Bug 47388 – non-school servers cannot join caused by missing S4 SlavePDC Service on a school-slave

Bug 47388 - non-school servers cannot join caused by missing S4 SlavePDC Service on a school-slave


Summary:	non-school servers cannot join caused by missing S4 SlavePDC Service on a sch...

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Samba4
Version:	UCS 4.3
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.3-1-errata
Assigned To:	Felix Botner
QA Contact:	Arvid Requate

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2018-07-23 13:04 CEST by Christina Scheinig
Modified:	2018-08-24 09:47 CEST (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	5: Blocking further progress on the daily work
User Pain:	0.429
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2018072321000265
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christina Scheinig

2018-07-23 13:04:41 CEST

The join.log of a non-school slave shows:
--------------------------------------------------------------------------------
Configure 96univention-samba4.inst Mon Jul 23 09:22:30 CEST 2018
2018-07-23 09:22:30.054606665+02:00 (in joinscript_init)
23.07.18 09:22:34.438  DEBUG_INIT
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=master.beispiel.de port=7389 base=dc=beispiel,dc=de
UNIVENTION_DEBUG_END    : uldap.__open host=master.beispiel.de port=7389 base=dc=beispiel,dc=de
Not updating samba4/role
Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.
Multifile: /etc/samba/smb.conf
Object exists: cn=Builtin,dc=beispiel,dc=de
WARNING: cannot append cn=DC Backup Hosts,cn=groups,dc=beispiel,dc=de to nestedGroup, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=beispiel,dc=de
WARNING: cannot append cn=slave-opsi,cn=dc,cn=computers,dc=beispiel,dc=de to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=beispiel,dc=de
Object created: cn=Console Logon,cn=Builtin,dc=beispiel,dc=de
modifying entry "cn=Console Logon,cn=Builtin,dc=beispiel,dc=de"

ERROR: More than one S4 Connector hosts available: master
school-slave1
--------------------------------------------------------------------------------
Using the filter from the join.script it shows two servers.
univention-ldapsearch "(&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))" dn
# extended LDIF
#
# LDAPv3
# base <dc=beispiel,dc=de> (default) with scope subtree
# filter: (&(univentionService=S4 Connector)(objectClass=univentionDomainController)(!(univentionService=S4 SlavePDC)))
# requesting: dn
#

# master, dc, computers, beispiel.de
dn: cn=master,cn=dc,cn=computers,dc=beispiel,dc=de

# school-slave1, dc, server, computers, slave1, beispiel.de
dn: cn=school-slave1,cn=dc,cn=server,cn=computers,ou=slave1,dc=beispiel,dc=de
------------------------------------------------------------------------------
The school-slave does not have this Service. The school-slave was joined successfully.
dn: cn=ucs-school-slave1,cn=dc,cn=server,cn=computers,ou=slave1,dc=beispiel,dc=de
univentionService: LDAP
univentionService: NFS
univentionService: DNS
univentionService: Univention Management Console
univentionService: DHCP
univentionService: UCS@school
univentionService: UCS@school Education
univentionService: Print
univentionService: PROXY
univentionService: Samba 4
univentionService: S4 Connector
univentionService: PrintQuota

To fix this I added the service manually. This obviously failed in "96univention-samba4slavepdc.inst", but I did not found an error message.
udm computers/domaincontroller_slave modify --dn "cn=cs-school-slave1,cn=dc,cn=server,cn=computers,ou=slave1,dc=beispiel,dc=de" --append service="S4 SlavePDC"
------------------------------------------------------------------------------
At least we should have an error message in the join script, if appending the service failed.

Comment 1 Felix Botner

2018-08-15 10:49:28 CEST

as discussed with support, only modified the error message to 

ERROR: More than one S4 Connector hosts available: master backup
ERROR: If this is a central (non-school) slave, make sure every school slave
ERROR: in the list above has the 'univentionService=S4 SlavePDC' service set!

this should give a clue what to do in that case.

univention-samba4: 8ae9682a99cb7c96cfa6ed1f91dfa11fcd3ac225
yaml: c9b6a03856ff8ade0a3e893939e003a941074f51

Comment 2 Arvid Requate

2018-08-15 18:17:11 CEST

Hmm, I had difficulties grasping the meaning of the message and then I think customers will have similar problems. How about just listing the Slaves in the message and leaving out the Master/Backups ? Otherwise people start adding 'univentionService=S4 SlavePDC' to Master and Backups.

Comment 3 Felix Botner

2018-08-16 11:46:51 CEST

ok, changed the message (look for slaves hosts and print this list)

Comment 4 Arvid Requate

2018-08-22 13:50:50 CEST

As discussed, I guess the error message is misleading if we are in a OU.

Comment 5 Felix Botner

2018-08-22 16:33:58 CEST

print error message only if $OU is not empty (central school department)

Comment 6 Arvid Requate

2018-08-23 18:12:51 CEST

Ok.

Comment 7 Arvid Requate

2018-08-23 18:13:00 CEST

Released collaterally with Bug 47638 Comment 6.

Comment 8 Philipp Hahn

2018-08-24 09:47:54 CEST

I manually fixed the YAML <git:1890b69516> and updated the generated HTML erratum to include these changes as well: <http://errata.software-univention.de/ucs/4.3/218.html>