Comment 1 Stefan Gohmann 2017-01-24 08:55:17 CET

Do we have the join log?

Comment 2 Florian Best 2017-01-24 09:49:45 CET

(In reply to Stefan Gohmann from comment #1)
> Do we have the join log?
No.

Comment 3 Erik Damrose 2017-04-03 13:43:14 CEST

I had the same issue just now: The 96univention-samba4.inst joinscript looks for the first DC it can join against. In my domain, that machine was not available anymore.

The search is: 
s4connector_dc=$(ldapsearch -x -ZZ -LLL -D "$ldap_hostdn" -y /etc/machine.secret \            "(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))" cn \
            | ldapsearch-wrapper | sed -n 's/^cn: \(.*\)/\1/p')

It then tries to join with
if [ -n "$s4connector_dc" ]; then
            echo "Join against S4 Connector server: $s4connector_dc"
            if samba-tool domain info "$s4connector_dc.$domainname"; then
                samba-tool domain join "$domainname" "......"

The joinscript logs:
Join against S4 Connector server: ucs-4171
ERROR: Invalid IP address 'ucs-4171.ucs.local'!
Samba currently not available on S4 Connector server ucs-4171.
ERROR: Invalid IP address 'ucs.local'!
ERROR: Invalid IP address 'ucs-4171.ucs.local'!
Failed to join the domain.

The joinscript should at least test if the server is currently available.

Comment 4 Florian Best 2017-04-18 12:34:35 CEST

Version: 4.1-4 errata408 (Vahr)

Remark: This is the second slave server in the branch office, the first was deployed without any problem.

Comment 5 Arvid Requate 2017-07-17 14:09:25 CEST

> The joinscript should at least test if the server is currently available.
> Samba currently not available on S4 Connector server ucs-4171.

That's what  "samba-tool domain info" has done. Finds that it cannot use it and continues with broadcast, but isn't successful at that:

> ERROR: Invalid IP address 'ucs.local'!


Maybe it should go on then and start over with a fresh provisioning.

Comment 6 Johannes Keiser 2017-11-15 16:02:21 CET

*** Bug 44765 has been marked as a duplicate of this bug. ***

Comment 7 Felix Botner 2017-12-11 13:01:50 CET

(In reply to Arvid Requate from comment #5)
> > The joinscript should at least test if the server is currently available.
> > Samba currently not available on S4 Connector server ucs-4171.
> 
> That's what  "samba-tool domain info" has done. Finds that it cannot use it
> and continues with broadcast, but isn't successful at that:
> 
> > ERROR: Invalid IP address 'ucs.local'!
> 
> 
> Maybe it should go on then and start over with a fresh provisioning.

what about a more detailed error message?

No domain server available, make sure the server $(connector_server) is up and running. If this server is no longer in use, make sure to remove the server from your domain as explained in sbd....

Comment 8 Florian Best 2017-12-11 13:08:33 CET

So the join fails if we have an computer/DC in LDAP which is not online at the time during the join.

What is the difference between a fresh provisioning and adding another DC Slave?

Comment 9 Felix Botner 2017-12-11 13:16:15 CET

(In reply to Florian Best from comment #8)
> So the join fails if we have an computer/DC in LDAP which is not online at
> the time during the join.
> 
> What is the difference between a fresh provisioning and adding another DC
> Slave?

fresh provisioning - a new samba domain is created
adding another DC - join into an existing domain

what we need to avoid is "fresh provisioning" if the other samba server is just not reachable currently

Comment 10 Florian Best 2017-12-11 13:19:02 CET

(In reply to Felix Botner from comment #9)
> (In reply to Florian Best from comment #8)
> > So the join fails if we have an computer/DC in LDAP which is not online at
> > the time during the join.
> > 
> > What is the difference between a fresh provisioning and adding another DC
> > Slave?
> 
> fresh provisioning - a new samba domain is created
> adding another DC - join into an existing domain
> 
> what we need to avoid is "fresh provisioning" if the other samba server is
> just not reachable currently

Could we add a check in the system setup? Like we are doing for the availability of UCS DC Master in Active Directory environments?

Comment 11 Felix Botner 2017-12-12 09:57:05 CET

(In reply to Florian Best from comment #10)
> (In reply to Felix Botner from comment #9)
> > (In reply to Florian Best from comment #8)
> > > So the join fails if we have an computer/DC in LDAP which is not online at
> > > the time during the join.
> > > 
> > > What is the difference between a fresh provisioning and adding another DC
> > > Slave?
> > 
> > fresh provisioning - a new samba domain is created
> > adding another DC - join into an existing domain
> > 
> > what we need to avoid is "fresh provisioning" if the other samba server is
> > just not reachable currently
> 
> Could we add a check in the system setup? Like we are doing for the
> availability of UCS DC Master in Active Directory environments?

This is already done by "samba-tool domain info" in the join script. 

But can we be sure that a server is no longer is use if the check fails? Is it a good idea to create a new samba domain, which has implication for the whole UCS domain?

I would rather go for a more detailed error message in this case and a sdb article that describes how to remove orphaned Samba/AD DC accounts.

Comment 12 Arvid Requate 2017-12-12 21:08:50 CET

> > Could we add a check in the system setup? Like we are doing for the
> > availability of UCS DC Master in Active Directory environments?
> 
> This is already done by "samba-tool domain info" in the join script. 

Florians proposal was to also check this already in system setup.


> But can we be sure that a server is no longer is use if the check fails?
> Is it a good idea to create a new samba domain, which has implication for
> the whole UCS domain?
> 
> I would rather go for a more detailed error message in this case and a sdb
> article that describes how to remove orphaned Samba/AD DC accounts.

Yes, let's improve the error message.

Comment 13 Stefan Gohmann 2018-03-15 06:37:16 CET

Move to 4.3-0-errata. If a UCS 4.2 backport is needed, please clone this issue.

Comment 14 Felix Botner 2018-03-21 14:38:03 CET

Just added the error message

Make sure the server is online or if this server is no longer in use,
please completely remove the server object from the domain.


At some point in the future we should review the samba_domain_join() function in 96univention-samba4.inst. There are too many ways to join into a samba domain, and some ways are broken for ucs@school. In my opinion the join to the domain and the join to the ucs ldap "univentionService=Samba 4" servers should be removed. And the join to the "S4 Connector" server has to be fixed for ucs@school (better use get_available_s4connector_dc to find the s4 dc).

The goal should be to support only
 * join to the server in UCR samba4/dc
 * join to the s4 connector server (which we get from the "school-safe" 
   get_available_s4connector_dc())

1ee115181fa257ef896a7029a6bd6b490defe1cd univention-samba4
a33bc0ffee2f8cf3add11e9b4e75a3a2e27be156 yaml

Comment 15 Arvid Requate 2018-03-27 12:41:54 CEST

Ok, the error message has been improved.


The request of Comment 3 has not been implemented. The argument against it is, that the error message already shows that the machine is not usable to join against it:

> The joinscript should at least test if the server is currently available.


The request of Comment 10 has also not been implemented.

> Could we add a check in the system setup? 

If this is actually desired please clone the bug. It would require more afford to check this depending on the software selection and given that samba-tool is not available at that point.

Comment 16 Arvid Requate 2018-03-28 13:28:25 CEST

<http://errata.software-univention.de/ucs/4.3/5.html>

Comment 17 Johannes Keiser 2018-03-29 18:11:02 CEST

Reported again: Version: 4.2-3 errata305 (Lesum)