Can't create a memberserver

Hi,

I'm trying to create a member server (Join existing AD domain), and an error comes up...

  • Domain setup (this might take a while):
    binddn for user Administrator not found.

Here is my join.log:

Mon Mar 20 13:33:39 CDT 2017: starting /usr/share/univention-join/univention-join -dcaccount Administrator -dcpwd /tmp/tmp.rg9BZSPNM4
running version check
OK: UCS version on dc1.erlphase.com is higher or equal (4.14) to the local version (4.14).
Mon Mar 20 13:33:47 CDT 2017: finish /usr/share/univention-join/univention-join
Mon Mar 20 14:56:54 CDT 2017: starting /usr/share/univention-join/univention-join -dcaccount Administrator -dcpwd /tmp/tmp.xAU5s8IvrX
running version check
OK: UCS version on dc1.erlphase.com is higher or equal (4.14) to the local version (4.14).
Mon Mar 20 14:56:59 CDT 2017: finish /usr/share/univention-join/univention-join
Mon Mar 20 15:01:23 CDT 2017: starting /usr/share/univention-join/univention-join -dcaccount Administrator -dcpwd /tmp/tmp.nzOXNgHl80
running version check
OK: UCS version on dc1.erlphase.com is higher or equal (4.14) to the local version (4.14).
Mon Mar 20 15:01:28 CDT 2017: finish /usr/share/univention-join/univention-join

Hi!

First of all, it would be great if you would explain your current setup and your goal in more detail :slight_smile:

  • Existing servers / New servers
  • Actual condition / Desired condition
  • Steps to reproduce
  • UCS and Windows versions

Screenshots of the error message are welcome, too.

Best regards,
Michael Grandjean

Hi,

I have two existing Univention servers. One is acting as an AD server and hosts email. The second is a member server and is used as a fileserver. The new server is configured (hardware) the same as the fileserver: 2 CPUs and 1 GB RAM.

The currently running UCS servers are at 4.1-4 errata406, and the one I'm installing is from an ISO file downloaded 4 days ago. Windows version doesn't matter, as a Windows box is not involved in this scenario.

I want another member server to use for testing Apps (in this case DokuWiki).

Steps to reproduce:
1. Install UCS on a virtual machine
- specify IP address
2. When asked, join an Active Directory domain as member server
3. Wait for the install to complete.

The following error comes up:

join.log:

Wed Mar 22 12:41:15 CDT 2017: starting /usr/sbin/univention-join -dcname dc1.erlphase.com -dcaccount Administrator -dcpwd /tmp/tmpNmMHYz
running version check
OK: UCS version on dc1.erlphase.com is higher or equal (4.14) to the local version (4.14).
Wed Mar 22 12:41:25 CDT 2017: finish /usr/sbin/univention-join

Thanks a lot, that makes things much clearer :slight_smile:

Important hint, because:

If it's all UCS systems, then pick "Join existing UCS domain" instead.
"Join an existing Active Directory domain" is actually for existing Windows Active Directory domains. I'm sorry that this isn't more obvious. Here is the corresponding chapter in the manual.

Best regards,
Michael Grandjean

Same issue when joining a UCS domain.

Okay, that's strange. Let's see if we can get that binddn manually. Please ssh into your first UCS server (dc1?) and run this command:

univention-ldapsearch uid=Administrator dn

Does this work? Can you post the output here?

root@dc1:~# univention-ldapsearch uid=Administrator dn
# extended LDIF
#
# LDAPv3
# base <dc=erlphase,dc=com> (default) with scope subtree
# filter: uid=Administrator
# requesting: dn 
#

# Administrator, users, erlphase.com
dn: uid=Administrator,cn=users,dc=erlphase,dc=com

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Okay, that looks fine.

I need to think about where this goes wrong ...

Wild guess: Did you change the SSH port on dc1?

No ssh port change, or any other changes other than upgrades.

Good morning :slight_smile:

I think we just have to test this step by step. My idea is to not attempt the join during installation, but afterwards. This way we can execute the join in verbose-mode and the join.log will contain much more information.

  1. Start the installation, choose your dc1 as primary DNS server and when the Domain setup page appears, choose Join into an existing UCS domain:
  2. On the next page, choose Memberserver:
  3. When asked for the join information, deselect the check mark at Start join at the end of the installation:
  4. Choose a hostname and a password for the local root user:
  5. Deselect the check mark at Update system after setup:
  6. Click on Configure system, wait for the installation to finish, reboot
  7. Login to your newly installed system via ssh and the local root user with the password you have chosen above
  8. Start the join in verbose mode:
    univention-join -verbose
  9. Edit and attach the logfile /var/log/univention/join.log

:exclamation: Please note: Why edit the file? The verbose mode will also log the password of your domain administrator to the logfile. Make sure to replace this with a dummy value in the logfile before uploading it. You should find entries like these in the first 25 lines or so:

+ echo -n 'Enter DC Master Password: '
+ read -s password
+ echo -n SecretPassword

In my case, SecretPassword is my password. Just replace that with some dummy string.

Best regards,
Michael Grandjean

Here's the requested log file. I couldn't attach it.

Thu Mar 23 07:23:51 CDT 2017: starting /usr/sbin/univention-join -verbose
+ '[' -n 2 ']'
+ old_listener_debug_level=2
+ ucr set listener/debug/level=4
Setting listener/debug/level
+ listener_debug_level=4
+ display_header
+ echo 'univention-join: joins a computer to an ucs domain'
+ echo 'copyright (c) 2001-2017 Univention GmbH, Germany'
+ echo ''
+ '[' memberserver = domaincontroller_master ']'
+ '[' -z '' ']'
+ echo -n 'Enter DC Master Account : '
+ read DCACCOUNT
+ '[' '!' -f /tmp/tmp.zv1TGWIClS/dcpwd ']'
+ echo -n 'Enter DC Master Password: '
+ read -s password
+ echo -n 'fake!'
+ echo ''
+ echo ''
+ '[' -n '' ']'
+ '[' memberserver = fatclient ']'
+ '[' -z memberserver ']'
+ '[' -z '' ']'
+ echo -n 'Search DC Master: '
++ host -t SRV _domaincontroller_master._tcp.erlphase.com
++ sed -ne '$s/.* \([^ ]\+\)\.$/\1/p'
+ DCNAME=dc1.erlphase.com
+ '[' -n dc1.erlphase.com ']'
+ echo -e '\033[60Gdone'
+ DCNAME=dc1.erlphase.com
+ '[' -z dc1.erlphase.com ']'
+ echo -n 'Check DC Master: '
+ ping -c 1 dc1.erlphase.com
+ univention-ssh /tmp/tmp.zv1TGWIClS/dcpwd Administrator@dc1.erlphase.com echo ssh-check
+ grep -qs ssh-check
Warning: Permanently added 'dc1.erlphase.com,192.168.100.5' (ECDSA) to the list of known hosts.
++ univention-ssh /tmp/tmp.zv1TGWIClS/dcpwd Administrator@dc1.erlphase.com /usr/sbin/ucr search --brief '^version/'
+ versions='version/erratalevel: 406
version/patchlevel: 4
version/releasename: Vahr
version/version: 4.1'
+ OLDIFS=' 	
'
+ IFS='
'
+ for i in '$versions'
+ key=version/erratalevel
+ value=406
+ case "$key" in
+ for i in '$versions'
+ key=version/patchlevel
+ value=4
+ case "$key" in
+ master_patchlevel=4
+ for i in '$versions'
+ key=version/releasename
+ value=Vahr
+ case "$key" in
+ master_releasename=Vahr
+ for i in '$versions'
+ key=version/version
+ value=4.1
+ case "$key" in
+ master_version=4.1
+ IFS=' 	
'
+ echo 'running version check'
running version check
+ mystatus=no
+ '[' -n 4.1 -a -n 4 ']'
+ vmaster=4.14
+ vmyself=4.14
++ echo 4.14 4.14
++ awk '{if ($1 >= $2) print "yes"; else print "no"}'
+ mystatus=yes
+ '[' no = yes ']'
+ echo 'OK: UCS version on dc1.erlphase.com is higher or equal (4.14) to the local version (4.14).'
OK: UCS version on dc1.erlphase.com is higher or equal (4.14) to the local version (4.14).
+ echo -e '\033[60Gdone'
+ '[' -x /etc/init.d/univention-s4-connector ']'
+ '[' -x /etc/init.d/slapd ']'
+ '[' -x /etc/init.d/samba ']'
+ '[' -z '' ']'
+ echo -n 'Search ldap/base'
++ sed -ne 's|^ldap/base: ||p'
++ univention-ssh /tmp/tmp.zv1TGWIClS/dcpwd Administrator@dc1.erlphase.com /usr/sbin/ucr search --brief '^ldap/base$'
+ ldap_base=dc=erlphase,dc=com
+ '[' -n dc=erlphase,dc=com ']'
+ univention-config-registry set ldap/base=dc=erlphase,dc=com
+ echo -e '\033[60Gdone'
+ '[' -x /etc/init.d/slapd ']'
+ echo -n 'Search LDAP binddn '
++ univention-ssh /tmp/tmp.zv1TGWIClS/dcpwd Administrator@dc1.erlphase.com /usr/sbin/udm users/user list --filter uid=Administrator --logfile /dev/null
++ sed -ne 's|^DN: ||p'
+ binddn=
+ '[' -z '' ']'
++ univention-ssh /tmp/tmp.zv1TGWIClS/dcpwd Administrator@dc1.erlphase.com ldapsearch -x -LLL -H ldapi:/// '\'\''(&(uid=Administrator)(objectClass=person))
\'\''' dn
++ ldapsearch-decode64
++ sed -ne 's|^dn: ||p;s|^DN: ||p'
++ ldapsearch-wrapper
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
+ binddn=
+ '[' -z '' ']'
++ univention-ssh /tmp/tmp.zv1TGWIClS/dcpwd Administrator@dc1.erlphase.com ldapsearch -x -LLL '\'\''(&(uid=Administrator)(objectClass=person))\'\''' dn
++ ldapsearch-decode64
++ sed -ne 's|^dn: ||p;s|^DN: ||p'
++ ldapsearch-wrapper
Insufficient access (50)
+ binddn=
+ '[' -z '' ']'
+ failed_message 'binddn for user Administrator not found. '
+ echo ''
+ echo ''
+ echo '**************************************************************************'
+ echo '* Join failed!                                                           *'
+ echo '* Contact your system administrator                                      *'
+ echo '**************************************************************************'
+ echo '* Message:  binddn for user Administrator not found. '
+ echo '**************************************************************************'
+ exit 1
+ trapOnExit
+ rm -rf /tmp/tmp.zv1TGWIClS
+ '[' -n true -a true = true ']'
+ '[' -n 2 ']'
+ ucr set listener/debug/level=2
Setting listener/debug/level
++ LC_ALL=C
++ date
+ echo 'Thu Mar 23 07:27:33 CDT 2017: finish /usr/sbin/univention-join'
Thu Mar 23 07:27:33 CDT 2017: finish /usr/sbin/univention-join

Thanks!

So, here we have it:

The system tries to receive the binddn of the Administrator via logging in to dc1 as Administrator and running udm there. But that fails, binddn is empty and therefore the join can't continue.

Can you please test this on the newly installed memberserver:

  1. Write the password of the Administrator to a file: echo -n "fake!" > pwdfile
  2. run a little variation of the command used in the join process:
    univention-ssh pwdfile Administrator@dc1.erlphase.com \
    /usr/sbin/udm users/user list --filter uid=Administrator \
    --logfile /dev/null | sed -ne 's|^DN: ||p
  3. if this returns nothing, run the command again without ... | sed -ne 's|^DN: ||p
  4. if this returns nothing, run this command on your dc1:
    /usr/sbin/udm users/user list --filter uid=Administrator

This gave me a '>' prompt and wouldn't run. I had to ^C, so I dropped the sed.

root@app1:~# univention-ssh pwdfile Administrator@dc1.erlphase.com /usr/sbin/udm users/user list --filter uid=Administrator --logfile /dev/null
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 222, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 404, in doit
    out = _doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 608, in _doit
    univention.admin.modules.init(lo, position, module)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 135, in init
    update_extended_attributes(lo, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 297, in update_extended_attributes
    propertyHook = getattr(univention.admin.hook, propertyHookString)()
  File "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py", line 59, in __init__
    lo, pos = univention.admin.uldap.getMachineConnection()
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 147, in getMachineConnection
    lo = univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 79, in getMachineConnection
    bindpw = open(secret_file).read().rstrip('\n')
IOError: [Errno 13] Permission denied: '/etc/machine.secret'
root@app1:~#

I then ran the last command on dc1:

root@dc1:~# /usr/sbin/udm users/user list --filter uid=Administrator
uid=Administrator
DN: uid=Administrator,cn=users,dc=erlphase,dc=com
ARG: None
  oxProfession: None
  homedrive: None
  CtxKeyboardLayout: None
  disabled: none
  oxCountryBusiness: None
  oxUserfield09: None
  postcode: None
  oxUserfield17: None
  oxUserfield05: None
  oxUserfield04: None
  CtxWFProfilePath: None
  oxUserfield06: None
  CtxRASDialin: E
  oxUserfield14: None
  oxUserfield03: None
  oxNickName: None
  oxAnniversary: None
  oxUserfield15: None
  title: None
  organisation: None
  CtxMaxIdleTime: None
  oxPosition: None
  oxUserfield11: None
  oxNote: None
  oxFaxHome: None
  lastname: Administrator
  employeeNumber: None
  oxUserfield18: None
  oxUserfield19: None
  oxUserfield16: None
  oxManagerName: None
  password: {crypt}$6$PkPO0s8JZcK0UjYR$piDumc.HfsUfTFN5KTVk2IyHdAP7vFHS92BMjjnNP8rzPkdsowgRhkRrLWS.lyiPZwU29EZC3oVNSC0g/F3j.1
  oxUserfield12: None
  oxUserfield13: None
  oxUserfield10: None
  oxMiddleName: None
  oxStateHome: None
  oxBranches: None
  oxBirthday: None
  passwordexpiry: None
  sambaRID: 500
  profilepath: None
  objectFlag: None
  sambahome: None
  CtxWFHomeDirDrive: None
  oxTimeZone: America/Winnipeg
  CtxCallback: None
  street: None
  CtxShadow: 00000000
  oxUserfield20: None
  oxUserfield07: None
  oxLanguage: en_US
  oxCommercialRegister: None
  oxMarialStatus: None
  oxUserfield01: None
  oxStateOther: None
  isOxUser: Not
  oxPostalCodeHome: None
  CtxWorkDirectory: None
  CtxNWLogonServer: None
  oxUserfield02: None
  CtxMaxConnectionTime: None
  umcProperty: appcenterSeen = 2
  umcProperty: favorites = appcenter:appcenter,updater,apps:dhcp-server
  oxDepartment: None
  oxFaxOther: None
  oxTelephoneOther: None
  oxStateBusiness: None
  groups: cn=Domain Admins,cn=groups,dc=erlphase,dc=com
  groups: cn=Domain Users,cn=groups,dc=erlphase,dc=com
  groups: cn=DC Backup Hosts,cn=groups,dc=erlphase,dc=com
  groups: cn=Schema Admins,cn=groups,dc=erlphase,dc=com
  groups: cn=Enterprise Admins,cn=groups,dc=erlphase,dc=com
  groups: cn=Group Policy Creator Owners,cn=groups,dc=erlphase,dc=com
  groups: cn=Administrators,cn=Builtin,dc=erlphase,dc=com
  oxInstantMessenger1: None
  oxInstantMessenger2: None
  overridePWHistory: None
  oxCountryHome: None
  country: None
  oxCountryOther: None
  oxUrl: None
  pwdChangeNextLogin: None
  UniventionDovecotUserQuota: None
  primaryGroup: cn=Domain Admins,cn=groups,dc=erlphase,dc=com
  CtxInitialProgram: None
  scriptpath: admin.bat
  oxUserfield08: None
  oxPostalCodeOther: None
  city: None
  CtxStartprogramClient: 0
  oxEmail2: None
  userexpiry: None
  oxMobileBusiness: None
  oxNumOfChildren: None
  oxFaxBusiness: None
  username: Administrator
  departmentNumber: None
  shell: /bin/bash
  CtxMinEncryptionLevel: None
  CtxCallbackNumber: None
  mailHomeServer: None
  CtxCfgFlags1: None
  gidNumber: 5000
  oxCityHome: None
  sambaLogonHours: None
  CtxBrokenSession: 0000
  oxTelephoneAssistant: None
  locked: none
  CtxReconnectSession: 0000
  oxDisplayName:  Administrator
  roomNumber: None
  oxTelephoneCar: None
  homeShare: None
  gecos: Administrator
  oxAccess: none
  oxTelephoneTtydd: None
  oxTaxId: None
  CtxCfgClientPrinters: 0
  oxEmail3: None
  oxStreetHome: None
  jpegPhoto: None
  uidNumber: 2002
  oxTelephoneCompany: None
  oxSpouseName: None
  oxTelephoneIp: None
  employeeType: None
  homeSharePath: None
  oxCityOther: None
  CtxCfgPresent: None
  CtxWFHomeDir: None
  unixhome: /home/Administrator
  oxStreetOther: None
  description: Built-in account for administering the computer/domain
  firstname: None
  birthday: None
  oxSuffix: None
  overridePWLength: None
  oxSalesVolume: None
  CtxMaxDisconnectionTime: None
  CtxCfgDefaultClientPrinters: 0
  displayName: Administrator
  mailPrimaryAddress: None
  CtxCfgClientDrivers: 0
  CtxCfgTSLogon: 1
  oxTelephoneTelex: None
  univentionPolicyReference: cn=default-admins,cn=admin-settings,cn=users,cn=policies,dc=erlphase,dc=com

Getting closer. So, univention-ssh into dc1 works, but then calling udm does not, because:

Can you have a look at the permissions of /etc/machine.secret?
SSH into your dc1 and just run
ls -la /etc/machine.secret

root@dc1:~# ls -la /etc/machine.secret
-rw------- 1 root root 20 Mar 17 01:07 /etc/machine.secret
root@dc1:~#

:confused: that looks just fine.

Last try:
Please execute this on dc1:

echo -n "fake!" > pwdfile
univention-ssh pwdfile Administrator@dc1.erlphase.com /usr/sbin/udm users/user list --filter uid=Administrator --logfile /dev/null

And afterwards this:

su Administrator
/usr/sbin/udm users/user list --filter uid=Administrator

Echoing the password into a file fails. My real password contains an exclamation mark, and I get this:

> echo -n "fake!" > pwdfile
-bash: !": event not found

So I used nano to create the pwdfile.

root@dc1:~# univention-ssh pwdfile Administrator@dc1.erlphase.com /usr/sbin/udm users/user list --filter uid=Administrator --logfile /dev/null
Warning: Permanently added 'dc1.erlphase.com,192.168.100.5' (ECDSA) to the list of known hosts.
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 222, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 404, in doit
    out = _doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 608, in _doit
    univention.admin.modules.init(lo, position, module)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 135, in init
    update_extended_attributes(lo, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 297, in update_extended_attributes
    propertyHook = getattr(univention.admin.hook, propertyHookString)()
  File "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py", line 59, in __init__
    lo, pos = univention.admin.uldap.getMachineConnection()
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 147, in getMachineConnection
    lo = univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 79, in getMachineConnection
    bindpw = open(secret_file).read().rstrip('\n')
IOError: [Errno 13] Permission denied: '/etc/machine.secret'

root@dc1:~# su Administrator
Administrator@dc1:/root$ /usr/sbin/udm users/user list --filter uid=Administrator
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 222, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 404, in doit
    out = _doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 608, in _doit
    univention.admin.modules.init(lo, position, module)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 135, in init
    update_extended_attributes(lo, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 297, in update_extended_attributes
    propertyHook = getattr(univention.admin.hook, propertyHookString)()
  File "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py", line 59, in __init__
    lo, pos = univention.admin.uldap.getMachineConnection()
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 147, in getMachineConnection
    lo = univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 79, in getMachineConnection
    bindpw = open(secret_file).read().rstrip('\n')
IOError: [Errno 13] Permission denied: '/etc/machine.secret'

I changed the password to contain no special characters and tried all of the above again. No difference.

I appreciate all the help!

Gerald

This seems not to be a good idea! If it's really necessary, please use vi or vim because of the file formatting.

root@ucs:~# file ~/pwdfile
~/pwdfile: ASCII text, with no line terminators

Hi,

When I changed the password to not contain an exclamation mark, I used the echo -n command to create the pwdfile. The errors were the same.

Gerald

:grimacing: yeah, sorry. ! is a builtin command of bash - I forgot about that. The correct way is to use single quotes instead of double quotes, so the exclamation mark doesn't get interpreted as a shell command.
So this should work:

echo -n 'fake!' > pwdfile

The remark of @stoeckigt is also valid. Text editors like nano tend to add line terminators or newline characters at the end of lines in text files. Those special characters might be interpreted as part of the password - which they aren't.
That's also why I used echo -n instead of echo. The -n prevents a trailing newline.

As @stoeckigt pointed out, you can use the file command to check the file. If it says "with no line terminators", the file is okay. If that output is missing, the line terminators must be removed.

But back to the original problem: After checking back with my colleagues, it seems that using /etc/machine.secret is only a fallback mechanism. The first try is to use /etc/ldap.secret and there we need the correct permissions, too.

This is how it looks on my system:

root@ucs01:~# ls -la /etc/ldap.secret
-rw-r----- 1 root DC Backup Hosts 8 Apr 29 2013 /etc/ldap.secret

Note that the group "DC Backup Hosts" has read permissions. And by default, the user Administrator is part of the group "DC Backup Hosts".

So please check that your permissions are the same and that your Administrator account is part of the group "DC Backup Hosts".

Best regards,
Michael Grandjean
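The checks described in the last two posts (a password file with no trailing newline, the mode and group of /etc/ldap.secret, and Administrator's membership in "DC Backup Hosts") combined into one small shell helper. This is an added example, not code from the thread or from Univention; it assumes a UCS/Debian host with GNU coreutils (`stat -c`) and that `getent group` resolves domain groups through NSS. The file name `check_join_prereqs.sh`, the function names and the `RUN_LIVE` switch are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Univention): pre-join checks for
# the points raised above.  Assumes a UCS/Debian host with GNU coreutils
# (stat -c) and NSS resolving domain groups via getent(1).

# 1. Password file: exact bytes, no trailing newline, readable only by root.
#    printf '%s' neither interprets backslashes nor appends a newline, and the
#    secret is passed as an argument rather than typed on an interactive bash
#    line, so history expansion of '!' never sees it.
write_pwfile() {
    # subshell so the umask change does not leak into the caller
    ( umask 077; rm -f "$1"; printf '%s' "$2" > "$1" )
}

# 0 if the last byte is not a newline (what file(1) reports as
# "with no line terminators"), 1 if a stray newline is present.
pwfile_has_no_newline() {
    last=$(tail -c 1 "$1" | od -An -c | tr -d ' ')
    [ "$last" != '\n' ]
}

# 2. /etc/ldap.secret as shown in the post: mode 0640, owner root,
#    group "DC Backup Hosts".  The pure check takes the three values so it can
#    be exercised without the real file; check_secret_file() reads them off disk.
secret_perms_ok() {
    [ "$1" = "640" ] && [ "$2" = "root" ] && [ "$3" = "DC Backup Hosts" ]
}

check_secret_file() {
    # One stat call per field: the group name contains spaces, which makes
    # splitting "ls -la" output unreliable.
    mode=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%U' "$1") || return 1
    group=$(stat -c '%G' "$1") || return 1
    secret_perms_ok "$mode" "$owner" "$group"
}

# 3. Group membership from a getent(1) group line ("name:x:gid:m1,m2").
#    Only secondary members appear in that list; a user whose primary group
#    (gidNumber) is the one being checked would have to be checked via id(1).
group_has_member() {
    members=${1##*:}
    case ",$members," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Live run on the DC master:  RUN_LIVE=1 sh check_join_prereqs.sh
run_live_checks() {
    if check_secret_file /etc/ldap.secret; then
        echo "OK: /etc/ldap.secret is 0640 root:'DC Backup Hosts'"
    else
        echo "CHECK: /etc/ldap.secret differs from 0640 root:'DC Backup Hosts'"
        ls -la /etc/ldap.secret 2>&1
    fi
    if group_has_member "$(getent group 'DC Backup Hosts')" Administrator; then
        echo "OK: Administrator is a member of 'DC Backup Hosts'"
    else
        echo "CHECK: Administrator is not listed in 'DC Backup Hosts'"
    fi
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    run_live_checks
fi
```

For the password-file part, `write_pwfile pwdfile 'fake!'` followed by `pwfile_has_no_newline pwdfile` replaces the `echo -n` / `file` pair from the thread; the file holds the domain administrator's password, so it is created 0600 and should be removed (`rm -f pwdfile`) as soon as the udm test is done.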
