Error when running univention-join -- failed to create DC Slave (1) [Permission denied.]

Hi! I'm trying to create a DC Slave and get an error when I launch univention-join:

++ echo -n ''\''-binddn'\''' ''\''uid=a.zakabluk,cn=users,dc=corp,dc=softwarelab,dc=net'\''' ''\''-role'\''' ''\''domaincontroller_slave'\''' ''\''-hostname'\''' ''\''slave1'\''' ''\''-domainname'\''' ''\''corp.softwarelab.net'\'''
+ univention-ssh --no-split /tmp/tmp.UgeOfDUeLK/dcpwd a.zakabluk@ucs1.corp.softwarelab.net 'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' ''\''-binddn'\'' '\''uid=a.zakabluk,cn=users,dc=corp,dc=softwarelab,dc=net'\'' '\''-role'\'' '\''domaincontroller_slave'\'' '\''-hostname'\'' '\''slave1'\'' '\''-domainname'\'' '\''corp.softwarelab.net'\'''
univention-server-join: joins a server to an univention domain
copyright (c) 2001-2018 Univention GmbH, Germany

E: failed to create DC Slave (1) [Permission denied.]
++ sed -ne 's/^E:\s*//p' /tmp/tmp.UgeOfDUeLK/scrubbed
+ res_message='failed to create DC Slave (1) [Permission denied.]'
+ '[' -z 'failed to create DC Slave (1) [Permission denied.]' ']'
+ failed_message 'failed to create DC Slave (1) [Permission denied.]'
+ echo ''
+ echo ''
+ echo '**************************************************************************'
+ echo '* Join failed!                                                           *'
+ echo '* Contact your system administrator                                      *'
+ echo '**************************************************************************'
+ echo '* Message:  Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- failed to create DC Slave (1) [Permission denied.]'
+ echo '**************************************************************************'
+ exit 1

I ran UCS in a Docker container:

docker run -d --name slave1_container --hostname=slave1 \
    -e domainname=corp.softwarelab.net \
    -e rootpwd=tibco -p 8013:80 \
    -e nameserver1=192.168.0.11 \
    -e container=docker \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --tmpfs /run --tmpfs /run/lock \
    --cap-add=SYS_ADMIN \
    --restart unless-stopped \
    univention/ucs-slave-amd64 /sbin/init

My user is in these groups:

gid=5001(Domain Users) groups=5001(Domain Users),5000(Domain Admins),1005(Windows Hosts),5005(DC Backup Hosts),5006(DC Slave Hosts),5007(Computers),5011(Authenticated Users),5017(Enterprise Domain Controllers),5051(Denied RODC Password Replication Group),5052(Administrators),5053(Users),5083(BU Admin)

Hey,

did you move the Domain Admins group by any chance? What’s the output of univention-ldapsearch -LLLo ldif-wrap=no 'cn=domain admins' ?

m.

Hi! Thanks for your response.

root@ucs1:~# univention-ldapsearch -LLLo ldif-wrap=no 'cn=domain admins'
dn: cn=Domain Admins,cn=groups,dc=corp,dc=softwarelab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: univentionGroup
objectClass: sambaGroupMapping
objectClass: univentionObject
objectClass: univentionPolicyReference
univentionObjectType: groups/group
univentionGroupType: -21474836
cn: Domain Admins
sambaSID: S-1-5-21-481694030-41
sambaGroupType: 2
gidNumber: 5000
memberUid: Administrator
memberUid: a.zakabluk
uniqueMember: uid=Administrator,cn=users,dc=corp,dc=softwarelab,dc=net
uniqueMember: uid=a.zakabluk,cn=users,dc=corp,dc=softwarelab,dc=net
univentionPolicyReference: cn=default-umc-all,cn=UMC,cn=policies,dc=corp,dc=softwarelab,dc=net
description: Designated administrators of the domain

That result looks just fine to me. I’m not sure why it gives “permission denied” errors. Yesterday I actually verified that a user other than administrator who is a member of the domain admins group may in fact join a newly installed DC Slave to the domain, so what you’re trying to do should work.

Maybe it’s somehow related to being run in Docker.

Have you tried joining as administrator?

That really helped me. Thanks.