UNIVENTION install fine, but no admin


#1

I have just installed Univention Server 4.1 on a Proxmox VM.
The install went fine; I set up the install to join the domain as a DC in a win2003 server 2 DC domain.

1/ Univention is integrated as a server, NOT a DC. My users are recognized on Univention and I can see each personal share.

2/ If I log in to the Univention serveur web interface as Administrator, I have access to no services. All services in univention-management-console are denied with a Windows error: " An error occured \n you are not authorizes to perform this action \n serveur error message : \n Forbidden \n [OK] "

What can I do now?

I would have expected my UCS to be a DC, or, if it is just a member, to be able to upgrade it to a DC, or at least to be able to install any other module.

I can log in as root on the local system, but I have no option to install more modules.

Is there a way to manually upgrade the member to a DC?
Is there a way to manually activate the install of a new module (any)?

Thank you all in advance for your help and for your indications.


#2

Digging:

/var/log/univention# univention-check-join-status
Joined successfully


#3

Hi,

it looks like you have shell access. A good point to start should be the investigation of the files in /var/log/univention. I would try to reproduce the error and immediately list the files, sorted by date (ls -altr).

In addition I noticed the word “serveur” in your post. This reminded me that French Windows localization may cause problems (see bug 25904).

Best Regards,
Dirk Ahrnke


#4

This is it, I am in French Polynesia, so French locales.
I keep digging into the logs.

By the way, if someone has a clear explanation of the solution to French Windows localisation …


#5

Would it be enough if I create an admin named Administrator?

[edit] I have tested creating a domain admin named “Administrator”, and now I can join the App Center as Administrateur …
It looks like this confirms the bug about locale.


#6

UCS seems to care about locale naming:

18.11.15 17:24:49.536 MODULE ( PROCESS ) : Matching well known object names
18.11.15 17:24:52.503 MODULE ( PROCESS ) : Create connector/ad/mapping/group/table/Printer-Admins
Unsetting connector/ad/mapping/group/language
Process: Renaming 'uid=Administrator,cn=users,dc=infoel,dc=pf' to 'Administrateur' in UCS LDAP.
Process: Renaming 'cn=Domain Guests,cn=groups,dc=infoel,dc=pf' to 'Invités du domaine' in UCS LDAP.
Process: Renaming 'cn=Domain Users,cn=groups,dc=infoel,dc=pf' to 'Utilisa. du domaine' in UCS LDAP.
Process: Modifying 'cn=default,cn=univention,dc=infoel,dc=pf' in UCS LDAP.
Process: Renaming 'cn=Domain Admins,cn=groups,dc=infoel,dc=pf' to 'Admins du domaine' in UCS LDAP.

However, some scripts or processes do NOT care (log from setup.log):

Using short domain name -- INFOEL
Joined 'UNIFONECS' to dns domain 'infoel.pf'
Create windows/wins-support
Multifile: /etc/samba/smb.conf
...
Successfully granted rights.
Failed to grant privileges for Administrator (NT_STATUS_NO_SUCH_USER)
Object created: cn=unifonecs.infoel.pf,cn=shares,dc=infoel,dc=pf
Object modified: cn=unifonecs.infoel.pf,cn=shares,dc=infoel,dc=pf
Object exists: cn=services,cn=univention,dc=infoel,dc=pf
Object created: cn=Samba 3,cn=services,cn=univention,dc=infoel,dc=pf
Object modified: cn=unifonecs,cn=dc,cn=computers,dc=infoel,dc=pf
2015-11-18 17:26:08.307323120-10:00 (in joinscript_save_current_version)


#7

[quote=“dominix”]

... Process: Renaming 'uid=Administrator,cn=users,dc=infoel,dc=pf' to 'Administrateur' in UCS LDAP. [/quote]

Did you try to logon as “Administrateur”?

Best Regards,
Dirk


#8

I give up.
There is no way to install Univention as a DC in an existing French-localised domain.


#9

I’m sorry to hear that. If you want to give it another chance, I will try to help you.

First things first:

UCS can be an Active Directory Domain controller when it’s running in stand-alone mode, but that is not the scenario you want, I guess.

Concerning the localisation:

I did this myself some time ago with a Spanish Active Directory. There we also have “Administrador” vs. “Administrator”, and it did work with the localised names (Administrador). The manual says:

Once the AD member mode has been set up, the authentication is performed against the AD domain controller. Consequently, the password from the AD domain now applies for the administrator. If an AD domain with a non-English language convention has been joined, the administrator account from UCS is automatically changed to the spelling of the AD during the domain join. The same applies for all user and group objects with Well Known SID (e.g., Domain Admins).

I don’t have any Windows 2003 DVD/ISO with French locales, but I might try it with Windows Server 2008 R2 and have a look if I can reproduce your issue.


#10

So I quickly tested this with the following setup:

1x Windows Server 2008 R2 (because I don’t have a French Windows 2003) as Active Directory Domain controller and DNS Server
Domain name: ad.example.org
FQDN: winfr.ad.example.org

1x UCS 4.1
I did NOT choose “Join existing AD domain” during the installation, because the other way it’s a bit easier to access the logs:

  • As DNS server enter the IP of the Windows Server
  • During installation choose “Create new UCS domain”
  • Name the domain exactly the same as the AD domain: ad.example.org
  • As FQDN I chose ucs.ad.example.org
  • Choose “Active Directory Connection” as Software component to be installed
  • When the installation is done, log in to the UMC using Administrator and the password chosen during UCS installation
  • Go to the Domain category and select the “Active Directory Connection” Module
  • Specify the IP Address of the Windows DC
  • Specify the name of the Windows AD Administrator: Administrateur
  • Enter the password of the Administrateur account of the Windows AD
  • Start the join process and wait for it to finish
  • Reload the UMC (or restart the service or even the server)
  • Log in to the UMC as Administrateur and the password of the Windows AD
  • I could then access all UMC modules

In the log file “/var/log/univention/management-console-module-adconnector.log” I also see this:

02.12.15 22:02:05.374 MODULE ( PROCESS ) : Renaming well known SID objects...
02.12.15 22:02:05.580 MODULE ( PROCESS ) : Matching well known object names
02.12.15 22:02:07.021 MODULE ( PROCESS ) : Create connector/ad/mapping/group/table/Printer-Admins
Unsetting connector/ad/mapping/group/language
Process: Renaming 'cn=Domain Admins,cn=groups,dc=ad,dc=example,dc=org' to 'Admins du domaine' in UCS LDAP.
Process: Renaming 'cn=Domain Users,cn=groups,dc=ad,dc=example,dc=org' to 'Utilisateurs du domaine' in UCS LDAP.
Process: Modifying 'cn=default,cn=univention,dc=ad,dc=example,dc=org' in UCS LDAP.
Process: Renaming 'cn=Domain Guests,cn=groups,dc=ad,dc=example,dc=org' to 'Invités du domaine' in UCS LDAP.
Process: Renaming 'uid=Administrator,cn=users,dc=ad,dc=example,dc=org' to 'Administrateur' in UCS LDAP.

That’s fine and expected.

I don’t see the “NT_STATUS_NO_SUCH_USER” in setup.log

If you want to try it again and follow my instructions from above, please delete the computer object of the UCS system and the DNS entries (especially the SRV record “_domaincontroller_master”) from the Windows AD before starting over.

Best regards,
Michael Grandjean
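
The renames logged in posts #6 and #10 and the NT_STATUS_NO_SUCH_USER failure from post #6 can be cross-checked from the shell to see whether a privilege grant was attempted under a name the join had already localized. This is an added example, not part of the thread and not UCS code; the function names are hypothetical and the sample log lines are constructed from the line formats quoted above.

```shell
#!/bin/sh
# Added example (not UCS code): function names are hypothetical.
TAB=$(printf '\t')

# Print "old-name<TAB>localized-name" for each well-known object renamed
# during the AD join. grep -o copes with several entries on one line.
renamed_objects() {
    grep -o "Renaming '[^']*' to '[^']*'" "$1" |
        sed -E "s/^Renaming '[^=]*=([^,']*)[^']*' to '([^']*)'\$/\\1${TAB}\\2/"
}

# Print "old -> new" for every account that setup.log could not find
# (NT_STATUS_NO_SUCH_USER) although the join had renamed it, i.e. the
# privilege grant was attempted under the pre-rename (English) name.
stale_name_failures() {
    adlog=$1
    setuplog=$2
    grep -o "Failed to grant privileges for [^(]* (NT_STATUS_NO_SUCH_USER)" "$setuplog" |
        sed -E 's/^Failed to grant privileges for ([^(]*) \(NT_STATUS_NO_SUCH_USER\)$/\1/' |
        while IFS= read -r name; do
            renamed_objects "$adlog" |
                awk -F "$TAB" -v n="$name" '$1 == n { print $1 " -> " $2 }'
        done
}

# Constructed sample input, in the line formats quoted in the thread.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/adconnector.log" <<'EOF'
Process: Renaming 'uid=Administrator,cn=users,dc=ad,dc=example,dc=org' to 'Administrateur' in UCS LDAP.
Process: Renaming 'cn=Domain Admins,cn=groups,dc=ad,dc=example,dc=org' to 'Admins du domaine' in UCS LDAP.
EOF
    cat > "$dir/setup.log" <<'EOF'
Successfully granted rights.
Failed to grant privileges for Administrator (NT_STATUS_NO_SUCH_USER)
EOF
    stale_name_failures "$dir/adconnector.log" "$dir/setup.log"
    rm -rf "$dir"
}

demo
```

On a real system the two arguments would be the adconnector log named in post #10 and the setup.log quoted in post #6; a line of output means the account exists only under its localized name.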


#11

Many thanks for taking the time to elaborate a solution to this tricky setup.

I’ll try this as soon as I have the time to, and I’ll report the state here.


#12

I’m back at the beginning.
I am able to install a member server, a standalone server, but I cannot join a French WIN2003 domain as DC.
I am able to log in with “administrateur” but have no rights (“you are not authorized…”), and furthermore after joining I cannot log in with administrator any more (no local admin) = bad password on any try I made.