Problem: After the update to UCS5 the Citrix server service no longer starts

Problem:

After the update to UCS5 the Citrix server service (Citrix Konfigurationsprotokollierungsdienst/Citrix Configuration Logging Service) no longer starts. The service logs the following error (German original, English translation below):

Dienststart fehlgeschlagen: System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: Das angegebene Verzeichnisdienstattribut bzw. der angegebene Verzeichnisdienstwert ist nicht vorhanden.

Service start failed: System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: The specified directory service attribute or the specified directory service value does not exist.

Environment:

A domain with an outdated functional level:

# samba-tool domain level show
Domain and forest function level for domain 'DC=schein,DC=ig

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2008 R2

How-to: Raise Domain Functional Level

Investigation:

Check the ACLs on the system or, for example, the configuration partition.
The command

univention-s4search -b "CN=Partitions,CN=Configuration,DC=schein,DC=ig"  -s base

returns the partition object, but none of its attributes.

Solution:

The Samba ACLs on the partition were set like this:

ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Partitions,CN=Configuration,DC=schein,DC=ig" -s base ntsecuritydescriptor
# record 1
dn: CN=Partitions,CN=Configuration,DC=schein,DC=ig
nTSecurityDescriptor: O:EAG:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIID;
 RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)

Compared with the default ACL on the partition in UCS5 this descriptor is very “short”: it grants access only to SYSTEM (SY), Enterprise Admins (EA) and Domain Admins (DA), and contains no read entries for Authenticated Users (AU), which is what a non-admin service account needs in order to read the container.
Restoring the default ACL on the partition solved the issue:

ldbedit -H /var/lib/samba/private/sam.ldb -b "CN=Partitions,CN=Configuration,DC=schein,DC=ig" ntsecuritydescriptor
dn: CN=Partitions,CN=Configuration,DC=schein,DC=ig
nTSecurityDescriptor: O:EAG:EAD:AI(A;;LCLORC;;;AU)(OA;;RP;e48d0154-bcf8-11d1-8
 702-00c04fb96050;;AU)(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)(OA;;RP
 ;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)(OA;;RP;032160bf-9824-11d1-aec0-000
 0f80367c1;;AU)(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)(OA;;RP;5706ae
 af-b940-4fb2-bcfc-5268683ad9fe;;AU)(A;;RPWPCRCCLCLORCWOWDSW;;;EA)(A;;RPWPCRCC
 DCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;ED)(OA;CIIO;WP;3df793df-9858-4417-a701-735a1
 ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)(A;CIID;RPWPCRCCDCLCLORCWOWDS
 DDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)S:(AU;CISA;WPCRCCDCWOWDSDDT;;;
 WD)
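
To verify such a fix without reading SDDL by eye, here is an added Python check (not part of the original article or of Samba) that parses the DACL of an nTSecurityDescriptor and reports whether Authenticated Users can read the container; it uses the two descriptors above as constructed inline input. It only understands the two-letter SDDL rights codes shown on this page, not numeric access masks, and it ignores attribute-scoped (OA with GUID) and inherit-only ACEs because they grant nothing on the container itself.

```python
import re

# Constructed inline input: the two descriptors shown above, with the
# ldbsearch/ldbedit continuation lines joined back into one string each.
BROKEN_SD = ("O:EAG:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIID;RPWPCRCCDC"
             "LCLORCWOWDSDDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)")
DEFAULT_SD = (
    "O:EAG:EAD:AI(A;;LCLORC;;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)"
    "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)"
    "(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)"
    "(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)"
    "(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)"
    "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)"
    "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;ED)"
    "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;"
    "bf967a8d-0de6-11d0-a285-00aa003049e2;BA)"
    "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)"
    "S:(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)")

def dacl_aces(sddl):
    """ACE dicts from the D: component (two-letter rights codes only)."""
    parts = dict(re.findall(r"(O|G|D|S):((?:(?![OGDS]:).)*)", sddl))
    aces = []
    for body in re.findall(r"\(([^)]*)\)", parts.get("D", "")):
        typ, flags, rights, obj, inh, sid = body.split(";")
        aces.append({"type": typ, "flags": set(re.findall(r"..", flags)),
                     "rights": set(re.findall(r"..", rights)),
                     "object": obj, "sid": sid})
    return aces

def allowed_rights(sddl, trustee):
    """Rights a trustee alias (e.g. 'AU') gets on the container itself.
    Attribute-scoped OA ACEs and inherit-only ACEs grant nothing here."""
    rights = set()
    for ace in dacl_aces(sddl):
        if (ace["sid"] == trustee and ace["type"] in ("A", "OA")
                and not ace["object"] and "IO" not in ace["flags"]):
            rights |= ace["rights"]
    return rights

def can_read_container(sddl):
    """True if AU (Authenticated Users) or WD (Everyone) get LC+LO+RC or generic read."""
    for trustee in ("AU", "WD"):
        r = allowed_rights(sddl, trustee)
        if {"LC", "LO", "RC"} <= r or r & {"GA", "GR"}:
            return True
    return False

print("old ACL readable by AU:", can_read_container(BROKEN_SD))      # False
print("default ACL readable by AU:", can_read_container(DEFAULT_SD))  # True
```

Feed it the nTSecurityDescriptor value returned by ldbsearch for CN=Partitions after joining the wrapped lines; a False result for the default-looking descriptor means the read ACEs for AU are missing.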

Note:

It is possible to reset the system to the default ACLs. This should not be done lightly! GPOs and all adjustments regarding ACLs should be backed up first. We also recommend trying this first in a test environment (a clone of the system). This is only expected to help on an “old and updated” system.

# samba-tool dbcheck --help
Usage: samba-tool dbcheck [<DN>] [options]

Check local AD database for errors.
Options:
  -h, --help            show this help message and exit

  --reset-well-known-acls
                        reset ACLs on objects with well known default values
                        (for updating from early 4.0.x)