Cannot join Master as a Slave|Backup


#1

Hello all,

I have a strange issue. I have an existing Master UCS in AWS. I joined a Slave and another 2x Backups in AWS to my Master. All was good. In house I have a Proxmox server with VMs. One of them is UCS version 4.0-4 like the rest. I’m trying to join the Master but I have problems like:

56741937 /etc/ldap/slapd.conf: line 50: <suffix> invalid DN 21 (Invalid syntax) slapschema: bad configuration file!.

After installation I have a problem in slapd.conf. It is the same as the rest of the slapd.conf files on the Backups and Slaves in AWS.

I tried joining by Wizard and by command line. I always have an issue like:

Check DC Master:                                           done
Stop LDAP Server:                                          done
Search ldap/base                                           done
Start LDAP Server:                                         done
Search LDAP binddn                                         done
Sync time:                                                 fail
Join Computer Account:                                     done
Stopping univention-directory-listener daemon:  done
Sync ldap-backup.secret:                                   done
Check TLS connection:                                      done
Download host certificate: ..                              done
Restart LDAP Server:                                       done
Sync Kerberos settings:                                    done
Not updating kerberos/adminserver
Configure 01univention-ldap-server-init.inst               done
Configure 03univention-directory-listener.inst             failed


**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message:  FAILED: 03univention-directory-listener.inst
**************************************************************************

And in log I see:

File: /etc/ldap/ldap.conf
Could not chdir to home directory /dev/null: Not a directory
scp: /etc/univention/ssl/hostname: Permission denied
Could not chdir to home directory /dev/null: Not a directory
scp: /etc/univention/ssl/domain: Permission denied
Could not chdir to home directory /dev/null: Not a directory
scp: /etc/univention/ssl/hostname: Permission denied
Could not chdir to home directory /dev/null: Not a directory
scp: /etc/univention/ssl/domain: Permission denied
Could not chdir to home directory /dev/null: Not a directory
Could not chdir to home directory /dev/null: Not a directory
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...failed.
56741980 /etc/ldap/slapd.conf: line 50: <suffix> invalid DN 21 (Invalid syntax) slapschema: bad configuration file!.

I can add that on the Master side I see that server with:

udm computers/domaincontroller_slave list

I didn’t have any problems like that when I joined the AWS VM to the Master. All connections between them are working. DNS! Ping! Domains! All is good.

I will be glad for any help.

Thank you,
Rafal


#2

Hey,

can you please remove the computer’s account from the LDAP directory and try the join again? Please make sure to run “univention-join” as root, not as a regular user.

Then please post the full output of the “univention-join” command as well as the full log file /var/log/univention/join.log. Thanks.


#3

[quote=“Moritz Bunkus”]Hey,
can you please remove the computer’s account from the LDAP directory and try the join again? Please make sure to run “univention-join” as root, not as a regular user.
[/quote]

Before every try I do this on my PDC:

udm computers/domaincontroller_slave remove --dn cn=XXX

And then join again. I even tried installing a new system and joining by the install wizard.

Best,
Rafal


#4

This is join.log. This failure was with the Setup Wizard.

Mon Jan  4 17:59:31 CET 2016: starting /usr/share/univention-join/univention-join -dcaccount Administrator -dcpwd /tmp/tmp.Icye27v01R
running version check
OK: UCS version on pdc.ds.net is higher or equal (4.04) to the local version (4.04).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
univention-server-join: joins a server to an univention domain
copyright (c) 2001-2015 Univention GmbH, Germany

ldap_dn="cn=ldap,dc=ds,dc=net"
Create ldap/hostdn
File: /etc/pam.d/smtp
Multifile: /etc/postfix/ldap.virtualwithcanonical
File: /etc/pam_ldap.conf
File: /etc/runit/univention-directory-listener/run
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
File: /etc/libnss-ldap.conf
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/ldap/slapd.conf
Multifile: /etc/postfix/ldap.sharedfolderlocal
File: /etc/cron.d/univention-directory-policy
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.canonicalsender
Setting ldap/server/name
Setting ldap/server/ip
Not updating ldap/server/port
Create ldap/master
Not updating ldap/master/port
Setting ldap/server/type
Multifile: /etc/ldap/slapd.conf
Multifile: /etc/postfix/ldap.virtualwithcanonical
File: /etc/pam_ldap.conf
File: /etc/krb5.conf
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
File: /etc/libnss-ldap.conf
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
File: /etc/pam.d/smtp
Multifile: /etc/postfix/ldap.sharedfolderlocal
File: /etc/init.d/slapd
File: /etc/default/ntpdate
File: /etc/nagios/nrpe.cfg
Multifile: /etc/postfix/ldap.sharedfolderremote
File: /etc/ntp.conf
Multifile: /etc/postfix/ldap.canonicalsender
File: /etc/ldap/ldap.conf
Could not chdir to home directory /dev/null: Not a directory
Could not chdir to home directory /dev/null: Not a directory
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
Not updating ldap/server/name
Not updating ldap/master
Setting kerberos/realm
File: /etc/krb5.conf
File: /etc/heimdal-kdc/kdc.conf
Setting windows/domain
File: /etc/krb5.conf
Create dns/forwarder1
File: /etc/bind/named.conf.proxy
File: /etc/bind/named.conf.samba4
Create dns/forwarder2
File: /etc/bind/named.conf.proxy
File: /etc/bind/named.conf.samba4
Configure 01univention-ldap-server-init.inst Mon Jan  4 18:00:07 CET 2016
2016-01-04 18:00:07.523503080+01:00 (in joinscript_init)
568aa517 /etc/ldap/slapd.conf: line 50: <suffix> invalid DN 21 (Invalid syntax)
slapadd: bad configuration file!
E: your request could not be fulfilled
try `univention-config-registry --help` for more information
Not updating windows/domain
Not updating kerberos/realm
Starting ldap server(s): slapd ...failed.
568aa518 /etc/ldap/slapd.conf: line 50: <suffix> invalid DN 21 (Invalid syntax) slapschema: bad configuration file!.
invoke-rc.d: initscript slapd, action "start" failed.
2016-01-04 18:00:08.017062854+01:00 (in joinscript_save_current_version)
Configure 03univention-directory-listener.inst Mon Jan  4 18:00:08 CET 2016
2016-01-04 18:00:08.056218318+01:00 (in joinscript_init)
Create ldap/database/ldbm/dbsync
Multifile: /etc/ldap/slapd.conf
04.01.16 18:00:08.797  DEBUG_INIT
04.01.16 18:02:16.164  LISTENER    ( ERROR   ) : failed to connect to any notifier
04.01.16 18:02:16.165  LISTENER    ( ERROR   ) : can not connect any server, exit
Setting ldap/database/ldbm/dbsync
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...failed.
568aa5a7 /etc/ldap/slapd.conf: line 50: <suffix> invalid DN 21 (Invalid syntax) slapschema: bad configuration file!.
Mon Jan  4 18:02:31 CET 2016: finish /usr/share/univention-join/univention-join

But I see that slave in the PDC list:

udm computers/domaincontroller_slave list

Any idea? Thank you so much for any help.

Rafal


#5

Thanks. The host entry is created very early in the join stage so that the subsequent operations like copying certificates from the master can use the host account for authentication. That’s not unusual.

Can you please show the full content of the file “/etc/ldap/slapd.conf” after such a failed join attempt? Thanks.


#6

This is the code from slapd.conf. What is strange is that on different servers in AWS I have exactly the same config and all is working. Maybe the VPN tunnel between my server and AWS is a problem? But everything like Telnet, Ping, SSH is working.

include         /var/lib/univention-ldap/schema.conf

pidfile			/var/run/slapd/slapd.pid
argsfile		/var/run/slapd/slapd.args
loglevel		0
allow			bind_v2 update_anon

TLSCertificateFile	/etc/univention/ssl/ldap.ds.net/cert.pem
TLSCertificateKeyFile	/etc/univention/ssl/ldap.ds.net/private.key
TLSCACertificateFile	/etc/univention/ssl/ucsCA/CAcert.pem
TLSCipherSuite	HIGH:MEDIUM:!aNULL:!MD5:!RC4
TLSProtocolMin	3.1
TLSDHParamFile	/etc/ldap/dh_2048.pem

sizelimit		400000

idletimeout		360

attributeoptions "entry-"

# database definition
modulepath	/usr/lib/ldap
moduleload	back_mdb.so
moduleload	k5pwd.so
moduleload	pwd_scheme_kinit.so

database	mdb
suffix		"dc=ds,dc=net"

overlay		k5pwd
overlay		pwd_scheme_kinit

maxsize	2147483648

threads		16
tool-threads	1

index	cn,givenName,mail,sn,uid pres,eq,sub,approx
index	aRecord,automountInformation,description,displayName,macAddress,mailAlternativeAddress,mailPrimaryAddress,ou,relativeDomainName,univentionUDMPropertyLongDescription,univentionUDMPropertyShortDescription,zoneName pres,eq,sub
index	dhcpHWAddress,gidNumber,homeDirectory,krb5PrincipalName,memberUid,objectClass,uidNumber,uniqueMember,univentionMailHomeServer,univentionObjectFlag,univentionPolicyReference,univentionUDMPropertyCLIName,univentionUDMPropertyDefault,univentionUDMPropertyDeleteObjectClass,univentionUDMPropertyDoNotSearch,univentionUDMPropertyHook,univentionUDMPropertyLayoutOverwritePosition,univentionUDMPropertyLayoutOverwriteTab,univentionUDMPropertyLayoutPosition,univentionUDMPropertyLayoutTabAdvanced,univentionUDMPropertyLayoutTabName,univentionUDMPropertyLdapMapping,univentionUDMPropertyModule,univentionUDMPropertyMultivalue,univentionUDMPropertyObjectClass,univentionUDMPropertyOptions,univentionUDMPropertySyntax,univentionUDMPropertyTranslationLongDescription,univentionUDMPropertyTranslationShortDescription,univentionUDMPropertyTranslationTabName,univentionUDMPropertyValueMayChange,univentionUDMPropertyValueRequired,univentionUDMPropertyVersion pres,eq
index	name pres,sub
index	pTRRecord,sambaSID,univentionInventoryNumber eq,sub
index	shadowMax pres
index	cNAMERecord,entryUUID,sambaAcctFlags,sambaDomainName,sambaGroupType,sambaPrimaryGroupSID,sambaSIDList,secretary,shadowExpire,univentionCanonicalRecipientRewriteEnabled,univentionLicenseModule,univentionLicenseObject,univentionNagiosHostname,univentionObjectType,univentionServerRole,univentionService,univentionShareGid,univentionShareSambaName,univentionShareWriteable,univentionUDMOptionModule eq
index	associatedDomain,default,employeeNumber,univentionOperatingSystem,univentionSyntaxDescription sub

limits users time.soft=-1 time.hard=-1

rootdn		"cn=update,dc=ds,dc=net"
include		/etc/ldap/rootpw.conf
updatedn	"cn=update,dc=ds,dc=net"
updateref	ldap://pdc.ds.net:7389

directory	"/var/lib/univention-ldap/ldap"
lastmod		on
sasl-regexp
    uid=(.*),cn=gssapi,cn=auth
    ldap:///"dc=ds,dc=net"??sub?uid=$1

# allow authentication
access to attrs=userPassword
    by anonymous auth
    by * none break

access to attrs=userPassword,krb5Key,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword
   by sockname="PATH=/var/run/slapd/ldapi" read
   by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=ds,dc=net" read
   by dn.base="cn=ldap-ber,cn=dc,cn=computers,dc=ds,dc=net" read
   by * none

access to *
   by users read

access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,dc=ds,dc=net$" filter="(objectClass=univentionVirtualMachine)"
	by dn.onelevel="cn=dc,cn=computers,dc=ds,dc=net" read
	by dn.onelevel="cn=memberserver,cn=computers,dc=ds,dc=net" read
	by * read break

access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,dc=ds,dc=net$" filter="(objectClass=univentionVirtualMachineCloudConnection)"
	by dn.onelevel="cn=dc,cn=computers,dc=ds,dc=net" read
	by dn.onelevel="cn=memberserver,cn=computers,dc=ds,dc=net" read
	by * read break

access to dn.regex="^cn=(Information|CloudConnection),cn=Virtual Machine Manager,dc=ds,dc=net$" attrs=children,entry
	by dn.onelevel="cn=dc,cn=computers,dc=ds,dc=net" read
	by dn.onelevel="cn=memberserver,cn=computers,dc=ds,dc=net" read
	by * read break


#7

Thanks. That file looks good to me.

The error in question is this one:

/etc/ldap/slapd.conf: line 50: <suffix> invalid DN 21 (Invalid syntax)

In your slapd.conf you’ve most likely left out all the commented lines at the start of the file. Therefore the “line 50” in the error message doesn’t correspond to line 50 in the slapd.conf file you’ve posted here, but in your original slapd.conf file this should be the line starting with “suffix …”.

That suffix is OK. If the LDAP server complains about an invalid DN then the attribute you’re using in the DN (“dc” in this case) isn’t known to the server.

This hints at a problem during the installation of the LDAP server. I’m at a loss how this could have happened.

Before digging further into trying to make this work I’d advise to wipe the current installation and to re-install. If that works then we’d save ourselves spending a lot of time debugging and trying to fix the current installation.


#8

I have reinstalled my machine I think 20 times so far :wink: I checked different options. I will do it again and not join the UCS Domain by Wizard but later after install. But probably the LDAP package and more will be missing.

I noticed that I have a 1 minute time difference between the PDC and LDAP on my server. Do you think it could be a problem?

Best,
Rafal


#9

Fresh installation without connecting to any Domain. I wish to join from the command line but I have this problem:

root@ldap-ber:~# univention-join -dcaccount Administrator -dcname domain.net -type domaincontroller_slave -verbose
univention-join: joins a computer to an ucs domain
copyright © 2001-2015 Univention GmbH, Germany

Enter DC Master Password:

Check DC Master: done
Search ldap/base done
Search LDAP binddn done
Sync time: fail
Join Computer Account: done
Sync ldap-backup.secret: done
Check TLS connection:

**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message: Establishing a TLS connection with domain.net failed. Maybe you didn’t specify a FQDN.
**************************************************************************

Rafal


#10

Generally speaking the time on all computers within a domain should be synchronized, otherwise things like Kerberos will break. They have a certain tolerance, though I cannot say exactly how much of one. I don’t really think that the time is the culprit in your situation.

About that last failed join: You have to give the name of a domain controller (DC) with “-dcname”, not the domain name.


#11

Thank you for all the help. I found the solution yesterday. First: the date/time sync was a problem with rdate and opening port 37 between my server and AWS. And the rest was the same firewall. I had checked ports 7636/7389 from my server to AWS but I think it is using something more, because when I opened more ports all was fine and it works like a charm right now.

Thank you again for any help.

Best,
Rafal
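Since the thread ends with the firewall between the on-premises VM and AWS as the real cause (port 37 for rdate, 7389/7636 for LDAP), and #9/#10 show the TLS step failing because a domain name instead of a DC's FQDN was passed to -dcname, here is a small pre-join reachability check a practitioner can run from the prospective Slave before touching univention-join. It is an added example written for this thread, not Univention's own tooling; the port list contains only the ports the thread names (any further ports a join needs are not stated here, so extend the mapping yourself), and the is_dc_name check is a heuristic of mine: the value for -dcname must be a host inside the domain, not the domain itself. The host names pdc.ds.net / ds.net come from the thread.

```python
"""Pre-join reachability check for a UCS Slave/Backup (added example).

Probes the TCP ports the thread names on the DC Master and checks that the
-dcname argument is a host inside the domain. Only the transport path is
tested, which is exactly what a firewall between sites would break; no LDAP
or TLS negotiation is attempted.
"""
import socket
from typing import Dict, List

# TCP ports named in the thread (assumption: your join may need more).
REQUIRED_TCP_PORTS: Dict[int, str] = {
    37: "rdate time sync",
    7389: "UCS LDAP (updateref / directory listener)",
    7636: "UCS LDAP over TLS (certificate check)",
}


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake with host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable or unreachable
        return False


def is_dc_name(dcname: str, domainname: str) -> bool:
    """Heuristic: -dcname must be a host inside the domain, not the domain itself.

    'domain.net' (post #9) fails; 'pdc.ds.net' for the domain 'ds.net' passes.
    """
    dc = dcname.rstrip(".").lower()
    dom = domainname.rstrip(".").lower()
    return dc != dom and dc.endswith("." + dom) and len(dc) > len(dom) + 1


def check_master(host: str, ports: Dict[int, str] = REQUIRED_TCP_PORTS,
                 timeout: float = 3.0) -> Dict[int, bool]:
    """Probe every required port on the master; returns {port: reachable}."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def report(host: str, results: Dict[int, bool],
           ports: Dict[int, str] = REQUIRED_TCP_PORTS) -> List[str]:
    """One line per port; BLOCKED ports are the firewall rules to fix first."""
    lines = []
    for port in sorted(results):
        state = "open" if results[port] else "BLOCKED"
        lines.append(f"{host}:{port} {ports.get(port, 'unknown')}: {state}")
    return lines


def local_listener_probe() -> bool:
    """Self-check: listen on an ephemeral loopback port and probe it.

    Shows the probe reports True where something really listens, so a False
    against the master is a network fact rather than a bug in this script.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return tcp_port_open("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    import sys
    master = sys.argv[1] if len(sys.argv) > 1 else "pdc.ds.net"  # DC FQDN from the thread
    domain = sys.argv[2] if len(sys.argv) > 2 else "ds.net"
    if not is_dc_name(master, domain):
        print(f"{master!r} is not a host inside {domain!r}; pass the DC's FQDN")
        sys.exit(2)
    results = check_master(master)
    print("\n".join(report(master, results)))
    sys.exit(0 if all(results.values()) else 1)
```

Run it as `python3 prejoin_check.py pdc.ds.net ds.net` on the Slave; a non-zero exit means either the -dcname shape is wrong or at least one of the listed ports is blocked on the path to the master, which is the situation the thread ended in.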


#12

Firewall… dang, I should have thought about that, too. Glad you got it working.