Good evening,
at the moment it is not possible to join a slave DC to our domain. The following error occurs in univention-run-join-scripts:
Search LDAP binddn done
Running 01univention-ldap-server-init.inst skipped (already executed)
Running 03univention-directory-listener.inst skipped (already executed)
Running 04univention-ldap-client.inst skipped (already executed)
Running 05univention-bind.inst skipped (already executed)
Running 08univention-apache.inst skipped (already executed)
Running 10univention-ldap-server.inst skipped (already executed)
Running 11univention-heimdal-init.inst skipped (already executed)
Running 11univention-pam.inst skipped (already executed)
Running 15univention-heimdal-kdc.inst skipped (already executed)
Running 18python-univention-directory-manager.inst skipped (already executed)
Running 20univention-directory-policy.inst skipped (already executed)
Running 20univention-join.inst skipped (already executed)
Running 26univention-nagios-common.inst skipped (already executed)
Running 30univention-appcenter.inst skipped (already executed)
Running 30univention-nagios-client.inst skipped (already executed)
Running 34univention-management-console-server.inst skipped (already executed)
Running 35univention-appcenter-docker.inst skipped (already executed)
Running 35univention-management-console-module-appcenter.inskipped (already executed)
Running 35univention-management-console-module-diagnostic.iskipped (already executed)
Running 35univention-management-console-module-join.inst skipped (already executed)
Running 35univention-management-console-module-lib.inst skipped (already executed)
Running 35univention-management-console-module-mrtg.inst skipped (already executed)
Running 35univention-management-console-module-passwordchanskipped (already executed)
Running 35univention-management-console-module-quota.inst skipped (already executed)
Running 35univention-management-console-module-reboot.inst skipped (already executed)
Running 35univention-management-console-module-services.insskipped (already executed)
Running 35univention-management-console-module-setup.inst skipped (already executed)
Running 35univention-management-console-module-sysinfo.instskipped (already executed)
Running 35univention-management-console-module-top.inst skipped (already executed)
Running 35univention-management-console-module-ucr.inst skipped (already executed)
Running 35univention-management-console-module-updater.instskipped (already executed)
Running 36univention-management-console-module-apps.inst skipped (already executed)
Running 40univention-virtual-machine-manager-schema.inst skipped (already executed)
Running 78univention-kde.inst skipped (already executed)
Running 81univention-nfs-server.inst skipped (already executed)
Running 90univention-bind-post.inst skipped (already executed)
Running 92univention-management-console-web-server.inst skipped (already executed)
Running 96univention-samba4.inst failed (exitcode: 1)
Running 97univention-s4-connector.inst failed (exitcode: 1)
Running 98univention-pkgdb-tools.inst done
Running 98univention-samba4-dns.inst failed (exitcode: 1)
/var/log/univention/join.log
RUNNING 96univention-samba4.inst
2015-12-02 20:57:02.486075601+01:00 (in joinscript_init)
ERROR: No S4 Connector installed yet on DC Master or DC Backup.
EXITCODE=1
RUNNING 97univention-s4-connector.inst
2015-12-02 20:57:03.728343178+01:00 (in joinscript_init)
Create connector/s4/ldap/host
Create connector/s4/ldap/base
Not updating connector/s4/ldap/ssl
Create connector/s4/mapping/group/language
Create connector/s4/ldap/protocol
Create connector/s4/ldap/socket
W: Missing value for config registry variable 'set'
W: Missing value for config registry variable 'set'
Create connector/ldap/bindpw
Create connector/ldap/binddn
Create connector/ldap/server
Object exists: cn=gPLink,cn=custom attributes,cn=univention,dc=mueller,dc=lan
Object exists: cn=Builtin,dc=mueller,dc=lan
Object exists: cn=System,dc=mueller,dc=lan
Object exists: cn=Policies,cn=System,dc=mueller,dc=lan
Object exists: ou=Domain Controllers,dc=mueller,dc=lan
Object exists: cn=WMIPolicy,cn=System,dc=mueller,dc=lan
Object exists: cn=SOM,cn=WMIPolicy,cn=System,dc=mueller,dc=lan
Object exists: cn=ldapschema,cn=univention,dc=mueller,dc=lan
INFO: No change of core data of object msgpo.
INFO: No change of core data of object mswmi.
Object exists: cn=udm_module,cn=univention,dc=mueller,dc=lan
INFO: No change of core data of object container/msgpo.
No modification: cn=msgpo,cn=ldapschema,cn=univention,dc=mueller,dc=lan
No modification: cn=mswmi,cn=ldapschema,cn=univention,dc=mueller,dc=lan
No modification: cn=container/msgpo,cn=udm_module,cn=univention,dc=mueller,dc=lan
Waiting for activation of the extension object msgpo: OK
Waiting for activation of the extension object mswmi: OK
Waiting for activation of the extension object container/msgpo: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/container/msgpo.py: OK
Terminating running univention-cli-server processes.
Object exists: cn=udm_module,cn=univention,dc=mueller,dc=lan
INFO: No change of core data of object settings/mswmifilter.
No modification: cn=settings/mswmifilter,cn=udm_module,cn=univention,dc=mueller,dc=lan
Waiting for activation of the extension object settings/mswmifilter: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/settings/mswmifilter.py: OK
Terminating running univention-cli-server processes.
Samba4 does not seem to be provisioned, exiting /usr/lib/univention-install/97univention-s4-connector.inst
EXITCODE=1
RUNNING 98univention-pkgdb-tools.inst
2015-12-02 20:57:17.738484284+01:00 (in joinscript_init)
Cannot find service-record of _pkgdb._tcp.
No DB-Server-Name found.
2015-12-02 20:57:17.934560352+01:00 (in joinscript_save_current_version)
EXITCODE=0
RUNNING 98univention-samba4-dns.inst
2015-12-02 20:57:18.002722150+01:00 (in joinscript_init)
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1
Mi 2. Dez 20:57:19 CET 2015
univention-run-join-scripts finished
In addition, we seem to have a sync problem between LDAP and Samba. Perhaps this is the cause?
univention-s4connector-list-rejected
UCS rejected
1: UCS DN: cn=Printer-Admins,cn=groups,dc=mueller,dc=lan
S4 DN: <not found>
Filename: /var/lib/univention-connector/s4/1448301751.800197
2: UCS DN: cn=Printer-Admins,cn=groups,dc=mueller,dc=lan
S4 DN: <not found>
Filename: /var/lib/univention-connector/s4/1448301793.611938
S4 rejected
1: S4 DN: CN=Print Operators,CN=Builtin,DC=mueller,DC=lan
UCS DN: <not found>
last synced USN: 3774
The connector-s4.log contains the following:
[code]02.12.2015 20:16:46,101 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1448301751.800197
02.12.2015 20:16:46,103 LDAP (PROCESS): sync from ucs: [ group] [ add] cn=Printer-Admins,cn=groups,DC=mueller,DC=lan
02.12.2015 20:16:46,106 LDAP (ERROR ): sync_from_ucs: traceback during add object: cn=Printer-Admins,cn=groups,DC=mueller,DC=lan
02.12.2015 20:16:46,106 LDAP (ERROR ): sync_from_ucs: traceback due to addlist: [('objectClass', ['top', 'group']), ('groupType', [u'-2147483643']), (u'description', [u'Members can administer domain printers']), ('sAMAccountName', [u'Print Operators']), ('objectSid', ['\x01\x02\x00\x00\x00\x00\x00\x05 \x00\x00\x00&\x02\x00\x00'])]
02.12.2015 20:16:46,106 LDAP (WARNING): sync failed, saved as rejected
/var/lib/univention-connector/s4/1448301751.800197
02.12.2015 20:16:46,107 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/init.py", line 802, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/init.py", line 2402, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls) #FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 187, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ALREADY_EXISTS: {'info': '00002071: …/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=Printer-Admins,CN=Groups,DC=mueller,DC=lan - …/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=Printer-Admins,CN=Groups,DC=mueller,DC=lan', 'desc': 'Already exists'}
02.12.2015 20:16:46,107 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1448301793.611938
02.12.2015 20:16:46,109 LDAP (PROCESS): sync from ucs: [ group] [ add] cn=Printer-Admins,cn=groups,DC=mueller,DC=lan
02.12.2015 20:16:46,111 LDAP (ERROR ): sync_from_ucs: traceback during add object: cn=Printer-Admins,cn=groups,DC=mueller,DC=lan
02.12.2015 20:16:46,111 LDAP (ERROR ): sync_from_ucs: traceback due to addlist: [('objectClass', ['top', 'group']), ('groupType', [u'-2147483643']), (u'description', [u'Members can administer domain printers']), ('sAMAccountName', [u'Print Operators']), ('objectSid', ['\x01\x02\x00\x00\x00\x00\x00\x05 \x00\x00\x00&\x02\x00\x00'])]
02.12.2015 20:16:46,112 LDAP (WARNING): sync failed, saved as rejected
/var/lib/univention-connector/s4/1448301793.611938
02.12.2015 20:16:46,112 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/init.py", line 802, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/init.py", line 2402, in sync_from_ucs
    self.lo_s4.lo.add_ext_s(compatible_modstring(object['dn']), compatible_addlist(addlist), serverctrls=ctrls) #FIXME encoding
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 187, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ALREADY_EXISTS: {'info': '00002071: …/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=Printer-Admins,CN=Groups,DC=mueller,DC=lan - …/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=Printer-Admins,CN=Groups,DC=mueller,DC=lan', 'desc': 'Already exists'}
02.12.2015 20:16:46,113 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=Print Operators,CN=Builtin,DC=mueller,DC=lan
02.12.2015 20:16:46,115 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=Printer-Admins,cn=groups,dc=mueller,dc=lan
02.12.2015 20:16:46,135 LDAP (PROCESS): Unable to sync cn=Printer-Admins,cn=groups,dc=mueller,dc=lan (UUID: f1a7be28-f974-1034-8e10-ef3f8c0cae3a). The object is currently locked.
[/code]
univention-ldapsearch -b "cn=Printer-Admins,cn=groups,dc=mueller,dc=lan"
root@bernd:/usr/share/univention-s4-connector# univention-ldapsearch -b "cn=Printer-Admins,cn=groups,dc=mueller,dc=lan"
# extended LDIF
#
# LDAPv3
# base <cn=Printer-Admins,cn=groups,dc=mueller,dc=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Printer-Admins, groups, mueller.lan
dn: cn=Printer-Admins,cn=groups,dc=mueller,dc=lan
sambaGroupType: 5
cn: Printer-Admins
objectClass: top
objectClass: posixGroup
objectClass: univentionGroup
objectClass: sambaGroupMapping
objectClass: univentionObject
univentionObjectType: groups/group
description: Members can administer domain printers
gidNumber: 5016
sambaSID: S-1-5-32-550
univentionGroupType: -2147483643
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
Searching for the account in Samba returns no match:
univention-s4search -b "cn=Printer-Admins,cn=groups,dc=mueller,dc=lan"
search error - LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: No such Base DN: cn=Printer-Admins,cn=groups,dc=mueller,dc=lan> <>
I suspect that the conflict mentioned above is what prevents the slave from being added. Is there a way to resolve it?
The master DC and the slave are on version 4.1 Errata 14.
Many thanks for your support!
Nils
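
Added example, not part of the original post: a decoder for the binary objectSid that the connector tried to add, so it can be compared with the sambaSID from the univention-ldapsearch output and checked against the well-known BUILTIN alias RIDs. The byte string is copied from the log above; the function names and the alias table are assumptions of this example.

```python
import struct

# Bytes copied from the 'objectSid' value in the connector-s4.log addlist above;
# the blank in the log output is the byte 0x20.
OBJECT_SID = b"\x01\x02\x00\x00\x00\x00\x00\x05 \x00\x00\x00&\x02\x00\x00"
# sambaSID of cn=Printer-Admins from the univention-ldapsearch output above.
UCS_SAMBA_SID = "S-1-5-32-550"

# Well-known alias RIDs of the BUILTIN domain (S-1-5-32); table added for this example.
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 546: "Guests",
                   548: "Account Operators", 549: "Server Operators",
                   550: "Print Operators", 551: "Backup Operators"}


def decode_sid(raw):
    """Convert a binary SID into its S-R-A-S1-S2... string form."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count %d" % count)
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def builtin_alias(sid):
    """Return the BUILTIN alias name for an S-1-5-32-<rid> SID, else None."""
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "32"] and len(parts) == 5:
        return BUILTIN_ALIASES.get(int(parts[4]))
    return None


def compare(raw, ucs_sid):
    """Decode the SID sent to Samba and check it against the UCS sambaSID."""
    sid = decode_sid(raw)
    return {"sid": sid, "matches_ucs": sid == ucs_sid, "builtin": builtin_alias(sid)}


if __name__ == "__main__":
    print(compare(OBJECT_SID, UCS_SAMBA_SID))
```

The decoded value is the SID of the BUILTIN alias whose name also appears as sAMAccountName in the addlist and as the DN in the "S4 rejected" entry, which is the object the unique index on objectSid refers to.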