Is it possible to join an ubuntu host using DC slave IP address?

Hello,

I am trying to join an Ubuntu 18.04 host (let’s call it hostA) to a UCS domain using a DC slave. I did the following:

  • set DC slave IP as nameserver in /etc/resolv.conf of hostA
  • run on hostA:
    univention-domain-join-cli --username Administrator --password-file /root/Administrator-password.txt --domain abc.com

and got this response:

Automatically detected the domain ‘abc.com’.
No DNS record for the DC master could be found. Please make sure that the DC master is the DNS server for this computer or use this tool with --master-ip.

So it seems that univention-domain-join-cli expects that it can talk to the DC master.

I tried to use the option --master-ip with the DC slave IP address (just in case) and it didn’t work, with the error:

CRITICAL All nameservers failed to answer the query _domaincontroller_master._tcp.abc.com. IN SRV: Server 192.168.30.103 UDP port 53 answered SERVFAIL

Any hint on what to try, please? Or is it impossible to join using a DC slave?

Regards,
Tony

Seems that this feature is implemented only for Ubuntu 20.04.

Thank you for your hint.

I am still confused about the purpose of DC slaves: how are the DC slaves supposed to be used? My original expectation is that a DC slave can serve as a domain controller for the client hosts. But if a client host can join against a DC master only, then why do we have DC slaves at all?

You have to ask Univention this.

I’ve created a lot of feature requests regarding the Ubuntu Join Assistant. Not nearly all of them are implemented.

Unfortunately there is an ambivalent development in the Linux desktop product strategy of Univention (Univention Corporate Client -> Univention Corporate Client -> Ubuntu Join Assistant): Less painful restrictions but fewer integration features too.

It seems that Univention doesn’t want to put much effort into the Linux desktop. So Univention should make it easier to use the Samba 4 LDAP. The AD backend of SSSD has a lot more integration features.

I ran univention-domain-join-cli on an Ubuntu 20.04 host and could join against a DC slave without error. However, it seems the root CAcert is not the same as on the master; I am talking about this file:

/etc/univention/ssl/ucsCA/CAcert.pem

On Ubuntu 18.04 this cert was copied from the master. On Ubuntu 20.04 it was reported to be copied from the DC:

Downloading the UCS root certificate to /etc/univention/ssl/ucsCA/CAcert.pem

But it’s slightly different. I found this difference after many hours of trying to connect to the LDAP server on the DC slave (and master) over TLS: TLS keeps complaining that the cert is not trusted.

So I searched for CAcert.pem on: DC master, DC slave, Ubuntu 20.04 host. On the DC master I found this:

/etc/univention/ssl.orig/ucsCA/CAcert.pem

which is the same as the one copied to the Ubuntu host.

Now I am not sure how to move on. Can I safely delete the directory /etc/univention/ssl.orig on the DC master?

Regards,
Tony
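
Added example, not part of the thread and not Univention code: one way to find out which of two differing CA files actually issued a server's certificate, which is the question behind the "cert is not trusted" TLS error above. The function names are hypothetical and every certificate is a throwaway generated inside the script (two CAs with the same subject but different keys).

```shell
#!/bin/sh
# Added example. Every certificate here is a throwaway generated below
# (constructed sample data); nothing is read from /etc/univention.

# SHA-256 fingerprint of a PEM certificate file.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# True when both files contain the same certificate.
same_cert() { [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]; }

# True when server certificate $2 validates against CA file $1.
issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print the first CA file (arguments 2..n) that validates server cert $1.
which_ca() {
    cert=$1; shift
    for ca in "$@"; do
        if issued_by "$ca" "$cert"; then printf '%s\n' "$ca"; return 0; fi
    done
    return 1
}

# Build the constructed scenario: two CAs with the same subject but
# different keys, and a server certificate signed by only one of them.
make_demo() {
    dir=$(mktemp -d)
    for n in current orig; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo Root CA" \
            -keyout "$dir/$n.key" -out "$dir/$n.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dc.example.test" \
        -keyout "$dir/dc.key" -out "$dir/dc.csr" 2>/dev/null
    openssl x509 -req -in "$dir/dc.csr" -days 1 -CAcreateserial \
        -CA "$dir/current.pem" -CAkey "$dir/current.key" \
        -out "$dir/dc.pem" 2>/dev/null
    printf '%s\n' "$dir"
}

demo=$(make_demo)
same_cert "$demo/current.pem" "$demo/orig.pem" || echo "CA files differ"
echo "server cert validates against: $(which_ca "$demo/dc.pem" "$demo/orig.pem" "$demo/current.pem")"
```

On real hosts the arguments would be the two CAcert.pem files named in the post and the LDAP server's certificate saved as a PEM file; the CA file that validates it is the one clients need to trust.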