I may be getting closer! Unable to log in to web interface with Administrator password, or use Administrator account - this Univention server was originally built as an Active-Directory connected Domain Controller (not AD takeover), and is now in “Primary Directory Mode” after in-place upgrade to UCS 5.0.
root@ucs-bdc:~# univention-check-join-status
Warning: ‘nextcloud’ is not configured.
Warning: ‘univention-samba4’ is not configured.
Warning: ‘univention-samba4-dns’ is not configured.
Warning: ‘univention-samba4-saml-kerberos’ is not configured.
Error: Not all install files configured: 4 missing
and:
root@ucs-bdc:~# univention-run-join-scripts
Running 50nextcloud.inst failed (exitcode: 1)
Running 50wekan.inst skipped (already executed)
Running 50wordpress.inst skipped (already executed)
Running 81univention-ad-connector.inst skipped (already executed)
Running 81univention-nfs-server.inst skipped (already executed)
Running 90univention-bind-post.inst skipped (already executed)
Running 91univention-saml.inst skipped (already executed)
Running 92univention-management-console-web-server.inst skipped (already executed)
Running 96univention-samba4.inst failed (exitcode: 1)
Running 98univention-pkgdb-tools.inst skipped (already executed)
Running 98univention-samba4-dns.inst failed (exitcode: 1)
Running 98univention-samba4-saml-kerberos.inst failed (exitcode: 1)
Running post-joinscripts hook(s): done
Any help appreciated! I had issues with samba4 and schannel so uninstalled it and reinstalled but something went amiss…
root@ucs-bdc:~# univention-adconnector-list-rejected
kdestroy: krb5_cc_destroy: Did not find a plugin for ccache_ops
Traceback (most recent call last):
File “/usr/sbin/univention-adconnector-list-rejected”, line 118, in <module>
main()
File “/usr/sbin/univention-adconnector-list-rejected”, line 80, in main
ad.init_ldap_connections()
File “/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py”, line 535, in init_ldap_connections
self.open_ad()
File “/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py”, line 692, in open_ad
self.get_kerberos_ticket()
File “/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py”, line 669, in get_kerberos_ticket
raise kerberosAuthenticationFailed(‘The following command failed: “%s” (%s): %s’ % (’ '.join(cmd_block), p1.returncode, stdout.decode(‘UTF-8’, ‘replace’)))
univention.connector.ad.kerberosAuthenticationFailed: The following command failed: “kinit --no-addresses --password-file=/tmp/tmpbmx46pu5 ucs-bdc$” (1): kinit: krb5_get_init_creds: unable to reach any KDC in realm REALDOMAIN.COM
and:
root@ucs-bdc:~# univention-ldapsearch uid= sambaSID
extended LDIF
LDAPv3
base <dc=realdomain,dc=com> (default) with scope subtree
filter: uid=
requesting: sambaSID
search result
search: 3
result: 0 Success
numResponses: 1
root@ucs-bdc:~# univention-s4search sAMAccountName= objectSid
lpcfg_do_global_parameter: WARNING: The “server schannel” option is deprecated
Failed to inquire of target’s available sasl mechs in rootdse search: NT_STATUS_IO_TIMEOUT
Failed to bind - LDAP client internal error: NT_STATUS_IO_TIMEOUT
Failed to connect to ‘ldaps://ucs-bdc.realdomain.com’ with backend ‘ldaps’: LDAP client internal error: NT_STATUS_IO_TIMEOUT
Failed to connect to ldaps://ucs-bdc.realdomain.com - LDAP client internal error: NT_STATUS_IO_TIMEOUT
root@ucs-bdc:~# univention-s4connector-list-rejected
-bash: univention-s4connector-list-rejected: command not found
root@ucs-bdc:~# net getdomainsid
pdb backend samba_dsdb did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
WARNING: Could not open passdb
root@ucs-bdc:~#
root@ucs-bdc:~# univention-s4search --cross-ncs cn=‘Domain Admins’ objectSid
lpcfg_do_global_parameter: WARNING: The “server schannel” option is deprecated
Failed to inquire of target’s available sasl mechs in rootdse search: NT_STATUS_IO_TIMEOUT
Failed to bind - LDAP client internal error: NT_STATUS_IO_TIMEOUT
Failed to connect to ‘ldaps://ucs-bdc.realdomain.com’ with backend ‘ldaps’: LDAP client internal error: NT_STATUS_IO_TIMEOUT
Failed to connect to ldaps://ucs-bdc.realdomain.com - LDAP client internal error: NT_STATUS_IO_TIMEOUT
Any help would be great. Univention 5 did not join the domain it was upgraded from correctly, but it ran great for years before the update to 5. Now it does not work.
root@ucs-bdc:~# samba-tool drs showrepl
Failed to connect host 192.168.2.79 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.2.79 (ucs-bdc.realdomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
Failed to connect host 192.168.2.79 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.2.79 (ucs-bdc.realdomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
Failed to connect host 192.168.2.79 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.2.79 (ucs-bdc.realdomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class ‘samba.drs_utils.drsException’>): DRS connection to ucs-bdc.realdomain.com failed - drsException: DRS connection to ucs-bdc.realdomain.com failed: (3221226038, ‘The transport-connection attempt was refused by the remote system.’)
