Join error: ldap_bind: Invalid credentials (49) - uid=Administrator / cn=Administrator?

Hi everyone.

After spending endless hours trying to figure out why I cannot join one more member server to my UCS domain, I could use some help.

Like several others in this forum, I get the following error during univention-join:

ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

I figured out that this error message is the result of the following command failing (here with a custom file for the password):

univention-ldapsearch -p '' -s base -h ucs.ig.intra -D uid=Administrator,cn=users,dc=ig,dc=intra --bindpwdfile /tmp/masterpwd dn

I am pretty sure the password is correct. I expect this account to be the one used when logging in to the web interface of the Univention domain controller?

In some post (don’t remember where) someone talked about a different DN with “cn” instead of “uid”, so I also tried:
univention-ldapsearch -p '' -s base -h ucs.ig.intra -D cn=Administrator,cn=users,dc=ig,dc=intra --bindpwdfile /tmp/masterpwd dn

That does work.
If I use that account in an LDAP client (Apache Directory Studio), I cannot find any DN with “uid=Administrator”. All users in CN=Users,DC=ig,DC=intra are written as “CN=…”.

If I change the Administrators password on the Domain controller with

udm users/user modify --dn='uid=Administrator,cn=users,dc=ig,dc=intra' --set password='<new password>'

that does work and I have to use the new password in the univention-ldapsearch command (with “cn=Administrator”) to be successful.

I figured out that the script “univention-join” gets the full DN from the user name by using the command:

univention-ssh /tmp/masterpwd Administrator@ucs.ig.intra /usr/sbin/udm users/user list --filter uid=Administrator --logfile /dev/null

This delivers the following:

uid=Administrator
DN: uid=Administrator,cn=users,dc=ig,dc=intra
  MRAccept: 0
  MRAcceptConflictingTimes: 0
  MRAcceptRecurringItems: 0
  MRProcess: 0

…and so on…

I did not mess around with the LDAP. Before this problem I mostly only used the web interface to configure things. Maybe the Kopano installation did? Before this server I successfully joined two more servers, on one of which I installed Kopano. None of these servers are productive yet. Still, I would like to avoid starting all over and installing the domain controller and all servers again.

BTW: I tried the same univention-ldapsearch command on one of the already joined servers. Same problem there: it does not work with “uid=Administrator,…” but with “cn=Administrator,…”.

Questions:

  • Is “uid=Administrator,cn=users,dc=ig,dc=intra” a different user than “cn=Administrator,cn=users,dc=ig,dc=intra”?
  • Then why does the password change of “uid=Administrator” affect “cn=Administrator”?
  • Why am I not able to find “uid=Administrator” in the LDAP?
  • Where does the command “/usr/sbin/udm users/user list” on the domain controller get the information from?
  • How can I fix the situation?

Clueless,
Ralph Reckert

The first thing you should know is that a UCS server with Samba is actually running two separate LDAP servers simultaneously:

  • An OpenLDAP server on ports 7389 (plain text) and 7636 (encrypted)
  • The Samba 4 LDAP server on ports 389 (plain text) and 636 (encrypted)

The OpenLDAP server is always present on a DC Master, even if one doesn’t run Samba. The data in the OpenLDAP server is authoritative. The Univention tools dealing with all kinds of settings (users, groups, DNS, policies, portal configuration etc.) all query and write to the OpenLDAP server.

In order to ensure that the Samba 4 LDAP contains the same data, there’s a component doing a bidirectional synchronization between both LDAP directories: the Univention Samba 4 connector (or simply the “S4 connector”).

Both LDAP directories use different schemas: the OpenLDAP uses the traditional Unixy POSIX schemas whereas the Samba 4 LDAP uses the Active Directory schema.

And now we can get to your questions:

> Is “uid=Administrator,cn=users,dc=ig,dc=intra” a different user than “cn=Administrator,cn=users,dc=ig,dc=intra”? Then why does the password change of “uid=Administrator” affect “cn=Administrator”?

They’re the same user, but both syntaxes name users in different directories. uid=… is used solely in OpenLDAP whereas cn=username,… is used in Samba 4. Password changes to one of those affect the other because the S4 connector synchronizes the password fields.

> Why am I not able to find “uid=Administrator” in the LDAP?

You’re most likely connecting to the wrong port, or to be precise: you’re connecting to port 389 or 636 (which is the Samba 4 LDAP), and in the Samba/AD LDAP the users are named cn=….

> Where does the command “/usr/sbin/udm users/user list” on the domain controller get the information from?

From the OpenLDAP server.

Note that both the univention-ldapsearch and the plain ldapsearch commands use information from /etc/ldap/ldap.conf in order to determine the host name & port to connect to unless you overwrite those settings from the command line. The default in ldap.conf is port 7389, meaning both commands will search the OpenLDAP server.

If you want to search the Samba 4 LDAP server from the command line instead, use the univention-s4search command which operates almost identically.

> How can I fix the situation?

Now this is a very good question. Let’s get back to what you wrote at the top:

> In some post (don’t remember where) someone talked about a different DN with “cn” instead of “uid”, so I also tried:
> univention-ldapsearch -p '' -s base -h ucs.ig.intra -D cn=Administrator,cn=users,dc=ig,dc=intra --bindpwdfile /tmp/masterpwd dn
> That does work.

This is plain wrong. The univention-ldapsearch command, as stated above, should contact the OpenLDAP server instead of the Samba 4 LDAP server. Therefore the syntax cn=administrator should not work but uid=… should. I can think of two possible reasons why this happens:

  1. univention-ldapsearch doesn’t use port 7389 but 389.
  2. The OpenLDAP server isn’t listening on port 7389 on your server.

Let’s make sure the DC Master’s configuration is correct first. Run the following on your DC Master and post the output here, please:

lsof -aPniTCP:7389 -iTCP:389 -sTCP:LISTEN
iptables -t nat -L -nv

Next take a look at /etc/ldap/ldap.conf on the server you’re trying to join. Post its content here. Additionally install the strace package on the server to join if it isn’t installed yet, run the next command and post the content of the file connect.txt that’s created by that strace command here:

strace -o connect.txt -f -e connect univention-ldapsearch -s base

That should give us some clues about what’s going on.
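The two-port split and the ldap.conf default explained in this answer, as an added shell example that is not part of the thread: it reads which port an ldap.conf URI line selects (falling back to libldap’s built-in default of ldap://localhost:389 when no URI line is present, which on a UCS host is the Samba 4 port), maps a port to the directory that listens there, and lists the ports that an `strace -e connect` log shows the client actually reaching. The ldap.conf contents and the strace lines are constructed sample input; the host name ucs.ig.intra is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: work out where an LDAP client on a UCS
# host would actually connect, from its /etc/ldap/ldap.conf and from an
# "strace -o connect.txt -f -e connect <cmd>" trace.

# Port selected by the first URI line of an ldap.conf-style file ($1).
# Without a URI line libldap falls back to ldap://localhost:389, which on a
# UCS DC is the Samba 4 LDAP, not OpenLDAP. Only the first URI is considered.
ldap_conf_port() {
    uri=$(awk 'toupper($1) == "URI" { print $2; exit }' "$1")
    case "$uri" in
        "")            echo 389 ;;             # no URI: libldap default
        *://*:[0-9]*)  echo "${uri##*:}" ;;    # explicit port in the URI
        ldaps://*)     echo 636 ;;
        ldap://*)      echo 389 ;;
        *)             echo unknown ;;
    esac
}

# Which UCS directory listens on a given port (as described in the answer).
port_role() {
    case "$1" in
        7389|7636) echo openldap ;;
        389|636)   echo samba4 ;;
        *)         echo unknown ;;
    esac
}

# Distinct TCP ports passed to connect() in an strace -e connect log ($1);
# AF_UNIX connects (e.g. the nscd socket) carry no port and are skipped.
strace_ports() {
    sed -n 's/.*sin6\{0,1\}_port=htons(\([0-9]*\)).*/\1/p' "$1" | sort -un
}

# Verdict for one host: what ldap.conf selects versus what was traced.
diagnose() {
    conf_port=$(ldap_conf_port "$1")
    echo "ldap.conf selects port $conf_port ($(port_role "$conf_port"))"
    for p in $(strace_ports "$2"); do
        echo "strace shows connect() to port $p ($(port_role "$p"))"
    done
}

# Constructed sample input: a stock Debian ldap.conf with everything commented
# out, a UCS-style ldap.conf (host name from the thread), and three strace
# lines modelled on what "strace -e connect univention-ldapsearch" prints.
work=$(mktemp -d)
printf '#BASE dc=example,dc=com\n#URI ldap://ldap.example.com\nTLS_CACERT /etc/ssl/certs/ca-certificates.crt\n' > "$work/stock.conf"
printf 'URI ldap://ucs.ig.intra:7389\nBASE dc=ig,dc=intra\n' > "$work/ucs.conf"
printf '%s\n' \
  '10341 connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)' \
  '10341 connect(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("127.0.0.1")}, 16) = 0' \
  '10341 connect(3, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = -1 ECONNREFUSED (Connection refused)' \
  > "$work/connect.txt"

# A stock ldap.conf sends the client to 389 (samba4); the UCS one to 7389 (openldap).
diagnose "$work/stock.conf" "$work/connect.txt"
diagnose "$work/ucs.conf" "$work/connect.txt"
```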

Hi Moritz_Bunkus.

(For some reason I did not get a notification on your reply, that’s why I only found it today.)

Thanks for your reply. Here are the results of the tests you suggested:

The ports of the two LDAP services on the DC look correct:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd    969 root    8u  IPv4  18488      0t0  TCP *:7389 (LISTEN)
slapd    969 root    9u  IPv6  18489      0t0  TCP *:7389 (LISTEN)
samba   1403 root   24u  IPv6  23013      0t0  TCP [::1]:389 (LISTEN)
samba   1403 root   32u  IPv4  23018      0t0  TCP 127.0.0.1:389 (LISTEN)
samba   1403 root   36u  IPv4  23022      0t0  TCP 192.168.0.5:389 (LISTEN)
samba   2067 root   24u  IPv6  23013      0t0  TCP [::1]:389 (LISTEN)
samba   2067 root   32u  IPv4  23018      0t0  TCP 127.0.0.1:389 (LISTEN)
samba   2067 root   36u  IPv4  23022      0t0  TCP 192.168.0.5:389 (LISTEN)

Here the output of “iptables -t nat -L -nv” on the DC:

Chain PREROUTING (policy ACCEPT 154K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
 126K 9121K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 120K packets, 8762K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 158K packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
 7996  507K DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 158K packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination

There isn’t much in the file /etc/ldap/ldap.conf on the new server. On my joined server there is a correct entry for URI, BASE, and TLS_CACERT but not here. Should the correct values have been set during the join process before or in the script univention-join?

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

When running “strace -o connect.txt -f -e connect univention-ldapsearch -s base” on the new server, I get the repeated output “ldap_start_tls: Can’t contact LDAP server (-1)”

Here are the first lines of the content of “connect.txt”:

10337 +++ exited with 0 +++
10336 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=10337, si_uid=0, si_status=0, si_utime=56, si_stime=6} ---
10338 +++ exited with 0 +++
10336 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=10338, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
10341 connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
10341 connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
10341 connect(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
10341 connect(3, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = 0
10341 connect(3, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = -1 ECONNREFUSED (Connection refused)
10341 connect(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)

I don’t know what “htons()” means, but the 389 looks like it is trying to connect to the wrong (=Samba) port? How can that happen?

Should I copy the content of /etc/ldap/ldap.conf from one of my joined servers and try the univention-ldapsearch afterwards?

Best regards,
Ralph Reckert

Do you have a file called /root/.ldaprc or /root/ldaprc on your new server? What does grep -Er 'localhost|127.0.0.1|389' /root output?

No, no file .ldaprc or ldaprc in /root/

Grep only finds a line in the bash history:

/root/.bash_history:ldapsearch -h ucs.ig.intra -p 7389 -x -D cn=administrator,$(ucr get ldap/base) -w $(cat /etc/ldap.secret) cn=admin

One thing I haven’t asked for yet is log output. Please re-run univention-join and post all lines from /var/log/univention/join.log from that attempt.

The output of univention-join is:

univention-join: joins a computer to an ucs domain
copyright (c) 2001-2018 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password:

Search DC Master:                                          done
Check DC Master:                                           done
Search ldap/base                                           done
Search LDAP binddn                                         done
Sync time:                                                 done
Join Computer Account:                                     done
Check TLS connection: ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1


**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message:  Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- Establishing a TLS connection with ucs.ig.intra failed. Maybe you didn't specify a FQDN.
**************************************************************************

The log file /var/log/univention/join.log:

Tue Mar 19 16:34:06 CET 2019: starting /usr/sbin/univention-join
running version check
OK: UCS version on ucs.ig.intra is higher or equal (4.33) to the local version (4.32).
Tue Mar 19 16:34:23 CET 2019
univention-server-join: joins a server to an univention domain
copyright (c) 2001-2019 Univention GmbH, Germany

ldap_dn="cn=bareos,cn=memberserver,cn=computers,dc=ig,dc=intra"
Setting hostname
Setting ldap/hostdn
File: /etc/pam.d/smtp
File: /etc/welcome.msg
Multifile: /etc/postfix/ldap.virtualwithcanonical
File: /etc/issue
Multifile: /etc/postfix/ldap.virtual_mailbox
Multifile: /etc/hosts
Multifile: /etc/postfix/ldap.groups
File: /etc/dhcp/dhclient.conf
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.canonicalsender
File: /etc/apache2/sites-available/univention-proxy.conf
Multifile: /etc/postfix/ldap.virtualdomains
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
File: /etc/apache2/conf-available/ucs.conf
Multifile: /etc/postfix/ldap.sharedfolderlocal
File: /etc/mailname
File: /etc/cron.d/univention-directory-policy
Multifile: /etc/postfix/main.cf
Multifile: /etc/postfix/ldap.sharedfolderremote
File: /etc/hostname
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.external_aliases
Multifile: /etc/apache2/sites-available/default-ssl.conf
Multifile: /etc/pam.d/univention-management-console
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
152 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.


**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message:  Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- Establishing a TLS connection with ucs.ig.intra failed. Maybe you didn't specify a FQDN.
**************************************************************************
Tue Mar 19 16:34:43 CET 2019: finish /usr/sbin/univention-join

Judging from the content of your /etc/ldap/ldap.conf file, it seems that you don’t have the package univention-ldap-client installed, which absolutely must be installed. This is rather strange as the package univention-role-server-common depends on it, and univention-server-member in turn depends on univention-role-server-common.

All in all it seems like you’re missing packages for one reason or another.

Please post the output of `dpkg -l 'univention*'`.

Then run `univention-install univention-server-member` followed by `ucr commit`.

Afterwards look at /etc/ldap/ldap.conf again. At the very least it should start with the usual UCS disclaimer:

# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
…

If it does, try your join again.

Hi Moritz_Bunkus.

Thanks for your help. After installing the package I was able to complete the univention-join script without errors.

Before, for some reason, some of the packages were not fully(?) installed.

Here are the results of “dpkg -l ‘univention*’” before installing the package:

||/ Name                                Version                Architektur            Beschreibung
+++-===================================-======================-======================-============================================================================
ii  univention-apache                   10.0.2-2A~4.3.0.201805 all                    UCS - Apache2 configuration
ii  univention-appcenter                7.0.2-49A~4.3.0.201812 all                    Tools for Univention App Center
ii  univention-appcenter-docker         7.0.2-49A~4.3.0.201812 all                    Docker integration for Univention App Center
ii  univention-archive-key              8.0.0-1A~4.3.0.2017121 all                    UCS - Archive signature key
ii  univention-base-files               7.0.0-20A~4.3.0.201811 all                    UCS - base configuration files
ii  univention-base-packages            7.0.0-20A~4.3.0.201811 all                    UCS - base packages
un  univention-basesystem               <keine>                <keine>                (keine Beschreibung vorhanden)
un  univention-bind                     <keine>                <keine>                (keine Beschreibung vorhanden)
ii  univention-bootsplash               9.0.0-5A~4.3.0.2018011 all                    UCS - bootsplash
ii  univention-config                   13.0.0-6A~4.3.0.201811 all                    UCS - configuration manager
un  univention-config-registry          <keine>                <keine>                (keine Beschreibung vorhanden)
ii  univention-directory-listener       12.0.0-33A~4.3.0.20181 amd64                  UCS - Directory Listener
ii  univention-directory-manager-tools  13.0.25-27A~4.3.0.2018 all                    UCS - Command-line based administration tools
ii  univention-directory-policy         9.0.0-1A~4.3.0.2017121 all                    UCS - Directory Policy handler
ii  univention-docker                   3.0.0-2A~4.3.0.2018011 all                    UCS settings for Docker
ii  univention-errata-level             4.3.3-407              all                    UCS - errata level handling
ii  univention-grub                     11.0.0-1A~4.3.0.201712 all                    UCS - meta package for the Grub2 configuration
ii  univention-heimdal-common           11.0.1-9A~4.3.0.201805 all                    UCS - Kerberos common package
un  univention-heimdal-kdc              <keine>                <keine>                (keine Beschreibung vorhanden)
un  univention-heimdal-member           <keine>                <keine>                (keine Beschreibung vorhanden)
un  univention-ifplugd                  <keine>                <keine>                (keine Beschreibung vorhanden)
ii  univention-initrd                   10.0.0-1A~4.3.0.201712 all                    UCS - initrd scripts
ii  univention-ipcalc                   9.0.0-2A~4.3.0.2017122 all                    UCS - ipcalc tool for network
ii  univention-join                     10.0.0-25A~4.3.0.20181 all                    UCS - join domains
ii  univention-kernel-image             11.0.1-9A~4.3.0.201808 amd64                  UCS - Linux kernel (standard)
un  univention-ldap-listener            <keine>                <keine>                (keine Beschreibung vorhanden)
un  univention-ldap-policy              <keine>                <keine>                (keine Beschreibung vorhanden)
un  univention-ldap-server              <keine>                <keine>                (keine Beschreibung vorhanden)
un  univention-mail                     <keine>                <keine>                (keine Beschreibung vorhanden)
ii  univention-mail-postfix             12.0.0-21A~4.3.0.20180 all                    UCS - postfix configuration
un  univention-mail-postfix-forward     <keine>                <keine>                (keine Beschreibung vorhanden)
un  univention-mail-postfix-kolab2      <keine>                <keine>                (keine Beschreibung vorhanden)
ii  univention-management-console-front 10.0.6-18A~4.3.0.20190 all                    UCS Management Console - Web based computer administration tool
ii  univention-management-console-login 10.0.6-18A~4.3.0.20190 all                    UCS Management Console - Login page
ii  univention-management-console-modul 7.0.0-2A~4.3.0.2017122 all                    Module lib containing low-lewel commands to control the UMC server
ii  univention-management-console-modul 11.0.5-28A~4.3.0.20181 all                    UMC module for Univention System Setup
ii  univention-management-console-modul 8.0.0-2A~4.3.0.2017122 all                    UMC module for system info
ii  univention-management-console-serve 10.0.6-18A~4.3.0.20190 all                    UCS Management Console - server
ii  univention-management-console-web-s 10.0.6-18A~4.3.0.20190 all                    UCS Management Console - Web server
ii  univention-network-common           10.0.0-3A~4.3.0.201804 all                    UCS - Network tools for ifplugd and network-manager (common)
un  univention-network-manager          <keine>                <keine>                (keine Beschreibung vorhanden)
ii  univention-runit                    9.0.0-5A~4.3.0.2018020 all                    UCS - service supervision
ii  univention-saml-schema              5.0.4-29A~4.3.0.201812 all                    UCS simpleSAMLphp ldap integration
un  univention-server-backup            <keine>                <keine>                (keine Beschreibung vorhanden)
un  univention-server-member            <keine>                <keine>                (keine Beschreibung vorhanden)
un  univention-server-slave             <keine>                <keine>                (keine Beschreibung vorhanden)
un  univention-setup-boot               <keine>                <keine>                (keine Beschreibung vorhanden)
ii  univention-ssh                      9.0.0-1A~4.3.0.2017121 all                    UCS - ssh scripts
ii  univention-ssl                      12.0.0-16A~4.3.0.20181 all                    UCS - SSL/TLS certificates
ii  univention-system-info              8.0.0-2A~4.3.0.2017122 all                    UCS - collect system information
ii  univention-system-setup             11.0.5-28A~4.3.0.20181 all                    UCS System Setup tools
un  univention-system-setup-appliance   <keine>                <keine>                (keine Beschreibung vorhanden)
rc  univention-system-setup-boot        11.0.5-28A~4.3.0.20181 all                    Starting univention-system-setup on next boot
ii  univention-updater                  13.0.1-62A~4.3.0.20181 all                    UCS - system upgrading tool
ii  univention-web-js                   2.0.0-31A~4.3.0.201812 all                    Univention Javascript Library
ii  univention-web-style                2.0.0-31A~4.3.0.201812 all                    Univention Style Library
ii  univention-welcome-screen           9.0.0-5A~4.3.0.2018011 all                    UCS - welcome screen

Best regards,
Ralph Reckert

This is somewhat suspicious. In your shoes I’d probably re-install the whole machine. If you want to go down that road, be sure to opt for joining the UCS domain at the end of the installation process and to set the server role during the installation (instead of selecting “do not join a domain” or similar and then doing it later). That way you can be more confident that everything’s installed the way it’s supposed to be.
