Issues Domain Join Mint 21.1

treenerd · March 5, 2023, 8:39pm

Hi UCS Team,

I would like to share my todays experience of the domain join tool for Linux Mint 21.1.

To join the Clients I installed the univention-domain-join package like suggested in the github repo.

sudo add-apt-repository ppa:univention-dev/ppa
sudo apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get install univention-domain-join

When I ran univention-domain-join it complained about a missing /etc/ldap/ldap.conf file, which was not there.
I installed also libldap-common to have the file in place. So the domain join could find the file and write it’s content to it. Not sure if this shouldn’t be added as dependency of the univention package or if there is a different issue within one of the scripts to join UCS.

After that I had some other issues, which I was not able to debug, because my time at this voluntary project at a small community driven school is very limited. But I couldn’t login as ucs user into the system eventough the domain join didn’t complain.

I had to install also additional dependencies before the domain join, to get the user login to work properly.

sudo apt install heimdal-docs heimdal-kcm python3-sniffio python3-trio adcli sssd-tools libsasl2-modules-ldap

Not sure which package fixed it… but after this, ucs users where able to login again, and fresh users where created again at the client system.

I used univention-domain-join-cli after some failures with the gui…
UCS version 5.0-3

If I can help with more information, I will try to add more precise information if needed.
Thank you,

erik · October 17, 2023, 1:27pm

Hi treenerd,

I have exactly the same issue. I also want to integrate my Linux Mint 21.1 Client to my UCS server (5.0-5 errata838), first the univention-domain-join also complained about the missing ldap.conf file, with your suggestion I tried to install libldap-common then the domain-join was successful, I could also find my Linux Mint client in the UMC module ->Computer.
However, when I tried to login as UCS user on the Linux Mint Client, it constantly said the password is incorrect. I have downloaded the additional dependencies which you suggested, but the problem has not been solved. Could you provide more information about how you solved this problem or do you have some idea?

Here is a copy from /var/log/auth.log
Oct 13 14:46:58 locutus lightdm: pam_succeed_if(lightdm:auth): requirement “user ingroup nopasswdlogin” not met by user “erik”
Oct 13 14:47:01 locutus lightdm: pam_unix(lightdm:auth): check pass; user unknown
Oct 13 14:47:01 locutus lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Oct 13 14:47:01 locutus lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=erik
Oct 13 14:47:01 locutus lightdm: gkr-pam: error looking up user information
Oct 13 14:47:01 locutus lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(erik))
Oct 13 14:47:01 locutus lightdm: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Oct 13 14:47:01 locutus lightdm: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb

I would be very grateful for some suggestions.
Thank you,
erik.

treenerd · October 17, 2023, 4:11pm

Hi Erik,
I’m not sure if I can help very fast at the moment.
Probably I can try a domain join at the weekend and verify if this still would work with these versions.
Or I would have to build up a virtual environment here.
Not sure if I can answer before the weekend.
Please answer if you found already a solution before.

Best regards
Treenerd

erik · October 24, 2023, 7:47am

Hi Treenerad,

Sorry for the delay, I didn’t find a solution jet. So with your settings you can still get the domain join and Client User login working?

Best regards
Erik

treenerd · January 15, 2025, 10:10pm

Hi erik,

Tested with Linux Mint 22 XFCE today.
These where the steps I did and it worked without issues:

sudo apt install libldap-common
sudo apt install heimdal-docs heimdal-kcm python3-sniffio python3-trio adcli sssd-tools libsasl2-modules-ldap
sudo add-apt-repository ppa:univention-dev/ppa
sudo apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get install univention-domain-join

Then I did the domain join via UI and rebooted.
Worked like it should and it was possible to login with an user created in the UCS server.

Perhaps this will save some time also other users in future
Happy 2025

Bildschirmfoto_20250116_085157

[edit] added more details and dedicated steps

huggeduster · March 10, 2025, 2:09pm

Hello,

I just encountered the same problem in a testing environment with virtualbox. I followed all the steps listed above but without success.
A Linux Mint 22 with xfce desktop was joined ‘successfully’ to a freshly set up ucs but users cannot log in. syslog and auth.log on both sides don’t tell me much.
Does anybody have an idea?

thx

Bernie

treenerd · March 10, 2025, 5:12pm

Hi @huggeduster

Which UCS version did you use? 5.0 or 5.2?

huggeduster · March 10, 2025, 6:09pm

For testing I used 5.2.

treenerd · March 10, 2025, 8:15pm

At the past I used ucs 5.0. There are some changes in UCS 5.2, and I didn’t test this version yet.

