Neuer MasterDC - Client Anmeldung via nslcd funktioniert NICHT mehr

Peter · November 14, 2020, 5:10pm

nachdem ich den Backup DC zum Master dc gemacht habe (backup2master) können sich keine clients mehr via LDAP anmelden.

vor dem verändern des DC hat alles funktioniert.

A) kann es ein Zertifikat thema sein ? wie überprüfe ich das und wie fixe ich das?

B) Wie bekomme ich den Master sedeka4 dazu die Anfagen anzunehmen ?

C) Wie kann ich mit einem LDAP Explorer mir den ganzen LDAP Baum anschauen was sind die Einstellungen für (Softerra LDAP Admin)

Danke
Peter

Ergänzung:
ein:
univention-ldapsearch -b uid=admin.blub,ou=admins,cn=groups,cn=ka,cn=de,dc=mydomain,dc=local -LLL

funktioniert als root

ein:
ldapsearch -bldapsearch -b uid=admin.blub,ou=admins,cn=groups,cn=ka,cn=de,dc=mydomain,dc=local -LLL

ergibt mir ein:

SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)

Hier die LOG

nslcd: [8b4567] DEBUG: connection from pid=392 uid=0 gid=0
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: myldap_search(base="ou=admins,cn=groups,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=admin.blub))")
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: ldap_initialize(ldap://sedeka4.meinedomain.local:7389/)
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: ldap_start_tls_s()
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://sedeka4.meinedomain.local:7389/")
nslcd: [8b4567] <passwd="admin.blub"> ldap_result() failed: Insufficient access
nslcd: [8b4567] <passwd="admin.blub"> DEBUG: myldap_search(base="cn=sudoers,cn=roles,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=admin.blub))")
nslcd: [8b4567] <passwd="admin.blub"> ldap_result() failed: Insufficient access
nslcd: [7b23c6] DEBUG: connection from pid=392 uid=0 gid=0

