with Samba AD
* UCS 4.0-3 Errata 320
* UCS@school 4.0 R2 v1

General:
A UCS Domain Controller provides also DNS services and is therefore automatically added to the default Forward Lookup Zone as nameserver. This adds them to the DNS AUTHORITY SECTION and the DNS ADDITIONAL SECTION (using dig). In a typical UCS domain, this is desired behaviour. In UCS@school multi-server environments, this is counterproductive.

Observed behaviour:
All schoolslaves are also added to the Forward Lookup Zone as nameservers and therefore show up in the DNS AUTHORITY SECTION and the DNS ADDITIONAL SECTION.

AFAIK this has two drawbacks:
- Schoolslaves are shown as authoritative nameserver for other schools/networks. Imho this won't work. Usually they are not even reachable.
- This easily blows the DNS UDP package, because with around 20 to 25 schoolslaves/nameservers, the answer is bigger than 512 bytes. The UDP package then gets truncated. Workaround: Use TCP for DNS or extend the accepted package size (e.g. "dig +bufsize=1024 <FQDN>")

Expected behaviour:
- schoolslaves are not added to the Forward Lookup Zone as nameservers (or removed after installing UCS@school). Clients need to be configured with the correct DNS settings of this particular school anyway.
I've added two tests. One checking that the UCRVs for slaves are set correctly. Another one for checking that the school servers are not added to DNS AUTHORITY SECTION (for slaves and masters).

svn commit: 75383 + 75384 + 75385
build: 3.0.17-37.358.201612191229
The test cases are 90_ucsschool/140_check_Domain_Users_policies and 00_checks/30_check_DNS_UCRVs. They are currently skipped, due to a missing tag (I think "apptest"):
http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20(R2)%20Multiserver/lastCompletedBuild/SambaVersion=s4-school-only/testReport/90_ucsschool/140_check_Domain_Users_policies/test/

Please adjust the test cases according to the patch in Bug #40471:
* Create a school
* use a main() function
* start the "desc" in the first line
* use lo.get() instead of lo.search() to get the relevant objects.
* set the exposure to dangerous
* use assertions/exception instead of sys.exit/utils.fail
The suggestions from Florian have been integrated and the tests seem to work. They have already found one bad test-environment:
http://jenkins.knut.univention.de:8080/job/UCSschool%204.1/job/UCSschool%204.1%20(R2)%20Singleserver/lastCompletedBuild/ImportTests=NoImportTests,SambaVersion=s4-with-slave/testReport/

svn commit: 75590 + 75592
build: 3.0.17-45.366.201701051256
90_ucsschool/141_check_DNS_settings:

        zone_name = ".".join([rdn[3:] for rdn in ldap_base.split(',')])

        school_server = ucr.get('hostname') + "." + zone_name

        zone = lo.get(filter_format('zoneName=%s,cn=dns,%s', (zone_name, ldap_base)))

Please use ucr.get('domainname') instead of the ldap-base for the zone name.

filter_format is wrong here, as the argument of lo.get() is a DN and not a search filter. You have to escape the zone_name value with ldap.dn.escape_dn_chars().
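The difference the comment above points at, as an added example that is not part of the original comment or of the UCS@school test code: filter escaping leaves DN separators untouched, so a value containing `,` or `=` changes the number of RDNs in the resulting DN, while DN escaping keeps it a single zoneName value. The two escape functions are pure-Python stand-ins for python-ldap's `ldap.filter.escape_filter_chars()` and `ldap.dn.escape_dn_chars()`; `LDAP_BASE`, `zone_dn`, `split_rdns`, `rdn_counts` and the sample values are constructed for illustration.

```python
# Added example. The escape functions are stand-ins for python-ldap's
# escape_filter_chars() / escape_dn_chars(), so this runs without python-ldap.
LDAP_BASE = "dc=example,dc=intranet"  # constructed sample base DN

def escape_filter_chars(value):
    """RFC 4515 filter escaping: only backslash, *, (, ) and NUL are special."""
    value = value.replace("\\", r"\5c")
    for char, esc in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(char, esc)
    return value

def escape_dn_chars(value):
    """RFC 4514 DN escaping: separators, NUL, leading '#'/space, trailing space."""
    if not value:
        return value
    value = value.replace("\\", "\\\\")
    for char in ',+"<>;=':
        value = value.replace(char, "\\" + char)
    value = value.replace("\x00", "\\00")
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    if value[0] in "# ":
        value = "\\" + value
    return value

def zone_dn(zone_name, escape):
    """Build the zone DN the way the quoted line does, with a chosen escaper."""
    return "zoneName=%s,cn=dns,%s" % (escape(zone_name), LDAP_BASE)

def split_rdns(dn):
    """Split a DN on unescaped commas (demo parser; quoted values not handled)."""
    parts, current, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if step == 1 and dn[i] == ",":
            parts.append(current)
            current = ""
        else:
            current += dn[i:i + step]
        i += step
    parts.append(current)
    return parts

def rdn_counts(zone_name):
    """Return (RDN count with filter escaping, RDN count with DN escaping)."""
    return (len(split_rdns(zone_dn(zone_name, escape_filter_chars))),
            len(split_rdns(zone_dn(zone_name, escape_dn_chars))))
```

For an ordinary zone name both escapers produce the same four-component DN, which is why the wrong escaper goes unnoticed in normal test runs.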
The latest hints from Florian have now been used as well.

svn commit: 75657
build: 3.0.17-46.367.201701101452
Created attachment 8355
patch

The test script only detects zones under cn=dns,dc=base. I think it is better to make a search, so that no zone anywhere uses this value.
I have committed and built Florian's suggested changes and the tests seem to work properly.

svn commit: 76018
build: 3.0.17-47.368.201701231639
Nice :)