Replacing Samba 4.1 on U16.04 with UCS 4.3 fails

Hello,

we are trying to replace a Samba 4.1 on Ubuntu 16.04 with the current UCS. During the installation of UCS we chose “Backup Domain Controller” and “Join AD Domain”, which was successful, because “getent passwd” on the UCS lists the users of the Samba PDC.
We then executed /usr/lib/univention-ldap/univention-backup2master, which started with an error:

ERROR: univention-backup2master can only be started on a domain controller backup. Use -f to proceed anyway

The migration continued, because we started the script with “-f”.

During the migration, the script asked a number of “silly” questions:

'Do you want this reference to be changed from'
  "0 100 3268 ucs-7355.dom1.local."'
to
  "0 100 3268 ucs-7355.dom1.local."'

Currently the old PDC is switched off, “getent password” doesn’t list any LDAP users and we get a number of errors in different files:

/var/log/univentions/connector.log
19.09.2018 13:21:50,262 MAIN        (------ ): DEBUG_INIT
19.09.2018 13:22:27,109 LDAP        (ERROR  ): Failed to lookup AD LDAP base, using UCR value: {'desc': "Can't contact LDAP server"}
/var/log/univentions/connector-status.log
Wed Sep 19 13:23:11 2018
 --- connect failed, failure was: ---
Traceback (most recent call last):
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 303, in main
    connect()
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 191, in connect
    baseConfig['%s/ad/listener/dir' % CONFIGBASENAME]
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 704, in __init__
    self.open_ad()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 894, in open_ad
    self.get_kerberos_ticket()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 872, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s"' % string.join(cmd_block))
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret ucs-7355$"

Has anyone successfully replaced a Samba with a UCS and can give us a hint how to do this?

Thanks for any hints or suggestions,

Stefan

Hey,

you need to differentiate between two different domain types and server roles in said domain types:

  1. UCS/Univention domain. This refers to the OpenLDAP-driven domain that all UCS servers use including the Univention Directory Notifier/Listener mechanism for replicating data across multiple servers. In this type of domain there’s exactly one server of role “DC Master” (or “Domain Controller Master”) and as many servers as you want with the roles “DC Backup”, “DC Slave” or “Member server”.
  2. Active Directory domain as served by Samba. In this type of domain there are only two roles: “AD DC” (or “Active Directory Domain Controller”) and “Member server”. Note that in an AD the notion of “Primary DC” and “Backup DC” does not exist: all AD DCs synchronize data bidirectionally with all others (with the exception of “Read-only DCs” = “RODCs”).

Both types can be mixed almost at will and don’t necessarily refer to each other. Here are a couple of common examples:

  1. On your UCS DC Master you run an AD DC that handles everything: from domain logons, group policies (the sysvol share), printer and file shares. There are other UCS servers, but none of them provides Samba services.
  2. On both your UCS DC Master and your UCS DC Backup you run an AD DC handling domain logons & the sysvol share. An additional UCS Member Server runs an AD Member Server that provides file & printer sharing, but no domain logon services.
  3. You have three locations connected via VPN. Your UCS DC Master is located in your central location where it provides AD DC services (domain logons, sysvol share, file & print services). In location 2 you have a UCS DC Slave which contains a full copy of the OpenLDAP content. Additionally it runs an AD DC for this location that provides domain logon services, file & printer shares. In your third location you don’t have any Windows clients, only Linux ones. Therefore you run a UCS DC Slave there (again with a full copy of the OpenLDAP content) but no AD services at all.

You’ve been confused by these two different types of domains. Choosing “Domain Controller Backup”, which refers to the role in the UCS domain structure, during installation is meant for situations where you already have a UCS domain you want to join this server into. This also means that you must already have a UCS DC Master available.

The script backup2master is, again, meant for UCS domains, not for AD domains. It will only work on UCS DC Backup servers and re-configure them to function as the new sole UCS DC Master in your UCS domain.

Your situation is different. What you want to do is to convert an existing AD domain served by either Windows-based AD DCs or non-UCS-Samba-based AD DCs into a UCS-Samba-based AD domain (in your case it’s a Samba-on-Ubuntu-based AD domain). For this use case Univention implemented the “AD Takeover” application. It is usually only tested against Windows-based AD DCs, but there are reports here in the forum of users successfully converting Samba-based AD domains.

What happens, in that case, is that you install a new UCS domain with a new UCS DC Master, install the “AD Takeover” application from the App Center, and join that new machine as an AD Member Server to the existing AD domain. Next the “AD Takeover” app copies user, group and machine accounts over to the UCS OpenLDAP. Then you shut down the existing non-UCS AD DCs. Last the app re-builds the UCS Samba AD part from the new data in the OpenLDAP directory and re-configures the UCS Samba AD DC to be the sole AD DC in the domain.

I highly suggest starting over with your UCS server. I don’t see a way to “fix” your setup to work properly, and even if you manage to make it work somehow, I can almost guarantee you’ll run into a lot of hard-to-debug problems down the road.

Kind regards
mosu

Addendum: if you speak German, you can search this forum for e.g. “zentyal”. There were several threads talking about using AD Takeover for converting a Zentyal installation, which uses Samba to provide an AD domain, to a UCS-based AD domain. There are a couple of English threads about Zentyal, too.
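As an added example (not code from the thread, from Univention or from Samba): a small pre-flight script that prints the UCS role and the Samba role of a host side by side and says whether univention-backup2master even applies, so the two role systems described above are not mixed up again. It assumes a UCS host where the standard `ucr`, `univention-ldapsearch` and `samba-tool` commands exist and that `samba-tool testparm --parameter-name='server role'` prints Samba's role string; the decision helpers and their messages are my own.

```shell
#!/bin/sh
# Added example, not part of the thread or of UCS: pre-flight check that
# separates the UCS server role (server/role in UCR) from the Samba role
# before univention-backup2master is run. Assumes a UCS host with `ucr`,
# `univention-ldapsearch` and `samba-tool`; the helper logic is mine.

# --- pure helpers (no commands executed, usable on any system) -------------

# backup2master_allowed ROLE: succeed only for the UCS role the script expects
backup2master_allowed() {
    [ "$1" = "domaincontroller_backup" ]
}

# describe_ucs_role ROLE: map the UCR value of server/role to its usual name
describe_ucs_role() {
    case "$1" in
        domaincontroller_master) echo "UCS DC Master" ;;
        domaincontroller_backup) echo "UCS DC Backup" ;;
        domaincontroller_slave)  echo "UCS DC Slave" ;;
        memberserver)            echo "UCS Member Server" ;;
        *)                       echo "unknown UCS role '$1'" ;;
    esac
}

# is_ad_dc SAMBA_SERVER_ROLE: Samba's "server role" value when it is an AD DC
is_ad_dc() {
    [ "$1" = "active directory domain controller" ]
}

# --- live checks (only meaningful on a UCS host) ---------------------------

preflight() {
    ucs_role=$(ucr get server/role)
    master=$(ucr get ldap/master)
    echo "UCS role:      $(describe_ucs_role "$ucs_role")"
    echo "UCS DC Master: ${master:-<none configured>}"

    # A UCS DC Backup can only take over from a reachable UCS OpenLDAP domain.
    if univention-ldapsearch -LLL -s base '(objectClass=*)' dn >/dev/null 2>&1; then
        echo "OpenLDAP:      reachable"
    else
        echo "OpenLDAP:      NOT reachable (no UCS domain to take over)"
    fi

    # Samba's own role is independent of the UCS role (assumed samba-tool call).
    samba_role=$(samba-tool testparm --suppress-prompt \
                    --parameter-name='server role' 2>/dev/null)
    if is_ad_dc "$samba_role"; then
        echo "Samba role:    AD DC"
    else
        echo "Samba role:    ${samba_role:-not an AD DC / not provisioned}"
    fi

    if backup2master_allowed "$ucs_role"; then
        echo "=> univention-backup2master may be used on this host"
    else
        echo "=> not a UCS DC Backup: backup2master does not apply;" \
             "for an existing AD domain use the AD Takeover app instead"
    fi
}

# Run the live checks only where UCR exists; elsewhere just report and stop.
if command -v ucr >/dev/null 2>&1; then
    preflight
else
    echo "ucr not found: not a UCS host, skipping live checks"
fi
```

Run it as root on the freshly installed host before touching backup2master: a line reading "UCS DC Master: <none configured>" together with "OpenLDAP: NOT reachable" is exactly the situation the post describes, a server that was never part of a UCS domain, for which the AD Takeover path is the right one.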

Hello Moritz,

thank you for your fast and long response!! There is only one detail that confuses me a little bit:

If e.g. the domain name on the old Samba is DOMOLD, shall I set up a new domain e.g. DOMNEW on the UCS and the app will nevertheless convert DOMNEW into DOMOLD? I guess I misunderstand this because with two different domains the UCS cannot join the old domain, right?

Kind regards,

Stefan

Hey,

you’re quite welcome.

I highly suggest you read the admin manual regarding the “AD Takeover” process; I’ve linked to it above. The manual lists the prerequisites for the takeover process, and it explicitly answers your particular question.

m.

Ciao, usually you just install UCS and run the AD takeover of the current domain; at the end of the takeover the old Samba is turned off and UCS gets restarted.

Hi,

we started the takeover, but ran into another problem:

Regards,

Stefan