und
nslcd -d

nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.10
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,allow)
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid nslcd
nslcd: DEBUG: CFG: gid 115
nslcd: DEBUG: CFG: uri ldap://sedeka4.meinedomain.local:7389/
nslcd: DEBUG: CFG: uri ldap://sedeka2.meinedomain.local:7389/
nslcd: DEBUG: CFG: uri ldap://sedeka3.meinedomain.local:7389/
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: base ou=admins,cn=groups,cn=ka,cn=de,dc=meinedomain,dc=local
nslcd: DEBUG: CFG: base cn=sudoers,cn=roles,cn=ka,cn=de,dc=meinedomain,dc=local
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectClass=posixAccount)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=shadowAccount)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: pam_authc_ppolicy yes
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl start_tls
nslcd: DEBUG: CFG: tls_reqcert allow
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_uid_offset 0
nslcd: DEBUG: CFG: nss_gid_offset 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: pam_authc_search BASE
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: version 0.9.10 starting
nslcd: DEBUG: initgroups("nslcd",115) done
nslcd: DEBUG: setgid(115) done
nslcd: DEBUG: setuid(110) done
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=392 uid=0 gid=0
nslcd: [8b4567] <group/member="root"> DEBUG: myldap_search(base="ou=admins,cn=groups,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=root))")
nslcd: [8b4567] <group/member="root"> DEBUG: ldap_initialize(ldap://sedeka4.meinedomain.local:7389/)
nslcd: [8b4567] <group/member="root"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <group/member="root"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <group/member="root"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <group/member="root"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <group/member="root"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <group/member="root"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <group/member="root"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <group/member="root"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <group/member="root"> DEBUG: ldap_start_tls_s()
nslcd: [8b4567] <group/member="root"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://sedeka4.meinedomain.local:7389/")
nslcd: [8b4567] <group/member="root"> ldap_result() failed: Insufficient access
nslcd: [8b4567] <group/member="root"> DEBUG: myldap_search(base="cn=sudoers,cn=roles,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=root))")
nslcd: [8b4567] <group/member="root"> ldap_result() failed: Insufficient access
nslcd: [8b4567] <group/member="root"> DEBUG: myldap_search(base="ou=admins,cn=groups,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixGroup)(memberUid=root))")
nslcd: [8b4567] <group/member="root"> ldap_result() failed: Insufficient access
nslcd: [8b4567] <group/member="root"> DEBUG: myldap_search(base="cn=sudoers,cn=roles,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixGroup)(memberUid=root))")
nslcd: [8b4567] <group/member="root"> ldap_result() failed: Insufficient access
nslcd: [7b23c6] DEBUG: connection from pid=392 uid=0 gid=0
nslcd: [7b23c6] <passwd="admin.blub"> DEBUG: myldap_search(base="ou=admins,cn=groups,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=admin.blub))")
nslcd: [7b23c6] <passwd="admin.blub"> ldap_result() failed: Insufficient access
nslcd: [7b23c6] <passwd="admin.blub"> DEBUG: myldap_search(base="cn=sudoers,cn=roles,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=admin.blub))")
nslcd: [7b23c6] <passwd="admin.blub"> ldap_result() failed: Insufficient access
nslcd: [3c9869] DEBUG: connection from pid=392 uid=0 gid=0
nslcd: [3c9869] <passwd="peter.blub"> DEBUG: myldap_search(base="ou=admins,cn=groups,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=peter.blub))")
nslcd: [3c9869] <passwd="peter.blub"> ldap_result() failed: Insufficient access
nslcd: [3c9869] <passwd="peter.blub"> DEBUG: myldap_search(base="cn=sudoers,cn=roles,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=peter.blub))")
nslcd: [3c9869] <passwd="peter.blub"> ldap_result() failed: Insufficient access
nslcd: [334873] DEBUG: connection from pid=392 uid=0 gid=0
nslcd: [334873] <group/member="postfix"> DEBUG: myldap_search(base="ou=admins,cn=groups,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=postfix))")
nslcd: [334873] <group/member="postfix"> ldap_result() failed: Insufficient access
nslcd: [334873] <group/member="postfix"> DEBUG: myldap_search(base="cn=sudoers,cn=roles,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=postfix))")
nslcd: [334873] <group/member="postfix"> ldap_result() failed: Insufficient access
nslcd: [334873] <group/member="postfix"> DEBUG: myldap_search(base="ou=admins,cn=groups,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixGroup)(memberUid=postfix))")
nslcd: [334873] <group/member="postfix"> ldap_result() failed: Insufficient access
nslcd: [334873] <group/member="postfix"> DEBUG: myldap_search(base="cn=sudoers,cn=roles,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixGroup)(memberUid=postfix))")
nslcd: [334873] <group/member="postfix"> ldap_result() failed: Insufficient access
nslcd: [b0dc51] DEBUG: connection from pid=392 uid=0 gid=0
nslcd: [b0dc51] <group/member="root"> DEBUG: myldap_search(base="ou=admins,cn=groups,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=root))")
nslcd: [b0dc51] <group/member="root"> ldap_result() failed: Insufficient access
nslcd: [b0dc51] <group/member="root"> DEBUG: myldap_search(base="cn=sudoers,cn=roles,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixAccount)(uid=root))")
nslcd: [b0dc51] <group/member="root"> ldap_result() failed: Insufficient access
nslcd: [b0dc51] <group/member="root"> DEBUG: myldap_search(base="ou=admins,cn=groups,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixGroup)(memberUid=root))")
nslcd: [b0dc51] <group/member="root"> ldap_result() failed: Insufficient access
nslcd: [b0dc51] <group/member="root"> DEBUG: myldap_search(base="cn=sudoers,cn=roles,cn=ka,cn=de,dc=meinedomain,dc=local", filter="(&(objectClass=posixGroup)(memberUid=root))")
nslcd: [b0dc51] <group/member="root"> ldap_result() failed: Insufficient access