[solved] Join of a backup dc fails "invalid credential" and "failed.ldif"

join

#1

Hello.

We tried to add a backup domaincontroller to our AD. Therefore we install a new machine with UCS Core 4.2-1. The problem now is that the join didn’t work and a login using the web interface is not possible.
The new machine is listed in the dc master as backup domaincontroller.
To investigate the cause I run the join script in a ssh session.

First I removed failed.ldif and removed the new domaincontroller from the master to start again.

univention-join -verbose -dcname <fqdn> -dcaccount Administrator

In the join.log I found following errors at the end of the log.

++ basename /usr/lib/univention-install/03univention-directory-listener.inst
+ delete_unjoinscript 03univention-directory-listener.inst
+ local joinscript
+ joinscript=/usr/lib/univention-install/03univention-directory-listener.inst
+ test -e /usr/lib/univention-install/03univention-directory-listener.inst
+ echo /usr/lib/univention-install/03univention-directory-listener.inst
+ grep -q '.uinst$'
+ return 1
+ '[' domaincontroller_backup = domaincontroller_slave -o domaincontroller_backup = domaincontroller_backup ']'
++ basename /usr/lib/univention-install/03univention-directory-listener.inst
+ '[' 03univention-directory-listener.inst = 03univention-directory-listener.inst ']'
+ '[' -e /var/lib/univention-directory-replication/failed.ldif ']'
+ failed_message 'FAILED: failed.ldif exists.'
+ echo ''
+ echo ''
+ echo '**************************************************************************'
+ echo '* Join failed!                                                           *'
+ echo '* Contact your system administrator                                      *'
+ echo '**************************************************************************'
+ echo '* Message:  FAILED: failed.ldif exists.'
+ echo '**************************************************************************'

23.08.17 11:51:59.001  LISTENER    ( INFO    ) : umc-service-providers: Reloading LDAP server.
Restarting slapd (via systemctl): slapd.serviceWarning: Unit file of slapd.service changed on disk, 'systemctl daemon-reload' recommended.
Job for slapd.service failed. See 'systemctl status slapd.service' and 'journalctl -xn' for details.
 failed!
23.08.17 11:51:59.212  LISTENER    ( INFO    ) : postrun handler: nss (prepared=-1)
Traceback (most recent call last):
  File "/usr/lib/univention-pam/ldap-group-to-file.py", line 110, in <module>
    lo = univention.uldap.getMachineConnection(ldap_master=False)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 91, in getMachineConnection
    return access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 152, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 206, in __open
    self.lo.simple_bind_s(self.binddn, self.__encode_pwd(self.bindpw))
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 879, in simple_bind_s
    res = self._apply_method_s(SimpleLDAPObject.simple_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 215, in simple_bind_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}

univention-ldapsearch and univention-s4search aren’t working on the backup dc. “Invalid credentials”

DC Master

UCS: 4.2-1 errata139
App Center compatibility: 4
Installed: kvm=1.2.8 mailserver=11 openvpn4ucs=1.1.13 samba4=4.6 uvmm=6

DC Backup

UCS: 4.2-1 errata139
App Center compatibility: 4
Installed: samba4=4.6
Upgradable:

#2

Just a wild guess - did you install the memberOf-overlay on the UCS Master?


#3

Thank you very much.
I think we got this overlay with the nextcloud app we had installed some time ago.

Solved this problem according to the linked support article.