Problem:
99ucs-school-umc-printermoderation.inst failed (exitcode: 1)
Investigation:
In /var/log/univention/join.log you find:
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to 'ldaps://rs1.schein.ig' with backend 'ldaps': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to ldaps://rs1.schein.ig - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
→ This points to a Samba issue: the join script binds to Samba's LDAP, and the bind is rejected with LDAP error 49 / data 52e, i.e. the credentials of the machine account are not accepted.
You get the same error when you run univention-s4search.
In /var/log/samba/log.samba you will find:
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find SMB$@SCHEIN.IG(kvno 39) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)
or
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:2a00:1e80:71:1:250:56ff:fea6:6901[49153,seal,krb5,target_hostname=6ed13bb0-151c-426e-81c4-40f9e632ae79._msdcs.schein.ig,target_principal=GC/backup.schein.ig/schein.ig,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=2a00:1e80:71:1:250:56ff:fea6:592] NT_STATUS_UNSUCCESSFUL
Solution:
Compare the machine secret stored in Samba's secrets database (run as root; ldbsearch prints the value in clear, or base64-encoded as "secret:: ..." if it contains characters that are not LDIF-safe):
ldbsearch -H /var/lib/samba/private/secrets.ldb \
objectClass=primaryDomain secret msDS-KeyVersionNumber
with the content of
/etc/machine.secret
If they are identical, compare the key version number (msDS-KeyVersionNumber) of the machine account in sam.ldb:
ldbsearch -H /var/lib/samba/private/sam.ldb 'samAccountName=rs1$' msDS-KeyVersionNumber
# record 1
dn: CN=RS1,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 1
Also check which key versions (Vno) the keytab contains:
ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type                     Principal                         Aliases
  2  des-cbc-crc              HOST/primary@SCHEIN.IG
  2  des-cbc-crc              HOST/primary.schein.ig@SCHEIN.IG
  2  des-cbc-crc              host/primary.schein.ig@SCHEIN.IG
  2  des-cbc-crc              ldap/primary.schein.ig@SCHEIN.IG
  2  des-cbc-crc              PRIMARY$@SCHEIN.IG
  2  des-cbc-md5              HOST/primary@SCHEIN.IG
  2  des-cbc-md5              HOST/primary.schein.ig@SCHEIN.IG
  2  des-cbc-md5              host/primary.schein.ig@SCHEIN.IG
  2  des-cbc-md5              ldap/primary.schein.ig@SCHEIN.IG
  2  des-cbc-md5              PRIMARY$@SCHEIN.IG
  2  arcfour-hmac-md5         HOST/primary@SCHEIN.IG
  2  arcfour-hmac-md5         HOST/primary.schein.ig@SCHEIN.IG
  2  arcfour-hmac-md5         host/primary.schein.ig@SCHEIN.IG
  2  arcfour-hmac-md5         ldap/primary.schein.ig@SCHEIN.IG
  2  arcfour-hmac-md5         PRIMARY$@SCHEIN.IG
  2  aes128-cts-hmac-sha1-96  HOST/primary@SCHEIN.IG
  2  aes128-cts-hmac-sha1-96  HOST/primary.schein.ig@SCHEIN.IG
  2  aes128-cts-hmac-sha1-96  host/primary.schein.ig@SCHEIN.IG
  2  aes128-cts-hmac-sha1-96  ldap/primary.schein.ig@SCHEIN.IG
  2  aes128-cts-hmac-sha1-96  PRIMARY$@SCHEIN.IG
  2  aes256-cts-hmac-sha1-96  HOST/primary@SCHEIN.IG
  2  aes256-cts-hmac-sha1-96  HOST/primary.schein.ig@SCHEIN.IG
  2  aes256-cts-hmac-sha1-96  host/primary.schein.ig@SCHEIN.IG
  2  aes256-cts-hmac-sha1-96  ldap/primary.schein.ig@SCHEIN.IG
  2  aes256-cts-hmac-sha1-96  PRIMARY$@SCHEIN.IG
If the keytab only holds kvno 2 while Samba looks for a different key version for the machine account (kvno 39 in the log.samba message above), authentication fails: the GSS server cannot find a key with the matching version number in /etc/krb5.keytab.
Reset the machine account password in Samba with samba-tool. This automatically raises the msDS-KeyVersionNumber. The new password must again be the content of /etc/machine.secret, because the UCS services on this host keep binding with that secret.
Back up /etc/krb5.keytab first:
cp /etc/krb5.keytab{,.bak}
samba-tool user setpassword "$(hostname)\$" --newpassword="$(</etc/machine.secret)"
Note that --newpassword puts the machine secret on the command line, where it is visible in the process list and ends up in the shell history; if you leave the option out, samba-tool prompts for the new password instead.
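The three comparisons above (secret in secrets.ldb versus /etc/machine.secret, msDS-KeyVersionNumber in secrets.ldb versus sam.ldb, and that kvno versus the keys in the keytab) as one added shell script. This is not part of this page and not Univention or Samba tooling. By default it runs on constructed sample output embedded in the script (marked as such); with --live it runs the real ldbsearch, ktutil and ucr commands on the host. The Heimdal ktutil column layout (Vno Type Principal Aliases), ucr get kerberos/realm as the source of the realm, and the uppercase HOST$@REALM principal form are assumptions.

```shell
#!/bin/sh
# Added example, not Univention or Samba tooling: automates the three checks
# from the solution above. Assumes Heimdal 'ktutil list' column layout
# (Vno Type Principal Aliases), a UCS host where 'ucr get kerberos/realm'
# returns the realm, and root (secrets.ldb and the keytab are root-only).

# ldb_attr ATTR: print the first value of ATTR from ldbsearch output on stdin.
# ldb prints values that are not LDIF-safe base64-encoded after '::'.
ldb_attr() {
    local line
    line=$(awk -v a="$1" '$1 == (a ":") || $1 == (a "::") { print; exit }')
    case "$line" in
        "$1:: "*) printf '%s' "${line#*:: }" | base64 -d ;;
        "$1: "*)  printf '%s' "${line#*: }" ;;
        *)        return 1 ;;
    esac
}

# keytab_kvnos PRINCIPAL: distinct key version numbers for PRINCIPAL in
# 'ktutil -k FILE list' output on stdin, all encryption types collapsed.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $3 == p { print $1 }' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# has_kvno KVNO PRINCIPAL: succeed only if the keytab on stdin holds a key for
# PRINCIPAL with exactly that version number, which is what the GSS lookup
# in log.samba ("Failed to find ... (kvno N) in keytab") requires.
has_kvno() {
    awk -v k="$1" -v p="$2" '$1 == k && $3 == p { found = 1 } END { exit !found }'
}

# diagnose SECRETS_OUT SAM_OUT KEYTAB_OUT MACHINE_SECRET HOST REALM
# Prints one line per check (never the secret itself) and returns 1 if
# anything disagrees.
diagnose() {
    local secrets_out="$1" sam_out="$2" keytab_out="$3" machine_secret="$4"
    local principal rc=0 secret kvno_secrets kvno_sam
    principal="$(printf '%s' "$5" | tr '[:lower:]' '[:upper:]')"'$@'"$6"

    if secret=$(printf '%s' "$secrets_out" | ldb_attr secret) &&
       [ "$secret" = "$machine_secret" ]; then
        echo "ok: secrets.ldb secret matches /etc/machine.secret"
    else
        echo "MISMATCH: secrets.ldb secret differs from /etc/machine.secret"; rc=1
    fi

    kvno_secrets=$(printf '%s' "$secrets_out" | ldb_attr msDS-KeyVersionNumber)
    kvno_sam=$(printf '%s' "$sam_out" | ldb_attr msDS-KeyVersionNumber)
    if [ -n "$kvno_sam" ] && [ "$kvno_secrets" = "$kvno_sam" ]; then
        echo "ok: msDS-KeyVersionNumber is $kvno_sam in secrets.ldb and sam.ldb"
    else
        echo "MISMATCH: msDS-KeyVersionNumber is '$kvno_secrets' in secrets.ldb but '$kvno_sam' in sam.ldb"; rc=1
    fi

    if printf '%s' "$keytab_out" | has_kvno "$kvno_sam" "$principal"; then
        echo "ok: keytab holds kvno $kvno_sam for $principal"
    else
        echo "MISMATCH: keytab holds kvno(s) [$(printf '%s' "$keytab_out" | keytab_kvnos "$principal")] for $principal, directory is at kvno $kvno_sam"
        rc=1
    fi
    return "$rc"
}

# live_check: the same comparisons on this host (run as root on the DC).
live_check() {
    diagnose \
        "$(ldbsearch -H /var/lib/samba/private/secrets.ldb objectClass=primaryDomain secret msDS-KeyVersionNumber)" \
        "$(ldbsearch -H /var/lib/samba/private/sam.ldb "samAccountName=$(hostname)\$" msDS-KeyVersionNumber)" \
        "$(ktutil -k /etc/krb5.keytab list)" \
        "$(cat /etc/machine.secret)" \
        "$(hostname)" \
        "$(ucr get kerberos/realm)"
}

# Constructed sample output (shapes mirror the page; all values are made up).
SAMPLE_MACHINE_SECRET='Xk3v9qLm2pWd7RtB'
SAMPLE_SECRETS_LDB='# record 1
dn: flatname=SCHEIN,cn=Primary Domains
objectClass: primaryDomain
secret: Xk3v9qLm2pWd7RtB
msDS-KeyVersionNumber: 3'
SAMPLE_SAM_LDB='# record 1
dn: CN=RS1,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 3'
SAMPLE_KEYTAB='/etc/krb5.keytab:

Vno  Type                     Principal                      Aliases
  2  arcfour-hmac-md5         RS1$@SCHEIN.IG
  2  aes128-cts-hmac-sha1-96  RS1$@SCHEIN.IG
  2  aes256-cts-hmac-sha1-96  RS1$@SCHEIN.IG
  2  aes256-cts-hmac-sha1-96  host/rs1.schein.ig@SCHEIN.IG'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Stand-alone demo: secret and kvno agree between the databases, but the
    # keytab is still at kvno 2 while the directory is at 3, so the last check fails.
    diagnose "$SAMPLE_SECRETS_LDB" "$SAMPLE_SAM_LDB" "$SAMPLE_KEYTAB" \
             "$SAMPLE_MACHINE_SECRET" rs1 SCHEIN.IG ||
        echo "result: inconsistent, reset the machine password as described above"
fi
```

Run it as root on the affected DC with --live. It reads secrets.ldb and /etc/machine.secret but prints only match/mismatch lines, never the secret; the fix (backup of the keytab, samba-tool user setpassword) is deliberately left to the operator.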
It could also be possible to trigger the server password change: