Setting up UCS as a member of a Samba4 AD

samba-ad
ad-connection
ucs-4-2

#1

Hello everyone,

I have a few questions for everyone who has already set up a UCS as a member of a samba4 AD domain.
When I choose “Join an existing Active Directory domain” during UCS setup in order to join my existing samba4 AD domain (Debian 8 “Jessie”), this fails because of incorrect authentication (wrong username/password). During setup, however, the correct credentials of the domain “Administrator” account are entered.
Apparently the UCS tries to log in to the DC with its host name and the password from the file /etc/machine.secret.
Should that work in principle? Is the computer account supposed to be created automatically during setup? Even if I create the machine account in the AD beforehand, the machine.secret will hardly match the password of the computer account in the AD?!

I can of course create the computer account manually and set its password in the AD to match machine.secret, but surely that can't be the standard solution, can it?
Or should the login to the AD be done with the Administrator account by changing the UCR variables, like:

ucr set connector/ad/ldap/binddn=Administrator
ucr set connector/ad/ldap/bindpw=/etc/univention/connector/password
touch /etc/univention/connector/password
chmod 600 /etc/univention/connector/password
echo -n "Administrator password" > /etc/univention/connector/password

And which command do I use to reinitialise the setup of the AD connection after I have changed the data, or is a systemctl restart univention-ad-connector sufficient?

Regards, Hans


#2

Hi,

These SDB Articles may help: http://sdb.univention.de/content/6/314/en/reinitialize-active-directory-connector.html?highlight=connector and http://sdb.univention.de/content/6/328/en/ad_connector-_-troubleshooting-guide.html?highlight=connector


#3

Hi,

thanks for your answer.
Unfortunately those links didn't help and I can't seem to get the AD connection working.
As I couldn't connect to the samba4 AD DC via the management console, I tried to set all UCR variables manually.

ucr get connector/ad/ldap/base
DC=ad,DC=b3-wohnen,DC=at
ucr get connector/ad/ldap/binddn
Administrator
ucr get connector/ad/ldap/bindpw
/etc/univention/connector/password
ucr get connector/ad/ldap/host
samba4dc.ad.b3-wohnen.at
ucr get connector/ad/ldap/ssl
yes

As only encrypted connections to the LDAP server are allowed, I copied cert.pem from the samba4 DC to /etc/univention/ssl/samba4dc.ad.b3-wohnen.at/ and ca.pem to /etc/univention/ssl/ucsCA/certs/, which seem to be the correct locations, as I don't get any warnings about a bad certificate anymore.
But my connector-status.log still shows errors about bad credentials and I don’t know where my settings could be wrong.

/var/log/univention/connector-status.log

Wed May  3 18:42:19 2017
 --- connect failed, failure was: ---

Traceback (most recent call last):
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 293, in main
    connect()
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 190, in connect
    baseConfig['%s/ad/listener/dir' % CONFIGBASENAME]
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 659, in __init__
    self.open_ad()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 855, in open_ad
    self.lo_ad = univention.uldap.access(host=self.ad_ldap_host, port=int(self.ad_ldap_port), base=self.ad_ldap_base, binddn=self.ad_ldap_binddn, bindpw=self.ad_ldap_bindpw, start_tls=tls_mode, use_ldaps=ldaps, ca_certfile=self.ad_ldap_certificate, decode_ignorelist=['objectSid', 'objectGUID', 'repsFrom', 'replUpToDateVector', 'ipsecData', 'logonHours', 'userCertificate', 'dNSProperty', 'dnsRecord', 'member'])
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 152, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 206, in __open
    self.lo.simple_bind_s(self.binddn, self.__encode_pwd(self.bindpw))
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 879, in simple_bind_s
    res = self._apply_method_s(SimpleLDAPObject.simple_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 215, in simple_bind_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}

 ---     retry in 30 seconds      ---

univention-ad-connector in the management console shows a working encrypted connection.

Any ideas?


#4

Hm, LDAP error “data 52e” usually means “right user, wrong password”. Usually the bindDN and PW are as follows (my test environment):

connector/ad/ldap/binddn: ucs-1704$
connector/ad/ldap/bindpw: /etc/machine.secret

and the computer account in the AD is created at the join (with the right machine.secret), so authentication should be possible. For a quick fix, you could manually set the machine.secret in the AD to the same one as in /etc/machine.secret - then the auth should be possible.
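As an added example (not code from this thread or from Univention), this script classifies the "data 52e" sub-code that post #3's traceback shows and that post #4 interprets, scanning connector-status.log lines for the last INVALID_CREDENTIALS entry; the sub-code table is the standard set Active Directory returns in AcceptSecurityContext errors, and the sample log is constructed from the traceback shape above.

```python
import re

# Sub-codes Active Directory appends as "data NNN" (hex) to a failed simple bind.
AD_BIND_DATA_CODES = {
    0x525: "user not found",
    0x52e: "user exists, password wrong",
    0x530: "not permitted to log on at this time",
    0x531: "not permitted to log on at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

# Matches the 'info' string python-ldap puts into INVALID_CREDENTIALS, e.g.
# "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_bind_error(info):
    """Return (data_code, meaning) for an AD bind failure, or (None, reason)."""
    m = _DATA_RE.search(info)
    if not m:
        return None, "no AD data code found"
    code = int(m.group(1), 16)
    return code, AD_BIND_DATA_CODES.get(code, "unknown AD sub-code")


def last_bind_failure(log_lines):
    """Scan connector-status.log lines and classify the most recent bind failure."""
    result = None
    for line in log_lines:
        if line.startswith("INVALID_CREDENTIALS:"):
            result = classify_bind_error(line)
    return result


# Constructed sample in the shape of post #3's log excerpt (not a live log).
SAMPLE_LOG = """Wed May  3 18:42:19 2017
 --- connect failed, failure was: ---
Traceback (most recent call last):
INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}
 ---     retry in 30 seconds      ---
""".splitlines()

if __name__ == "__main__":
    code, meaning = last_bind_failure(SAMPLE_LOG)
    print("data %x: %s" % (code, meaning))
```

Run it against the real /var/log/univention/connector-status.log to see whether the failures are all 52e (wrong password for an existing account) or a different sub-code that points at the account rather than the password.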