Not able to connect to Active Directory Domain Controller


#1

Hi,

I have successfully deployed a UCS server on VMware, but while setting up the Active Directory connection it is not able to make a connection to the Active Directory domain controller.

I am able to ping the AD domain and also issue a dig command from the UCS server command line, but I am not able to connect through the UCS management console.

In /var/log/univention/management-console-module-adconnector.log I can see that the result of dig is "connection timed out; no servers could be reached", but if you manually issue dig IP-Address it works fine.

Could someone please suggest what can be done to investigate this issue?

Regards,
Nitin


UCS AD Connector and Windows 2012 Domain
#2

In my scenario there are two domains (root and child) and the DNS server is configured on the root domain, so that should make the child domain accessible using the DNS of the parent domain.
I am trying to synchronise user accounts of child domain.
Regards,
Nitin


#3

Hi Nitin!

This sounds a bit like an AD forest; Samba currently doesn't support forests, so far.

But first to your initial problem. It's hard to guess what's wrong without some detailed information, so can you please attach some output, like a relevant snippet from the logs as well as the manual command which seemed to work…


#4

Hi nicost,

When I am trying to access the child domain I can see the below in /var/log/univention/management-console-module-adconnector.log

10.181.8.11 is the IP of the child domain controller.

06.12.16 11:44:48.740 MODULE ( PROCESS ) : Lookup ADDS DC
06.12.16 11:44:48.746 MODULE ( PROCESS ) : running ['dig', '@10.181.8.11']
06.12.16 11:45:03.761 MODULE ( PROCESS ) : stdout:
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @10.181.8.11
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

06.12.16 11:45:03.761 MODULE ( PROCESS ) : stderr:
06.12.16 11:45:03.761 MODULE ( WARN ) : Failure: ['Connection to AD Server 10.181.8.11 failed']
06.12.16 11:45:03.761 MODULE ( PROCESS ) : The command has failed: Could not connect to AD Server 10.181.8.11. Please verify that the specified address is correct.

Even if I try dig @10.181.1.11 manually it gives me the error below:

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @10.181.8.11
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Regards,
Nitin


#5

Hi Nitin,

From the source code ('/usr/share/pyshared/univention/lib/admember.py:663') you can see that the AD Connector is trying to contact the MS-AD DC. Several UCR variables are parsed to query for the IP address of the AD server.
Can you please check if your MS-AD DC is one of the following UCR entries:

root@ucs: ~# ucr search forwarder nameserver

According to this, one of the following should lead to success:

root@ucs: ~# dig @$(ucr get dns/forwarder1) +short
root@ucs: ~# dig @$(ucr get dns/forwarder2) +short
root@ucs: ~# dig @$(ucr get dns/forwarder3) +short
root@ucs: ~# dig @$(ucr get nameserver1) +short
root@ucs: ~# dig @$(ucr get nameserver2) +short
root@ucs: ~# dig @$(ucr get nameserver3) +short

If not, take care to enter your MS-AD DC’s IP address either as nameserver or as dns/forwarder.


#6

Hi nicost,

Thanks for the information.

The domain controller is not running a DNS server role. The DNS server is in the parent domain.

The users we need to synchronise though are in the child domain that does not run its own DNS.

Is running the DNS server role on a domain controller a prerequisite? If so, why is that so?

Regards,
Nitin


#7

Hi nicost,

If I run ucr search forwarder nameserver I get a list of name servers and DNS forwarders, and one of them (dig @$(ucr get nameserver1) +short) works fine.
Please note that my MS-AD DC IP is not specified either in /etc/resolv.conf or as dns/forwarder, but my parent domain DC's DNS IP is in the name server config (/etc/resolv.conf).

I have tried to replicate this on my local laptop using Oracle VirtualBox and the same topology and it works fine there, but on VMware in our test environment it is not working.

To reiterate, my scenario is as follows:
There are two MS AD domain controllers (one DC for the parent domain with a DNS server and another DC for the child domain without a DNS server. The child DC uses the parent DC's DNS server).

Now the UCS Active Directory Connection is able to resolve the parent domain DC but not the child domain DC. So in the connection, if I enter the DNS server IP and use the username and password of a user in the parent domain, then it is able to retrieve the AD DC domain information and synchronise user accounts.

But if I enter the IP address of the child domain controller (which is not running a DNS server but using the parent DC's DNS server) then UCS is not able to connect to it.

How can I check whether it is a DNS issue, a network issue or something else?

Please note that from UCS server I am able to ping and telnet to child DC IP address but UCS is failing while issuing dig command.

Regards,
Nitin


#8

Hi Nitin,

from the information you provided I assume that you want to setup UCS as part of the AD child domain, i.e. the first option described in the manual, and not the second option described there. Please note that the first option implies that is finally intended to be the same as .

I've looked at the code and the original design decisions behind it. This is what I found:

You are right, in this case the code currently tries to confirm that the given AD-DC is also a nameserver. We made that restrictive assumption because, for this first option of the AD-Connection, we later want to create these DNS records:

_domaincontroller_master._tcp.<child-dns-domain> SRV     0 0 0  <ucs-master-hostname>.<child-dns-domain>.   ## mind the trailing dot
ucs-sso.<child-dns-domain>                       A       <IP of UCS-Server>

From my quick look at the code I have the impression that this "dig" check could be avoided if those records have already been created manually in your parent domain DNS server. To confirm that after manually adding them, the following commands can be run on the UCS command line and they must return the correct values:

dig "_domaincontroller_master._tcp.$(hostname -d)" SRV @10.181.8.11 +short
dig "ucs-sso.$(hostname -d)" @10.181.8.11 +short

Iff these prerequisites are fulfilled, then we actually (AFAICS) wouldn't need to perform the nameserver check via dig. The problem is that this check is currently hardcoded in the Python source code. Speaking as a developer (not a supporter) I share my assumption that it might be possible to quickly adjust this locally on your machine. This step would require that you are confident to use an editor like "vim" on a file containing Python source code without causing any collateral damage. I would recommend you first copy that file to a safe location to be able to recover in case something got messed up:

cp /usr/share/pyshared/univention/lib/admember.py /var/tmp/admember.py.bak

After this precautionary step, you can open that file with an editor of your choice and change the line

def lookup_adds_dc(ad_server=None, ucr=None, check_dns=True):

into:

def lookup_adds_dc(ad_server=None, ucr=None, check_dns=False):

Without a test environment I cannot guarantee that this will have the desired effect.

Thanks for sharing your issue anyway, it helps to identify the relevance of a use case that was out of our initial focus.
We will consider your feedback to see how we can improve the product to make it usable without any hiccups also in scenarios like yours.


#9

Thanks requate for such detailed information. I would definitely give this a try, but before this I wanted to confirm the below.

I am choosing the second option while deploying the UCS AD connection service "Synchronization of account data between an AD domain and a UCS domain".

Are the steps you have mentioned above applicable for this?

I would be comfortable making the code changes as I am a developer. Once you confirm I will give it a try on our test environment.

Thanks again for your help.

Regards,
Nitin


#10

Hi requate,

Can you please let me know how do we add DNS entries in parent domain?

Regards,
nitin


#11

Hi Nitin,

In the UMC (web frontend) within 'Domain → DNS' you can enter additional records. The correct position normally is the forward zone.

If you want to do these steps in the terminal you can use the UDM:

udm dns/dns list  # shows all available dns zones
udm dns/forward_zone list  # show all available dns forward zones; use these DNs as superordinate
udm dns/host_record list --superordinate "zoneName=<domain.tld>,cn=dns,dc=<domain>,dc=<tld>"  # this is just an example

# add Service-Record
udm dns/srv_record create --superordinate "zoneName=$(dnsdomainname),cn=dns,$(ucr get ldap/base)" --set name="foo udp bar" --set location="0 0 0 <FQDN>"
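The two records named in post #8 (_domaincontroller_master._tcp SRV and ucs-sso A) mapped onto the udm calls above, plus the dig verification from that post. This is an added example, not code from Univention or from anyone in this thread. The zone, host name and IP are taken from the log output later in the thread; LDAP_BASE is an assumption (read it with `ucr get ldap/base` on a real system). udm takes the SRV name as "service protocol" without the leading underscores, which it adds itself, and the location as "priority weight port target." with a trailing dot, as in the post above.

```python
# Added example (not code from the Univention project or this thread): create the
# two records from post #8 with udm and verify them with dig.
import subprocess
from typing import List

# Values taken from the thread's log output; LDAP_BASE is an assumption
# (on a real system use: ucr get ldap/base).
ZONE = "sdhic.xsdhis.nhs.uk"                    # child DNS domain
LDAP_BASE = "dc=sdhic,dc=xsdhis,dc=nhs,dc=uk"   # assumed
UCS_FQDN = "ucs-master.sdhic.xsdhis.nhs.uk"
UCS_IP = "192.168.0.27"
DNS_SERVER = "192.168.0.27"                     # server to verify against


def superordinate(zone: str, ldap_base: str) -> str:
    """DN of the forward zone object that udm needs as --superordinate."""
    return f"zoneName={zone},cn=dns,{ldap_base}"


def srv_record_argv(zone: str, ldap_base: str, service: str, proto: str,
                    prio: int, weight: int, port: int, target: str) -> List[str]:
    """udm names an SRV record "<service> <protocol>" (no leading underscores;
    udm adds them); location is "prio weight port target." with a trailing dot."""
    return ["udm", "dns/srv_record", "create",
            "--superordinate", superordinate(zone, ldap_base),
            "--set", f"name={service} {proto}",
            "--set", f"location={prio} {weight} {port} {target.rstrip('.')}."]


def host_record_argv(zone: str, ldap_base: str, name: str, ip: str) -> List[str]:
    """A record via dns/host_record; the IP goes into the 'a' property."""
    return ["udm", "dns/host_record", "create",
            "--superordinate", superordinate(zone, ldap_base),
            "--set", f"name={name}", "--set", f"a={ip}"]


def dig_short_argv(name: str, rtype: str, server: str) -> List[str]:
    return ["dig", "+short", name, rtype, f"@{server}"]


def _norm(s: str) -> str:
    return " ".join(s.lower().strip().rstrip(".").split())


def record_ok(dig_output: str, expected: str) -> bool:
    """True if one line of 'dig +short' output equals the expected answer,
    ignoring case, whitespace and the trailing dot of the target."""
    return any(_norm(line) == _norm(expected) for line in dig_output.splitlines())


def run(argv: List[str], dry_run: bool = True) -> str:
    """Print the command (dry run) or execute it and return its stdout."""
    if dry_run:
        print(" ".join(argv))
        return ""
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=30, check=False).stdout


if __name__ == "__main__":
    # Records from post #8: _domaincontroller_master._tcp SRV and ucs-sso A.
    run(srv_record_argv(ZONE, LDAP_BASE, "domaincontroller_master", "tcp",
                        0, 0, 0, UCS_FQDN))
    run(host_record_argv(ZONE, LDAP_BASE, "ucs-sso", UCS_IP))
    # Verification as in post #8; set dry_run=False to really query DNS.
    srv_out = run(dig_short_argv(f"_domaincontroller_master._tcp.{ZONE}",
                                 "SRV", DNS_SERVER))
    a_out = run(dig_short_argv(f"ucs-sso.{ZONE}", "A", DNS_SERVER))
    print("SRV ok:", record_ok(srv_out, f"0 0 0 {UCS_FQDN}."))
    print("A ok:", record_ok(a_out, UCS_IP))
```

Run it once as a dry run to review the exact udm and dig commands, then with dry_run=False on the UCS master. record_ok deliberately accepts the answer with or without the trailing dot, which is the usual way these checks are mis-read by eye.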



#12

Hi requate,

I have followed the steps mentioned by you, but it is still not working: although it has skipped the dig check, it fails at Kerberos authentication (please check the attached screenshot).

Below error is seen in /var/log/univention/management-console-module-adconnector.log

11.12.16 22:11:47.182 MODULE ( PROCESS ) : Lookup ADDS DC
11.12.16 22:11:47.215 MODULE ( PROCESS ) : AD Info: {'Domain': 'sdhic.xsdhis.nhs.uk', 'LDAP Base': 'DC=sdhic,DC=xsdhis,DC=nhs,DC=uk', 'Forest': 'xsdhis.nhs.uk', 'Client Site': 'Default-First-Site-Name', 'DC Netbios Name': 'WIN-82F5ISVQSK7', 'DC DNS Name': 'WIN-82F5ISVQSK7.sdhic.xsdhis.nhs.uk', 'Netbios Domain': 'SDHISDC', 'DC IP': '192.168.0.23', 'Server Site': 'Default-First-Site-Name'}
11.12.16 22:11:47.376 MODULE ( PROCESS ) : Time difference is less than 180 seconds, skipping reset of local time
11.12.16 22:11:47.475 MODULE ( PROCESS ) : Prepare Kerberos UCR settings
11.12.16 22:11:47.478 MODULE ( PROCESS ) : Setting UCR variables: [u'kerberos/defaults/dns_lookup_kdc=true']
11.12.16 22:11:47.568 MODULE ( PROCESS ) : Unsetting UCR variables: [u'kerberos/kdc', u'kerberos/kpasswdserver', u'kerberos/adminserver']
11.12.16 22:12:31.662 MODULE ( ERROR ) : kinit failed:
kinit: krb5_get_init_creds: unable to reach any KDC in realm SDHIC.XSDHIS.NHS.UK

11.12.16 22:12:31.860 MODULE ( WARN ) : Failure:
11.12.16 22:12:31.861 MODULE ( PROCESS ) : The command has failed: Could not connect to AD Server WIN-82F5ISVQSK7.sdhic.xsdhis.nhs.uk. Please verify that username and password are correct.

I have checked that username/password combination is correct.

Is Kerberos based on DNS? Is there a way this can be skipped through a config/code change?

The output of the dig commands which are prerequisites (as per your last comment) is as below:

root@ucs-master:/var/log/univention# dig "_domaincontroller_master._tcp.$(hostname -d)" SRV @192.168.0.27 +short
0 0 0 ucs-master.sdhic.xsdhis.nhs.uk.

192.168.0.27 is the IP address of the UCS master domain controller.

root@ucs-master:/var/log/univention# dig "ucs-sso.$(hostname -d)" @192.168.0.27 +short
192.168.0.27

DNS entries screenshot is also attached.

Can you please suggest whether we can skip Kerberos authentication, or whether there is any config through which we can fix it?

Regards,
Nitin





#13

Irrespective of which of the below options I choose, both of them do not work and give the same error.
Configure UCS as part of an Active Directory domain.
Synchronisation of account data between an Active Directory and this UCS domain.


#14

11.12.16 22:12:31.860 MODULE ( WARN ) : Failure:
11.12.16 22:12:31.861 MODULE ( PROCESS ) : The command has failed: Could not connect to AD Server WIN-82F5ISVQSK7.sdhic.xsdhis.nhs.uk. Please verify that username and password are correct.

Unfortunately, this may be misleading. You get this message also if the following situation is present:

kinit: krb5_get_init_creds: unable to reach any KDC in realm SDHIC.XSDHIS.NHS.UK

So you still need to find out, why the UCS does not reach the AD Server. Did you already check your network infrastructure for “bugs”? Are all essential dns records now present on both sides?

/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
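Two checks from this thread in one script, added here as an example and not code from Univention or from anyone in the thread: the nameserver comparison from post #5 (is the AD DC one of dns/forwarder1..3 or nameserver1..3?) and the DNS side of the kinit failure in post #12. The log in post #12 shows the connector unsetting kerberos/kdc and setting dns_lookup_kdc=true, after which the Kerberos client has to find the child realm's KDC through _kerberos._udp/_tcp SRV records; if the resolver UCS uses returns none, kinit reports "unable to reach any KDC in realm" regardless of the password. The UCR values and SRV answers in the __main__ block are constructed (the parent DC address 192.168.0.21 is an assumption); the realm, child DC and UCS addresses are from the thread.

```python
# Added example (not Univention's code): where will UCS look for the child
# realm's KDC once kerberos/kdc is unset and dns_lookup_kdc is true, and does
# the AD DC pass the connector's "must be a nameserver" comparison?
import subprocess
from typing import Dict, List, Tuple

UCR_KEYS = ["dns/forwarder1", "dns/forwarder2", "dns/forwarder3",
            "nameserver1", "nameserver2", "nameserver3"]


def candidate_nameservers(ucr: Dict[str, str]) -> List[str]:
    """Resolver IPs from the UCR variables named in post #5."""
    return [ucr[k] for k in UCR_KEYS if ucr.get(k)]


def dc_is_nameserver(ucr: Dict[str, str], dc_ip: str) -> bool:
    """The connector's restrictive assumption: the AD DC must be one of them."""
    return dc_ip in candidate_nameservers(ucr)


def kdc_srv_names(realm: str) -> List[str]:
    """SRV names a Kerberos client queries for a realm when no KDC is
    configured and DNS lookup is enabled (UDP first, then TCP)."""
    r = realm.lower().rstrip(".")
    return [f"_kerberos._udp.{r}", f"_kerberos._tcp.{r}"]


def parse_srv(dig_short: str) -> List[Tuple[int, int, int, str]]:
    """Parse 'dig +short <name> SRV' lines ('prio weight port target.') and
    order them as a client tries them: lowest priority, then highest weight."""
    records = []
    for line in dig_short.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue                      # empty line or non-SRV answer
        prio, weight, port = (int(p) for p in parts[:3])
        records.append((prio, weight, port, parts[3].rstrip(".").lower()))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def kdcs_for(realm: str, answers: Dict[str, str]) -> List[str]:
    """'host:port' candidates in try order, from dig output keyed by SRV name.
    An empty list is the situation behind 'unable to reach any KDC in realm'."""
    found: List[str] = []
    for name in kdc_srv_names(realm):
        for _, _, port, host in parse_srv(answers.get(name, "")):
            if f"{host}:{port}" not in found:
                found.append(f"{host}:{port}")
    return found


def dig_short(name: str, rtype: str, server: str) -> str:
    """Live query; only used from __main__ so the functions above stay testable."""
    try:
        return subprocess.run(["dig", "+short", name, rtype, f"@{server}"],
                              capture_output=True, text=True, timeout=15).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


if __name__ == "__main__":
    # Constructed values modelled on the thread: UCS resolves via itself
    # (192.168.0.27), the parent DC (assumed 192.168.0.21) is its forwarder,
    # the child DC is 192.168.0.23 and runs no DNS.
    ucr = {"nameserver1": "192.168.0.27", "dns/forwarder1": "192.168.0.21"}
    print("child DC passes the nameserver check:",
          dc_is_nameserver(ucr, "192.168.0.23"))          # False
    realm = "SDHIC.XSDHIS.NHS.UK"
    answers = {n: dig_short(n, "SRV", "192.168.0.27") for n in kdc_srv_names(realm)}
    print("KDCs in try order:", kdcs_for(realm, answers)
          or "none -> kinit: unable to reach any KDC")
```

If kdcs_for comes back empty against the resolver UCS actually uses, the problem is the SRV records for the child realm (or forwarding to the server that holds them), not the username and password the error message blames. If it lists the child DC, the next thing to check is plain reachability of port 88 on that host.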

#15

Hi Thorp-Hansen,

I am not able to find /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh in my Univention installation.

When I am installing Active Directory connection I am selecting the second option "Synchronisation of account data between an Active Directory and this UCS domain".

I have installed Univention 4.1 and only Active Directory Connection is installed from the App Center.

I am running all this on my local VirtualBox setup and also the firewalls are disabled, so it should not be a network issue.

Can you please confirm which DNS entries need to be present on the AD and UCS servers. Please note that I am trying to connect UCS to an AD DC which does not have the DNS role installed. When the DNS role is installed on the AD DC it works fine, otherwise it fails.

If you can let me know whether we can manually add DNS entries in UCS so that it works.

Thanks for your help.

Regards,
Nitin


#16

Manually adding DNS entries was already mentioned by my colleague in post #11 above. However, this should only be needed if the DNS entries are missing. Is there a reason why you do not have the DNS role installed on the AD DC?


#17

HI Thorp-Hansen,

I have already added those and it still does not work. I have followed all the steps given by requate and stoeckigt, but no luck.

In our scenario the setup consists of a parent AD DC and a child AD DC. All users are in the child domain and only the parent AD DC has the DNS role installed.
Child AD DC uses parent’s DNS server.

If you can confirm that DNS role is a pre requisite for UCS to work or if there is a work around then we can figure out the next steps based on your suggestion.

Thanks for the help.

Regards,
Nitin


#18

Hi All,

Finally I have managed to change the code and run UCS without a DNS Server.

We need to make the changes below. If some developer can suggest a better way of achieving the same, that would be very helpful.

1. Bypass this method.

def check_ad_account(ad_domain_info, username, password, ucr=None)

This method does a kerberized LDAP lookup with the AD DC, which fails for not having DNS since the Kerberos realm is not properly set.

This method checks if the AD account user is an Administrator, or the account is just a member of Domain Admins or another user.

2. Avoid the dig command check.
check_dns is changed to False, else the dig command will fail:

def lookup_adds_dc(ad_server=None, ucr=None, check_dns=False):

I don't know what the effects of tweaking the code as above would be, but if someone from the UCS dev team could advise, that would be very helpful.

Cheers,
Nitin
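The check_dns change from posts #8 and #18 applied as a small script rather than by hand in an editor: it keeps the backup location from post #8, refuses to touch a file whose lookup_adds_dc signature does not match the line quoted in the thread exactly once, and reports whether the file is still patched, which matters because a package update will restore the original file. This is an added example, not Univention's code; the path and both signature lines are the ones quoted in the thread. Post #18's bypass of check_ad_account is not reproduced here because the post does not say how it was done.

```python
# Added example (not Univention's code): apply the one-line check_dns workaround
# from this thread with a backup, and detect when an update has reverted it.
import shutil
import sys
from pathlib import Path
from typing import Tuple

ADMEMBER = Path("/usr/share/pyshared/univention/lib/admember.py")   # from post #5/#8
BACKUP = Path("/var/tmp/admember.py.bak")                           # from post #8
ORIGINAL = "def lookup_adds_dc(ad_server=None, ucr=None, check_dns=True):"
PATCHED = "def lookup_adds_dc(ad_server=None, ucr=None, check_dns=False):"


def patch_state(src: str) -> str:
    """'original', 'patched', or 'unknown' when the file does not contain the
    signature quoted in the thread (different UCS version or other local edits)."""
    if PATCHED in src:
        return "patched"
    if ORIGINAL in src:
        return "original"
    return "unknown"


def patch_check_dns_default(src: str) -> Tuple[str, int]:
    """Return (new_source, occurrences). Only rewrite when the original
    signature occurs exactly once; otherwise return the source unchanged."""
    n = src.count(ORIGINAL)
    if n != 1:
        return src, n
    return src.replace(ORIGINAL, PATCHED), 1


def apply(path: Path = ADMEMBER, backup: Path = BACKUP) -> str:
    """Back up the module, patch it, and return the resulting state."""
    src = path.read_text()
    state = patch_state(src)
    if state != "original":
        return state                    # already patched or not recognised
    shutil.copy2(path, backup)          # keep a copy to restore from
    new_src, n = patch_check_dns_default(src)
    if n != 1:
        return "unknown"
    path.write_text(new_src)
    return patch_state(path.read_text())


if __name__ == "__main__":
    # usage: admember_patch.py [status|apply]
    action = sys.argv[1] if len(sys.argv) > 1 else "status"
    if not ADMEMBER.exists():
        print("missing:", ADMEMBER)
    elif action == "apply":
        print(apply())
    else:
        print(patch_state(ADMEMBER.read_text()))
```

Run it with status after every UCS update; "original" means the update has restored the shipped file and the workaround is gone, "unknown" means the function signature has changed and the thread's edit no longer applies as quoted.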


#19

Okay, by tweaking the code you have a temporary solution, but the next updates will most likely override your additions. You need to keep an eye on the packages you modified. But these are only used for joins, right? After a successful join I suspect the server will not just lose its join state.


#20

Yes, you are right, the next updates will override the changes, but once the join state is established it won't lose the state.

We will be contacting UCS sales as we would like to go for a UCS subscription before we go into production.

Thanks for your help.

Regards,
Nitin