Ubuntu Server 18.10 Domain Join Fails

Walked through enabling Univention PPA on an Ubuntu 18.10 headless server install.

After a reboot, I ran: sudo /usr/sbin/univention-domain-join-cli --skip-login-manager

After entering the credentials, the script fails to complete and issues an error. The following snippet is from the log file:

2019-03-02 12:22:36,298 userinfo CRITICAL An error occurred. Please check /var/log/univention/domain-join-cli.log for more information.
2019-03-02 12:22:36,302 debugging CRITICAL [Errno 2] No such file or directory
Traceback (most recent call last):
  File "/usr/sbin/univention-domain-join-cli", line 194, in <module>
    distribution_joiner.create_backup_of_config_files()
  File "/usr/lib/python2.7/dist-packages/univention_domain_join/distributions/ubuntu.py", line 78, in create_backup_of_config_files
    DnsConfigurator(self.nameservers, self.domain).backup(backup_dir)
  File "/usr/lib/python2.7/dist-packages/univention_domain_join/join_steps/dns_configurator.py", line 65, in __init__
    if DnsConfiguratorNetworkManager().works_on_this_system():
  File "/usr/lib/python2.7/dist-packages/univention_domain_join/join_steps/dns_configurator.py", line 144, in works_on_this_system
    stdout=subprocess.PIPE, stderr=subprocess.PIPE
  File "/usr/lib/python2.7/subprocess.py", line 394, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

It appears the script is failing to create the required backup files necessary to proceed. Is this a bug that should be reported or is there an issue with the file system that should be addressed?

Is this an isolated issue? A ‘one off’? Too few actually use Ubuntu?

Very curious if there’s any support for binding Ubuntu to the Directory. Anyone?

Univention Domain Join supports the following Linux distributions:

Ubuntu 18.04 LTS („Bionic Beaver“)
Linux Mint („Tara“)
Ubuntu 17.10 („Artful Aardvark“)
Ubuntu 16.04 LTS („Xenial Xerus“)
Ubuntu 14.04 LTS („Trusty Tahr“)

Did you try

univention-domain-join-cli --master-ip x.x.x.x --skip-login-manager

I have a test system with 18.04 LTS and it works perfectly for me.

Greetings Ben

Perhaps Ubuntu 18.10 introduced changes to the file system layout or permissions schema that breaks the script.

univention-domain-join-cli --master-ip x.x.x.x --skip-login-manager continues to yield the same error noted in the original post.

Appreciate you at least responding!

Your system is missing the CLI tool “nmcli”. You could install it via “sudo apt-get install network-manager”.

I created a bugzilla entry for this:
https://forge.univention.org/bugzilla/show_bug.cgi?id=49103


Indeed it was missing and the installation of the Network Manager group was the solution.

Thank you!

I am getting the same error. I installed Network Manager (begrudgingly), and get a new error. Seems the script is trying to configure DNS for me, when netplan.io is already integrated.
Does this script support netplan.io? It seems like it does not. The bug report above is detailing the main problem with univention-domain-join-cli and univention-domain-join, they are trying to do too much.
Mainly it seems that you MUST have network-manager installed, and you MUST not have any other networking configured. This is not detailed in any of the documentation.
I would strongly recommend adding a flag that ignores setting up DNS. Most admins know to do this before integrating a client into AD.
Let me configure DNS, and don't touch my networking configuration. Let the script take care of configuring Kerberos and the other settings.

Ok, after hacking up some of the univention-domain-join-cli Python files I was able to get this to finally work. I built a script (below) that will perform some simple checks, adjust the Python files that are causing problems, and some other things.
The main problems I found were the following (Due to this distribution being Ubuntu server and not desktop):

  1. Ubuntu server has no display manager, just ssh and xrdp. Needed to remove all mention of LoginManagerConfiguration().
  2. The script will fail to download your CA cert if you are using HTTPS only. The script has hard-coded http, and does not follow the redirect well. Also, for us, we have a multihomed AD system, so it's just easier to manually download your cert and pass it to my script to do the work.
  3. univention-domain-join-cli was only built against network-manager/nmcli systems. Ubuntu server uses netplan. This script tries to do too much with DNS and configuration of the network interfaces. I ripped out a lot of what dns_configurator.py was doing, so you will need to make sure DNS and NTP are set up properly ahead of time.
  4. Not so much a problem, but I did some minor feature adds to the sssd.conf file build.

Be aware, this workaround has only been tested with Ubuntu Server 18.04. It was not tested much, and does not support a way to remove the system from the domain, only joining, for now.

  1. Follow the instructions here to download the univention-domain-join packages.
  2. You must now MANUALLY download your UCS ca crt file. Have it on the same box that the script below will run on.
  3. Make sure DNS is configured correctly. (My script does a few fail safe checks)
  4. Make sure NTP is set up correctly. The script only does checks if systemd is syncing properly.
  5. Copy the script from below and save it to the box. Then run the script and pass it the CA cert file like this:
    ./ubuntu-server-univention-domain-join-fixes ./Cacert.pem
#!/bin/bash

# By Dave Houser 20211203


# Check if script is being run as root
if [ "$EUID" -ne 0 ]; then
  echo "[!] ERROR: Script must be run as root, or with sudo priv."
  exit 1
fi

# Check if cert file is provided
if [ -z "$1" ]; then
    echo "[!] ERROR: You must provide the directory path of the ucs root ca cert from univention."
    echo "           This file MUST be downloaded ahead of time and passed to the script to run."
    echo "           You can download the file with:"
    echo "           wget --no-check-certificate -O ./CAcert.pem https://<masterUCS>/ucs-root-ca.crt"
    exit 1
elif [ ! -f "$1" ]; then 
    echo "[!] ERROR: '$1' path does not exist. Please provide a valid path to the Univention root CA cert."
    echo "           This file MUST be downloaded ahead of time and passed to the script to run."
    echo "           You can download the file with:"
    echo "           wget --no-check-certificate -O ./CAcert.pem https://<masterUCS>/ucs-root-ca.crt"
    exit 1
elif [[ "$(file "$1" | awk -F ': ' '{print$2}')" != 'PEM certificate' ]]; then
    echo "[!] ERROR: '$1' does not appear to be a PEM Cert file."
    exit 1
fi


py_ubuntu_file="/usr/lib/python2.7/dist-packages/univention_domain_join/distributions/ubuntu.py"
py_cert_file="/usr/lib/python2.7/dist-packages/univention_domain_join/join_steps/root_certificate_provider.py"
py_dns_file="/usr/lib/python2.7/dist-packages/univention_domain_join/join_steps/dns_configurator.py"
py_sssd_file="/usr/lib/python2.7/dist-packages/univention_domain_join/join_steps/sssd_configurator.py"
cert_file="CAcert.pem"
cert_folder="/etc/univention/ssl/ucsCA"

# Perform checks
# Check NTP
echo "[+] Checking NTP."
# Quote the command substitution: an empty match would otherwise break the test.
if [ "$(timedatectl | grep active | awk -F ': ' '{print$2}')" = "no" ]; then
    echo "[!] ERROR: NTP not configured: timedatectl systemd-timesyncd.service active = no."
    echo "           Adjust 'NTP' in /etc/systemd/timesyncd.conf to apply. Then run 'timedatectl set-ntp true'"
    exit 1
fi

# Check DNS
echo "[+] Checking DNS."
if [[ -z "$(systemd-resolve --status | grep "DNS Servers")" ]]; then
    echo "[!] ERROR: DNS servers are not configured."
    echo "           Adjust /etc/netplan yaml file to include dns, then run 'netplan apply'"
    exit 1
elif [[ -z "$(systemd-resolve --status | grep "DNS Domain")" ]]; then
    echo "[!] ERROR: DNS Domain is not configured."
    echo "           Adjust /etc/netplan yaml file to include search domain, then run 'netplan apply'"
    exit 1
fi


#Make backups
echo "[+] Performing Backups of Univention Domain Join Python scripts."
if [ ! -f "$py_ubuntu_file.backup" ]; then
    echo "[+] Backing up $py_ubuntu_file"
    cp "$py_ubuntu_file" "$py_ubuntu_file".backup
fi
if [ ! -f "$py_cert_file.backup" ]; then
    echo "[+] Backing up $py_cert_file"
    cp "$py_cert_file" "$py_cert_file".backup
fi
# Check the DNS file's own backup (the original test re-checked the cert file).
if [ ! -f "$py_dns_file.backup" ]; then
    echo "[+] Backing up $py_dns_file"
    cp "$py_dns_file" "$py_dns_file".backup
fi
if [ ! -f "$py_sssd_file.backup" ]; then
    echo "[+] Backing up $py_sssd_file"
    cp "$py_sssd_file" "$py_sssd_file".backup
fi

# Commentout sections in ubuntu.py
# Problem1: Ubuntu server has no Display manager, is all done via shell or XRDP, remove all connections to LoginManagerConfiguration()
echo "[+] Adjusting $py_ubuntu_file."
sed -i '68 i \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ pass' $py_ubuntu_file
sed -i '69,74 s/^/#/' $py_ubuntu_file
sed -i '100,101 s/^/#/' $py_ubuntu_file

# Comment out sections in certificate file gathering. This section is trying to download from our AD server the public CA cert.
# Problem1: We have a multihomed OOBM set up on our UCS, so we do not allow users to access the resolved IP for the server to access ssh or HTTP.
# Problem2: We also disabled HTTP and redirect to HTTPS only. These sections are just broken with our system.        
echo "[+] Adjusting $py_cert_file."
sed -i '55 i \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ pass' $py_cert_file
sed -i '56,68 s/^/#/' $py_cert_file

# Comment out sections in DNS configurations.
# Problem1: These sections only work for systems that use network-manager + nmcli. Ubuntu server uses netplan. 
echo "[+] Adjusting $py_dns_file"
sed -i '141 i \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ pass' $py_dns_file
sed -i '142,155 s/^/#/' $py_dns_file
sed -i '164 i \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ pass' $py_dns_file
sed -i '165,190 s/^/#/' $py_dns_file
sed -i '195 i \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ pass' $py_dns_file
sed -i '196,214 s/^/#/' $py_dns_file
sed -i '218 i \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ pass' $py_dns_file
sed -i '219,239 s/^/#/' $py_dns_file
sed -i '270 i \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ pass' $py_dns_file
sed -i '271,277 s/^/#/' $py_dns_file
sed -i '281 i \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ pass' $py_dns_file
sed -i '282,291 s/^/#/' $py_dns_file

# Update sssd_configurator.py file
# Enhancement1: Allow for SSH service logins
# Enhancement2: Do not require FQDN to login
# Enhancement3: Put AD users home directory in a domain directory in /home
echo "[+] Adjusting $py_sssd_file"
sed -i '97s/sudo/sudo, ssh/g' $py_sssd_file
sed -i '122 i  \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ '"'"'override_homedir = /home/%%d/%%u\\n'"'"' \\' $py_sssd_file
sed -i '122 i  \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ '"'"'use_fully_qualified_names = false\\n'"'"' \\' $py_sssd_file



# Create univention cert folder, and move cert to there.
echo "[+] Moving cert to $cert_folder/$cert_file"
mkdir -p $cert_folder
cp "$1" $cert_folder/$cert_file


echo "[+] Done."
  1. Now run univention-domain-join-cli; it should be able to join the box to the domain.
  2. Reboot.

Try logging in with SSH or XRDP with a domain user or admin. I found that sometimes I needed to log in with a local admin first, then I was able to use the other types of logins.

Hope this helps someone 🙂
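A pre-flight check in the spirit of this thread, written as an added example (not the Univention tool's code and not the script above): tool_works() catches the [Errno 2] that works_on_this_system() let escape when nmcli was absent, and the two parsers check the NTP and DNS state the script above greps for, keyed on "System clock synchronized" rather than any line containing "active". The nmcli arguments and the sample outputs are constructed assumptions, and Python 3 is assumed (the page's tool runs on Python 2.7, where the same failure surfaces as a plain OSError).

```python
import re
import subprocess


def tool_works(cmd):
    """Return True only if the probe command exists and exits 0.

    dns_configurator.py's works_on_this_system() let Popen's OSError escape
    when nmcli was not installed (the [Errno 2] traceback in the first post).
    A missing binary should mean "not this configurator", not a crash.
    """
    try:
        result = subprocess.run(cmd, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, check=False)
    except FileNotFoundError:   # errno 2: the binary is not on PATH
        return False
    return result.returncode == 0


def ntp_synced(timedatectl_output):
    """True when 'timedatectl' reports 'System clock synchronized: yes'.

    Keying on this line avoids matching 'NTP service: active' or
    'systemd-timesyncd.service active: yes', whose wording differs
    between Ubuntu releases.
    """
    m = re.search(r"^\s*System clock synchronized:\s*(yes|no)\s*$",
                  timedatectl_output, re.MULTILINE)
    return bool(m) and m.group(1) == "yes"


def dns_configured(resolve_status_output):
    """True when 'systemd-resolve --status' lists both a server and a domain."""
    server = re.search(r"^\s*DNS Servers:\s*\S+", resolve_status_output, re.M)
    domain = re.search(r"^\s*DNS Domain:\s*\S+", resolve_status_output, re.M)
    return bool(server and domain)


# Constructed sample output (not captured from a real host).
SAMPLE_TIMEDATECTL = """\
               Local time: Sat 2019-03-02 12:22:36 UTC
System clock synchronized: yes
              NTP service: active
"""
SAMPLE_RESOLVE_OK = "Link 2 (ens3)\n  DNS Servers: 10.0.0.53\n  DNS Domain: example.test\n"
SAMPLE_RESOLVE_NO_DOMAIN = "Link 2 (ens3)\n  DNS Servers: 10.0.0.53\n"

if __name__ == "__main__":
    # The nmcli arguments are an assumption, not the tool's real probe.
    print("nmcli usable:", tool_works(["nmcli", "general", "status"]))
    print("NTP synced  :", ntp_synced(SAMPLE_TIMEDATECTL))
    print("DNS ready   :", dns_configured(SAMPLE_RESOLVE_OK))
```

On a real host, feed ntp_synced() and dns_configured() the captured output of the two commands instead of the samples.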

@davehouser1 - nice work on this one. I can’t imagine this is an edge case on the Ubuntu server side. Might be worth submitting via GitHub to the Univention dev team. They may be able to integrate your work into later UCS releases (guessing 5.x at this point?)