On Linux Mint side there are logs under /var/log/univention/domain-join-gui.log
Anything you can share to get more details?

And may a stupid question.
Did you turn the Client off and on again?

treenerd · March 10, 2025, 8:30pm

Spawned a new UCS 5.2 environment in my Proxmox VE and tested a domain join with Mint 22 wilma.
And a User login with tesusers.
And it worked without issues.

But, I cloned a prepared VM which I already had prepared at my environment, so this wasn’t a fresh Linux Mint installation.
May I have time to prepare a fresh Mint installation tomorrow.

huggeduster · March 10, 2025, 8:48pm

Hello Treenerd,

thank you very much for your testing and information.
I will try with 5.0 also and post the result.

huggeduster · March 11, 2025, 9:44pm

Sorry, i didn’t answer your questions. So do I now:
Yes, I did reboot the system.
In the logfile you mentioned there was nothing suspicious to be found.

So, by now I have set up a Kubuntu 24.04 (latest) and couldn’t manage to retrieve the domainjoin script: “repository doesn’ have a release file”.

Okay, so I tried Mint 22.1 (xia) with Cinnamon Desktop with a freshly setup UCS 5.09 err 1125 and everything worked without obstacles.

Next I tried to join th formerly failed Mint 22 and succeeded.

As a (not exactly analytical) conclusion regarding your success and my failures, I’d say that ucs 5.2 might be kind of choosy which system to join with.

Regards

Bernie

treenerd · March 14, 2025, 6:26am

With UCS 5.2, Univention decided to switch from simplesaml to keycloack.
Maybe it is somehow related to this change.

Since it is not possible to report issues at github GitHub - univention/univention-domain-join: An assistant for joining Ubuntu machines into Univention Corporate Server domains I would suggest to send them a message and report the issue.

lunaticT · April 29, 2025, 2:03pm

I’ve done this just last week with UCS 5.2, ucs@school and linux mint 22.1 for a small scale demo deployment and it worked flawlessly. I’m also using an NFS share as a shared home directory. I’ll attach my ansible script for joining the clients to the domain for reference. Keep in mind that this is just a temporary script for a demo.
It’s in not an attachment because new users can’t upload files.


