Mysterious installation issues - Add Backup DC fails

ssl
ucs-4-2

#1

For those who don’t like to read that much: I got it solved:
For unknown reasons, not only the DC2 couldn’t create the /etc/univention/ssl/fqdn folders. It didn’t create SSL certificates either.
Which also caused the domain join to fail.
I found out about the missing certs, since apache2 wouldn’t start and complained about it.

I generated new certificates for DC2 on the Master DC and copied them over to DC2.
Then I started the join again.

There still seem to be some issues with the listener: On both machines I had to restart slapd and the univention-directory-listener a few times, until “it caught”.

So: Yes, there still seem to be issues, but at least I now know where to look…

===
Hi,

I am running into mysterious install issues with UCS 4.2.0 and 4.2.1 alike:
Install on a KVM VM (Proxmox 4.4) runs smoothly … and then something goes wrong and the installation - or rather dpkg just dies.

At least during 4-5 attempts this happened during the “univention-web-js” installation.
If an installation actually manages to go past this issue, the server will see issues during the join of a UCS domain (as backup DC).
Here I was able to tail the join.log, where it started with not finding the directory for its own certificates - off the top of my head: /etc/ssl/univention/%hostname% and /etc/ssl/univention/%fqdn% (Not 100% sure of the correct path name here!).
On another console I could actually create those directories and then the script moved on - until it tried to contact the DC.
The DC is up & running and functioning as it should. No firewall in between - and still it apparently could not connect.

Anybody else seen such issues?
And maybe have a solution?
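
The resolution at the top of this post came down to missing host certificates on DC2. The following is an added example, not part of the original post and not Univention's own tooling: a shell function that checks a host certificate directory before a join is retried. The file names cert.pem, private.key and ucsCA/CAcert.pem are assumptions about the layout under /etc/univention/ssl, which the thread does not spell out.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout under <ssl_base>:
#   <fqdn>/cert.pem, <fqdn>/private.key, ucsCA/CAcert.pem
# Return codes: 0 ok, 1 no directory, 2 file missing, 3 key/cert mismatch,
#               4 expired, 5 not issued by the CA.
check_host_cert() {
    ssl_base=$1
    fqdn=$2
    dir="$ssl_base/$fqdn"
    ca="$ssl_base/ucsCA/CAcert.pem"

    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    for f in "$dir/cert.pem" "$dir/private.key" "$ca"; do
        [ -s "$f" ] || { echo "missing or empty: $f"; return 2; }
    done

    # The certificate must carry the public half of this private key.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/private.key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private.key does not match cert.pem"; return 3
    fi

    # -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$dir/cert.pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "cert.pem has expired"; return 4
    fi

    # The certificate must chain to the CA file copied from the master.
    if ! openssl verify -CAfile "$ca" "$dir/cert.pem" >/dev/null 2>&1; then
        echo "cert.pem is not signed by $ca"; return 5
    fi
    echo "ok: $dir"
}
```

On the new DC it would be called as `check_host_cert /etc/univention/ssl "$(hostname -f)"`; a non-zero return names the first thing to fix before the join is started again.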


#2

Yet 2 new attempts.
First one on SAS drives within ProxMox: Failed again at the “univention-web-js” installation.
2nd attempt on SSD worked smoothly … up to the domain join.

Where the following happens:

I created those directories manually (Not /dev/null :wink: ), then the script continues:

I stopped the firewall on dc1 and restarted slapd there … just in case. No difference.
After a while the setup breaks and continues, w/o domain join.

At the same time on DC1:

tail -f listener.log

shows:

UNIVENTION_DEBUG_BEGIN  : uldap.__open host=ucs-dc1.keerl-it.com port=7389 base=dc=keerl-it,dc=com
UNIVENTION_DEBUG_END    : uldap.__open host=ucs-dc1.keerl-it.com port=7389 base=dc=keerl-it,dc=com
26.07.17 21:17:01.680  LISTENER    ( ERROR   ) : connection to notifier was closed
26.07.17 21:17:01.680  LISTENER    ( ERROR   ) : failed to recv result
26.07.17 21:17:01.681  LISTENER    ( ERROR   ) : listener: 1UNIVENTION_DEBUG_BEGIN  : uldap.__open host=ucs-dc1.keerl-it.com port=7389 base=dc=keerl-it,dc=com

Result so far:
I can’t log on to DC2 (the new backup DC to be) with Administrator. Website for UMC reports “connection refused”.
Trying to run the join scripts manually through CLI reports:

root@ucs-dc2:/usr/lib/univention-system-setup/scripts#  univention-run-join-scripts
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2017 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password:

Search LDAP binddn

**************************************************************************
* Running join scripts failed!                                           *
**************************************************************************
* Message:  Invalid credentials
**************************************************************************

Guess what: If I ssh to DC1 I can log on with the exact same credentials.
However: If I pass on a wrong password:

root@ucs-dc2:/usr/lib/univention-system-setup/scripts# univention-run-join-scripts
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2017 Univention GmbH, Germany

Enter DC Master Account : Administrator
Enter DC Master Password:

Search LDAP binddn Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).


**************************************************************************
* Running join scripts failed!                                           *
**************************************************************************
* Message:  binddn for user Administrator not found
**************************************************************************

So…what’s next?