Domain Join Ubuntu 22.04 - Failed (with updated Join Script)

UDJ builds a command to join your Ubuntu client to your domain, which is then executed on your Primary. This is done via ssh, for which it needs the address of your Primary and your Administrator credentials to do the login. The latter we have now solved, but the command then fails for some reason. I need to see that error message to figure out what goes wrong and why that might happen in your environment.

The command which is executed is built in lines 119-126 and is something like this:

/usr/sbin/udm computers/ubuntu create \
--binddn cn=Administrator,cn=users,dc=codenauten,dc=intranet \
--bindpwdfile /SOME/PATH \
--position cn=computers,dc=codenauten,dc=intranet \
--set name=HOSTNAME \
--set password=PASSWORD \
--set operatingSystem=Ubuntu \
--set operatingSystemVersion=22.04

It can fail for multiple reasons:

  • wrong admin credentials
  • missing UDM module
  • LDAP errors
  • type error
  • password policy complexity issue
  • …

The error message from that specific udm command hopefully will tell us the exact problem. Its output should be in the log files named above near the end if you search for "Adding an LDAP object for this computer didn't work."
If you don't find that message you could just log in to your Primary itself and then execute the command there by hand, which should then show the same error. If you later on run UDJ again it should detect that the machine account already exists and should try to modify that already existing entry.


Thank you so much for your constant support.

Which log file is needed? On the primary or the client?

The client's /var/log/univention/domain-join-gui.log is posted above.

Does the primary have any log file for domain join failures?

/var/log/univention/domain-join-gui.log or /var/log/univention/domain-join-cli.log from the client — the Ubuntu host where UDJ is executed.

Not for UDJ — for joining other UCS server roles /usr/share/univention-join/univention-server-join would log to ~Administrator/.univention-server-join.log.
For UDJ the failing command should be logged in the UDJ log files named above.

@pmhahn

This was the /var/log/univention/domain-join-gui.log file from the client, as I used the GUI.

PS:

Just for the forum post, to obfuscate my server's actual IP.
It is the same IP as in the DNS config file

The 1st line is the header from line 131, the 2nd is from ssh (which can be ignored), but there is only a blank line after it, which I had hoped would contain the error from that udm command.
Can you please insert a breakpoint() before line 130, so the code looks like this:

		ssh_process = ssh(admin_username, admin_pw, dc_ip, udm_command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
		stdout, stderr = ssh_process.communicate()
		breakpoint()
		if ssh_process.returncode != 0 or stderr.decode().startswith('E: '):
			userinfo_logger.critical('Adding an LDAP object for this computer didn\'t work.')

Then run the client again and when the debugger starts print out some values for me:

p ssh_process.args
p ssh_process.returncode
p stdout
p stderr

Okay, that's strange.

When I ran the CLI (for debugging purposes) I ran into the same problem.
The Log also shows:

2022-12-22 11:46:19,573 userinfo CRITICAL An error occurred: . Please check /var/log/univention/domain-join-cli.log for more information.
2022-12-22 11:46:19,573 debugging CRITICAL 
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention_domain_join/join_steps/ldap_configurator.py", line 78, in modify_old_entry_or_add_machine_to_ldap
    udm_type, dn = get_machines_udm(dc_ip, admin_username, admin_pw, admin_dn)
  File "/usr/lib/python3/dist-packages/univention_domain_join/utils/ldap.py", line 77, in get_machines_udm
    raise LookupError(dc_ip)
LookupError: IP,of,your.ICS

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/codenauten/join-script/fromGit/univention-domain-join-ubuntu22.04/scripts/cli.py", line 192, in <module>
    distribution_joiner.join_domain()
  File "/usr/lib/python3/dist-packages/univention_domain_join/distributions/ubuntu.py", line 115, in join_domain
    LdapConfigurator().configure_ldap(self.dc_ip, self.ldap_server_name, self.admin_username, self.admin_pw, self.ldap_base, admin_dn)
  File "/usr/lib/python3/dist-packages/univention_domain_join/join_steps/ldap_configurator.py", line 72, in configure_ldap
    self.modify_old_entry_or_add_machine_to_ldap(password, dc_ip, admin_username, admin_pw, ldap_base, admin_dn)
  File "/usr/lib/python3/dist-packages/univention_domain_join/join_steps/ldap_configurator.py", line 81, in modify_old_entry_or_add_machine_to_ldap
    dn = self.add_machine_to_ldap(password, dc_ip, admin_username, admin_pw, ldap_base, admin_dn)
  File "/usr/lib/python3/dist-packages/univention_domain_join/join_steps/ldap_configurator.py", line 133, in add_machine_to_ldap
    raise LdapConfigutationException()
univention_domain_join.join_steps.ldap_configurator.LdapConfigutationException

However, the breakpoint() on line 130 won't trigger.
I also used a breakpoint inside of cli.py just to make sure that the debugger is running.
This one triggers.

I tried breakpoint() somewhere else in the ldap_configurator.py.
However, they don't trigger either.
I also put breakpoints on lines such as 115 which obviously are executed.

Even the manual way with

b path:line
c

does not trigger the breakpoint

Well, I still was not able to actually trigger breakpoints.

I tried to reload modules, I hard-imported the Joiner class from ubuntu, still an issue.

However, I copied different parts together into my version of the cli script and therefore I was able to trigger breakpoints as well as logging functions.
Therefore I was able to get to the breakpoint and execute the debugger commands.

And this is what I got. (I should note that “mars” is the machine's name):

(Pdb) p ssh_process.args
['sshpass', '-e', 'ssh', '-F', 'none', '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-l', 'Administrator', 'MY.UCS.SERVER.IP', '/usr/sbin/udm computers/ubuntu create --binddn uid=administrator,cn=users,dc=codenauten,dc=intranet --bindpwdfile /dev/shm/Administratordomain-join --position cn=computers,dc=codenauten,dc=intranet --set name=mars --set \'password=RANDOM_PASSWORD' --set operatingSystem=Ubuntu --set operatingSystemVersion=22.04']
(Pdb) p ssh_process.returncode
3
(Pdb) p stdout
b'E: Object exists: (uid) mars$\n'
(Pdb) p stderr
b"Warning: Permanently added '89.58.11.173' (ED25519) to the list of known hosts.\r\n"
(Pdb) 

I hope this brings us closer!
Thank you so much and i want to wish you a happy new year!

PS: I edited IP and Password of the ssh args, just in case
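A small added example (not UDJ's own code, and not posted by anyone in this thread) that turns the debugger output above into something a join script or a reviewer can act on. The maintainer's snippet earlier checks `stderr.decode().startswith('E: ')`, but in the pdb dump the `E: Object exists: (uid) mars$` line sits on stdout while stderr only carries the ssh host-key warning; my reading is that this is why the log showed a blank line where the udm error should have been. The helper below scans both streams for udm's `E: ` lines, maps the "Object exists" case to the already-exists path the maintainer describes, and masks the machine password before the command line is logged (the real command carries it inline via `--set password=...`). The sample arguments, return code and streams are reconstructed from the post with placeholder IP, base DN and password; the success sample output is constructed, not real udm output.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample, modelled on the pdb output posted above.
# PRIMARY.IP, dc=example,dc=intranet and RANDOM_PASSWORD are placeholders.
SAMPLE_ARGS = [
    'sshpass', '-e', 'ssh', '-F', 'none', '-o', 'StrictHostKeyChecking=no',
    '-o', 'UserKnownHostsFile=/dev/null', '-l', 'Administrator', 'PRIMARY.IP',
    "/usr/sbin/udm computers/ubuntu create "
    "--binddn uid=administrator,cn=users,dc=example,dc=intranet "
    "--bindpwdfile /dev/shm/Administratordomain-join "
    "--position cn=computers,dc=example,dc=intranet "
    "--set name=mars --set 'password=RANDOM_PASSWORD' "
    "--set operatingSystem=Ubuntu --set operatingSystemVersion=22.04",
]
SAMPLE_RETURNCODE = 3
SAMPLE_STDOUT = b'E: Object exists: (uid) mars$\n'
SAMPLE_STDERR = b"Warning: Permanently added 'PRIMARY.IP' (ED25519) to the list of known hosts.\r\n"


@dataclass
class UdmResult:
    ok: bool
    kind: str      # 'created', 'exists', 'error' or 'unknown'
    message: str


_PASSWORD_RE = re.compile(r"(password=)'?[^'\s]+'?")


def redact_args(args: Sequence[str]) -> List[str]:
    """Return a copy of the ssh/udm command line with the machine password masked,
    so the arguments can be written to a log file without leaking the secret."""
    return [_PASSWORD_RE.sub(r"\1***", a) for a in args]


def udm_error_lines(stdout: bytes, stderr: bytes) -> List[str]:
    """Collect udm error lines (prefixed 'E: ') from both streams.
    In the posted output the error was on stdout, so checking stderr alone misses it."""
    found = []
    for stream in (stdout, stderr):
        for line in stream.decode(errors='replace').splitlines():
            if line.startswith('E: '):
                found.append(line[3:].strip())
    return found


def classify_udm_result(returncode: int, stdout: bytes, stderr: bytes) -> UdmResult:
    """Decide what the join step should do next based on udm's exit status and output."""
    errors = udm_error_lines(stdout, stderr)
    if returncode == 0 and not errors:
        return UdmResult(True, 'created', stdout.decode(errors='replace').strip())
    message = '; '.join(errors) if errors else stderr.decode(errors='replace').strip()
    if any(e.startswith('Object exists') for e in errors):
        # The machine account is already there: take the "modify existing entry" path.
        return UdmResult(False, 'exists', message)
    return UdmResult(False, 'error' if errors else 'unknown', message)


def run_udm_over_ssh(args: Sequence[str]) -> UdmResult:
    """Run the prepared ssh command line (hypothetical wrapper, assumes sshpass reads
    SSHPASS from the environment as in the posted args) and classify its result."""
    proc = subprocess.run(list(args), stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return classify_udm_result(proc.returncode, proc.stdout, proc.stderr)


if __name__ == '__main__':
    print('command:', ' '.join(redact_args(SAMPLE_ARGS)))
    result = classify_udm_result(SAMPLE_RETURNCODE, SAMPLE_STDOUT, SAMPLE_STDERR)
    print(result.kind, '->', result.message)
```

Running the module on the reconstructed sample prints the masked command and `exists -> Object exists: (uid) mars$`, which is exactly the condition under which a second UDJ run should switch to modifying the existing entry instead of creating it.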

A little update.

I deleted the machine Mars via UCS Web GUI.
Restarted the original cli.py (not my debug version).
Aaaannnnnnndddd success:

Warning: /etc/ldap/ldap.conf already exists.
Warning: /etc/sssd/sssd.conf already exists.
Warning: /etc/krb5.conf already exists.
Created a backup of all configuration files, that will be modified at ‘/var/univention-backup/20230104194115_domain-join’.
Getting the DN of the Administrator
Adding LDAP entry for this machine on the UCS DC
Writing /etc/ldap/ldap.conf
Writing /etc/machine.secret
Writing /etc/sssd/sssd.conf
Configuring auth config profile for sssd
Restarting sssd
Writing /usr/share/pam-configs/ucs_mkhomedir
Adding groups to /etc/security/group.conf
Adding groups to /usr/share/pam-configs/local_groups
Updating PAM
Writing /etc/krb5.conf
Synchronizing time with the DC
The domain join was successful.
Please reboot the system.

The already existing entry should have triggered another code-path and add_machine_to_ldap() should never have been called. I'd need to take a look after my vacation why that happened.

Excellent: Glad to hear that it now worked for you.


Thank you for your reply.
I'm currently fiddling with more steps like roaming Ubuntu profiles.
I'm going to give the whole process a complete “Vanilla 22.04.4 to UCS” try on another machine this week.

If this works out without further problems I'd like to contribute a write-up for other users.
If there is any preferred style/kind of contribution for a guide I would be happy to follow it (forum post, blog post, wiki, markdown text, …).
So at least I can give something back for all the time you spent guiding me through this process.
