Accidentally edited /etc/machine.secret


root@email:~# univention-ldapsearch "uid=administrator"
# extended LDIF
#
# LDAPv3
# base <dc=pluscard,dc=com> (default) with scope subtree
# filter: uid=administrator
# requesting: ALL
#

# Administrator, users, pluscard.com
dn: uid=Administrator,cn=users,dc=pluscard,dc=com
krb5PrincipalName: Administrator@PLUSCARD.com
uidNumber: 2002
sambaAcctFlags: [U          ]
krb5MaxLife: 86400
krb5MaxRenew: 604800
loginShell: /bin/bash
univentionObjectType: users/user
sambaSID: S-1-5-21-428253213-1704663622-2903039606-500
sn: Administrator
homeDirectory: /home/Administrator
univentionPolicyReference: cn=default-admins,cn=admin-settings,cn=users,cn=pol
 icies,dc=pluscard,dc=com
krb5KDCFlags: 126
uid: Administrator
description: Built-in account for administering the computer/domain
univentionObjectFlag: synced
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-428253213-1704663622-2903039606-513
oxTimeZone: Asia/Vientiane
oxLanguage: en_US
oxAccess: premium
mailPrimaryAddress: admin@pluscard.com
cn: Administrator Administrator
givenName: Administrator
gecos: Administrator Administrator
isOxUser: OK
oxDisplayName: Administrator Administrator
nextcloudEnabled: 1
univentionUMCProperty: appcenterDockerSeen=true
univentionUMCProperty: appcenterSeen=2
univentionUMCProperty: udmUserGridView=default
univentionUMCProperty: favorites=updater,udm:computers/computer,udm:groups/gro
 up,udm:users/user,appcenter:appcenter,apps:oxseforucs,apps:open-xchange-text,
 apps:adconnector,apps:self-service,apps:pkgdb,apps:collabora
univentionMailUserQuota: 0
displayName: Administrator Administrator
pwhistory: $6$0o1fMnqm1MfPbT6B$ATY527//KcjKyiHfcu0srF5mE30F0nbm5oPLkQuVia.CdGN
 3rp/GHGNkZF227ZR8beLKb/GWigAhEs6A7mzD01 $6$DrU4JbLBb9tnLrqP$LcwhHi9jWy1M9f6KJ
 3RjCGcom2aasBpLo3PGM.rkS4KReDp/USyYeWOg0X0zSau.VV5Fua43ydCP0Qj8vouRbd/
objectClass: krb5KDCEntry
objectClass: univentionPerson
objectClass: oxUserObject
objectClass: organizationalPerson
objectClass: automount
objectClass: nextcloudUser
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: person
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionObject
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: univentionPolicyReference
objectClass: posixAccount
userPassword:: e2NyeXB0fSQ2JDdLckt2WXRQWGdWLko0bVYkMlBTdnN6Zmx4QzM5THA5dUVTWnp
 XdTJFMmNZbTA4OTZvaUF5eVFBMmJINU9TU1pNMHhJZUcyRU54cFAzVHRaa3pNZVAyaWdwLnVRVUE1
 amwzbmtNTDA=
krb5Key:: MFKhKzApoAMCARKhIgQggsB1BRKvqL5NzSy1gTU/m30ggRJnrugpv/sfkOpRNY6iIzAh
 oAMCAQOhGgQYUExVU0NBUkQuTEFBZG1pbmlzdHJhdG9y
krb5Key:: MEKhGzAZoAMCARGhEgQQGxkiSDwP6ZyAIhNkvknFjqIjMCGgAwIBA6EaBBhQTFVTQ0FS
 RC5MQUFkbWluaXN0cmF0b3I=
krb5Key:: MEKhGzAZoAMCARehEgQQZidWYLQAg3nlwID+Y1Rd/6IjMCGgAwIBA6EaBBhQTFVTQ0FS
 RC5MQUFkbWluaXN0cmF0b3I=
krb5Key:: MDqhEzARoAMCAQGhCgQIj8ENSpj7oSyiIzAhoAMCAQOhGgQYUExVU0NBUkQuTEFBZG1p
 bmlzdHJhdG9y
krb5Key:: MDqhEzARoAMCAQOhCgQIj8ENSpj7oSyiIzAhoAMCAQOhGgQYUExVU0NBUkQuTEFBZG1p
 bmlzdHJhdG9y
krb5Key:: MDqhEzARoAMCAQKhCgQIj8ENSpj7oSyiIzAhoAMCAQOhGgQYUExVU0NBUkQuTEFBZG1p
 bmlzdHJhdG9y
krb5Key:: MEqhIzAhoAMCARChGgQYN21FyDj3yIVPrdOnHEDLyED96ZhSf7/ToiMwIaADAgEDoRoE
 GFBMVVNDQVJELkxBQWRtaW5pc3RyYXRvcg==
krb5KeyVersionNumber: 4
sambaNTPassword: 66275660B4008379E5C080FE63545DFF
sambaPasswordHistory: 54BE5B0293FEB472B3BF9C785E8AEDBB18589B6AF947086E25140B8A
 438A5126FE84D92ED2773C2C426A87B0A10EFFB81DD0EFAA2E9266D110BBAAE8EF0D214E254C6
 6CD61325BC704F66426D89471113E0579C5E8EEB775DA07191A03B3CBEB1832A42910D820FDA6
 E5887DB395FB74810F4E61CF79A19D3BC1F927B1F4ECF3
sambaPwdLastSet: 1540555399

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
root@email:~#

Hi,

well, the account exists which is fine.
But you still have the password issue for your machine account.

univention-run-join-scripts tries to get the DN of the given account through univention-ssh. univention-ssh itself tries to log in as the given username (should be "Administrator"), followed by @ and the full hostname of the master.

So first, set your Administrator password to something new (the password policy refuses the reuse of old passwords) with the following commands. Then write this password to a file and retry the login via univention-ssh. If univention-ssh works, the univention-run-join-scripts command will find the account name.

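# Reset the Administrator password and verify it with univention-ssh.
# The variable name, the file name written and the file name read must all
# match: the original snippet expanded the unset $password in the udm call
# and wrote paswd.file while univention-ssh read passwd.file.
passwd="1234QWERasdf"   # choose a password you never used before!
# Quoted so a password containing spaces or glob characters is passed intact.
# NOTE: the password is visible in the process list while udm runs.
udm users/user modify --dn="uid=Administrator,cn=users,dc=pluscard,dc=la" --set password="$passwd"
# printf '%s' writes no trailing newline (a stray newline in a secret file is
# what broke machine.secret further down this thread); umask 077 in the
# subshell creates the file readable by root only. Remove the file once the
# join is done.
(umask 077; printf '%s' "$passwd" > /root/passwd.file)
univention-ssh --no-split /root/passwd.file "administrator@$(ucr get ldap/master)" "ls -al /"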

If you get a directory listing as a result all went fine and we can go ahead with the univention-run-join-scripts command again.

If it fails, report exactly what failed!

/CV

There is an error reading passwd.file

root@email:~# passwd="UCS@WellTech"
root@email:~# udm users/user modify --dn="uid=Administrator,cn=users,dc=pluscard,dc=la" --set password=$passwd
Object modified: uid=Administrator,cn=users,dc=pluscard,dc=la
root@email:~# echo -n $passwd > /root/paswd.file
root@email:~# univention-ssh --no-split /root/passwd.file administrator@`ucr get ldap/master` "ls -al /"
Failed to read password from /root/passwd.file
root@email:~#

You might have noticed I had a typo. Sorry.

I wrote the password to a file named “paswd.file” while univention-ssh tried to reach “passwd.file”. Fix it and try again.

Reading and trying to understand the output of commands helps in troubleshooting.

/CV

There is a permission error

root@email:~# udm users/user modify --dn="uid=Administrator,cn=users,dc=pluscard,dc=la" --set password=$passwd
Password has been used before. Please choose a different one.
root@email:~# echo -n $passwd > /root/paswd.file
root@email:~# univention-ssh --no-split /root/paswd.file administrator@`ucr get ldap/master` "ls -al /"
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
root@email:~#

Sorry, I am out of options here.

Possibly something went wrong with one of your previous tries.

If these commands do not succeed, you do not need to do further troubleshooting. I would suggest using a very simple, never-before-used password without any special characters like @.
Do all commands in a single shell, one after the other.

The permission denied is usually a good indicator for the wrong password.

To verify, run (shortly after the above commands really failed): `grep ssh /var/log/auth.log | tail -n 50`

/CV

Is it possible the problem is caused by the administrator user having been linked to MS AD before?

I missed this part, indeed.

And I have to state that I am currently unsure about the implications of this fact.

Perhaps anyone else having an idea?

/CV

I learned the hard way that nano always adds a newline at the end of text files. In my case, machine.secret had to be edited with vim to remove this newline.

@Christian_Voelker Thank you so much. Now I can log in to OX and recover user data, but the join script still failed; anyway, I have already created a new system.
Best regards

Hello,
trying again to run the join script I get this error:
failed (exitcode: 3)

Is there a log to see exactly where the script is failing?
thanks,
Mario

Hi

I am running the script and getting this error:

univention-run-join-scripts --ask-pass -dcaccount administrator --force --run-scripts 10univention-ldap-server.inst
Enter DC Master Password:

Search LDAP binddn: done
Running pre-joinscripts hook(s): done
Running 10univention-ldap-server.inst failed (exitcode: 3)
Running post-joinscripts hook(s): done

connector-status.log

— retry in 30 seconds —

Thu Feb 6 17:55:52 2020
Thu Feb 6 17:55:52 2020
— connect failed, failure was: —
Traceback (most recent call last):
File "/usr/share/pyshared/univention/connector/ad/main.py", line 303, in main
connect()
File "/usr/share/pyshared/univention/connector/ad/main.py", line 191, in connect
baseConfig['%s/ad/listener/dir' % CONFIGBASENAME]
File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 839, in __init__
self.open_ad()
File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1038, in open_ad
self.get_kerberos_ticket()
File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1016, in get_kerberos_ticket
raise kerberosAuthenticationFailed('The following command failed: "%s" (%s): %s' % (string.join(cmd_block), p1.returncode, stdout))
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret ucs-ldap$" (1): kinit: Password incorrect

You are not supposed to do a

univention-run-join-scripts --force

on a DC master/primary! This will cause more damage than it heals.
