UCS backup domain controller: 2 pending join scripts: 96univention-samba4.inst, 98univention-samba4-dns.inst

Starting situation:
2 sites:
Office: Univention master controller ucs.asp.lan 10.0.0.212
Warehouse: Univention backup controller ucsbdc.asp.lan 10.0.1.212
VPN tunnel between the two networks

Installation of UCS 4.3

  1. UCS server: create a new UCS domain
    Domain controller master
    Active Directory-compatible domain controller (Samba 4.7) on server ucs.asp.lan
    Restart UCS server
    UCS 4.3.1 errata 145
    No further apps

  2. UCS server: join an existing UCS domain
    Domain controller backup
    Restart UCS server
    Installation of Active Directory-compatible domain controller (Samba 4.7) on server ucsbdc.asp.lan
    UCS 4.3.1 errata 145
    No further apps

Status of Active Directory-compatible domain controller
Server          Status
ucs.asp.lan     4.7 installed
ucsbdc.asp.lan  4.7 installed

Problem on the 2nd UCS server ucsbdc.asp.lan: 2 join scripts are pending
96univention-samba4.inst
98univention-samba4-dns.inst

Running all pending join scripts leads to the error "LDAP error 8 LDAP_STRONG_AUTH_REQUIRED"
see /var/log/univention/join.log

univention-run-join-scripts started
Mi 11. Jul 11:53:08 CEST 2018

RUNNING 96univention-samba4.inst
2018-07-11 11:53:09.103163104+02:00 (in joinscript_init)
11.07.18 11:53:12.323 DEBUG_INIT
UNIVENTION_DEBUG_BEGIN : uldap.__open host=ucs.asp.lan port=7389 base=dc=asp,dc=lan
UNIVENTION_DEBUG_END : uldap.__open host=ucs.asp.lan port=7389 base=dc=asp,dc=lan
Not updating samba4/role
Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.
Multifile: /etc/samba/smb.conf
Object exists: cn=Builtin,dc=asp,dc=lan
WARNING: cannot append cn=DC Backup Hosts,cn=groups,dc=asp,dc=lan to nestedGroup, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=asp,dc=lan
WARNING: cannot append cn=ucsbdc,cn=dc,cn=computers,dc=asp,dc=lan to hosts, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=asp,dc=lan
Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
Stopping smbd (via systemctl): smbd.service.
Stopping nmbd (via systemctl): nmbd.service.
Setting kerberos/kdc
Setting kerberos/kpasswdserver
File: /etc/krb5.conf
Setting slapd/port
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Setting slapd/port/ldaps
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Restarting slapd (via systemctl): slapd.serviceWarning: slapd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
.
Not updating windows/wins-support
Join against S4 Connector server: ucs
Forest : asp.lan
Domain : asp.lan
Netbios domain : ASP
DC name : ucs.asp.lan
DC netbios name : UCS
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name
Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: not allowed if TLS is used.> <>
Failed to connect to 'ldap://ucs' with backend 'ldap': LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: not allowed if TLS is used.> <>
ERROR(ldb): uncaught exception - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: not allowed if TLS is used.> <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 668, in run
keep_existing=keep_existing)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1462, in join_DC
machinepass, use_ntvfs, dns_backend, promote_existing, keep_existing=keep_existing)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 90, in __init__
credentials=ctx.creds, lp=ctx.lp)
File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 57, in __init__
options=options)
File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 114, in __init__
self.connect(url, flags, options)
File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 72, in connect
options=options)
Failed to join against the S4 Connector server ucs.
Make sure the server is online or if this server is no longer in use,
please completely remove the server object from the domain.
Forest : asp.lan
Domain : asp.lan
Netbios domain : ASP
DC name : ucs.asp.lan
DC netbios name : UCS
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name
Finding a writeable DC for domain 'asp.lan'
Found DC ucs.asp.lan
Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: not allowed if TLS is used.> <>
Failed to connect to 'ldap://ucs.asp.lan' with backend 'ldap': LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: not allowed if TLS is used.> <>
ERROR(ldb): uncaught exception - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: not allowed if TLS is used.> <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 668, in run
keep_existing=keep_existing)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1462, in join_DC
machinepass, use_ntvfs, dns_backend, promote_existing, keep_existing=keep_existing)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 90, in __init__
credentials=ctx.creds, lp=ctx.lp)
File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 57, in __init__
options=options)
File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 114, in __init__
self.connect(url, flags, options)
File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 72, in connect
options=options)
Failed to join the domain asp.lan.
Make sure the server is online or if this server is no longer in use,
please completely remove the server object from the domain.
EXITCODE=1
RUNNING 98univention-samba4-dns.inst
2018-07-11 11:54:12.894942565+02:00 (in joinscript_init)
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1

Mi 11. Jul 11:54:14 CEST 2018
univention-run-join-scripts finished

Shares set up on the 2nd UCS server do not work, and no home directory or netlogon is visible either.

How can this problem be solved?

Regards, Stephan
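Added example, not from the thread or from Univention's tooling: a small parser that turns a join.log like the one above into a per-script summary (exit code and first error line), so the pending scripts and their failure reason can be spotted at a glance or fed into monitoring. It only relies on the line shapes visible in the log above ("RUNNING <script>", "EXITCODE=<n>") and a few error markers taken from it; the sample log and the script name "95example-ok.inst" are constructed.

```python
"""Summarise a UCS join.log: which join scripts ran, their exit code and
the first error line each produced. Added example for this thread, not
Univention's own code."""
import re

RUNNING_RE = re.compile(r"^RUNNING (\S+)")
EXIT_RE = re.compile(r"^EXITCODE=(\d+)")
# Markers that identify an error line; taken from the log shown above.
ERROR_MARKERS = ("LDAP error", "Failed to", "ERROR(", "not available yet")

# Constructed excerpt in the shape of /var/log/univention/join.log.
SAMPLE_LOG = """univention-run-join-scripts started
RUNNING 95example-ok.inst
EXITCODE=0
RUNNING 96univention-samba4.inst
Join against S4 Connector server: ucs
Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: not allowed if TLS is used.> <>
ERROR(ldb): uncaught exception - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED
EXITCODE=1
RUNNING 98univention-samba4-dns.inst
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1
univention-run-join-scripts finished
"""


def parse_join_log(text):
    """Return one dict per join script: script, exitcode, error.

    exitcode is None when the log ended before an EXITCODE line;
    error is the first line matching ERROR_MARKERS, or None.
    """
    results = []
    current = None
    for line in text.splitlines():
        m = RUNNING_RE.match(line)
        if m:
            current = {"script": m.group(1), "exitcode": None, "error": None}
            results.append(current)
            continue
        if current is None:
            continue  # header/footer lines outside any script
        m = EXIT_RE.match(line)
        if m:
            current["exitcode"] = int(m.group(1))
            current = None
            continue
        if current["error"] is None and any(k in line for k in ERROR_MARKERS):
            current["error"] = line.strip()
    return results


def failed_scripts(results):
    """Names of scripts that finished with a non-zero exit code."""
    return [r["script"] for r in results if r["exitcode"] not in (0, None)]


def format_summary(results):
    """Human-readable one-line-per-script summary."""
    lines = []
    for r in results:
        code = "?" if r["exitcode"] is None else r["exitcode"]
        lines.append(f"{r['script']}: exit {code}" + (f" - {r['error']}" if r["error"] else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python joinlog_summary.py [/var/log/univention/join.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    parsed = parse_join_log(text)
    print(format_summary(parsed))
    print("failed:", failed_scripts(parsed))
```

The second script in the sample fails only because the first one did ("Samba4 backend database not available yet"), so the first error in the list is the one to chase; the later "Failed to join" lines are consequences of the same bind failure.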

Hi,

please check on the DC master whether there are modified templates:

univention-check-templates

Regards
mosu

Hello,

the problem has since been solved.
There were no modified templates.
But the firewall between the two sites had blocked ports in the high range; Samba 4.7 has set new requirements here.
After replacing the firewall, the scripts could be joined normally.

Many thanks.
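Added example, not from the thread and not Univention's or Samba's tooling: a port check to run from the backup DC against the master before (or after) univention-run-join-scripts, so a firewall between the sites is found as the cause directly rather than through an "LDAP_STRONG_AUTH_REQUIRED" bind failure. The port list is an assumption for the example (common AD DC ports plus the UCS LDAP port 7389 that appears in the join.log above); 49152-65535 as Samba's default dynamic RPC range is also an assumption and should be checked against the "rpc server dynamic port range" setting in your smb.conf. The host name ucs.asp.lan is taken from the thread.

```python
"""Probe the ports a Samba AD DC join needs on the master and report
which of them look firewalled. Added example for this thread."""
import socket

# Assumed list of ports needed on the master; adjust to your environment.
DC_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    464: "kpasswd",
    636: "LDAPS",
    3268: "Global Catalog",
    7389: "UCS OpenLDAP (port used in join.log)",
}
# Sample probes into the high dynamic RPC range that the thread's firewall
# blocked. 49152-65535 is assumed to be Samba's default dynamic range.
DYNAMIC_RPC_SAMPLE = (49152, 49153, 65535)


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port from the client's point of view.

    'open'      handshake completed, something is listening
    'closed'    RST received: traffic passes the firewall, nothing listens
    'filtered'  no answer within timeout, typically dropped by a firewall
    'error'     other failure (no route, name resolution, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def check_master(host, ports=DC_PORTS, dynamic_sample=DYNAMIC_RPC_SAMPLE, timeout=2.0):
    """Probe every fixed port plus the dynamic-range samples; return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in list(ports) + list(dynamic_sample)}


def blocked_ports(states):
    """Ports that look firewalled: no answer at all."""
    return sorted(p for p, s in states.items() if s == "filtered")


def format_report(host, states, labels=DC_PORTS):
    """Render the probe results as a plain-text table."""
    lines = [f"Port check against {host}"]
    for port in sorted(states):
        label = labels.get(port, "dynamic RPC range sample")
        lines.append(f"  {port:>5}  {states[port]:<8} {label}")
    blocked = blocked_ports(states)
    if blocked:
        lines.append(f"  {len(blocked)} port(s) filtered (check the firewall/VPN): {blocked}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python dc_port_check.py [master-host]   (default from the thread)
    target = sys.argv[1] if len(sys.argv) > 1 else "ucs.asp.lan"
    print(format_report(target, check_master(target)))
```

The "closed" versus "filtered" distinction is the useful part: a dynamic RPC port with nothing bound to it at the moment of the probe should answer with a reset (closed), whereas a silent timeout on the same port means the packet never reached the master, which is the symptom the thread ended up with.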
