Clean install of 4.3.2 systems (Master+Slave), join does not work (TLS)

domainjoin

#1

Hi@all,

I have repeated the procedure about 10 times and fail every time with the same error! For testing I need a new UCS network. I installed a new router (LAN: 192.168.100.254) and a new master behind it (192.168.100.11). The installation of the master works as usual. In the second step I install another UCS system and select:

host: kvm02.peka.lan

-> Join an existing ucs-domain
-> member

The input fields with the relevant connection parameters always look good:

tux.peka.lan
Administrator


After this I get the error:

[    INFO]: **************************************************************************
[    INFO]: * Join failed!                                                           *
[    INFO]: * Contact your system administrator                                      *
[    INFO]: **************************************************************************
[    INFO]: * Message:  Establishing a TLS connection with ucs.domain.la failed. Maybe you didn't specify a FQDN.

The clocks of both hosts are in sync. After the failed join I remove the host (kvm02.peka.lan) from the LDAP on the master.

I repeated the installation of both systems many times, but every time the same error :frowning:

with best
sven


#2

Hi,

What DNS/nameservers do you give your second server? During the join, does it recognize the master domain controller? Use your master server as external DNS, nothing else. (You should change it after a successful join, though.)

Second, I remember there might be a bug regarding join during installation. Go ahead, install your host, set the role and apply updates. Do NOT join the domain yet.

Reboot and then perform the join process independently of the installation.

Should work then.

/CV


#3

The IP of the master: 192.168.100.11

Do I understand it right: when I install the member I set

external DNS: 192.168.100.11 (IP of the master)

and after the install/join I change it?


#4

Yes,

best practice.

The reason is that the new server should only ask your master server for the needed information (like the master server and so on). If you have configured an additional DNS, it might happen that it replies with a different (wrong) address and so the new server does not properly recognize your domain master.
But after the join you should set it to an external nameserver, so that in case your master goes offline your clients can still resolve through your second server.

Most of the time it works flawlessly, but for improved availability it is just “best practice”.

/CV


#5

But on the master (IP: 192.168.100.11), leave it set to:

Primary DNS: 192.168.100.11 (the master itself)

External DNS: 192.168.100.254 (Gateway)

?


#6

Hi,

Yes, this is fine.

Nameservers are all DC nameservers, and external ones are your router or whatever forwarder you have.

/CV


#7

OK, it works. Thank you.

best regards


#8

I still have problems with the join. I install another UCS (new):

-> Manual Network Settings
-> IP: 192.168.100.8/24
-> DNS: 192.168.100.11 (IP from master)
-> GW: 192.168.100.5 (Router)
-> External DNS:

The installer identifies the master correctly: “tux.peka.lan” / Administrator

-> Password
-> Next

Host system: saturn (not FQDN)

-> Next

Additional software: none

-> Next

Infopage

FQDN: saturn.peka.lan
DNS: 192.168.100.11

-> Config system

Join failed! … Establishing a TLS connection with tux.peka.lan failed. Maybe you didn’t specify a FQDN

What’s wrong?


#9

I select “complete” and restart the member.

http://192.168.100.8 does not work
http://saturn.peka.lan does not work

ssh -l root saturn.peka.lan works

When I try to join via the terminal:

root@saturn:~# univention-join
univention-join: joins a computer to an ucs domain
copyright (c) 2001-2018 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password: 

Search DC Master:                                          done
Check DC Master:                                           done
Search ldap/base                                           done
Search LDAP binddn                                         done
Sync time:                                                 done
Join Computer Account:                                     done
Check TLS connection: ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1


**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message:  Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- Establishing a TLS connection with tux.peka.lan failed. Maybe you didn't specify a FQDN.
**************************************************************************

#10

A little addendum …

I check the possible sources of error here:

root@saturn:~# host -t SRV "_domaincontroller_master._tcp.peka.lan"
_domaincontroller_master._tcp.peka.lan has SRV record 0 0 0 tux.peka.lan.
oot@saturn:~# ssh Administrator@tux.peka.lan
Password: 
Univention DC Master 4.3-2:
root@saturn:~# ucr search --brief nameserver
nameserver/external: <empty>
nameserver/option/timeout: 2
nameserver1: 192.168.100.11
nameserver2: <empty>
nameserver3: <empty>

#11

I have the same problem.
I tried to reinstall the OS, but still the same problem with Join failed.


#12

@khampasith:
Are you sure you have the exact same error? Do you see

Check TLS connection: ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

or just “join failed”? Again, do not mix threads; there are way too many reasons for a failed join. If yours is different, please open a new thread!

@pixel:
Has this host already been registered at some stage in the LDAP? If so, you might need to reset the computer account password for “saturn$”. See this article.

If this does not help, the TLS through LDAP appears to be failing. During the join the new host copies the certificates from the master. It sounds like this did not succeed properly. Check this article.

Hope it helps.

/CV
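The checks that posts #10 and #12 walk through (SRV record, nameserver layout, and reading the `ldap_bind` error) can be scripted so they are repeatable before the next join attempt. The script below is an added example written for this thread; it is not Univention's tooling and not code from any poster. The function names (`is_fqdn`, `srv_target`, `ucr_value`, `dns_layout_ok`, `ldap_subcode`, `explain_subcode`, `join_precheck`) are my own, the sample lines are constructed to match the output quoted above, the AD/Samba sub-code table (525, 52e, 530, ...) is the standard `AcceptSecurityContext` table rather than something from the page, and the LDAPS port 7636 is an assumption about the UCS OpenLDAP listener. The parsing helpers run offline; only `join_precheck` needs the real `host`, `ucr` and `openssl` binaries on the joining host.

```shell
#!/bin/sh
# Added example, not part of the thread or of Univention's own tooling.
# Helpers for the pre-join checks discussed in the thread:
#   - the master name must be a FQDN (the join message hints at this)
#   - the _domaincontroller_master SRV record must point at that master
#   - nameserver1 must be the master and nameserver/external empty before the join
#   - "ldap_bind: Invalid credentials (49) ... data 52e" is a credential problem
#     (e.g. a stale computer account password), not a TLS handshake problem

# 1. FQDN check: labels of letters/digits/hyphens, at least one dot, no trailing dot.
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# 2. Target host from a "host -t SRV" answer line, trailing dot removed.
srv_target() {
    printf '%s\n' "$1" | sed -n 's/.* has SRV record [0-9]* [0-9]* [0-9]* \(.*\)\.$/\1/p'
}

# 3. Value of one key from "ucr search --brief ..." output on stdin ("<empty>" -> "").
ucr_value() {
    awk -v key="$1" -F': ' '$1 == key { v = $2; if (v == "<empty>") v = ""; print v }'
}

# Pre-join DNS layout recommended in #2/#4: nameserver1 is the master, no forwarder yet.
dns_layout_ok() {          # $1 = master IP, stdin = ucr output
    out=$(cat)
    [ "$(printf '%s\n' "$out" | ucr_value nameserver1)" = "$1" ] &&
    [ -z "$(printf '%s\n' "$out" | ucr_value nameserver/external)" ]
}

# 4. Sub-code from the "additional info: ... data 52e, v1db1" line and its meaning
#    (standard AD/Samba AcceptSecurityContext sub-codes; assumption, not from the thread).
ldap_subcode() {
    printf '%s\n' "$1" | sed -n 's/.*data \([0-9a-fA-F]*\),.*/\1/p'
}
explain_subcode() {
    case "$1" in
        525) echo "user not found" ;;
        52e) echo "invalid credentials: wrong password for the bind DN (e.g. a stale computer account)" ;;
        530) echo "not permitted to log on at this time" ;;
        531) echo "not permitted to log on at this workstation" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        701) echo "account expired" ;;
        773) echo "user must reset password" ;;
        775) echo "account locked out" ;;
        *)   echo "unknown sub-code '$1'" ;;
    esac
}

# Constructed sample input, shaped like the output quoted in the thread.
SAMPLE_SRV='_domaincontroller_master._tcp.peka.lan has SRV record 0 0 0 tux.peka.lan.'
SAMPLE_UCR='nameserver/external: <empty>
nameserver/option/timeout: 2
nameserver1: 192.168.100.11
nameserver2: <empty>
nameserver3: <empty>'
SAMPLE_ERR='        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'

# Live run on the joining host (needs the real host/ucr/openssl binaries):
#   join_precheck tux.peka.lan 192.168.100.11
# Assumed port: 7636 (UCS OpenLDAP over TLS); adjust if your LDAP listens elsewhere.
join_precheck() {
    master=$1; master_ip=$2; domain=${master#*.}
    is_fqdn "$master" || { echo "FAIL: '$master' is not a FQDN"; return 1; }
    target=$(srv_target "$(host -t SRV "_domaincontroller_master._tcp.$domain" | head -n 1)")
    [ "$target" = "$master" ] || { echo "FAIL: SRV record points to '$target'"; return 1; }
    ucr search --brief nameserver | dns_layout_ok "$master_ip" ||
        { echo "FAIL: nameserver1 must be $master_ip and nameserver/external empty"; return 1; }
    # Handshake only, no bind: separates a certificate/TLS problem from a credential problem.
    openssl s_client -connect "$master:7636" </dev/null >/dev/null 2>&1 ||
        { echo "FAIL: no TLS handshake with $master:7636"; return 1; }
    echo "OK: join prerequisites look fine"
}
```

Running `join_precheck` before `univention-join` tells you which of the thread's failure modes you are in: a non-FQDN name or a wrong SRV target is DNS, a failed handshake is the certificate copy from #12, and a handshake that succeeds while the join still reports `data 52e` points at the computer account password rather than at TLS.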