- name: Install univention apt repository
  ansible.builtin.deb822_repository:
    name: univention-dev-ubuntu-ppa-noble
    types: deb
    uris: https://ppa.launchpadcontent.net/univention-dev/ppa/ubuntu/
    suites: noble
    components: main
    signed_by: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      .
      mQINBFph/qEBEACs13CRmcfi8UPla0uwqXTrBk1ETZwbmPsG4HqUUC5IaqLV56R3
      leA7zXM4yLlsWioKSkLqs5x15JOb2Y26trHzYKLLYBzhI2SiZwCNQudD3bOoYVaa
      TgqOP97dy7kXbffQc4Hf8/msu/IcRnLr6ofCvmurt/3FhFzSfzbAQfelB2T1hLt+
      y4bzBd0W/RWYDQWgzXMSvDzeUfgT6jw9pKszSRv3c9Ir6ys7WewDzX96Y74h+Yq4
      W0jzX0nc4icJOhIUk+UuLnlNLySKChk+bS0dOYY8lKxlO8Fm/BYYgSGjfAWZR7Ej
      odiodkcUYX7Q4pgWeYT7c83gOCVsmmHQOefyYOaAGppDOPy6/mvkjpfmoJf4vIqG
      y9LguMnYscIWcu3YZ68AEvzoMhiOYCZrTe9M1YwviolaA82ao16Oky9becMGrexm
      VlfVYEvFYVTe/m3UHEWwwNv0+NPPNxw8e0Amya6KoGOv5RmA1RfxCbgHQ63UkQ2x
      jZ+PhQm3MP5YGI69SaSdz5OozXqnjoSue1dykHD8Lhtl/EtqoDS/bLaNQXOe5ppF
      U83LZB72OL8wcYYqKWMT/HY/XEoUlo7xhv337bWXMQ5THkx7LPc6B7HGyRVtlG1m
      8v63K/ZxwYDQZd7AoZtf0Yyo3dSrm0I0Fwaz+qOM+Zfi+30j8JSlE/vsxwARAQAB
      tBxMYXVuY2hwYWQgUFBBIGZvciBVbml2ZW50aW9uiQI4BBMBAgAiBQJaYf6hAhsD
      BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDapxIM+1IP/SlYD/4sKe2bt1iN
      D3gVvr1+FrdKX18LkSU5gAQYwSQWDGYZFgKK0V3Dk+4ywtGQGgpXONzHg4Tj39Pn
      XFT4rHakTj9wM5Wa9lGzl1uQHCcbk2z2dkc1Cua/c7b9s8mRvosxVCGSk3jFRIXx
      gI/G1xeKwcCyC7NHsVlXfJCxBZrIcR0Z9AL1lAa8O7kfyKcKegc5spL98u2R19QE
      ZQ0V0ZIpchrEClrQk4iE/RbjjT9PIDw7o+txjxnK40sXQjP/XGvAgwt2HvYX2qWv
      MYpwtzSSLRPnnzE1FMm+iKsApjsc3XRbtQiSJSxgfQYj3IIOucxxOaXFVcXXbyyT
      H+fsrRwkkWror62dMsIfKo1E3BIIWCBRhe0rhKBAVcyAI7zoB/QOLiOQ1It0Dopj
      xZ5kj20/30UwV1pCliUQfAmmXwg1vUHQ8+XpL2EDClD1YLYqUTLgFglb0HKVxJJo
      NUiQSMzE0CU1pKg0tT8oiXnI/1X/s7tIG8YpxUP6oj/u5PE7NghVp5rB3WAyQwWu
      3t6bcE4LSD9OG97riGvnld0aCgxzeEQ/68mIB8NYjmRSxIb3fBi0wgOnt6J8e6vZ
      FJs++nOVGBPcKYih51UKgyrGJmLIbZgl7JzlW8hW24TWYCZ9/PBvIQrok4ei189e
      KhIC0eeynHls+KfHVmlVK/RVXx96iJl/CQ==
      =J6ek
      -----END PGP PUBLIC KEY BLOCK-----

- name: Install univention join assistant cli
  ansible.builtin.apt:
    name: univention-domain-join-cli
    state: present
    update_cache: true

- name: Install other dependencies
  ansible.builtin.apt:
    name:
      - nfs-common
      - libldap-common
    state: present

- name: Checking Domain Join status
  ansible.builtin.command:
    cmd: id "Administrator"
  register: ad_status
  changed_when: false
  ignore_errors: true

- name: Join domain
  ansible.builtin.command:
    cmd: univention-domain-join-cli --username Administrator --password {inset password} --domain school-name.intranet --skip-login-manager
  when: ad_status.rc != 0
  changed_when: ad_status != 0

- name: Disable mkhomedir
  ansible.builtin.replace:
    path: /etc/pam.d/common-session
    regexp: "^([^#]+.*pam_mkhomedir.*)"
    replace: '#ansible: disable for nfs \1'

- name: Mount an NFS volume
  ansible.posix.mount:
    src: ucs.school-name.intranet:/nfs/linux/home/school-name/
    path: /home/school-name/
    opts: rw,sync,hard
    state: mounted
    fstype: nfs

treenerd · December 22, 2025, 9:28pm

I work on an Linux Mint unattended installer for a small school nearby.
The project is based on AntonioCarlini linux-mint-unattended-installer work.
The goal in our case is the unattended installation of devices within this school and make univention domain joins possible. It is not a generic project. But maybe this is also interesting to others. Keep in mind there are still a lot of todo’s in this project.

Relate to the domain join, this is not automated yet. But it can be done via the univention-domain-join gui. Thank you for sharing the ansible snippets of the domain join, I was already thinking in this direction.

During creation of the scripts I figured out an issue with the univention-domain-join when /etc/ldap/ldap.conf is missing.
In our case I just included a workaround to fix it.

  mkdir /etc/ldap
  touch /etc/ldap/ldap.conf

The Domain Join worked with Linux Mint 22.2 “Zara” and an UCS 5.2.
The server has been upgraded from 5.0 to 5.2 before.

Hope this will help others with their univention-domain-join story.