File “/usr/lib/python3/dist-packages/samba/netcmd/drs.py”, line 55, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File “/usr/lib/python3/dist-packages/samba/drs_utils.py”, line 63, in drsuapi_connect
raise drsException(“DRS connection to %s failed: %s” % (server, e))
root@ucs-bdc:~# samba-tool dbcheck --cross-ncs --check-for-conflicts
ERROR(<class ‘ValueError’>): uncaught exception - unable to parse dn string
File “/usr/lib/python3/dist-packages/samba/netcmd/__init__.py”, line 186, in _run
return self.run(*args, **kwargs)
File “/usr/lib/python3/dist-packages/samba/netcmd/dbcheck.py”, line 151, in run
check_for_conflicts=check_for_conflicts)
File “/usr/lib/python3/dist-packages/samba/dbchecker.py”, line 117, in __init__
self.infrastructure_dn = ldb.Dn(samdb, “CN=Infrastructure,” + samdb.domain_dn())
root@ucs-bdc:~# samba-tool drs kcc
Failed to connect host 192.168.2.79 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.2.79 (ucs-bdc.realdomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
Failed to connect host 192.168.2.79 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.2.79 (ucs-bdc.realdomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
Failed to connect host 192.168.2.79 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.2.79 (ucs-bdc.realdomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class ‘samba.drs_utils.drsException’>): DRS connection to ucs-bdc.realdomain.com failed - drsException: DRS connection to ucs-bdc.realdomain.com failed: (3221226038, ‘The transport-connection attempt was refused by the remote system.’)
File “/usr/lib/python3/dist-packages/samba/netcmd/drs.py”, line 55, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File “/usr/lib/python3/dist-packages/samba/drs_utils.py”, line 63, in drsuapi_connect
raise drsException(“DRS connection to %s failed: %s” % (server, e))
root@ucs-bdc:~#
root@ucs-bdc:~# samba-tool ntacl sysvolcheck
ERROR(runtime): uncaught exception - samdb_domain_sid failed
File “/usr/lib/python3/dist-packages/samba/netcmd/__init__.py”, line 186, in _run
return self.run(*args, **kwargs)
File “/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py”, line 444, in run
domain_sid = security.dom_sid(samdb.domain_sid)
File “/usr/lib/python3/dist-packages/samba/samdb.py”, line 921, in get_domain_sid
return dsdb._samdb_get_domain_sid(self)
–
root@ucs-bdc:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
Host gc._msdcs.realdomain.com not found: 3(NXDOMAIN)
Host _gc._tcp.realdomain.com not found: 3(NXDOMAIN)
Host _ldap._tcp.gc._msdcs.realdomain.com not found: 3(NXDOMAIN)
_ldap._tcp.realdomain.com has SRV record 0 100 7389 ucs-bdc.realdomain.com.
Host _ldap._tcp.dc._msdcs.realdomain.com not found: 3(NXDOMAIN)
Host _ldap._tcp.pdc._msdcs.realdomain.com not found: 3(NXDOMAIN)
host: ‘_ldap._tcp…domains._msdcs.realdomain.com’ is not a legal name (empty label)
Host _kerberos._tcp.dc._msdcs.realdomain.com not found: 3(NXDOMAIN)
_kerberos._tcp.realdomain.com has SRV record 0 100 88 ucs-bdc.realdomain.com.
_kerberos._udp.realdomain.com has SRV record 0 100 88 ucs-bdc.realdomain.com.
Host _kpasswd._tcp.realdomain.com not found: 3(NXDOMAIN)
Host _kpasswd._udp.realdomain.com not found: 3(NXDOMAIN)
_kerberos.belldesign.com descriptive text “realdomain”
root@ucs-bdc:~# ucr search dns/backend
dns/backend: ldap
Bind can use different backends for its configuration: ‘ldap’ configures the use of the UCS OpenLDAP directory. ‘samba4’ uses the Samba 4 LDB database. When using the Samba backend, a search is performed in the LDAP for every DNS request. With the OpenLDAP backend, a search is only performed in the directory service if the DNS data has changed. On Directory Nodes running ‘samba4’, the backend must not be changed to ‘ldap’.