Hello everyone!
On a backup domain controller I can't get a univention-join problem under control. It had been running for quite a while, until I recently destroyed the transaction file on the master, which runs as an AD member, through a script error. After that I re-initialized the AD Connector and thought that if I re-joined the backup DC to the domain, everything would be fine again. But I can't get that to work.
On Windows I would demote the backup DC so that it loses all directory information, and then promote it to a DC again. Are there other options in UCS besides univention-join that could help me here?
.
Backup DC:
root@srvmucudcb03:~# univention-app info
UCS: 4.2-2 errata209
App Center compatibility: 4
Installed: kvm=1.2.8 samba-memberserver=4.6 self-service=2.0 uvmm=6
Upgradable:
.
Master DC:
root@srvmucudcb01:/home/support# univention-app info
UCS: 4.2-2 errata231
App Center compatibility: 4
Installed: adconnector=11.0 cups=1.7.5 nagios=3.5 radius=4.0 samba-memberserver=4.6 self-service=2.0 uvmm=6
Upgradable:
.
.
The following process took more than 90 minutes:
root@srvmucudcb03:~# univention-join -dcname srvmucudcb01.firma.de -type domaincontroller_backup
univention-join: joins a computer to an ucs domain
copyright (c) 2001-2017 Univention GmbH, Germany
Enter DC Master Account : Administrator
Enter DC Master Password:
Check DC Master: done
Stop LDAP Server: done
Stop Samba Server: done
Search ldap/base done
Start LDAP Server: done
Search LDAP binddn done
Sync time: done
Join Computer Account: done
Stopping univention-directory-notifier daemon: done
Stopping univention-directory-listener daemon: done
Sync ldap.secret: done
Sync ldap-backup.secret: done
Sync SSL directory: done
Check TLS connection: done
Download host certificate: done
Sync SSL settings: done
Restart LDAP Server: done
Sync Kerberos settings: done
Configure 01univention-ldap-server-init.inst
done
Configure 02univention-directory-notifier.inst done
Configure 03univention-directory-listener.inst
done
Configure 04univention-ldap-client.inst done
Configure 05univention-bind.inst done
Configure 08univention-apache.inst done
Configure 10univention-ldap-server.inst done
Configure 11univention-heimdal-init.inst done
Configure 11univention-pam.inst done
Configure 15univention-directory-notifier-post.inst done
Configure 15univention-heimdal-kdc.inst done
Configure 18python-univention-directory-manager.inst done
Configure 20univention-directory-policy.inst done
Configure 20univention-join.inst done
Configure 26univention-nagios-common.inst done
Configure 26univention-samba.inst failed
**************************************************************************
* Join failed! *
* Contact your system administrator *
**************************************************************************
* Message: FAILED: 26univention-samba.inst
**************************************************************************
root@srvmucudcb03:~#
root@srvmucudcb03:~# tail -n 40 /var/log/univention/join.log
Object exists: cn=UNIVENTION_NTP,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_SMTP2,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_SSL,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_LOAD,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_REPLICATION,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_NSCD,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_NSCD2,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_KPASSWDD,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_WINBIND,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_SMBD,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_NMBD,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_JOINSTATUS,cn=nagios,dc=firma,dc=de
Object exists: cn=UNIVENTION_PACKAGE_STATUS,cn=nagios,dc=firma,dc=de
2017-12-05 01:46:28.602029088+01:00 (in joinscript_save_current_version)
Configure 26univention-samba.inst Tue Dec 5 01:46:28 CET 2017
2017-12-05 01:46:28.623145606+01:00 (in joinscript_init)
Setting samba/role
Multifile: /etc/samba/smb.conf
INFO: ad/member is true, will join as memberserver into an AD domain
Setting samba/domain/security
Multifile: /etc/samba/smb.conf
Setting samba/share/home
File: /etc/samba/base.conf
Multifile: /etc/samba/smb.conf
Setting samba/autostart
Module: autostart
Multifile: /etc/samba/smb.conf
Not updating samba/autostart
Stopping winbind (via systemctl): winbind.service.
Setting samba/user
Not updating samba/user/pwdfile
Multifile: /etc/samba/smb.conf
Setting stored password for "cn=srvmucudcb03,cn=dc,cn=computers,dc=firma,dc=de" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Restarting samba (via systemctl): samba.service.
Object modified: cn=srvmucudcb03,cn=dc,cn=computers,dc=firma,dc=de
Failed to join domain: failed to lookup DC info for domain 'firma' over rpc: Undetermined error
ERROR: Failed to join to AD DC via net ads join. Please check your Samba DCs and your DNS and WINS configuration.
I can't find any error in the DNS configuration, at least as far as name resolution is concerned.
.
.
root@srvmucudcb03:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: Administrator@firma.DE
Issued Expires Principal
Dec 5 00:27:58 2017 Dec 5 10:27:53 2017 krbtgt/firma.DE@firma.DE
Dec 5 00:31:33 2017 Dec 5 10:27:53 2017 host/srvmucudcb01.firma.de@
Dec 5 00:31:33 2017 Dec 5 10:27:53 2017 host/srvmucudcb01.firma.de@firma.DE
.
.
In /var/log/univention/listener.log it is noticeable that every entry contains cn=temporary:
05.12.17 14:35:52.091 LISTENER ( PROCESS ) : updating 'cn=johann,cn=uid,cn=temporary,cn=univention,dc=firma,dc=de' command d
05.12.17 14:35:52.092 LISTENER ( PROCESS ) : updating 'cn=7189,cn=uidNumber,cn=temporary,cn=univention,dc=firma,dc=de' command d
05.12.17 14:35:52.102 LISTENER ( PROCESS ) : updating 'cn=S-1-5-21-2231228107-1648847474-2204682860-15380,cn=sid,cn=temporary,cn=univention,dc=firma,dc=de' command d
Regards,
Dirk